This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ihenock1011
Advisor
‎2024-05-14 01:19 AM
Jump to solution

MHO cluster

Hi Team,

We currently have three Check Point Maestro MHO-140 appliances. Two are deployed in an active-active cluster at our main data center for redundancy, while the third serves as a spare.

We'd like to explore the possibility of utilizing the spare MHO appliance at our Disaster Recovery (DR) site. Since all three appliances are the same model, we'd like to confirm if it's feasible to:

  1. Deploy one MHO at the DR site: Can we establish a cluster between the active MHOs in the main data center and the MHO deployed at the DR site?
  2. Cluster configuration: Is it possible to configure this cluster in either active-active or active-standby mode for optimal redundancy at both locations?

Please advise on the supportability and recommended configuration for this scenario.

Thanks,

0 Kudos
2 Solutions

Accepted Solutions
emmap
MVP Gold CHKP MVP Gold CHKP
MVP Gold CHKP
‎2024-05-14 01:28 AM
Jump to solution

MHOs are not clustered like gateways are. They provide a form of active/active high availability when architected appropriately (all uplinks bonded across both MHOs) but they are functionally independent devices who sync a bit of configuration, and pass packets down to the SGMs / out to the network switches as they come in and out. 

When looking to set up a Dual-Site architecture, you need the same amount of MHOs on both sites. So you'd have to add a fourth MHO to your setup if you wanted to move to this. You would then also have to move/add SGMs to that site before you can use that second site. A dual-site Security Group should have the same amount of SGMs on both sites in order to achieve HA, as they form an Active/Standby setup across the two sites. All SGMs in site 1 are active and all SGMs in site 2 are standby, until a failover event occurs. 

View solution in original post

Dario_Perez
Employee Employee
Employee
‎2024-05-14 02:03 AM
Jump to solution

MHO have to be mirrored on both sites, if you are planning to have dual site, the site two must have the same set up on MHO as primary have, if you have 2 MHO on site 1 you need 2 on site 2, you can't have 2 on site 1 and 1 on site 2. that is not supported. 

View solution in original post

4 Replies
emmap
MVP Gold CHKP MVP Gold CHKP
MVP Gold CHKP
‎2024-05-14 01:28 AM
Jump to solution

MHOs are not clustered like gateways are. They provide a form of active/active high availability when architected appropriately (all uplinks bonded across both MHOs) but they are functionally independent devices who sync a bit of configuration, and pass packets down to the SGMs / out to the network switches as they come in and out. 

When looking to set up a Dual-Site architecture, you need the same amount of MHOs on both sites. So you'd have to add a fourth MHO to your setup if you wanted to move to this. You would then also have to move/add SGMs to that site before you can use that second site. A dual-site Security Group should have the same amount of SGMs on both sites in order to achieve HA, as they form an Active/Standby setup across the two sites. All SGMs in site 1 are active and all SGMs in site 2 are standby, until a failover event occurs. 

Dario_Perez
Employee Employee
Employee
‎2024-05-14 02:03 AM
Jump to solution

MHO have to be mirrored on both sites, if you are planning to have dual site, the site two must have the same set up on MHO as primary have, if you have 2 MHO on site 1 you need 2 on site 2, you can't have 2 on site 1 and 1 on site 2. that is not supported. 

Ihenock1011
Advisor
‎2024-05-14 05:39 AM
In response to Dario_Perez
Jump to solution

@emmap @Dario_Perez Does the SGMs must be the same model for example if we have 7K series in site 1 SG-01 and in site 2 the same model must be used ?

0 Kudos
emmap
MVP Gold CHKP MVP Gold CHKP
MVP Gold CHKP
‎2024-05-14 07:35 PM
In response to Ihenock1011
Jump to solution

It is recommended that the same models are used so that you have the same capabilities on both sides and full HA. but mix&match rules apply if you want to use different models.

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
 
Upcoming Maestro Events

    CheckMates Events