ClusterXL active-active vs active-passive
Hi CheckMates!
We are going to implement new Check Point clusters to replace the ageing Juniper firewalls. I was going to install 2 HA Active-Passive clusters, each with 2 IP addresses + VIP per WAN link, but the ISP's design does not allow this.
ISP is suggesting the following:
- Site1 GW1 uses the Active Layer3 link with IP address a.a.a.x/31 for internet access
- Site1 GW2 uses the Active Layer3 link with IP address b.b.b.x/31 for connections between sites via IPSEC
- Site2 GW1 uses the Active Layer3 link with IP address c.c.c.x/31 for internet access
- Site2 GW2 uses the Active Layer3 link with IP address d.d.d.x/31 for connections between sites via IPSEC
(Apparently "on Juniper you can use a WAN link on the Active member, and another active WAN link on the Passive member")
If you ask me, this cannot be done in a Check Point Active-Passive setup. At a minimum I'll need an Active-Active load sharing cluster, but then I imagine I'll run into issues using different subnets on the WAN interfaces of each cluster member.
What is your opinion? Any suggestions?
Kind regards
Ph.
- Tags:
- clusterxl
Why do you need two IP addresses per cluster? Using a VIP you have one IP per HA cluster only...
Generally I would prefer Active/Passive mode in a cluster environment. You should use Active/Active mode only if a single gateway is not able to handle the traffic/CPU/memory load.
Below are some drawbacks of Active/Active mode:
- SecureXL does not support load balancing
- SK42359 - SecureXL and Sticky Decision Function in ClusterXL Load Sharing Mode
- SK65486 - Features not supported by Sticky Decision Function (SDF)
- SK31680 - Load Sharing mode with SDF
Good luck with that.
Hi Phil,
That's, to say the least, a slightly overcomplicated design. All you need is what Guenter suggested:
- 1 VIP per cluster on each interface (with sync), and the other interfaces as designed: 2 physical addresses and a VIP on each
- 1 VIP on each WAN side towards the CPE, from the same subnet with its mask etc. Nothing really as complicated as you've described. I think this entire design is an attempt at migrating Juniper NetScreen devices to GAIA, am I right?
Make it simple and do follow the mentioned SKs. All you need is HA Active/Passive (Active/Active with LSM mode is not really a very up-to-date architecture any longer; see Valeri's posts from a few weeks ago). You don't need A/A LSM nor A/A; all that's needed is proper "subnetting" and a structure of VLANs/subnets/interface design, that's all.
For the sake of IPsec, don't pay attention to this: IPsec peers can be terminated on each gateway's VIP address and there is nothing to worry about, just a valid routing table and off we go.
All the best,
Jerry
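A small planning check, added here as an example and not part of any post in this thread, that encodes the point the replies make: each ClusterXL interface needs two physical member addresses plus a VIP in one subnet (with room for the CPE next hop on the WAN side), which one /31 per member cannot provide. The plans, interface names and addresses below are constructed; the RFC 5737 documentation ranges stand in for the thread's a.a.a.x/31 links.

```python
import ipaddress

# Constructed sample plans (not from the thread). Addresses come from the
# RFC 5737 documentation ranges and stand in for the thread's a.a.a.x/31.

# What the replies recommend: two physical addresses plus one VIP per
# interface, all in one subnet that also holds the ISP/CPE next hop.
PLAN_HA = {
    "eth0-WAN": {"member1": "198.51.100.2/29", "member2": "198.51.100.3/29",
                 "vip": "198.51.100.1/29", "next_hop": "198.51.100.6/29"},
    "eth1-LAN": {"member1": "192.0.2.2/24", "member2": "192.0.2.3/24",
                 "vip": "192.0.2.1/24"},
}

# What the ISP proposed: each member on its own /31 point-to-point link,
# with no address left over for a VIP.
PLAN_ISP = {
    "eth0-WAN": {"member1": "198.51.100.0/31", "member2": "203.0.113.0/31",
                 "vip": None, "next_hop": "198.51.100.1/31"},
}

CLUSTER_ROLES = ("member1", "member2", "vip")


def usable_hosts(net):
    """Host addresses available on an IPv4 network: /31 and /32 reserve
    nothing, every larger prefix loses network and broadcast."""
    return net.num_addresses if net.prefixlen >= 31 else net.num_addresses - 2


def smallest_prefix(needed):
    """Longest IPv4 prefix whose usable host count covers `needed`."""
    p = 30
    while (2 ** (32 - p)) - 2 < needed:
        p -= 1
    return p


def check_interface(name, iface):
    """Return the list of design problems for one cluster interface."""
    problems = []
    addrs = {role: ipaddress.ip_interface(iface[role])
             for role in CLUSTER_ROLES if iface.get(role)}

    if "vip" not in addrs:
        problems.append(f"{name}: no VIP, so peers (ISP, IPsec) would target "
                        "a member address that does not move on failover")

    networks = {a.network for a in addrs.values()}
    if len(networks) > 1:
        problems.append(f"{name}: members/VIP span different subnets "
                        f"{sorted(str(n) for n in networks)}")
        return problems  # the remaining checks assume a single subnet

    net = networks.pop()
    if len({a.ip for a in addrs.values()}) != len(addrs):
        problems.append(f"{name}: duplicate address among members/VIP")

    needed = 3  # two physical member addresses + the VIP
    if iface.get("next_hop"):
        nh = ipaddress.ip_interface(iface["next_hop"])
        needed += 1  # the CPE/next hop must live in the same subnet
        if nh.network != net:
            problems.append(f"{name}: next hop {nh.ip} is outside {net}")
    if usable_hosts(net) < needed:
        problems.append(f"{name}: {net} has {usable_hosts(net)} usable "
                        f"addresses, need {needed} "
                        f"(smallest fit is /{smallest_prefix(needed)})")
    return problems


def validate_plan(plan):
    """Map interface name -> problems, only for interfaces that have any."""
    result = {}
    for name, iface in plan.items():
        problems = check_interface(name, iface)
        if problems:
            result[name] = problems
    return result


if __name__ == "__main__":
    for label, plan in (("HA plan", PLAN_HA), ("ISP /31 plan", PLAN_ISP)):
        print(label, validate_plan(plan) or "OK")
```

Running it reports the HA plan as clean and flags the ISP plan twice: the members sit on different subnets and there is no VIP. A /30 per WAN link fails too, because its two usable addresses cannot hold two members and a VIP, which is why a /29 is the smallest block to request per cluster interface when the CPE also needs an address in it.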
Hi All,
Thanks for your replies - great to see Checkmates in action and helping me out. I'll try to return the favour later!
@Jerry:
Indeed:
- The guys at the ISP are used to working with Juniper
- In my first meeting with them, first thing I said was: I'm going to need 3 IPs per link, because I want to work with HA clustering & VIP.
Thank you for confirming that I was on the right track!
Best regards,
Philip
