I was wondering what the general consensus is on clustering standalone units, so with management + gateway on the same appliance. Or perhaps not even clustering, but the idea of standalone units as a whole.
We're dealing mostly with customers who buy the 4000 and 5000-series appliances and we've had the feeling, from day one of stepping into the CheckPoint partner playing field, that standalone setups are supported, but never mentioned. With every proposal that we've done together with CheckPoint, it was always assumed that, no matter what, a separate management server was the way to go. To tell you the truth, I didn't know that a HA setup with 2 standalone units was even supported.
What gives? What are your experiences with standalone units, HA or not?
My opinion - say no to standalone setups with Check Point (unless it is not an SMB device).
Some time ago I implemented a setup of two 4800 appliances with increased RAM working in Full HA (FW + Mgmt) on R77.30 version of software. As I remember, some NGFW blades were enabled - IPS and Application Control. Something around 50 - 100 rules and standard profiles without much tuning.
Every time when policy was installed there were drops of traffic (very short, but visible with simple ping), because policy verification and compilation is quite a resource-demanding operation. The setup ended up with node 1 acting as active FW and node 2 as active management server. Not enough space on HDD to store logs for a longer time, log Indexing (SmartLog) was not really possible.
It also adds complexity to software upgrades and maintenance. Higher risks of ruining the management database. Higher risks of some security issues. More time and trouble to restore a gateway from a backup. Snapshots might not be possible to make because there would not be enough space.
Of course, if there are much more powerful appliances you can try the setup. It would be interesting to know how it would perform, just for fun. But I think that anyone who buys some 15000-23000 appliances already has a server, most probably even MDS. Right?
And I would definitely not recommend standalone setup with R80.10 - management server will eat all RAM and CPU that you have. Although, there is this sk120131 which assumes that everything would be fine.
I would avoid standalone deployments in all but the smallest of environments, especially Full HA (standalone setup in a cluster).
Thanks for the comments so far, this is exactly the kind of input I'm looking for and it annoys me that this is something most CheckPoint representatives are so hesitant to come forward with.
The reason for asking about these kinds of setups is that we have more customers willing to buy a unit for a rather simple setup, with say a 3200 or 5200 which includes a gateway+management license in one. But when they want to separate these, they suddenly have to pay for a, rather expensive, management server license.
That is a true statement that should be directed to the sales people only - I am glad to assist in technical questions or help with known bugs, but I have nothing to do with license bundling and pricing...
The same is true for me, but I was just trying to explain where this was coming from.
Aleksei for me spoke true words 😉 Full Management HA out of my experience is not the stablest deployment - management sync alone made heavy headaches from time to time, and to have the active node together with the primary management is no good idea at all.
I would rather go for SMS in a VM together with an appliance cluster...
As an addition, find here the most important SKs dealing with Full HA:
sk54160 How to Configure Management HA
sk60443 How to install Full HA cluster on Check Point appliances
sk93585 How to convert two Standalone machines into a Full-HA environment
sk104699 How to configure a Standalone machine to become a part of a Full HA cluster
sk39345 Management High Availability restrictions
sk39740 How to configure management HA when the Primary and Secondary management servers are on separate networks?
sk25164 SmartEvent / SmartReporter is not supported in High Availability environment
It is definitely possible. I've built this and noticed that especially the CPU is having a heavy load when using this configuration. Also keep in mind that rebooting a GW can take a long time because of the CPU load. The CPU load is spiking mainly when accessing the management console and accessing logging. My technical advice would also be to have a management server.