Martin_Raska
Advisor

FULL HA cluster support

Hello mates,

Question:

Is FULL HA Cluster supported on VMware? This sk60443 says yes. The Installation and Upgrade Guide R80.40 says only CP appliances, page 134.

0 Kudos
1 Solution

Accepted Solutions
PhoneBoy
Admin

We've updated sk60443 so it is clear this is only supported on physical Check Point appliances.
It is not supported on Open servers or virtualized appliances at all.

23 Replies
G_W_Albrecht
Legend

You did not read sk60443 correctly: These guidelines apply to all Check Point appliances running on Gaia OS / SecurePlatform OS, as well as Virtual Appliances running vSEC Virtual Edition on Gaia OS
(Note: this article does not apply to vSEC for Amazon Web Services, vSEC for Microsoft Azure, vSEC for Google Cloud Platform, vSEC for VMware NSX, vSEC for VMware vCloud Air, vSEC for Cisco ACI, vSEC for OpenStack).

Historically, this had never been supported on OpenServer at all, only on (also virtual) appliances.

But I would put my answer like this: On VMware, Full HA Cluster makes no sense at all!

  • Gateway clustering = ClusterXL HA should be used
  • SMS on VM is easily cloned, different ways of backup are possible, so we do not need Management HA in most cases we could think of
  • Full HA is the solution with many features for less money very often giving big trouble 😞
  • So out of long experience, I have always suggested keeping your hands off fool management haha...
CCSP - CCSE / CCTE / CTPS / CCME / CCSM Elite / SMB Specialist
Martin_Raska
Advisor
I read it many times but admin guide says different. It makes sense, the answer is as always money, therefore you have to build FULL HA without separate management. That's it.
0 Kudos
G_W_Albrecht
Legend

Which Admin Guide says differently? The sk39345 (from 03-Oct-2019) says:

Additional restrictions for ClusterXL Full High Availability configuration:

  • Supported only between appliances with the identical Operating Systems (cluster requirement).

Again: For me it makes no sense to have two small appliances with NPM licenses in Fool HA configuration - it turned out to be a PITA much too often...

CCSP - CCSE / CCTE / CTPS / CCME / CCSM Elite / SMB Specialist
0 Kudos
Ian_Cresswell
Contributor

If HA is not available in the Virtual world what is recommended for virtual gateways running on ESX?

If we have two ESX servers with the gateway on one of them, if that ESX server blows up how are the services transitioned to the other ESX server?

0 Kudos
Martin_Raska
Advisor

HA is supported, what is not is FULL HA = Standalone HA cluster

0 Kudos
Ian_Cresswell
Contributor

Not sure what the difference is between HA and Full HA?

Do you mean that when there are two separate gateways, one on each ESX server, similar to there being two appliances in the physical world is supported?

Is there any documentation supporting this, I find documentation on private clouds for virtual appliances is a bit sparse.

0 Kudos
Martin_Raska
Advisor
0 Kudos
Ian_Cresswell
Contributor

Yeah that's a link to appliances, I will be running virtual servers, so CloudGuard IAAS virtual gateways.

It's easy on physical appliances, there is a wealth of documentation for that.

0 Kudos
PhoneBoy
Admin

And we only support this on PHYSICAL Check Point appliances (not virtual ones).

0 Kudos
PhoneBoy
Admin
This has only ever been supported on physical Check Point appliances, not VMs.
At least as far as I know.
Clearly the SK needs to be updated if for no other reason than to remove the references to vSEC. 😬
Will ask them to clarify this point and update.
Martin_Raska
Advisor
PhoneBoy
"Will ask them to clarify this point and update."

Please do.

And others, stop flaming; my question was not about ClusterXL active/passive, but about FULL HA standalone cluster and what is/not supported.
0 Kudos
G_W_Albrecht
Legend

I did not notice any flaming here, neither in mine nor someone else's posts, and at least my posts were about fool mgmt ha only 😎 - can you please elaborate on your last sentence?

CCSP - CCSE / CCTE / CTPS / CCME / CCSM Elite / SMB Specialist
0 Kudos
Martin_Raska
Advisor
Guys, I am not new to CP, I know this solution very well, I don't like it either but the project will be FULL HA standalone setup or different vendor. That's it. I don't need a lecture about this solution, I just need a correct answer on whether it's supported on VMware, nothing more.

Thanks

PhoneBoy
Admin
Not to fan any flames here, but is the decision to do Full HA a function of cost (i.e. separate management requires another license) versus functionality?
0 Kudos
Wolfgang
Authority

Martin,

We too had this requirement from one of our customers at the end of last year, and the answer from the local Check Point team was "It's not supported with VMware", only Check Point appliances.

Wolfgang

HeikoAnkenbrand
Champion

There are several ways to install a ClusterXL for R80.30 or R80.40:

Open Server and Appliance:

- sk144293 - Check Point R80.30 or sk160736 - Check Point R80.40

CloudGuard Virtual Edition (VE) OpenStack, KVM, ESXi:

- sk158292 - CloudGuard for Private Cloud images

CloudGuard for VMware NSX:

- sk114518 - CloudGuard for NSX

Read more here:

ClusterXL Installation - OpenServer, Appliance, OpenStack, KVM, ESXi, NSX, AWS, ACI, Azure, Google

➜ CCSM Elite, CCME, CCTE ➜ www.checkpoint.tips
Uri_Lewitus
Employee

Hi Martin

Where in the SK does it state that VMware is supported for SA? Couldn't find such a statement - can you please point it out.

Thanks

Uri

0 Kudos
Martin_Raska
Advisor

the second sentence says:

These guidelines apply to all Check Point appliances running on Gaia OS / SecurePlatform OS,
as well as Virtual Appliances running vSEC Virtual Edition on Gaia OS

From how I understand it, vSEC=CloudGuard=virtual appliance

0 Kudos
Uri_Lewitus
Employee

Thanks Martin

I see - however vSEC is a different product and by definition does not support FULL HA, it is not VMware ESX

Will ask the SK team to clarify

Ronen_Zel
Mod

I am happy to say that based on this feedback sk60443 is now updated. Thanks for bringing this to our attention.

James_Lim
Participant

Quick question.

Is Active-Active ClusterXL FW supported in Full HA Setup in R80.40?

While Management Components still remain active/standby.

0 Kudos
G_W_Albrecht
Legend

NO: See sk101539 - ClusterXL Load Sharing mode limitations and important notes!

CCSP - CCSE / CCTE / CTPS / CCME / CCSM Elite / SMB Specialist