Solved: FULL HA cluster support

Martin_Raska · ‎2020-02-28

Hello mates,

Question:

Is FULL HA Cluster supported on vmware? This sk60443 says yes. Installation a Upgrade guide R80.40 says only CP appliances, page 134.

PhoneBoy · ‎2020-03-10

We've updated sk60443 so it is clear this is only supported on physical Check Point appliances.
It is not supported on Open servers or virtualized appliances at all.

View solution in original post

G_W_Albrecht · ‎2020-02-28

You did not read sk60443 correctly: These guidelines apply to all Check Point appliances running on Gaia OS / SecurePlatform OS, as well as Virtual Appliances running vSEC Virtual Edition on Gaia OS
(Note: this article does not apply to vSEC for Amazon Web Services, vSEC for Microsoft Azure, vSEC for Google Cloud Platform, vSEC for VMware NSX, vSEC for VMware vCloud Air, vSEC for Cisco ACI, vSEC for OpenStack).

Historically, this had never been supported on OpenServer at all, only on (also virtual) appliances.

But i would put my answer like this: On VMWare, Full HA Cluster does make no sense at all !

Gateway clustering = Cluster XL HA should be used
SMS on VM is easily cloned, different ways of backup are possible, so we do not need Management HA in most cases we could think of
Full HA is the solution with many features for less money very often giving big trouble 😞
So out of long experience, i always have suggested to keep the hands from fool management haha...

CCSP - CCSE / CCTE / CTPS / CCME / CCSM Elite / SMB Specialist

Martin_Raska · ‎2020-02-28

I read it many times but admin guide says different. It makes sense, the answer is as always money, therefore you have to build FULL HA without separate management. That's it.

G_W_Albrecht · ‎2020-02-28

Which Admin Guide says differently ? The sk39345 (from 03-Okt-2019) says:

Additional restrictions for ClusterXL Full High Availability configuration:

Supported only between appliances with the identical Operating Systems (cluster requirement).

Again: For me it makes no sense to have two small appliances with NPM licenses in Fool HA configuration - it turned to be a PITA much too often...

CCSP - CCSE / CCTE / CTPS / CCME / CCSM Elite / SMB Specialist

Ian_Cresswell · ‎2021-12-14

If HA is not available in the Virtual world what is recommended for virtual gateways running on ESX?

If we have two ESX servers with the gateway on one of them, if that ESX server blows up how are the services transitioned to the other ESX server?

Martin_Raska · ‎2021-12-14

HA is supported, what is not is FULL HA = Standalone HA cluster

Ian_Cresswell · ‎2021-12-14

Not sure what the difference is between HA and Full HA?

Do you mean that when there are two separate gateways, one on each ESX server, similar to there being two appliances in the physical world is supported?

Is there any documentation supporting this, I find documentation on private clouds for virtual appliances is a bit sparse.

Martin_Raska · ‎2021-12-14

FULL HA is two standalone instalation merged to cluster

https://sc1.checkpoint.com/documents/R81/WebAdminGuides/EN/CP_R81_Installation_and_Upgrade_Guide/Top...

Ian_Cresswell · ‎2021-12-14

Yeah that's a link to appliances, I will be running virtual servers, so CloudGuard IAAS virtual gateways.

Its easy on physical appliances, there is a wealth of documentation for that.

PhoneBoy · ‎2021-12-14

And we only support this on PHYSICAL Check Point appliances (not virtual ones).

PhoneBoy · ‎2020-02-28

This has only ever been supported on physical Check Point appliances, not VMs.
At least as far as I know.
Clearly the SK needs to be updated if for no other reason than to remove the references to vSEC. 😬
Will ask them to clarify this point and update.

Martin_Raska · ‎2020-03-02

PhoneBoy
"Will ask them to clarify this point and update."

please do.

and others stop flame, my question was not about ClusterXL active/passive, but about FULL HA standalone cluster and what is /not supported.

G_W_Albrecht · ‎2020-03-02

I did not notice any flaming here, neither in mine nor someone elses posts, and at least my posts were about fool mgmt ha only 8) - can you please elaborate your last sentence ?

CCSP - CCSE / CCTE / CTPS / CCME / CCSM Elite / SMB Specialist

Martin_Raska · ‎2020-03-02

Guys, I am not new to CP, I know this solution very well, I don't like it either but the project will be FULL HA standalone setup or different vendor. That's it. I don't need a lection about this solution, I just need correct if it's supported on vmware nothing more.

Thanks

PhoneBoy · ‎2020-03-02

Not to fan any flames here, but is the decision to do Full HA a function of cost (i.e. separate management requires another license) versus functionality?

Wolfgang · ‎2020-03-02

Martin,

we too had this requirements from one of our customers end of last year and answer from local Check Point team was "It's not supported with VMware" only CheckkPoint appliances.

Wolfgang

HeikoAnkenbrand · ‎2020-02-29

There are several ways to install a ClusterXL for R80.30 or R80.40:

Open Server and Appliance:

- sk144293 - Check Point R80.30 or sk160736 - Check Point R80.40

CloudGuard Virtual Edition (VE) OpenStack, KVM, ESXi

- sk158292 - CloudGuard for Private Cloud images

CloudGuard for VMware NSX

- sk114518: CloudGuard for NSX

More read here:

ClusterXL Installation - OpenServer, Appliance, OpenStack, KVM, ESXi, NSX, AWS, ACI, Azure, Google

➜ CCSM Elite, CCME, CCTE ➜ www.checkpoint.tips

Uri_Lewitus · ‎2020-03-02

Hi Martin

Where in the SK does it state that VMWare is supported for SA? Couldn't find such a statement - can you please point it out.

Thanks

Uri

Martin_Raska · ‎2020-03-03

the second sentence says:

These guidelines apply to all Check Point appliances running on Gaia OS / SecurePlatform OS,
as well as Virtual Appliances running vSEC Virtual Edition on Gaia OS

from how I understand its vSEC=CloudGuard=virtual appliance

Uri_Lewitus · ‎2020-03-03

Thanks Martin

I see - however vSEC is a different product and by definition does not support FULL HA, it is not VMWare ESX

Will ask the SK team to clarify

Ronen_Zel · ‎2020-03-10

I am happy to say that based on this feedback sk60443 is now updated. Thanks for bringing this to our attention.

James_Lim · ‎2020-10-27

Quick question.

Is Active-Active Cluster XL FW supported in Full HA Setup in r80.40?

While Management Components still remain active/standby.

G_W_Albrecht · ‎2020-10-28

NO: See sk101539 - ClusterXL Load Sharing mode limitations and important notes !

CCSP - CCSE / CCTE / CTPS / CCME / CCSM Elite / SMB Specialist

PhoneBoy · ‎2020-03-10

We've updated sk60443 so it is clear this is only supported on physical Check Point appliances.
It is not supported on Open servers or virtualized appliances at all.

Are you a member of CheckMates?

FULL HA cluster support