umar7
Contributor

prefer security / prefer connectivity

Hello support,

May I know the scenario, and in what kind of scenario can we use prefer security?

And in what kind of scenario can we use prefer connectivity? What are the benefits if we use both of the parameters?

0 Kudos
17 Replies
the_rock
Legend

I assume you are referring to the IPS blade setting on the gateway... there is an option there which is by default to prefer connectivity upon cluster failover even if IPS protections can't be guaranteed, OR prefer security, which would close connections if IPS protections can't be guaranteed. Now, if you are speaking generally, it really depends who you ask. Of course, in today's world, more than ever before, security is way too important to overlook, but then if you think of connectivity, it's literally something most companies require constantly. So, all in all, both are super important, but again, opinions might be split on this one.

0 Kudos
umar7
Contributor

Hello Rock,

Thanks for the update.

Correct me if I am wrong:

If I select prefer connectivity, during the failover it simply switches the connection to the standby device; it ensures there is no connectivity issue on failover.

If I select prefer security, during the failover it simply drops the current connection; it will not ensure the connectivity, right?

Is what I mentioned above correct, Rock?

0 Kudos
the_rock
Legend

I attached the screenshot for your reference, hope it's helpful.

Andy

Screenshot_1.png

0 Kudos
the_rock
Legend

You sort of got it : - ). So for prefer connectivity, yes, that's correct; IF your cluster is fully functional, then when failover happens, it will work fine if that option is selected. Now, IF prefer security is selected, it does not mean current connections will close, ONLY the ones for which IPS signatures cannot be applied/guaranteed. Personally, I would leave it at "prefer connectivity", which is the default, as let's be honest, you do NOT want people "screaming" at you because their connections are failing : - )

By the way, the sk @Chris_Atkinson provided also explains that. I would listen to him, he is EXCELLENT, very smart guy!

0 Kudos
Timothy_Hall
Champion

One interesting side effect of "prefer connectivity" is that while the connection will be continued upon ClusterXL failover, it cannot be inspected by streaming (either active or passive) anymore.  As a result the connection will be offloaded into the SXL/Accelerated Path on the newly-active member. 

This looks very strange when you are watching a high-speed transfer that is subject to streaming inspection and a failover occurs; the speed of the transfer doubles or triples!  Interestingly if you fail back over to the original member streaming inspection resumes (assuming the member has not been rebooted or otherwise cleared its state table) and the transfer speed drops back to what it was before.  Was definitely a WTF moment when I first saw this effect, as causing a failover would massively speed up big transfers!  

Gateway Performance Optimization R81.20 Course
now available at maxpowerfirewalls.com
the_rock
Legend

Oh wow, thanks for that Tim, that's super interesting 👍

0 Kudos
umar7
Contributor

hello

0 Kudos
Chris_Atkinson
Employee

sk60160 provides some additional insight further to that provided by Andy.

CCSM R77/R80/ELITE
0 Kudos
Alexander_Wilke
Advisor

What to use if you are running a 64k Scalable Platform which is only a "Single" / "Standard" Gateway Object in SmartConsole and you cannot select the options? Probably the same for Maestro.

However, 64k/Maestro may have failovers in the same "Chassis" or from one chassis to another. What will apply?
Prefer connectivity or prefer security?

0 Kudos
Timothy_Hall
Champion

The default on SP/Maestro is prefer connectivity.  At least in R80.30SP the command was asg_ips_failover_behavior {connectivity | security} and you could check the current state with command g_fw ctl get int fwha_ips_reject_on_failover, 0 is prefer connectivity, 1 is prefer security.

Gateway Performance Optimization R81.20 Course
now available at maxpowerfirewalls.com
Alexander_Wilke
Advisor

Thanks,

I can confirm "connectivity", at least for 64k and R80.20SP Jumbo HFA Take 331:

g_fw ctl get int fwha_ips_reject_on_failover
-*- 10 blades: 1_01 1_02 1_03 1_04 1_05 2_01 2_02 2_03 2_04 2_05 -*-
fwha_ips_reject_on_failover = 0

 

0 Kudos
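As an added example (not from the thread and not a Check Point tool), a small shell helper that parses the grouped output g_fw prints on a Scalable Platform, as shown above, and reports each blade's IPS failover behaviour. It goes a step beyond the post by also handling output where the blades do not agree; the sample output with two blade groups is constructed.

```shell
# Added audit helper (not from the thread, not a Check Point tool). Parses the
# grouped output that g_fw prints on a Scalable Platform, where blades with
# identical output are collapsed under one "-*- N blades: ... -*-" header, and
# reports each blade's IPS failover behaviour (0 = prefer connectivity,
# 1 = prefer security, as described in the thread). On an SGM you would run:
#   g_fw ctl get int fwha_ips_reject_on_failover | ips_failover_report
# A constructed sample with two groups is embedded so the script runs offline.

# Constructed sample: 8 blades on the default, 2 blades switched to security
SAMPLE='-*- 8 blades: 1_01 1_02 1_03 1_04 1_05 2_01 2_02 2_03 -*-
fwha_ips_reject_on_failover = 0
-*- 2 blades: 2_04 2_05 -*-
fwha_ips_reject_on_failover = 1'

# Read g_fw output on stdin; print "blade value label" for every blade listed.
ips_failover_report() {
    awk '
        /^-\*- [0-9]+ blades?: / {
            # header line: collect blade names up to the closing -*-
            n = 0
            for (i = 4; i <= NF; i++) {
                if ($i == "-*-") break
                blades[++n] = $i
            }
            next
        }
        /^fwha_ips_reject_on_failover = [01]$/ {
            label = ($3 == "0") ? "prefer-connectivity" : "prefer-security"
            for (i = 1; i <= n; i++) print blades[i], $3, label
            n = 0
        }
    '
}

# Exit 0 when every blade reports the same value, 1 otherwise. A mixed state
# means failover behaviour depends on which blade owns the connection.
ips_failover_consistent() {
    ips_failover_report | awk '!seen[$2]++ { c++ } END { exit (c == 1) ? 0 : 1 }'
}

# Stand-alone run on the constructed sample
printf '%s\n' "$SAMPLE" | ips_failover_report
if printf '%s\n' "$SAMPLE" | ips_failover_consistent; then
    echo "all blades agree on fwha_ips_reject_on_failover"
else
    echo "WARNING: blades disagree on fwha_ips_reject_on_failover"
fi
```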
umar7
Contributor

hello

0 Kudos
umar7
Contributor

Can I get an update on the above questions?

0 Kudos
the_rock
Legend

I can't give you answers to those, as I never tested the option to prefer security, as the default one is what everyone leaves it at. You would need to try it out and see the behavior.

0 Kudos
umar7
Contributor

Hello Rock,

Thanks for the update.

0 Kudos
umar7
Contributor

Hi all,

If anyone knows the behavior and the answers to the above questions, kindly let me know.

0 Kudos
PhoneBoy
Admin

The kinds of failures that are being discussed here are related to the clustering technology known as ClusterXL.
Many, many things outside of the control of the Check Point configuration can cause ClusterXL to “fail over” to another device.
It obviously has an impact on the IPS service, which requires the same gateway to process the connection (thus why the Prefer Connectivity/Security option exists).

3 minutes and 11 seconds doesn’t sound unreasonable if their test of “IPS service failure” was a reboot of the primary gateway.
There are other reasons a failover can occur that don’t involve a reboot (for example, disabling/unplugging a cable on a NIC, or something else that prevents the gateways from seeing each other).
I would want to know precisely how they are testing this.

0 Kudos