This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
SallesThiago
Participant
‎2025-02-05 06:04 AM
Jump to solution

Implementing High-Availability Firewall Clusters with Single Public IP Connectivity

Today, we have an internal cluster with two 9100 devices, and everything is working fine.

Now, we are planning to implement two new clusters: 

ClusterExternal.png

Cluster Y

  • Two SMB 1575 devices

  • Only one fixed ISP IP

Cluster Z

  • Two 9100 devices

  • Only one fixed ISP IP

 

 

My question is: how can the clusters communicate using only one public IP?

(2)
1 Solution

Accepted Solutions
Chris_Atkinson
MVP Gold CHKP MVP Gold CHKP
MVP Gold CHKP
‎2025-02-05 06:39 AM
In response to ereche
Jump to solution

You may also wish to consider ElasticXL with R82 as another option (for non Spark) as it doesn't have the same IP address requirements as traditional ClusterXL.

https://youtu.be/Ctx9Su0y-e0?feature=shared

CCSM R77/R80/ELITE

View solution in original post

8 Replies
ereche
Participant
‎2025-02-05 06:06 AM
Jump to solution

I have same issue to solve here.

0 Kudos
Chris_Atkinson
MVP Gold CHKP MVP Gold CHKP
MVP Gold CHKP
‎2025-02-05 06:39 AM
In response to ereche
Jump to solution

You may also wish to consider ElasticXL with R82 as another option (for non Spark) as it doesn't have the same IP address requirements as traditional ClusterXL.

https://youtu.be/Ctx9Su0y-e0?feature=shared

CCSM R77/R80/ELITE
SallesThiago
Participant
‎2025-02-05 09:16 AM
In response to Chris_Atkinson
Jump to solution

Using the R82 for non-Spark scenarios seems like the best approach. In the case of Spark with 3 valid IPs, will it work? Is this the best practice in this situation? I’m considering requesting additional IPs from the ISP.

ereche
Participant
‎2025-02-21 03:40 AM
In response to Chris_Atkinson
Jump to solution

Thks Chris, it solves our problem.

0 Kudos
Chris_Atkinson
MVP Gold CHKP MVP Gold CHKP
MVP Gold CHKP
‎2025-02-05 06:12 AM
Jump to solution

The traditional method:

https://sc1.checkpoint.com/documents/R81.10/WebAdminGuides/EN/CP_R81.10_ClusterXL_AdminGuide/Topics-...

CCSM R77/R80/ELITE
sigal
Employee
Employee
‎2025-02-05 07:43 AM
Jump to solution

Hi,
Note that on locally managed Spark appliances running R81.10.15, you can just configure routable IP as VIP and physical (private) IPs from different subnet without the need to implement Cluster IP Addresses on Different Subnets.

Thanks.

SallesThiago
Participant
‎2025-02-05 09:17 AM
In response to sigal
Jump to solution

Yes, for other customers, we handle this through local management in Spark and work fine. However, in this case, the manager will operates centrally.

perfect4situa
Participant
‎2025-03-10 12:37 PM
Jump to solution

Unfortunately, we recently have closed a ticket about this, and the solution is:

Quantum Spark Appliances in Centrally Managed mode DO NOT fully support the configuration with Single Routable IP and interfaces on different network even if it's confirmed by documentation (https://sc1.checkpoint.com/documents/SMB_R81.10.X/AdminGuides_Centrally_Managed/EN/Content/Topics/Co...), this seems to be available only for Quantum Force and higher (https://sc1.checkpoint.com/documents/R81.10/WebAdminGuides/EN/CP_R81.10_ClusterXL_AdminGuide/Topics-...).

You can try to configure a new "local transport network" between gateway and router so you can have as many IP as you want to configure in each interface. In this case you cannot access directly each cluster member from internet, but you can do so via DNAT.

Something like that:

Router External: 1.1.1.1

Router Internal: 192.168.1.1/24

Checkpoint External: 192.168.1.2/24

Checkpoint External gateway: 192.168.1.1

 

Hoping to be useful

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    CheckMates Events