This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
jennyado
Collaborator
‎2025-07-07 11:21 AM

BGP Graceful Restart in HA cluster in Azure

Hi everyone,

I currently have an Azure-deployed Check Point ClusterXL HA environment (Active/Standby) and I’m considering enabling BGP Graceful Restart.

The current topology looks like this:

  • Two Check Point gateways in a ClusterXL HA setup.

  • Each gateway establishes a VPN tunnel (VTI) to an Azure Virtual Network Gateway.

  • Both firewalls are peering via BGP to a private Azure IP (<BGP Peer IP>), which belongs to the Azure Virtual Network Gateway.

  • The Virtual Network Gateway in turn peers with on-prem Cisco routers through another connection.

Everything is working fine as-is.

My question is:

➡️ If I enable BGP Graceful Restart on member A (which is currently active), is there any risk that this could trigger a failover in the cluster before applying the same setting to member B?

I’m concerned whether this change could:

  • Reset the BGP session on the active member.

  • Potentially cause ClusterXL to detect a failover condition (due to lost routes or VTI reachability loss).

Has anyone here performed this adjustment in a similar Azure setup with Cisco routers behind the Virtual Network Gateway?
Would you recommend applying this live, or is it better done during a maintenance window?

Appreciate any advice or shared experience.

Thanks in advance!

0 Kudos
3 Replies
the_rock
MVP Gold
MVP Gold
‎2025-07-07 11:33 AM

I tested this in Azure lab last year and was fine, enabling it did not cause any issues, it actually helped. I have a gut feeling that setting is always needed for BGP to fully function without any network outage.

Andy

Best,
Andy
(1)
jennyado
Collaborator
‎2025-07-07 11:43 AM
In response to the_rock

The test you mention, was it also of a cluster?

According to the following sk https://support.checkpoint.com/results/sk/sk100499
I would just need to check the Graceful Restart box.

jennyado_0-1751913786110.png

 



0 Kudos
the_rock
MVP Gold
MVP Gold
‎2025-07-07 11:46 AM
In response to jennyado

Yes and yes 🙂

Best,
Andy
(1)

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    Sort by:
    CheckMates Events