This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
carl_t
Contributor
‎2021-01-25 12:51 AM

Can you have a cluster, but 1 of them with a lacp bundle to the LAN

Hi All,

Is it possible to have a checkpoint firewall cluster, but on one of them have 2 ports connected to the LAN running LACP and the other firewall 2 would have a single interface not running LACP?

Cheers

0 Kudos
4 Replies
G_W_Albrecht
Legend
Legend
‎2021-01-25 02:40 AM

According to the R80.40 ClusterXL Admin Guide this is not supported: All Cluster Members must run on identically configured hardware platforms.

CCSE CCTE CCSM SMB Specialist
0 Kudos
Chris_Atkinson
Employee Employee
Employee
‎2021-01-25 07:24 AM

Out of interest why can't you run LACP at one of the sites? 

It should be possible to form a bond even to a single switch.

CCSM R77/R80/ELITE
0 Kudos
carl_t
Contributor
‎2021-01-25 08:19 AM
In response to Chris_Atkinson

We can, It just means an outage window thats all.

Cheers

0 Kudos
Bob_Zimmerman
Authority
Authority
‎2021-01-25 11:19 AM

Absolutely. There are a few ways to do this.

You can add the interface as non-clustered. This probably isn't what you want to do, but I mention it because it is possible. Cluster members can have "non-monitored private" interfaces which are unique to the member.

You can also make a clustered interface as long as both firewalls see it as a bond. Bonds can be composed of a single interface, and the member with only one interface in the bond can do "round robin" with a single bonded interface. That will cause it to do no special negotiation on the interface (specifically, no LACP), it will just send traffic out directly. I deploy some of my firewalls' interfaces as single-member bonds simply because it makes it so easy to rearrange the traffic on the physical interfaces.

 

If you are particularly unaverse to risk, you can also run a cluster interface with differently-named interfaces on the different members (bond0 on one member, eth7 on the other). This is allowed by the UI and should work, but I guarantee it hasn't been tested to the degree I would feel even remotely comfortable using in production.

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    Sort by:
    Virtual

    Thu 25 Apr 2024 @ 11:00 AM (SGT)

    APAC: CPX 2024 Recap

    Thu 25 Apr 2024 @ 10:00 AM (CEST)

    The Anatomy of a Cloud Hack by NotSoSecure - EMEA Session

    Thu 25 Apr 2024 @ 06:00 PM (IDT)

    The Anatomy of a Cloud Hack by NotSoSecure - America Session
    Virtual

    Tue 30 Apr 2024 @ 03:00 PM (CDT)

    EMEA: CPX 2024 Recap
    Virtual

    Wed 01 May 2024 @ 02:00 PM (EDT)

    South US: HTTPS Inspection Best Practices
    Virtual

    Thu 02 May 2024 @ 11:00 AM (SGT)

    APAC: What's new in R82
    Virtual

    Thu 25 Apr 2024 @ 11:00 AM (SGT)

    APAC: CPX 2024 Recap
    Virtual

    Tue 30 Apr 2024 @ 03:00 PM (CDT)

    EMEA: CPX 2024 Recap
    Virtual

    Wed 01 May 2024 @ 02:00 PM (EDT)

    South US: HTTPS Inspection Best Practices
    Virtual

    Thu 02 May 2024 @ 11:00 AM (SGT)

    APAC: What's new in R82
    Virtual

    Thu 02 May 2024 @ 10:00 AM (CEST)

    CheckMates Live BeLux: How Can Check Point AI Copilot Assist You?
    Virtual

    Thu 02 May 2024 @ 04:00 PM (CEST)

    CheckMates Live DACH - Keine Kompromisse - Sicheres SD-WAN
    CheckMates Events