Solved: Checkpoint ClusterXL and Cisco ASA Failover cluste... - Check Point CheckMates

Discover the Future of Cybersecurity:
What’s New in Check Point’s Quantum Firewall R82

Register Now!

Share your Cyber Security Insights
On-Stage at CPX 2025

Learn More

Simplifying Zero Trust Security
with Infinity Identity!

Watch Now

Zero Trust Implementation
Help us with the Short-Term Roadmap

Take the Survey

CheckMates Go:
What's New in R82

LISTEN NOW

Hello!

I configured tunnel from my ASA to Checkpoint Cluster XL.

All work but I not shure about properly work BGP.

I configured some router id on each gateways on the cluster (VIP of the internal interfaces)

Some peer - My ASAs tunnel interface ip

And on active gateway i see:

TEST-CHPSG01> show cluster roles

ID Role

1 (local) Master
2 Non-Master

TEST-CHPSG01> show bgp peers

Flags: R - Peer restarted, W - Waiting for End-Of-RIB from Peer

PeerID AS Routes ActRts State InUpds OutUpds Uptime
169.254.129.4 65312 1 1 Established 2 0 11:19:06

On second:

Oleg Volkov, [10.10.2024 12:57]
CUDD-CHPSG01> show bgp peers

Flags: R - Peer restarted, W - Waiting for End-Of-RIB from Peer

PeerID AS Routes ActRts State InUpds OutUpds Uptime
169.254.129.4 65312 1 1 Established 2 0 11:19:06

Oleg Volkov, [10.10.2024 12:57]
TEST-CHPSG02> show cluster roles

ID Role

1 Master
2 (local) Non-Master

TEST-CHPSG02> show bgp peers

Flags: R - Peer restarted, W - Waiting for End-Of-RIB from Peer

PeerID AS Routes ActRts State InUpds OutUpds Uptime
169.254.129.4 65312 0 0 Idle 0 0 00:00:00

After I reload active gateway and check BGP session on standby:

TEST-CHPSG02> show bgp peers

Flags: R - Peer restarted, W - Waiting for End-Of-RIB from Peer

PeerID AS Routes ActRts State InUpds OutUpds Uptime
169.254.129.4 65312 0 0 Idle 0 0 00:00:00

Multiple times - Idle

TEST-CHPSG02> show bgp peers

Flags: R - Peer restarted, W - Waiting for End-Of-RIB from Peer

PeerID AS Routes ActRts State InUpds OutUpds Uptime
169.254.129.4 65312 0 0 Active 0 0 00:00:00

Multiple times Active

TEST-CHPSG02> show bgp peers

Flags: R - Peer restarted, W - Waiting for End-Of-RIB from Peer

PeerID AS Routes ActRts State InUpds OutUpds Uptime
169.254.129.4 65312 1 1 Established 2 1 00:00:00

And now established.

I have 3-5 sec (sometimes more) downtime when standby gateway become active

May be I configured it improperly?

Second question is the best way to configure dynamic routing beatwen ClusterXL and cisco/Huawei routers. OSPF/IS-IS/BGP?

What I must do? configure peering to each gateways or to VIP address?

If to each gateways how Cisco will know about which route is prefer (which gateway is active)?

Thank You!

1 Solution

Accepted Solutions

You should configure the routers to use the VIP only.
It may take a couple seconds for the ClusterXL failover to occur.

View solution in original post

4 Replies

You should configure the routers to use the VIP only.
It may take a couple seconds for the ClusterXL failover to occur.

Thank You!

Can You explain me how I can to switch active gateway without reooting?

And second question, which protocol do you recommend as IGP with checkpoint for minimal downtime?

Thank you!

I believe you can execute the command clusterXL_admin down to do this (clusterXL_admin up to reverse it).

The choice of an IGP depends on a number of factors.
From what I see on the community, OSPF is probably the most commonly used.

Make sure BGP port (tcp/179) is allowed in both directions. It should be allowed for VIP IPs.

Kind regards,
Jozko Mrkvicka

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

User

Count

26

19

17

13

8

8

8

5

5

5

Upcoming Events

Sort by:

Virtual

Thu 14 Nov 2024 @ 03:00 PM (CET)

AI Series Part 2: Navigating AI to Balance Cyber Risks and Benefits - EMEA Session

Virtual

Thu 14 Nov 2024 @ 11:00 AM (EST)

Tips and Tricks 2024 #20: When Every Second Counts: Cybersecurity Incident Response

Thu 14 Nov 2024 @ 05:00 PM (CET)

Code Security Strategies for Minimizing Emergency Fixes

Virtual

Thu 14 Nov 2024 @ 02:00 PM (EST)

AI Series Part 2: Navigating AI to Balance Cyber Risks and Benefits - Americas Session

In-Person

Tue 19 Nov 2024 @ 10:00 AM (CET)

CheckMates Live Munich - What's new in R82?

In-Person

Tue 19 Nov 2024 @ 12:00 PM (MST)

Salt Lake City: Infinity External Risk Management and Harmony SaaS

Virtual

Thu 14 Nov 2024 @ 03:00 PM (CET)

AI Series Part 2: Navigating AI to Balance Cyber Risks and Benefits - EMEA Session

Virtual

Thu 14 Nov 2024 @ 11:00 AM (EST)

Tips and Tricks 2024 #20: When Every Second Counts: Cybersecurity Incident Response

Virtual

Thu 14 Nov 2024 @ 02:00 PM (EST)

AI Series Part 2: Navigating AI to Balance Cyber Risks and Benefits - Americas Session

Virtual

Wed 20 Nov 2024 @ 05:00 PM (CET)

Under the Hood: DO NOT Renew your WAF without watching THIS!!

Virtual

Thu 21 Nov 2024 @ 03:00 PM (CET)

EMEA: Web Filtering Best Practices

Virtual

Tue 26 Nov 2024 @ 05:00 PM (CET)

Discover the Future of Cybersecurity: What’s New in Check Point’s Quantum Firewall R82

In-Person

Tue 19 Nov 2024 @ 10:00 AM (CET)

CheckMates Live Munich - What's new in R82?

In-Person

Tue 19 Nov 2024 @ 12:00 PM (MST)

Salt Lake City: Infinity External Risk Management and Harmony SaaS

In-Person

Wed 20 Nov 2024 @ 02:00 PM (MST)

Denver South: Infinity External Risk Management and Harmony SaaS

In-Person

Thu 21 Nov 2024 @ 10:00 AM (CET)

CheckMates Live Frankfurt - What's new in R82?

In-Person

Thu 21 Nov 2024 @ 02:00 PM (MST)

Denver North: Infinity External Risk Management and Harmony SaaS

In-Person

Tue 03 Dec 2024 @ 10:00 AM (GMT)

UK Community CNAPP Training Day 1: Cloud Risk Management Workshop

CheckMates Events