Hi
So, if I need to connect a 3rd cluster member and put it in a different geo location,
because I want all DMZ servers to still have a GW if the main site is down:
is there a solution for the internet lines, besides stretching the internet lines as layer 2 to the 2nd site?
Is there a configuration where the cluster can support each GW having a separate interface for internet, etc.? I read about the new active-active cluster but I'm not sure it's suitable; there is not much info on it. I need all DMZ VLANs to be the same between sites, and only the internet interfaces to be different, if possible.
Thanks
You could test the "Monitored Private" interface type in ClusterXL, but there will be caveats around dynamic routing (sk116815), and it is not considered best practice.
I don't want to create a solution based on something that is not healthy.
My question is: does Check Point have any healthy solution for this situation or not?
Do you actually need state sync for this? If the whole cluster at the main site is down, would systems at the main site be able to go out through the other site?
If not, just run a separate firewall and push the same policy to both. It's enormously cleaner than trying to run a multi-site cluster.
The two sites stretch the same networks over a layer 2 line, like it's one network. Hosts on site A can communicate with hosts on site B on the same VLAN through the layer 2 line. This is why I can't put two separate GWs with different addresses: when I move/migrate a VM from the main site to the 2nd site, it will have the same default GW. And I can't give the FWs the same IP because it will be a duplicate, because again the VLANs are stretched.
Frankly, this kind of problem is exactly why spanning layer 2 domains between datacenters is a bad idea. And it leads to deeply frustrating performance pathologies when latency-sensitive systems in one datacenter try to connect to systems in another datacenter as if they're local.
I'm also extremely skeptical of the utility of moving live VMs from one datacenter to another. Every single time I have seen somebody build an environment with that capability, they have ended up painting themselves into a corner with bad availability design.
Very well said.
The whole cluster can only run in one mode, so you would need to "convert" your 2-node cluster in the first geolocation to active-active as well. That's why I don't think that an active-active cluster will work here. How are the internal networks stretched across locations? Maybe a third stand-alone appliance with proxy ARP can do the job?
The two sites stretch the same networks over a layer 2 line, like it's one network. Hosts on site A can communicate with hosts on site B on the same VLAN through the layer 2 line, so I can't have any duplicate ARPs or IPs.
Clustering generally requires that every interface share a Layer 2 domain and have latency no more than 100ms.
Also failover across sites is a LOT more complicated than simply the gateways failing over unless they also share a Layer 2 domain (which they may not).
It usually involves dynamic routing changes, among other things.
An actual diagram showing the proposed environment with traffic flows in the active and “failed over” state would be helpful.
Most likely you’re not going to need a Geo cluster but you’ll need some other solution.
We do have the ability to do this in R80.40 (without the Layer 2 requirement) but these cluster operate a bit differently and are active/active.
See: https://sc1.checkpoint.com/documents/R80.40/WebAdminGuides/EN/CP_R80.40_ClusterXL_AdminGuide/Topics-...
Here is the main idea.
Of course it's oversimplified here, without all the details.
The idea is that I have ESX servers on the main site and ESX servers on the 2nd site. Let's assume site A goes down: all VMs migrate to ESX on the 2nd site. They should have the same DG, etc. There could also be a scenario where I migrate some VMs to the 2nd site in parallel with the VMs active on the main site, and they should be on the same L2 domain and communicate with each other totally transparently.
On the LAN FW it's simple because it's all LANs. The question starts on the internet DMZ / internet FW, which also involves DMZ networks that are shared between sites in the same way and will also have migrations between ESX servers, etc. (I only pictured one cluster to simplify the drawing.)
Thanks
Switch the WAN vlans between the 2 sites and configure ISP Redundancy on the 3 node cluster. If one site goes down the other half of the cluster will be active and isp redundancy will route through the right wan link.
Sorry, I don't follow.
ISP Redundancy is a configuration in the cluster object; as far as I know you can't configure it for only one cluster member. Also, I don't see how it solves the issue that a healthy cluster needs L2 connectivity on all interfaces.
Sorry, English is not my first language. The basic idea is to have 2 WAN lines and bridge both between the DCs, just like the internal VLANs. Then configure your 3-node ClusterXL to use both WANs via ISP Redundancy. If one DC goes down, the associated WAN line will be down too, but due to ISP Redundancy the cluster node in the "surviving" DC will just use the other line.
Now I get it.
But if I could bridge the internet lines I wouldn't have any problem. The issue starts because I can't. And I asked if there is a solution for a cluster that doesn't have the same WAN interfaces.
I am 99.99% sure that is not possible for CP cluster, but I would get official confirmation from TAC.
Are they different Internet connections entirely with different IP address space?
And you might need to do different NAT when using the different Internet connections?
If that's the case, this is not a problem a cluster can solve as connections wouldn't possibly survive a failover anyway. 
Let's assume I use an external global load balancer for published services that knows how to work across different locations and subnets facing the outside world. I would still have different internet connections with different IP address space. Is there a healthy solution for a CP cluster to work like that?
Not in any way that guarantees a connection will survive a failover across location.
Hi,
so I figured out a topology.
I can install a layer 2 line between the DCs and transfer the VLAN that sits between the internet GW and the router that is connected to the 2 internet lines. There will be a router on each site with its own internet lines. I want to configure the internet GW (cluster) so that: 1. if the active member is in site A, it routes traffic with priority to site A and uses site B as a backup, and the opposite if the active member is now in site B; and 2. the Check Point knows to return the packet via the same interface/next hop the packet arrived from (for incoming connections).
I know that ISP Redundancy is built for this purpose, but it has its limitations. For example, I can't prioritize ISPs based on latency/bandwidth; I need to configure one priority for the whole cluster, and not per member; and I also can't use a third ISP (which in my case may be helpful as a 3rd option).
How can I accomplish this with dynamic routes/PBR or other features? Thanks
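As an added illustration of the first requirement above (it is not from the original thread, and it is not Check Point's documented design for this scenario): in Gaia, static routes are part of each member's own OS routing configuration rather than the cluster object, so the preferred next hop can differ per member. The addresses are placeholders I assumed for this example: the site A router is 192.0.2.1 and the site B router is 192.0.2.2, both on the bridged WAN VLAN. The priority on a default route is a Gaia static-route attribute, and ping monitoring of next hops lets the member fall back to the lower-priority router when the preferred one stops answering.

```clish
# Member located in site A: prefer the site A router, fall back to site B.
# 192.0.2.1 / 192.0.2.2 are assumed placeholder router addresses on the bridged WAN VLAN.
set static-route default nexthop gateway address 192.0.2.1 priority 1 on
set static-route default nexthop gateway address 192.0.2.2 priority 2 on
# Monitor next hops with ping so the lower-priority route takes over on failure.
set static-route default ping on
save config

# Member located in site B: same routes, priorities swapped.
set static-route default nexthop gateway address 192.0.2.2 priority 1 on
set static-route default nexthop gateway address 192.0.2.1 priority 2 on
set static-route default ping on
save config
```

This only covers outbound preference. It does not make replies to inbound connections leave through the interface or next hop they arrived on; replies follow the member's routing table like any other packet, so the second requirement is not addressed by this configuration. Per-member routing also has to be kept consistent by hand on every member, and any such setup should be confirmed against the ClusterXL Administration Guide and TAC before relying on it.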
Tell me more about the requirements please. Do you worry primarily about outgoing (i.e. from server to wan) or incoming connections (i.e. NAT from wan to your servers)? 
Do you need the failover to preserve connections or is it okay for the servers to reestablish connections after failover to another DC? How do you migrate your VMs, is it a hot or cold migration?
Are the DCs active-active or active-passive?
Both incoming and outgoing.
Re-establishing connections is also OK.
Both hot and cold migration.
The 2 DCs are active-active.