This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
ndcosta
Explorer
‎2019-08-01 06:23 AM
Jump to solution

Geo Active-active Datacenter firewall architecture

Hi guys,

 

We are checkpoint costumer. Currently we have two VSX clusters in two geographic locations with production and disaster recovery site.

In near future we will change this to active-active architecture streching the network in both geographies using Cisco ACI with VxLAN.

Can you please advise us with the best scenario for firewall?

Do we need two clusters?

Can we have firewall instance in both geographies for the same networking "zone".

 

 

Regards,

Nuno

2 Solutions

Accepted Solutions
HeikoAnkenbrand
MVP Platinum
MVP Platinum
‎2019-08-01 01:29 PM
Jump to solution

If you are using a VSX Cluster with gateways at two locations, you must comply with the following ClusterXL parameters:

- maximum sync / CCP packet delay: 100 ms

- maximum sync / CCP packet lost: 0.2%

- Layer 2 connection between the locations

More read here:

ATRG: ClusterXL

➜ CCSM Elite, CCME, CCTE ➜ www.checkpoint.tips

View solution in original post

Wolfgang
MVP Gold
MVP Gold
‎2019-08-01 10:56 PM
Jump to solution

Nuno,

please note the requirements mentioned by Heiko.

If you can use VSLS ( Virtual System Load Sharing) with your VSX you can build a VSX cluster with 4 nodes, two in every location. With VSLS you can distribute your virtual system beetween all nodes. As an example you have 4 VS, you can run one VS on every node in your VSX-cluster.

VSLS can't be used if you are using a virtual-router in your environment.

best regards

Wolfgang

View solution in original post

3 Replies
HeikoAnkenbrand
MVP Platinum
MVP Platinum
‎2019-08-01 01:29 PM
Jump to solution

If you are using a VSX Cluster with gateways at two locations, you must comply with the following ClusterXL parameters:

- maximum sync / CCP packet delay: 100 ms

- maximum sync / CCP packet lost: 0.2%

- Layer 2 connection between the locations

More read here:

ATRG: ClusterXL

➜ CCSM Elite, CCME, CCTE ➜ www.checkpoint.tips
Wolfgang
MVP Gold
MVP Gold
‎2019-08-01 10:56 PM
Jump to solution

Nuno,

please note the requirements mentioned by Heiko.

If you can use VSLS ( Virtual System Load Sharing) with your VSX you can build a VSX cluster with 4 nodes, two in every location. With VSLS you can distribute your virtual system beetween all nodes. As an example you have 4 VS, you can run one VS on every node in your VSX-cluster.

VSLS can't be used if you are using a virtual-router in your environment.

best regards

Wolfgang

ndcosta
Explorer
‎2019-08-02 01:48 AM
In response to Wolfgang
Jump to solution

Hi everyone, Thank you for sharing your knowledge! Regarding the number os nodes, do we have limitations for VSLS Cluster? Can we have dynamic routing active with this scenario? best regards, Nuno

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    CheckMates Events