This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
DR_74
Collaborator
‎2024-03-19 08:34 AM

HA synchronization interface sizing

Hi Community,

We are on the way to refresh our Firewall cluster with new appliances.

We are running few Virtual Systems on 5800 appliances taht will be replaced with new 7000 on 2 separate DC.

We have several 10G interfaces on the new appliances dedicated for traffic and we wonder if the HA synchronization interfaces need to be 10G as well or if a bond with 2x1G is enough for that purpose?

Also in the old times I remember there was some pre-requisites/restrictions when connecting 2 clusters on the same networks?  (we plan to have both clusters in parallel during the migration) Is this still the case with R81.20?

Thanks

 

Labels
0 Kudos
8 Replies
emmap
MVP Gold CHKP MVP Gold CHKP
MVP Gold CHKP
‎2024-03-19 08:40 AM

Generally speaking, the Sync port on the box is enough. 

You don't have to do anything special with two clusters next to each other anymore, that's all taken care of in the background.

0 Kudos
DR_74
Collaborator
‎2024-03-19 08:48 AM
In response to emmap

Hi,

Even the Sync HA interface of the new  FW can be on the same VLAN as the former one?

0 Kudos
Bob_Zimmerman
MVP Gold
MVP Gold
‎2024-03-19 11:59 AM
In response to DR_74

As long as they don't use the same IP addresses, that shouldn't cause problems. It's worth avoiding if you can, simply because that's an easy way to guarantee it won't interfere rather than shouldn't. Ounce of prevention and all that.

As for sync capacity, that really depends on the connections per second which the firewall handles. 1g is generally plenty of capacity for the 1U boxes. If you want fault tolerance, bond two 1g interfaces together. I wouldn't bother with 10g for sync unless you're doing some ridiculous stuff like syncing all connections on a firewall in front of a DNS server.

Your comment about the VLAN for sync makes me pretty sure you know this already, but you should run sync through a switch (or a pair of switches for a bonded pair of sync interfaces).

0 Kudos
(1)
the_rock
MVP Platinum
MVP Platinum
‎2024-03-19 12:07 PM
In response to DR_74

As Bob said, as long as IP is not the same, it should be fine.

Andy

Best,
Andy
0 Kudos
JozkoMrkvicka
Authority
Authority
‎2024-03-19 02:45 PM
In response to DR_74

If you want to run synchronization over VLAN defined on Check Point (trunk port), then you have to use the lowest VLAN-ID for sychronization network (if there are more VLANs on the interface).

Kind regards,
Jozko Mrkvicka
0 Kudos
emmap
MVP Gold CHKP MVP Gold CHKP
MVP Gold CHKP
‎2024-03-19 07:10 PM
In response to DR_74

It is strongly recommended to keep each cluster's Sync subnet isolated from everything else.

0 Kudos
CheckPointerXL
Advisor
Advisor
‎2024-04-16 01:36 PM
In response to emmap

Hello Emma,

Can you please elaborate your best practice for bonding sync interface? Merging information from documentation and other checkmates discussion leave me some doubts.

Which design is better? With switch or direct link? Active/Backup, round robin or LACP with l2 hashing?

Thanks a lot

0 Kudos
emmap
MVP Gold CHKP MVP Gold CHKP
MVP Gold CHKP
‎2024-04-17 02:44 AM
In response to CheckPointerXL

The ClusterXL Admin guide has some supported topologies for redundant Sync.

https://sc1.checkpoint.com/documents/R81.20/WebAdminGuides/EN/CP_R81.20_ClusterXL_AdminGuide/Content...

Generally I'd recommend active/backup for your sync bond, as it's simpler and there's little value in trying to load share it. It is still supported to connect your sync interfaces directly if using a switch is not feasible. 

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    CheckMates Events