Create a Post
cancel
Showing results for 
Search instead for 
Did you mean: 
DR_74
Collaborator

HA synchronization interface sizing

Hi Community,

We are on the way to refresh our Firewall cluster with new appliances.

We are running few Virtual Systems on 5800 appliances taht will be replaced with new 7000 on 2 separate DC.

We have several 10G interfaces on the new appliances dedicated for traffic and we wonder if the HA synchronization interfaces need to be 10G as well or if a bond with 2x1G is enough for that purpose?

Also in the old times I remember there was some pre-requisites/restrictions when connecting 2 clusters on the same networks?  (we plan to have both clusters in parallel during the migration) Is this still the case with R81.20?

Thanks

 

0 Kudos
8 Replies
emmap
Employee
Employee

Generally speaking, the Sync port on the box is enough. 

You don't have to do anything special with two clusters next to each other anymore, that's all taken care of in the background.

0 Kudos
DR_74
Collaborator

Hi,

Even the Sync HA interface of the new  FW can be on the same VLAN as the former one?

0 Kudos
Bob_Zimmerman
Authority
Authority

As long as they don't use the same IP addresses, that shouldn't cause problems. It's worth avoiding if you can, simply because that's an easy way to guarantee it won't interfere rather than shouldn't. Ounce of prevention and all that.

As for sync capacity, that really depends on the connections per second which the firewall handles. 1g is generally plenty of capacity for the 1U boxes. If you want fault tolerance, bond two 1g interfaces together. I wouldn't bother with 10g for sync unless you're doing some ridiculous stuff like syncing all connections on a firewall in front of a DNS server.

Your comment about the VLAN for sync makes me pretty sure you know this already, but you should run sync through a switch (or a pair of switches for a bonded pair of sync interfaces).

0 Kudos
(1)
the_rock
Legend
Legend

As Bob said, as long as IP is not the same, it should be fine.

Andy

0 Kudos
JozkoMrkvicka
Authority
Authority

If you want to run synchronization over VLAN defined on Check Point (trunk port), then you have to use the lowest VLAN-ID for sychronization network (if there are more VLANs on the interface).

Kind regards,
Jozko Mrkvicka
0 Kudos
emmap
Employee
Employee

It is strongly recommended to keep each cluster's Sync subnet isolated from everything else.

0 Kudos
CheckPointerXL
Advisor
Advisor

Hello Emma,

Can you please elaborate your best practice for bonding sync interface? Merging information from documentation and other checkmates discussion leave me some doubts.

Which design is better? With switch or direct link? Active/Backup, round robin or LACP with l2 hashing?

Thanks a lot

0 Kudos
emmap
Employee
Employee

The ClusterXL Admin guide has some supported topologies for redundant Sync.

https://sc1.checkpoint.com/documents/R81.20/WebAdminGuides/EN/CP_R81.20_ClusterXL_AdminGuide/Content...

Generally I'd recommend active/backup for your sync bond, as it's simpler and there's little value in trying to load share it. It is still supported to connect your sync interfaces directly if using a switch is not feasible. 

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

Upcoming Events

    CheckMates Events