This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
rozkie20
Contributor
‎2025-06-23 09:47 AM

Hardware Compatibility for Adding a gateway to Existing VSX Cluster.

Hi Everyone,

My customer is currently running a Check Point 15400 cluster with VSX, and they are planning to add a new Check Point 9400 appliance to this cluster.

From my understanding, it is technically possible to add a different model to the cluster if we reduce the number of CPU cores on the 9400 to match the 15400, ensuring resource compatibility. However, I have some concerns regarding interface compatibility.

The existing 15400 appliances are using SFP+ port cards, while the new 9400 appliance only has the default 4 onboard ports (fiber). My question is:

If we want to integrate the 9400 into the current cluster, do we need to install a matching SFP+ port card on the 9400, so that VSX can properly recognize and sync the interfaces between members?

Any clarification or experience regarding this type of mixed-model VSX cluster deployment would be highly appreciated.

BR,

0 Kudos
5 Replies
G_W_Albrecht
MVP Silver
MVP Silver
‎2025-06-24 04:21 AM

I would suggest to contact CP TAC for this question - your customer relies on having a supported deployment, so this is necessary !

CCSP - CCSE / CCTE / CTPS / CCME / CCSM Elite / SMB Specialist
0 Kudos
Chris_Atkinson
MVP Platinum CHKP MVP Platinum CHKP
MVP Platinum CHKP
‎2025-06-24 05:06 AM

This is not a "supported" configuration the ClusterXL admin guide documents that the hardware & software should be aligned between members. I would also advise against reducing core counts in a VSX environment.

CCSM R77/R80/ELITE
0 Kudos
G_W_Albrecht
MVP Silver
MVP Silver
‎2025-06-24 06:01 AM

Also VSX Admin Guide tells us: A VSX Cluster has two or more identical, interconnected VSX Gateways for continuous data synchronization and transparent failover. (https://sc1.checkpoint.com/documents/R81.20/WebAdminGuides/EN/CP_R81.20_VSX_AdminGuide/Content/Topic...)

Identical means that SW & HW is the same...

CCSP - CCSE / CCTE / CTPS / CCME / CCSM Elite / SMB Specialist
0 Kudos
PhoneBoy
Admin
Admin
‎2025-06-24 08:24 AM

Traditional clustering (either with ClusterXL or VSX) requires all cluster members to have identical hardware.
You might be able to make it work with unlike hardware, but it is not supported. 

Note that we are planning to add support for cluster members of different hardware types in ElasticXL (requires R82).

0 Kudos
Bob_Zimmerman
MVP Gold
MVP Gold
‎2025-06-24 10:10 AM

Exactly this question was asked in another post at around the same time you posted. Are you both posting about the same environment?

It's possible to do this, but the 15400s and the 9400 won't be able to sync. There will be a hard outage when you move traffic from the 15400s to the 9400.

As I described in the other thread, I would recommend using vsx_util change_interfaces to replace all uses of eth[whatever] with bonds. Then in the future, swapping hardware becomes much easier, since the only prep work you need to do on a new member is building the bonds. You'll still have to take the outage when moving between non-identical boxes, but it should be relatively quick.

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    CheckMates Events