This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
Neville_Kuo
Advisor
‎2018-05-25 09:23 AM

OSPF neighbor count

Dear all:

Is there anyone who ever managed over 200 OSPF neighbors and 6 ares before? It's not difficult with Juniper/Cisco or other vendors but what about Check Point?

The customer is using Juniper SSG5200(HA) and doing OSPF over ipsec(Route based VPN) with 200 Juniper SSG350M(2 wan links) for 10 years(Built by me.), if I want to replace with Check Point, can central vpn termination point can handle so many vpn tunnels and OSPF neighbors? I'm afraid of routeD crashes sometimes, that's a nightmare for this kind of network scope.

I know customer can have better choice but I'm wondering can I do the same thing with CP5600(HA) and SMB models like CP1490(For branches)?

4 Replies
XavierBens
Employee
Employee
‎2018-05-26 06:57 AM

I assume your question could be divided on two points:

 - OSPF ability; I assume yes; you can check on sk95968‌ OSPF on Gaia general document and on its related documentations and solutions

- VPN in large environment: will you try Multiple Entry Point (MEP)? If so, look at the dedicated section of the VPN admin guide of your version.

Cybersecurity Evangelist, CISSP, CCSP, CCSM Elite
0 Kudos
Neville_Kuo
Advisor
‎2018-05-27 06:55 PM
In response to XavierBens

Hi:

Actually I'ved tried large number of ospf neighbors and neighbors status start random dropping after over 60 neighbor counts(About 2 years ago with R77.30), that's why I doubt Check Point's routeD stability, and MEP is not what customer need since customer's dual wan should be Active/Active mode.

But still thanks for your replay, hope R80.10 or later version can be better.

XavierBens
Employee
Employee
‎2018-05-28 07:00 AM
In response to Neville_Kuo

So we need to wait concrete feebadck from Check Point: Dameon Welch Abernathy‌ could you help us on this?

Cybersecurity Evangelist, CISSP, CCSP, CCSM Elite
0 Kudos
PhoneBoy
Admin
Admin
‎2018-05-28 04:06 PM
In response to XavierBens

We've made a number of stability improvements in routed over the last two years, including situations where there are a large number of OSPF neighbors.

I believe most of these fixes were rolled into R80.10 as some of these fixes were available in R77.30 as well.

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    CheckMates Events
    Top