This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
Matlu
MVP Silver
MVP Silver
‎2023-08-28 08:58 AM

Operating ClusterXL in LS mode

Hello, everyone.

Currently, we have a ClusterXL operating in HA mode.

By an explicit request from the customer, it requires to change the operation mode to Load Sharing.

When we try to do this, the following warning message appears.

LS.jpg

Is this "alert" common to all scenarios where the operating mode is changed to LS?

I checked the SK, but currently, the client is not taking advantage of the MOB blades, nor IPsec VPN (these services do not work in the Cluster).

Is it necessary to apply the SK recommendation in this scenario?

Could someone explain me, what is the difference between choosing the LS in a Multicast or Unicast mode?

It is very important to know which of these modes to choose?

Thanks for your comments.

 

 

 

0 Kudos
6 Replies
the_rock
MVP Platinum
MVP Platinum
‎2023-08-28 10:10 AM

Yes bro, you need to follow the sk and below is reference for the differences.

Andy

https://sc1.checkpoint.com/documents/R81/WebAdminGuides/EN/CP_R81_ClusterXL_AdminGuide/Content/Topic....

Best,
Andy
0 Kudos
Matlu
MVP Silver
MVP Silver
‎2023-08-28 10:41 AM
In response to the_rock

If it makes sense what you are explaining to me.

But you know how customers are, many do not want to pay attention to recommendations.

I understand according to the documentation I have read, that working the LS in Unicast mode, "balances" the traffic load, in a range of 30-70%, for each GW of the Cluster, right?

0 Kudos
the_rock
MVP Platinum
MVP Platinum
‎2023-08-28 11:24 AM
In response to Matlu

Trust me mate, I had been literally all over the world, so I am very familiar with most cultures : - ). As far as Brazil, I know people can be little hesitant to change (but, in all fairness, most people are like that lol), but having said that, as long as you properly explain to them the downsides, Im sure they will understand.

Out of curiosity, what is their number 1 reason for wanting to do LS mode?

Andy

Best,
Andy
0 Kudos
PhoneBoy
Admin
Admin
‎2023-08-28 04:39 PM
In response to Matlu

In Unicast mode, one member is the "pivot" which means it receives all traffic.
It will process 30% of the traffic and forward the rest (70%) to the other node to process.

ElasticXL in R82 will provide better load sharing (similar to Maestro).

0 Kudos
the_rock
MVP Platinum
MVP Platinum
‎2023-08-28 10:15 AM

By the way, just me personally, I would NOT recommend they use this mode, specifically due to all the limitations. 

https://support.checkpoint.com/results/sk/sk101539

Also, think about it. Some customer would say to you, yea, but its sharing the load, so its better...um, not exactly. Here is why I say that...in clusterXL, one member will always process traffic and if there is an issue, other one takes over, so its ready to keep processing the traffic and thats more convenient, as there was no load on that firewall at all, until main one faultered.

Makes sense?

Andy

Best,
Andy
0 Kudos
Bob_Zimmerman
MVP Gold
MVP Gold
‎2023-08-28 11:36 AM

If they're going with load sharing because they have too much load for one member, two members won't be able to carry the load safely. If either member fails, you're down to one member which you know can't carry the load. This actually increases the chance of a whole-cluster failure in the same way RAID 0 increases the chance of the whole volume failing.

Additionally, unicast load sharing only gives about 60% of the single-member throughput capacity per member. Two members gives you about 120% what one member could do. Three members gives you about 180% of what one member could do.

For a load sharing cluster to be effective and to have capacity to tolerate a member failing, they should have a minimum of four members.

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    CheckMates Events