This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
Solitude
Explorer
2 weeks ago

Question about Sync Interface Routing in Check Point Cluster

Hello team,

I'm new with Checkpoint, and I have a question about the feature in Cluster, hope you can help me answer.

I would like to ask about the possibility of routing through the Sync interface in a Check Point Cluster running in Active-Active mode.

Is there any feature in the cluster_XL that allows data traffic to be transferred via the Sync port between the two appliances?

For example, in the case below:

z6933694410342_5923c541687f2f5c74b1d3aba1169e98.jpg

If the two uplinks (marked with red X) are down, can the host on the lower side still reach the Internet by rerouting traffic through the Sync interface between the two firewalls?

I'm tried to search for a solution but still no luck.

Best Regards.

 

0 Kudos
4 Replies
Danny
Champion Champion
Champion
2 weeks ago

Rerouting traffic is not required if a cluster member fails.
The host always talks to the Virtual Cluster IP (VIP) 192.168.1.1.

Solitude
Explorer
2 weeks ago
In response to Danny

I’m aware of the Virtual IP mechanism but If LAN2 goes down (On the right), is there any way for users to still reach the Internet via the Sync interface (the cluster sync link) as a fallback path?

0 Kudos
Chris_Atkinson
Employee Employee
Employee
2 weeks ago
In response to Solitude

The topology is not valid, all segments should have a VIP hence this shouldn't be a requirement.

In your example the healthiest member will be active-attention.

Utilize bonds for link protection where needed.

CCSM R77/R80/ELITE
emmap
Employee
Employee
a week ago
In response to Solitude

There is no mechanism to allow data traffic to traverse the Sync link. This is by design to isolate critical sync traffic from the rest of the network and to eliminate a possible bottleneck on that link.

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    Sort by:
    CheckMates Events