
Replace large appliance with multiple clusters


We are contemplating replacing a pair of large Checkpoint appliances with a group of smaller boxes.

The existing appliances have effectively 4 interfaces: Inside, Outside, Edge and DMZ.

The proposal is to create a pair of firewalls for each of these segments, which meet in the middle.

Does this sound like a really bad idea?

Anybody else done anything like this?



0 Kudos
4 Replies

It doesn't sound like an actively bad idea, but what is the goal of moving to more boxes?

I have an environment a bit like that. We have a core transit per datacenter with a bunch of firewalls leading from that transit to other things. We've split the firewalls into two types: firewalls which own networks where servers live, and firewalls which own a connection to somewhere else (an Internet connection, a WAN link, etc.). The idea for us was to provide segmentation of impact. For example, if one of the Internet firewalls goes down, only some things depend on that Internet connection.

In practice, it has turned out to be a negative. The applications behind these firewalls depend on each other such that if any part goes down, they may as well all go down. We have the extra boxes to maintain without more windows for that maintenance.

0 Kudos

Segmentation of impact was our goal.

We had an incident that took out the big firewalls. We have a cluster but managed to defeat the cluster mechanism at the same time.

Anyway, the theory was if we lose the edge pair, we could still get from inside to outside, or from DMZ to inside.

We would still lose anything that depends on the edge, but that's a partial outage, not a total outage.

That's the idea.

0 Kudos

Depending on the failure that occurred, this might be something that Maestro could help with. That way you can have multiple small boxes working together as a large firewall, but if an appliance fails the rest of the appliances will share its load until it recovers, plus you can just add more appliances in future to scale up performance as needed.

Ultimately though nothing segregates like completely separate clusters, as long as it doesn't overly complicate the architecture and introduce new potential failure points. I'm sure your local sales team would be happy to have a chat around whether Maestro or multiple clusters would be more appropriate here, taking into consideration the failure that occurred and any other failure scenarios you need coverage for.

0 Kudos

Our local sales team already tried to pitch Maestro.

The problem I have with that is it moves the failure point from the gateway to the orchestrator. If something happens to the orchestrator (or pair), it doesn't matter how many gateways we have in between.

It also adds cost.

The scenario we had and are trying to engineer away from is catastrophic failure of 1 component leading to a loss of all traffic.
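The thread argues two sides of the same question: per-segment clusters shrink the blast radius of a single failure (the original poster's goal), but shared components and hidden application dependencies can quietly widen it again (the first reply's experience). The following model, added here as an example and not code from the thread or from Check Point, makes that trade-off checkable. It treats each traffic flow as needing every firewall component on its path, each application as needing its flow plus the applications it depends on, and then asks which applications are lost when any single component fails. The topologies, component names ("big-cluster", "core", "edge-pair", ...), applications and dependencies are all constructed assumptions, not anyone's real environment; the "core" component stands in for the shared transit the clusters meet on.

```python
"""Blast-radius model for firewall segmentation (constructed example).

Each flow needs every component on its path to be up; each application
needs its own flow and every application it depends on. For each single
component failure we compute the set of applications that go down.
Everything below is a constructed assumption for illustration.
"""
from itertools import chain

# Topology A: one large cluster carries every flow.
SINGLE_CLUSTER = {
    "inside->outside": {"big-cluster"},
    "dmz->inside": {"big-cluster"},
    "edge->inside": {"big-cluster"},
}

# Topology B: one cluster per segment, meeting at a shared core transit.
PER_SEGMENT = {
    "inside->outside": {"inside-pair", "outside-pair", "core"},
    "dmz->inside": {"dmz-pair", "inside-pair", "core"},
    "edge->inside": {"edge-pair", "inside-pair", "core"},
}

# Applications: the flow each one rides and the other apps it needs.
APPS = {
    "web-portal": {"flow": "dmz->inside", "needs": set()},
    "partner-feed": {"flow": "edge->inside", "needs": set()},
    "saas-sync": {"flow": "inside->outside", "needs": set()},
}

# Same apps, but the portal has a hidden dependency on the partner feed.
COUPLED_APPS = {
    **APPS,
    "web-portal": {"flow": "dmz->inside", "needs": {"partner-feed"}},
}


def surviving_flows(topology, failed):
    """Flows that still have every component on their path after `failed` dies."""
    return {flow for flow, comps in topology.items() if failed not in comps}


def app_is_up(app, apps, flows_up, seen=frozenset()):
    """An app is up if its flow survives and every app it needs is up."""
    if app in seen:            # guard against dependency cycles
        return True
    spec = apps[app]
    if spec["flow"] not in flows_up:
        return False
    return all(app_is_up(dep, apps, flows_up, seen | {app})
               for dep in spec["needs"])


def blast_radius(topology, apps):
    """Map each component to the set of apps lost when only that component fails."""
    components = set(chain.from_iterable(topology.values()))
    radius = {}
    for comp in sorted(components):
        flows_up = surviving_flows(topology, comp)
        radius[comp] = {a for a in apps if not app_is_up(a, apps, flows_up)}
    return radius


def report(name, topology, apps):
    print(f"== {name} ==")
    for comp, lost in blast_radius(topology, apps).items():
        print(f"  lose {comp:13s} -> down: {sorted(lost) or 'nothing'}")


if __name__ == "__main__":
    report("single cluster", SINGLE_CLUSTER, APPS)
    report("per-segment clusters", PER_SEGMENT, APPS)
    report("per-segment, coupled apps", PER_SEGMENT, COUPLED_APPS)
```

Running it shows the three positions in the thread side by side: with one cluster every component failure is a total outage; with per-segment clusters an edge-pair failure only takes the partner feed, which is the partial outage the poster wants; but the shared core (and, here, the inside pair that every flow crosses) still fail everything, and the moment the portal depends on the partner feed, the edge failure takes the portal down too, which is the first reply's point that application coupling can erase the segmentation gain. Swapping in the real flows, paths and dependencies is how you would test whether the proposed design actually delivers a partial outage for the failure you experienced.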


