SnafuNL
Participant

HA on Spark Devices - No cluster IP required for Active/Inactive?

Hello All

Looking for some clarification on how HA works on the Spark Device, specifically ones managed in Spark Management.

I haven't worked with HA in Check Point for about 10 years; back then each firewall needed its own IP along with the Cluster IP. Today I was setting up HA on some Spark Management connected devices, and while configuring the primary member I made all the interfaces non-HA with the intent of setting them up after. After I had the peer configured and synced up, I noticed all the interface settings (including IPs) from the primary had come over to the peer (Inactive).

I know configuring an HA interface with cluster and device IPs is still an option, but does Check Point now offer an Active/Passive HA similar to, say, Palo Alto's? So, if I enable monitor state on each of the primary's interfaces, will the peer assume the primary's IP if it goes down?

Accepted Solutions
sigal
Employee

Hi,
It is still required to have an IP address on the separate interfaces along with cluster IP (total of 3 addresses per clustered interface).
On the LAN interfaces the IP on the interfaces should be routable. On the internet connections the IPs on the interfaces can be private (non-routable), while the cluster IP should be routable.
We had a few bugs with non-HA interfaces on R81.10.17 and this is probably why the interface IP was duplicated. Are you using R81.10.17? If yes, I recommend upgrading to R82.00.10.

Thanks.

6 Replies
the_rock
MVP Diamond

I believe that is how it indeed works for Spark devices HA, not like typical ClusterXL, where you do need separate IP addresses.

Best,
Andy
"Have a great day and if it's not, change it"
0 Kudos
SnafuNL
Participant

Thank you. These are 1590 appliances, so I don't believe R82 is available for them currently.

0 Kudos
the_rock
MVP Diamond

Btw, not sure if you had a chance to have a look at the below?

https://sc1.checkpoint.com/documents/SMB_R81.10.X/AdminGuides_Locally_Managed/EN/Content/Topics/Conf...

Best,
Andy
"Have a great day and if it's not, change it"
0 Kudos
SnafuNL
Participant

Hi

Follow-up question - Cluster status Monitored. The Admin Guide says:

This status is also called private monitored.

The physical interface on this Cluster Member is not coupled with another interface on the other Cluster Member as in High Availability interface mode.

The interface's status is still monitored, and if a problem occurs, the Cluster Member fails over to the other Cluster Member

Does that mean fail over to the peer but the IP from the primary is not assumed?

0 Kudos
sigal
Employee

An interface can be configured to one of three cluster statuses:
1. Non-HA (private): each cluster member has its own IP address. When the interface goes down, the cluster state is not affected.
2. Monitored: each cluster member has its own IP address. When the interface goes down, the associated cluster member becomes down.
3. Clustered (HA): each cluster member has its own IP address + cluster IP address that is visible to the network. When the interface goes down, the associated cluster member becomes down.

Since you are using R81.10.17 you can only use the third option.
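
The three interface statuses listed above, as an added Python model that is not Check Point code and not part of any post in this thread: it checks an address plan against the "3 addresses per clustered interface" rule and shows which addresses the peer answers on after the active member loses a link. Interface names, sample addresses and function names are assumptions of the example, as is its reading that a member's own IP stays with that member and only the cluster IP moves.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

# The three statuses from the thread; these identifiers are the example's own.
NON_HA, MONITORED, CLUSTERED = "non-ha", "monitored", "clustered"

@dataclass
class Iface:
    name: str
    status: str
    member_ips: dict                  # {"A": ip, "B": ip}, one per member
    cluster_ip: Optional[str] = None  # only a clustered interface has one

def validate(ifaces):
    """Return address-plan problems (empty list means the plan is consistent)."""
    problems = []
    for i in ifaces:
        members = {ipaddress.ip_address(a) for a in i.member_ips.values()}
        if len(members) != 2:
            problems.append(f"{i.name}: each member needs its own IP")
        if i.status == CLUSTERED:
            if i.cluster_ip is None:
                problems.append(f"{i.name}: clustered needs 3 addresses, cluster IP missing")
            elif ipaddress.ip_address(i.cluster_ip) in members:
                problems.append(f"{i.name}: cluster IP duplicates a member IP")
        elif i.cluster_ip is not None:
            problems.append(f"{i.name}: {i.status} interface has no cluster IP in this model")
    return problems

def after_link_down(ifaces, active, iface_name):
    """Link loss on the active member: (member goes down?, IPs the peer answers on)."""
    failed = next(i for i in ifaces if i.name == iface_name)
    if failed.status == NON_HA:
        return False, None            # cluster state is not affected
    peer = "B" if active == "A" else "A"
    served = {}
    for i in ifaces:
        served[i.name] = [i.member_ips[peer]]
        if i.status == CLUSTERED:     # only the cluster IP moves to the peer
            served[i.name].append(i.cluster_ip)
    return True, served

# Constructed sample plan (documentation and private ranges, not from the thread).
PLAN = [
    Iface("WAN", CLUSTERED, {"A": "192.168.50.2", "B": "192.168.50.3"}, "203.0.113.10"),
    Iface("LAN2", MONITORED, {"A": "10.0.2.2", "B": "10.0.2.3"}),
    Iface("DMZ", NON_HA, {"A": "10.0.3.2", "B": "10.0.3.3"}),
]
```

Calling `after_link_down(PLAN, "A", "LAN2")` reports a failover in which the peer answers on its own LAN2 address and on the WAN cluster IP, while member A's LAN2 address is not taken over.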
