Philip W

ClusterXL active-active vs active-passive

Discussion created by Philip W on Nov 12, 2018
Latest reply on Nov 12, 2018 by Philip W

Hi CheckMates!

We are going to implement new Check Point clusters to replace the ageing Juniper firewalls. I was going to install 2 HA Active-Passive clusters, each with 2 IP addresses + VIP per WAN link, but the ISP's design does not allow this.

The ISP is suggesting the following:

- Site1 GW1 uses the Active Layer3 link with IP address a.a.a.x/31 for internet access
- Site1 GW2 uses the Active Layer3 link with IP address b.b.b.x/31 for connections between sites via IPsec
- Site2 GW1 uses the Active Layer3 link with IP address c.c.c.x/31 for internet access
- Site2 GW2 uses the Active Layer3 link with IP address d.d.d.x/31 for connections between sites via IPsec

(Apparently "on Juniper you can use a WAN link on the Active member, and another active WAN link on the Passive member")

If you ask me, this cannot be done in a Check Point Active-Passive setup. At a minimum, I'll need an Active-Active load sharing cluster, but then I imagine I'll run into issues using different subnets on the WAN interfaces of each cluster member.

What is your opinion? Any suggestions?

Kind regards

Ph.
