Muhammad_Amin_Z
Explorer

CheckPoint Cluster Failover Query

Hello CP Experts -

I have 2 CheckPoint 5100s in HA. Currently, firewall failover takes place if the primary firewall goes down physically. Now I want to set it up so that if the WAN interface IP on the primary firewall becomes unreachable, it will shift the traffic flow to the secondary firewall. That means my primary firewall needs to be up physically, but just because its WAN interface becomes unreachable, it should route all network traffic to the secondary firewall, and on the secondary firewall an alternate ISP starts NATting and makes the internet reachable.

I hope I have made my question clear. Looking forward to a positive reply in this regard.

6 Replies
PhoneBoy
Admin

Unless both gateways share the same subnet on all interfaces, have a shared IP, and can reach each other on all interfaces, you won't be able to cluster.

The shared IP would have to be reachable on both ISPs, which is not likely the case.

Also, a cluster has to have exactly the same policy (including NAT) on all members, which is not what you're asking for.

Bottom line: this won't work as a cluster.

PhoneBoy
Admin

Further, since this thread is in English, I am moving it to the proper space: General Product Topics

0 Kudos
Mikel_Aanstoot
Contributor

Hi, just a quick question, but if you already have an alternate ISP, why not connect it to both gateways and have ISP redundancy on both gateways? So on both gateways (active/passive) both ISPs are connected, either in load sharing mode or in Primary/Backup mode. I think that would make a bit more sense.

0 Kudos
Timothy_Hall
Legend

From the second edition of my book:

Question: We suffered an upstream network failure that did not occur on the network/VLAN directly adjacent to the firewall. There was not a failover to the standby member (who had a working network path further upstream) because ClusterXL could not detect this indirect upstream network failure. Can we configure ClusterXL to monitor some upstream IP addresses, and cause a failover to occur when they can no longer be reached?

Answer: Yes! See sk35780: How to configure $FWDIR/bin/clusterXL_monitor_ips script to run automatically on Gaia / Sec....

--
Second Edition of my "Max Power" Firewall Book
Now Available at http://www.maxpowerfirewalls.com

Gateway Performance Optimization R81.20 Course
now available at maxpowerfirewalls.com
0 Kudos
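
The upstream-IP monitoring idea from the answer above, as an added example that is not part of the original post and is not the clusterXL_monitor_ips script from sk35780: it probes a list of upstream addresses and reports a ClusterXL critical device as `problem` only after several consecutive failed rounds, so a single lost ping does not trigger a failover. The device name, thresholds, function names and IP addresses are assumptions; `cphaprob ... register` and `cphaprob ... report` are the standard critical-device commands.

```shell
#!/bin/sh
# Added sketch, not Check Point's clusterXL_monitor_ips script.
# Hypothetical names: PNOTE, MIN_UP, FAIL_ROUNDS, INTERVAL and all functions.
PNOTE="upstream_mon"          # critical device (pnote) name, an assumption
MIN_UP=1                      # a round is healthy if at least this many hosts answer
FAIL_ROUNDS=3                 # consecutive failed rounds before reporting a problem
INTERVAL=5                    # seconds between rounds
PROBE="${PROBE:-probe_ping}"  # probe command, replaceable for offline testing

probe_ping() { ping -c 1 -W 2 "$1" >/dev/null 2>&1; }

# count_reachable IP... -> number of monitored hosts that answered this round
count_reachable() {
    up=0
    for ip in "$@"; do
        "$PROBE" "$ip" && up=$((up + 1))
    done
    echo "$up"
}

# round_state MIN_UP IP... -> "ok" or "problem" for a single probe round
round_state() {
    need=$1; shift
    if [ "$(count_reachable "$@")" -ge "$need" ]; then echo ok; else echo problem; fi
}

# update_fails PREV STATE -> consecutive failed rounds so far (damps flapping)
update_fails() {
    if [ "$2" = ok ]; then echo 0; else echo $(($1 + 1)); fi
}

monitor_loop() {
    cphaprob -d "$PNOTE" -t 0 -s ok register   # -t 0: no heartbeat timeout
    fails=0; reported=ok
    while :; do
        fails=$(update_fails "$fails" "$(round_state "$MIN_UP" "$@")")
        if [ "$fails" -ge "$FAIL_ROUNDS" ]; then want=problem; else want=ok; fi
        if [ "$want" != "$reported" ]; then
            cphaprob -d "$PNOTE" -s "$want" report   # "problem" takes this member down
            reported=$want
        fi
        sleep "$INTERVAL"
    done
}

# Run on a cluster member as: script --run 192.0.2.1 198.51.100.1 (constructed IPs)
if [ "${1:-}" = "--run" ]; then shift; monitor_loop "$@"; fi
```

Monitoring more than one upstream address with `MIN_UP=1` keeps an outage of a single monitored host from being mistaken for a path failure.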
Muhammad_Amin_Z
Explorer

Hello everyone, thank you for your responses. Further, I need to design this to have both firewalls in active mode, and need to have a failover to the cluster firewall if the WAN link becomes unreachable.

0 Kudos
G_W_Albrecht
Legend

You can have both firewalls in active mode and use two ISPs with ISP redundancy.

CCSP - CCSE / CCTE / CTPS / CCME / CCSM Elite / SMB Specialist
0 Kudos
