Check Point Clustering Query

Discussion created by Nilay Vyas on Aug 22, 2018
Latest reply on Aug 24, 2018 by Lari Luoma



I am fairly new to Check Point and I am not a security expert either. I am working on the lab design from a network perspective and I have a question related to Check Point R80 clustering.


I have been advised that Check Point requires a switch in between them to perform the clustering properly, or else they will end up in a split-brain scenario.


My initial design for lab was

cp cluster ( cp a and cp b)

wan 1 --> cp a (Lan and WAN L3 on the CP) --> Lan Switch stack 1--> users

wan 2 --> cp b (LAN and WAN L3 on the CP) --> Lan Switch stack 2--> users


cp a <--> cp b for clustering, with the LAN and WAN ports monitored for failover.


CP cluster setup: Active/Standby.


I have been told it needs to be 


wan 1 -- Lan Switch stack 1 -- CP A -- Lan switch stack 1 -- Users

wan 2 -- Lan switch stack 2 -- CP B -- Lan switch stack 2 -- users


cp a <-- lan switch stack 1 / 2 --> cp b


I failed to understand the reason behind this. I have been told that each WAN and LAN interface does the keepalive like HSRP via the switch L2 broadcast domain. Cluster sync is only to share the session information.


If we do the 1st design, then if WAN 1 goes down the CP doesn't know whether the issue is related to the port or the CP itself, and it may fail or half fail.


Could someone please explain the following to me?


- What is the real requirement? Do we need an L2 switch between the cluster or not?

- Can't Check Point share the port up/down information via the sync link and make a decision (like ASA or FG)?

- How do the communication and failover happen in the sync or failover scenario?


I would love to understand the mechanics behind it and the best practice or validated practice.