This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
Amir_Arama
Advisor
‎2022-01-16 06:57 AM
Jump to solution

Cluster over differnt geo location with different ISPs

Hello everyone.

i want to know what is the best practice of the following

we implementing "Live DR", so we connecting Main site with DR Site by Layer2 in all internal vlans. and also the cluster FW will be 3rd and maybe also 4th members at the DR Site. so Internet/Dmz Cluster will be ni Main and in DR Site.

my quesion is about the Isp's side/Default route site. 

what is the best practice here?

do i have to do Layer 2 Line between Isps between sites (to my knowledge it's must for the cluster), or can i use different ISPs, or same ISPs but with different lines (and also different  public IP subnets)

and let's assume i have L2 between ISPs between sites, what will happend if the Internal Sync /other vlans disconnected between sites, and GWs become active together in Main Site and DR Site, so the ISP will see the same VIP alive in both sites, and it won't work. 

how it's usually implemented ?

i attached draw for general architecture.

Preview file
130 KB
0 Kudos
1 Solution

Accepted Solutions
Chris_Atkinson
Employee Employee
Employee
‎2022-01-16 07:42 PM
Jump to solution

Do you have your own ISP independent public IP addressing?

I would be using dynamic routing & routers / perhaps layer-3 switches external to the Firewall.

You are correct that regardless of the number of cluster members involved Layer-2 connectivity is required.

Redundant & diverse paths between sites are recommended in general for such a design.

CCSM R77/R80/ELITE

View solution in original post

0 Kudos
2 Replies
Chris_Atkinson
Employee Employee
Employee
‎2022-01-16 07:42 PM
Jump to solution

Do you have your own ISP independent public IP addressing?

I would be using dynamic routing & routers / perhaps layer-3 switches external to the Firewall.

You are correct that regardless of the number of cluster members involved Layer-2 connectivity is required.

Redundant & diverse paths between sites are recommended in general for such a design.

CCSM R77/R80/ELITE
0 Kudos
Amir_Arama
Advisor
‎2022-01-18 12:20 AM
In response to Chris_Atkinson
Jump to solution

HI

Yes i have independend ISP ip addresses.

So you are saying to strech layer 2 between sites of the network between external fw interface to a routers/link proof like.

And then use dynamic routes that will inject default route to the fws. And so each fw can also use other site isp's if it's own are down.

 

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    Sort by:
    CheckMates Events