This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
Martin_Raska
Advisor
Advisor
‎2020-02-28 02:17 AM
Jump to solution

FULL HA cluster support

Hello mates,

Question:

Is FULL HA Cluster supported on vmware? This sk60443 says yes.  Installation a Upgrade guide R80.40 says only CP appliances, page 134.

0 Kudos
1 Solution

Accepted Solutions
PhoneBoy
Admin
Admin
‎2020-03-10 12:09 PM
Jump to solution

We've updated sk60443 so it is clear this is only supported on physical Check Point appliances.
It is not supported on Open servers or virtualized appliances at all.

View solution in original post

(1)
23 Replies
G_W_Albrecht
Legend Legend
Legend
‎2020-02-28 03:57 AM
Jump to solution

You did not read sk60443 correctly: These guidelines apply to all Check Point appliances running on Gaia OS / SecurePlatform OS, as well as Virtual Appliances running vSEC Virtual Edition on Gaia OS
(Note: this article does not apply to vSEC for Amazon Web Services, vSEC for Microsoft Azure, vSEC for Google Cloud Platform, vSEC for VMware NSX, vSEC for VMware vCloud Air, vSEC for Cisco ACI, vSEC for OpenStack).

Historically, this had never been supported on OpenServer at all, only on (also virtual) appliances.

But i would put my answer like this: On VMWare, Full HA Cluster does make no sense at all !

  • Gateway clustering = Cluster XL HA should be used
  • SMS on VM is easily cloned, different ways of backup are possible, so we do not need Management HA in most cases we could think of
  • Full HA is the solution with many features for less money very often giving big trouble 😞
  • So out of long experience, i always have suggested to keep the hands from fool management haha...
CCSP - CCSE / CCTE / CTPS / CCME / CCSM Elite / SMB Specialist
Martin_Raska
Advisor
Advisor
‎2020-02-28 04:27 AM
In response to G_W_Albrecht
Jump to solution

I read it many times but admin guide says different. It makes sense, the answer is as always money, therefore you have to build FULL HA without separate management. That's it.
0 Kudos
G_W_Albrecht
Legend Legend
Legend
‎2020-02-28 05:09 AM
In response to Martin_Raska
Jump to solution

Which Admin Guide says differently ? The sk39345 (from 03-Okt-2019) says: 

Additional restrictions for ClusterXL Full High Availability configuration:

  • Supported only between appliances with the identical Operating Systems (cluster requirement).

Again: For me it makes no sense to have two small appliances with NPM licenses in Fool HA configuration - it turned  to be a PITA much too often...

CCSP - CCSE / CCTE / CTPS / CCME / CCSM Elite / SMB Specialist
0 Kudos
Ian_Cresswell
Contributor
‎2021-12-14 06:34 AM
In response to G_W_Albrecht
Jump to solution

If HA is not available in the Virtual world what is recommended for virtual gateways running on ESX?

If we have two ESX servers with the gateway on one of them, if that ESX server blows up how are the services transitioned to the other ESX server?

0 Kudos
Martin_Raska
Advisor
Advisor
‎2021-12-14 07:22 AM
In response to Ian_Cresswell
Jump to solution

HA is supported, what is not is FULL HA = Standalone HA cluster

0 Kudos
Ian_Cresswell
Contributor
‎2021-12-14 07:31 AM
In response to Martin_Raska
Jump to solution

Not sure what the difference is between HA and Full HA?

Do you mean that when there are two separate gateways, one on each ESX server, similar to there being two appliances in the physical world is supported?

Is there any documentation supporting this, I find documentation on private clouds for virtual appliances is a bit sparse.

0 Kudos
Martin_Raska
Advisor
Advisor
‎2021-12-14 07:50 AM
In response to Ian_Cresswell
Jump to solution

FULL HA is two standalone instalation merged to cluster

https://sc1.checkpoint.com/documents/R81/WebAdminGuides/EN/CP_R81_Installation_and_Upgrade_Guide/Top...

 

0 Kudos
Ian_Cresswell
Contributor
‎2021-12-14 07:53 AM
In response to Martin_Raska
Jump to solution

Yeah that's a link to appliances, I will be running virtual servers, so CloudGuard IAAS virtual gateways.

Its easy on physical appliances, there is a wealth of documentation for that.

0 Kudos
PhoneBoy
Admin
Admin
‎2021-12-14 10:15 PM
In response to Ian_Cresswell
Jump to solution

And we only support this on PHYSICAL Check Point appliances (not virtual ones).

0 Kudos
PhoneBoy
Admin
Admin
‎2020-02-28 08:23 PM
Jump to solution

This has only ever been supported on physical Check Point appliances, not VMs.
At least as far as I know.
Clearly the SK needs to be updated if for no other reason than to remove the references to vSEC. 😬
Will ask them to clarify this point and update.
Martin_Raska
Advisor
Advisor
‎2020-03-02 12:18 AM
In response to PhoneBoy
Jump to solution

PhoneBoy
"Will ask them to clarify this point and update."

please do.

and others stop flame, my question was not about ClusterXL active/passive, but about FULL HA standalone cluster and what is /not supported.
0 Kudos
G_W_Albrecht
Legend Legend
Legend
‎2020-03-02 03:20 AM
In response to Martin_Raska
Jump to solution

I did not notice any flaming here, neither in mine nor someone elses posts, and at least my posts were about fool mgmt ha only 8) - can you please elaborate your last sentence ?

CCSP - CCSE / CCTE / CTPS / CCME / CCSM Elite / SMB Specialist
0 Kudos
Martin_Raska
Advisor
Advisor
‎2020-03-02 03:42 AM
In response to G_W_Albrecht
Jump to solution

Guys, I am not new to CP, I know this solution very well, I don't like it either but the project will be FULL HA standalone setup or different vendor. That's it. I don't need a lection about this solution, I just need correct if it's supported on vmware nothing more.

Thanks

PhoneBoy
Admin
Admin
‎2020-03-02 08:30 AM
In response to Martin_Raska
Jump to solution

Not to fan any flames here, but is the decision to do Full HA a function of cost (i.e. separate management requires another license) versus functionality?
0 Kudos
Wolfgang
Authority
Authority
‎2020-03-02 11:57 PM
In response to Martin_Raska
Jump to solution

Martin,

we too had this requirements from one of our customers end of last year and answer from local Check Point team was  "It's not supported with VMware" only CheckkPoint appliances.

Wolfgang

HeikoAnkenbrand
Champion Champion
Champion
‎2020-02-29 01:40 PM
Jump to solution

There are several ways to install a ClusterXL for R80.30 or R80.40:

Open Server and Appliance:

- sk144293 - Check Point R80.30  or sk160736 - Check Point R80.40

CloudGuard Virtual Edition (VE) OpenStack, KVM, ESXi

sk158292 - CloudGuard for Private Cloud images

CloudGuard for VMware NSX 

sk114518: CloudGuard for NSX

 

More read here:

ClusterXL Installation - OpenServer, Appliance, OpenStack, KVM, ESXi, NSX, AWS, ACI, Azure, Google

➜ CCSM Elite, CCME, CCTE ➜ www.checkpoint.tips
Uri_Lewitus
Employee
Employee
‎2020-03-02 11:30 PM
Jump to solution

Hi Martin

Where in the SK does it state that VMWare is supported for SA? Couldn't find such a statement - can you please point it out.

Thanks

Uri

0 Kudos
Martin_Raska
Advisor
Advisor
‎2020-03-03 12:25 AM
In response to Uri_Lewitus
Jump to solution

the second sentence says:

These guidelines apply to all Check Point appliances running on Gaia OS / SecurePlatform OS,
as well as Virtual Appliances running vSEC Virtual Edition on Gaia OS

 

from how I understand its vSEC=CloudGuard=virtual appliance

0 Kudos
Uri_Lewitus
Employee
Employee
‎2020-03-03 12:31 AM
In response to Martin_Raska
Jump to solution

Thanks Martin

I see - however vSEC is a different product and by definition does not support FULL HA, it is not VMWare ESX

Will ask the SK team to clarify

Ronen_Zel
Mod
Mod
‎2020-03-10 02:51 AM
In response to Uri_Lewitus
Jump to solution

I am happy to say that based on this feedback sk60443 is now updated. Thanks for bringing this to our attention.

James_Lim
Participant
‎2020-10-27 10:03 PM
In response to Ronen_Zel
Jump to solution

Quick question.

Is Active-Active Cluster XL FW supported in Full HA Setup in r80.40?

While Management Components still remain active/standby.

0 Kudos
G_W_Albrecht
Legend Legend
Legend
‎2020-10-28 01:48 AM
In response to James_Lim
Jump to solution

NO: See sk101539 - ClusterXL Load Sharing mode limitations and important notes  !

CCSP - CCSE / CCTE / CTPS / CCME / CCSM Elite / SMB Specialist
PhoneBoy
Admin
Admin
‎2020-03-10 12:09 PM
Jump to solution

We've updated sk60443 so it is clear this is only supported on physical Check Point appliances.
It is not supported on Open servers or virtualized appliances at all.

(1)

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    Sort by:
    CheckMates Events