hello rock,

thanks for the update ,

correct me if i am wrong

if i select the prefer connectivity , during the failover it simply switch the connection to standby device it ensure there is no connectivity issue failover 

if i select the prefer security , during the failover it simply drop the current connection it will not ensure the connectivity right 

above i mentioned is correct rock ? 

I attached the screenshot for your reference, hope its helpful.

Andy

You sort of got it : - ). So for prefer connectivity, yes, thats correct, IF your cluster is fully functional, then when failover happens, it will work fine if that option is selected. Now, IF prefer security is selected, does not mean current connections will close, ONLY ones for which IPS signatures can not be applied to/guaranteed. Personally, I would leave it to "prefer connectivity", which is default, as lets be honest, you do NOT want people "screaming" at you because their connections are failing : - )

By the way, sk @Chris_Atkinson provided also explains that. I would listen to him, he is EXCELLENT, very smart guy!

One interesting side effect of "prefer connectivity" is that while the connection will be continued upon ClusterXL failover, it cannot be inspected by streaming (either active or passive) anymore.  As a result the connection will be offloaded into the SXL/Accelerated Path on the newly-active member. 

This looks very strange when you are watching a high-speed transfer that is subject to streaming inspection and a failover occurs; the speed of the transfer doubles or triples!  Interestingly if you fail back over to the original member streaming inspection resumes (assuming the member has not been rebooted or otherwise cleared its state table) and the transfer speed drops back to what it was before.  Was definitely a WTF moment when I first saw this effect, as causing a failover would massively speed up big transfers!  

O wow, thanks for that Tim, thats super interesting 👍

hello

The default on SP/Maestro is prefer connectivity.  At least in R80.30SP the command was asg_ips_failover_behavior {connectivity | security} and you could check the current state with command g_fw ctl get int fwha_ips_reject_on_failover, 0 is prefer connectivity, 1 is prefer security.

Thanks,

I can confirm "connectivity" at least for 64k and R80.20SP Jumbo HFA Take 331

g_fw ctl get int fwha_ips_reject_on_failover
-*- 10 blades: 1_01 1_02 1_03 1_04 1_05 2_01 2_02 2_03 2_04 2_05 -*-
fwha_ips_reject_on_failover = 0

hello

can i get an update from above questions?

I cant give you answers to those, as I never tested option to prefer security, as default one is what everyone leaves it to. You would need to try it out and see the behavior.

hello rock,

thanks for the update .

hi all,

if any one know the behavior and above questions answer .kindly let me know .

The kinds of failures that are being discussed here are related to the clustering technology known as ClusterXL.
Many, many things outside of the control of the Check Point configuration can cause ClusterXL to “fail over” to another device.
It obviously has an impact on the IPS service, which requires the same gateway to process the connection (thus why the Prefer Connectivity/Security option exists).

3 minutes and 11 seconds doesn’t sound unreasonable if their test of “IPS service failure” was a reboot of the primary gateway.
There are other reasons a failover can occur that don’t involve a reboot (for example, disabling/unplugging a cable on a NIC, or something else that prevents the gateways from seeing each other).
I would want to know precisely how they are testing this.