Amir_Arama
Collaborator

Create Geo cluster in Check Point?

Hi

So, if I need to connect a 3rd cluster member and put it in a different geo location,

because I want all DMZ servers to have a GW if the main site is down:

Is there a solution for the internet lines, besides stretching the internet lines as Layer 2 to the 2nd site?

Is there a configuration where the cluster can support each GW having a separate interface for the internet, etc.? I read about the new active-active cluster, but I'm not sure it's suitable; there is not much info on it. I need all the DMZ VLANs to be the same between sites, and only the internet interfaces to be different, if possible.

Thanks

21 Replies
Chris_Atkinson
Employee

You could test the "Monitored Private" interface type in ClusterXL, but there will be caveats around dynamic routing (sk116815), and it is not considered best practice.

Amir_Arama
Collaborator

I don't want to create a solution based on something that is not healthy.

My question is: does Check Point have any healthy solution for this situation or not?

Bob_Zimmerman
Advisor

Do you actually need state sync for this? If the whole cluster at the main site is down, would systems at the main site be able to go out through the other site?

If not, just run a separate firewall and push the same policy to both. It's enormously cleaner than trying to run a multi-site cluster.

Amir_Arama
Collaborator

The two sites have the same networks stretched over a Layer 2 line, like it's one network. Hosts on site A can communicate with hosts on site B on the same VLAN through the Layer 2 line. This is why I can't put two separate GWs with different addresses: when I move/migrate a VM from the main site to the 2nd site, it will have the same default GW. And I can't put the FWs with the same IP because it will be a duplicate, because again the VLANs are stretched.

Bob_Zimmerman
Advisor

Frankly, this kind of problem is exactly why spanning layer 2 domains between datacenters is a bad idea. And it leads to deeply frustrating performance pathologies when latency-sensitive systems in one datacenter try to connect to systems in another datacenter as if they're local.

I'm also extremely skeptical of the utility of moving live VMs from one datacenter to another. Every single time I have seen somebody build an environment with that capability, they have ended up painting themselves into a corner with bad availability design.

the_rock
Authority

Very well said.

Benedikt_Weissl
Advisor

The whole cluster can only run in one mode, so you would need to "convert" your 2-node cluster in the first geolocation to active-active also. That's why I don't think that an active-active cluster will work here. How are the internal networks stretched across locations? Maybe a third stand-alone appliance with proxy ARP can do the job?

Amir_Arama
Collaborator

The two sites have the same networks stretched over a Layer 2 line, like it's one network. Hosts on site A can communicate with hosts on site B on the same VLAN through the Layer 2 line. So I can't make any duplications of ARPs or IPs.

PhoneBoy
Admin

Clustering generally requires that every interface share a Layer 2 domain and have latency no more than 100ms.
Also failover across sites is a LOT more complicated than simply the gateways failing over unless they also share a Layer 2 domain (which they may not).
It usually involves dynamic routing changes, among other things.
An actual diagram showing the proposed environment with traffic flows in the active and “failed over” state would be helpful.

Most likely you’re not going to need a Geo cluster but you’ll need some other solution.
We do have the ability to do this in R80.40 (without the Layer 2 requirement), but these clusters operate a bit differently and are active/active.
See: https://sc1.checkpoint.com/documents/R80.40/WebAdminGuides/EN/CP_R80.40_ClusterXL_AdminGuide/Topics-...

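The reply above states the two ClusterXL preconditions a geo design has to clear before anything else: every interface in a shared Layer 2 domain and member-to-member latency under 100 ms. The following is an added example, not code from the thread or from Check Point, of a small check an engineer can run from expert mode on one member against the peer's sync or cluster address before committing to a stretched design: it parses a Linux-style `ping` transcript and fails if any reply exceeds the threshold or any packet was lost. The ping output embedded below is constructed sample data (addresses, RTTs and loss figures are made up), and the 100 ms default is the figure quoted in the reply, not a value taken from product documentation.

```shell
#!/bin/sh
# Added example (not from the thread): gate a stretched-cluster design on the
# "every reply under N ms, zero loss" expectation for the inter-member link.
#
# Usage: check_cluster_link "<ping transcript>" [max_rtt_ms]
# Returns 0 when every reply is within the limit and no packets were lost,
# 1 otherwise. The transcript is the text of `ping -c <count> <peer>`.
check_cluster_link() {
    printf '%s\n' "$1" | awk -v max="${2:-100}" '
        # Reply lines look like: "64 bytes from 10.1.1.2: icmp_seq=1 ttl=64 time=0.412 ms"
        /time=/ {
            sub(/.*time=/, ""); sub(/ .*/, "")
            rtt = $0 + 0; n++
            if (rtt > max) slow++
        }
        # Summary line: "2 packets transmitted, 2 received, 0% packet loss, time 1001ms"
        /packet loss/ {
            for (i = 1; i <= NF; i++) if ($i ~ /%/) loss = $i + 0
        }
        END {
            if (n == 0) { print "no replies parsed"; exit 1 }
            if (slow > 0 || loss > 0) {
                printf "FAIL: %d/%d replies over %d ms, %d%% loss\n", slow, n, max, loss
                exit 1
            }
            printf "OK: %d replies, all under %d ms, no loss\n", n, max
            exit 0
        }'
}

# Constructed sample transcripts (not real measurements).
# A same-site sync link: sub-millisecond, no loss.
GOOD_LINK='64 bytes from 10.1.1.2: icmp_seq=1 ttl=64 time=0.412 ms
64 bytes from 10.1.1.2: icmp_seq=2 ttl=64 time=0.388 ms
64 bytes from 10.1.1.2: icmp_seq=3 ttl=64 time=0.401 ms
--- 10.1.1.2 ping statistics ---
3 packets transmitted, 3 received, 0% packet loss, time 2002ms'

# A stretched link with one dropped probe and one reply over the limit.
BAD_LINK='64 bytes from 10.1.1.2: icmp_seq=1 ttl=64 time=38.2 ms
64 bytes from 10.1.1.2: icmp_seq=3 ttl=64 time=140.7 ms
--- 10.1.1.2 ping statistics ---
3 packets transmitted, 2 received, 33% packet loss, time 2004ms'

# Stand-alone run: report both cases.
check_cluster_link "$GOOD_LINK"
check_cluster_link "$BAD_LINK" || true
```

On a live member you would feed it the real transcript, for example `check_cluster_link "$(ping -c 20 <peer-sync-ip>)"`, and run it from both sides, since the latency that matters is whatever the sync path actually delivers, not the WAN provider's quoted figure.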
Amir_Arama
Collaborator

Here is the main idea.

Of course it's oversimplified here, without all the details.

The idea is I have ESX servers on the main site and ESX servers on the 2nd site. Let's assume site A goes down: all VMs migrate to ESX on the 2nd site. They should have the same DG, etc. There could also be a scenario where I migrate some VMs to the 2nd site in parallel to the VMs active on the main site, and they should be on the same L2 domain and communicate with each other totally transparently.

On the LAN FW it's simple because it's all LANs. The question starts on the internet DMZ/internet FW, which also involves DMZ networks that are shared between sites in the same way and will also have migrations between ESX servers, etc. (I only pictured one cluster to simplify the drawing.)

Thanks

[Attachment: Untitled.jpg (topology diagram)]

Benedikt_Weissl
Advisor

Switch the WAN VLANs between the 2 sites and configure ISP Redundancy on the 3-node cluster. If one site goes down, the other half of the cluster will be active and ISP Redundancy will route through the right WAN link.

Amir_Arama
Collaborator

Sorry, I don't follow.

ISP Redundancy is a configuration in the cluster object; as far as I know you can't configure it only for one cluster member. Also, I don't see how it will solve the issue that a healthy cluster needs L2 connectivity on all interfaces.

Benedikt_Weissl
Advisor

Sorry, English is not my first language. The basic idea is to have 2 WAN lines and bridge both between the DCs, just like the internal VLANs. Then configure your 3-node ClusterXL to use both WANs via ISP Redundancy. If one DC goes down, the associated WAN line will be down too, but due to ISP Redundancy the cluster node in the "surviving" DC will just use the other line.

Amir_Arama
Collaborator

Now I get it.

But if I could bridge the internet lines I wouldn't have any problem. The issue starts because I can't, and I asked if there is a solution for a cluster that doesn't have the same WAN interfaces.

the_rock
Authority

I am 99.99% sure that is not possible for CP cluster, but I would get official confirmation from TAC.

PhoneBoy
Admin

Are they different Internet connections entirely with different IP address space?
And you might need to do different NAT when using the different Internet connections?
If that's the case, this is not a problem a cluster can solve, as connections wouldn't possibly survive a failover anyway.

Amir_Arama
Collaborator

Let's assume I use an external global load balancer for published services that knows how to work over different locations and subnets facing the outside world. But I would still have different internet connections with different IP address space. Is there a healthy solution for a CP cluster to work like that?

PhoneBoy
Admin

Not in any way that guarantees a connection will survive a failover across location.

Amir_Arama
Collaborator

Hi,

So I figured out a topology.

I can install a Layer 2 line between the DCs and transfer the VLAN that will be between the internet GW and the router that will be connected to 2 internet lines. There will be a router on each site with its own internet lines. I want to configure the internet GW (cluster) so that: 1. if the active member is in site A it will route traffic with priority to site A and use site B as a backup, and the opposite if the active member is now in site B. I also want the Check Point to know to return the packet via the same interface/next hop the packet arrived from (for incoming connections).

I know that ISP Redundancy is built for this purpose, but it has its limitations. For example, I can't prioritize ISPs based on latency/bandwidth; I need to configure one priority for the whole cluster, and not per member. And also I can't use a third ISP (which in my case may be helpful as a 3rd option).

How can I accomplish this with dynamic routes/PBR or other features? Thanks

Benedikt_Weissl
Advisor

Tell me more about the requirements please. Do you worry primarily about outgoing (i.e. from server to wan) or incoming connections (i.e. NAT from wan to your servers)?
Do you need the failover to preserve connections or is it okay for the servers to reestablish connections after failover to another DC? How do you migrate your VMs, is it a hot or cold migration?
Are the DCs active-active or active-passive?

Amir_Arama
Collaborator

Both incoming and outgoing.

Reestablishing the connection is also OK.

Both hot and cold migration.

The 2 DCs are active-active.
