h

(tp/sw
: ww.r3necto
.m)

(http://sdntraining.com/?
utm_source=FIR3NET &utm_medium=Banner1&utm_campaign=Ad&utm_content=Security)

Home (/)  Articles (/Articles.html)  Firew alls  Check Point (/Firew alls/Check-Point/)
 Check Point Clustering

Check Point Clustering

Written by Rick Donato on 08 April 2010. Posted in Check Point (/Firewal l s/Check-Point/)

ClusterXL

Check Point's ClusterXL is a softw are-based Load Sharing and High Availability solution that distributes
tra c betw een clusters of redundant Security Gatew ays

High Availability
Allow s for an Active-Standby setup w ere one node (Active) passes all the tra c. In the event of failure
the Standby node w ill be promoted to the Active node.

New Mode - Both devices have their ow n IP and MAC addresses. A Virtual IP is used w hich uses the
MAC address of the Active gatew ay. T ra c is then directed to the VIP and passed to the Active
Gatew ay. Gratuitous ARP is used to update the VIPs MAC address on neighboring devices at point of
failover.
Legacy Mode - Both gatew ays use the same IP and MAC address. T he standby gatew ay interfaces
remain disabled unless the master fails and the gatew ay is promoted to master.

Load Sharing
Load sharing distributes the tra c betw een the nodes so that the tra c load is shared.

Multicast - T ra c is sent to both nodes using Multicast (MAC addresses). Betw een both nodes they
then decide w hich node w ill process the packet.
Unicast - T ra c is sent to only one node. T his is called the pivot node. T he pivot node then either
processes the packet or passes to the other node for processing.
3rd Party Solutions
h
(tp/sw
: ww.r3necto
.m)
Both of the 3rd Party solutions are con gured primarily w ithin the IPSO operating system. T hough there
are a few settings that are still required w ithin the Check Point Object such as state synchronization.

Nokia VRRP - Interface checking and failover is dealt w ith by Nokia`s VRRP. T his only allow s for HA
clusters.
Nokia IP Clustering - Interface checking and failover is dealt w ith by Nokias IP clustering. T his allow s
for both HA and Load Sharing cluster con gurations.

In both cases above you can use and con gure ClusterXL for state synchronization.

0 Comments Fir3net.com 
1 Login

Sort by Newest
 Recommend 1 ⤤ Share

Start the discussion…

LOG IN WITH
OR SIGN UP WITH DISQUS ?

Name

Be the first to comment.

✉ Subscribe d Add Disqus to your siteAdd DisqusAdd 🔒 Privacy

back to top