
Check Point Software Compatibility

Included Topics

ClusterXL Compatibility (Excluding IPS)

ClusterXL Compatibility with IPS

Forwarding Layer

ClusterXL Compatibility (Excluding IPS)

The following table and accompanying notes present ClusterXL Load Sharing and High Availability compatibility for OPSEC Certified cluster products. Some Check Point products and features are not supported or are only partially supported (as detailed in the footnotes) for use with ClusterXL.

| Feature or Product | Feature | LS (Load Sharing) | HA (High Availability) |
|---|---|---|---|
| Security Management | | No | No |
| firewall | Authentication/Security Servers | Yes (1) | Yes (1) |
| firewall | ACE servers and SecurID | Yes | Yes |
| firewall | Application Intelligence protocol inspection (2) | Yes (3) | Yes |
| firewall | Sequence Verifier | Yes (4) | Yes (1) |
| firewall | UDP encapsulation | Yes | Yes |
| firewall | SAM | Yes | Yes |
| firewall | ISP Redundancy | Yes | Yes |
| VPN | Third party VPN peers | Yes | Yes |
| Endpoint Security Client | Software Distribution Server (SDS) | No | No |
| Endpoint Security Client | IP per user in Office Mode | Yes | Yes |
| SecureXL or Performance Pack | | Yes | Yes |
| Check Point QoS | | Yes (4, 5) | Yes |
| SmartProvisioning | SmartLSM Security Gateway | No | No |
| Check Point Security Gateway | | Yes | Yes |

ClusterXL Compatibility with IPS

The following IPS features are supported by ClusterXL, with the limitations listed in the notes.

| Feature | Load Sharing | High Availability |
|---|---|---|
| Fragment Sanity Check | Yes (1, 3) | Yes (1) |
| Pattern Matching | Yes (2, 3) | Yes (2) |
| Sequence Verifier | Yes (2, 4) | Yes (2) |
| FTP, HTTP and SMTP Security Servers | Yes (2, 5) | Yes (2) |

Footnotes

  1. If there is a failover when fragments are being received, the packet will be lost.
  2. Does not survive failover.
  3. Requires unidirectional stickiness. This means that the same member must receive all external packets, and the same member must receive all internal packets, but the same member does not have to receive both internal and external packets.
  4. Requires bidirectional connection stickiness.
  5. Uses the forwarding layer, described in the next section.
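Footnotes 3 and 4 draw a distinction that is easy to get wrong when validating a Load Sharing deployment: unidirectional stickiness only requires that each direction of a connection lands on one consistent member, while bidirectional stickiness requires both directions to land on the same member. The following checker is an added example, not Check Point code; it reads a constructed packet-distribution trace (connection id, direction, member) and reports which connections would break a given IPS feature under Load Sharing, using the requirements stated in the table and footnotes above. The trace format and member names are assumptions for this example.

```python
"""Stickiness checker for ClusterXL Load Sharing (added example; not Check Point code).

Footnote 3 (unidirectional): every external packet of a connection must reach one
member and every internal packet must reach one member, but the two may differ.
Footnote 4 (bidirectional): both directions of the connection must reach the same member.
The trace format and member names below are constructed for this example.
"""
from collections import defaultdict
from enum import Enum


class Stickiness(Enum):
    UNIDIRECTIONAL = "same member per direction"       # footnote 3
    BIDIRECTIONAL = "same member for both directions"  # footnote 4


# Load Sharing requirements taken from the IPS table and its footnotes above.
# (FTP/HTTP/SMTP Security Servers rely on the Forwarding Layer instead, footnote 5.)
LS_REQUIREMENTS = {
    "Fragment Sanity Check": Stickiness.UNIDIRECTIONAL,
    "Pattern Matching": Stickiness.UNIDIRECTIONAL,
    "Sequence Verifier": Stickiness.BIDIRECTIONAL,
}

# Constructed trace: one line per packet, "<conn-id> <direction> <member>".
SAMPLE_TRACE = """\
c1 external member1
c1 internal member2
c1 external member1
c2 external member1
c2 internal member1
c3 external member1
c3 external member2
c3 internal member2
"""


def parse_trace(text):
    """Group the trace into {conn_id: {direction: set(members)}}."""
    seen = defaultdict(lambda: defaultdict(set))
    for line in text.splitlines():
        if not line.strip():
            continue
        conn, direction, member = line.split()
        seen[conn][direction].add(member)
    return seen


def satisfies(per_direction, required):
    """True if one connection's member assignments meet the required stickiness."""
    # Unidirectional: each direction must be handled by exactly one member.
    if any(len(members) != 1 for members in per_direction.values()):
        return False
    if required is Stickiness.UNIDIRECTIONAL:
        return True
    # Bidirectional: that single member must be the same across directions.
    return len({next(iter(m)) for m in per_direction.values()}) == 1


def violations(text, feature):
    """Return the connection ids in the trace that would break `feature` under Load Sharing."""
    required = LS_REQUIREMENTS[feature]
    return sorted(conn for conn, per_dir in parse_trace(text).items()
                  if not satisfies(per_dir, required))


if __name__ == "__main__":
    for feature in LS_REQUIREMENTS:
        print(f"{feature}: violating connections {violations(SAMPLE_TRACE, feature)}")
```

In the constructed trace, c1 keeps each direction on one member but uses different members per direction, so it satisfies footnote 3 but not footnote 4; c3 splits its external packets across two members and fails both.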

Forwarding Layer

The Forwarding Layer is a ClusterXL mechanism that allows a cluster member to pass packets to other members, after they have been locally inspected by the firewall. This feature allows connections to be opened from a cluster member to an external host.

Packets originating from cluster members are hidden behind the cluster virtual IP. Thus, a reply from an external host is sent to the cluster, and not directly to the source member. This can pose problems in the following situations:

If a member decides, upon the completion of the firewall inspection process, that a packet is intended for another cluster member, it can use the Forwarding Layer to hand the packet over to that destination. This is done by sending the packet over a secured network (any subnet designated as a Synchronization network) directly to that member. It is important to use secured networks only, as encrypted packets are decrypted during the inspection process, and are forwarded as clear-text (unencrypted) data.

Packets sent on the Forwarding Layer use a special source MAC address to inform the receiving member that they have already been inspected by another Security Gateway. Thus, the receiving member can safely hand over these packets to the local Operating System, without further inspection. This process is secure, as Synchronization Networks should always be isolated from any other network (using a dedicated network).
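The security of the Forwarding Layer rests on two conditions taken together: the marker source MAC tells the receiving member the packet was already inspected, and the isolation of the Synchronization network is what makes that marker trustworthy, since a source MAC is not a cryptographic proof of anything. The model below is an added example, not Check Point code, and makes that dependency explicit: a frame skips inspection only when it carries the marker and arrived on a designated sync interface, and a small topology check flags a sync network that shares address space with any other interface. The marker MAC value, interface names, address ranges, and the choice to drop and alert on a marker seen off the sync network are all assumptions of this example, not documented ClusterXL behaviour.

```python
"""Model of the Forwarding Layer trust decision and a sync-network isolation check.

Added example, not Check Point code. The marker MAC address below is a constructed
placeholder: this page does not give the real value ClusterXL uses.
"""
import ipaddress
from dataclasses import dataclass
from enum import Enum

FORWARDING_LAYER_SRC_MAC = "02:00:00:00:fe:ed"  # constructed placeholder, not the real marker


class Verdict(Enum):
    DELIVER_LOCALLY = "inspected by a peer on the sync network: hand to local OS"
    INSPECT = "ordinary traffic: full firewall inspection"
    DROP_AND_ALERT = "forwarding-layer marker seen on a non-sync interface"


@dataclass(frozen=True)
class Interface:
    name: str
    network: ipaddress.IPv4Network
    is_sync: bool  # designated as a Synchronization network


@dataclass(frozen=True)
class Packet:
    ingress: str   # name of the interface the frame arrived on
    src_mac: str


def build_topology(spec):
    """spec: iterable of (name, cidr, is_sync) tuples -> {name: Interface}."""
    return {name: Interface(name, ipaddress.IPv4Network(cidr), is_sync)
            for name, cidr, is_sync in spec}


def classify(pkt, ifaces):
    """Decide whether a received frame may skip inspection.

    The marker MAC alone proves nothing (any host can set a source MAC); it is
    trusted only because it arrives on an isolated sync network. Treating a marker
    seen anywhere else as hostile is this example's hardening choice.
    """
    iface = ifaces[pkt.ingress]
    marked = pkt.src_mac.lower() == FORWARDING_LAYER_SRC_MAC
    if marked and iface.is_sync:
        return Verdict.DELIVER_LOCALLY
    if marked:
        return Verdict.DROP_AND_ALERT
    return Verdict.INSPECT


def sync_isolation_findings(ifaces):
    """Flag sync interfaces whose address space overlaps a non-sync interface."""
    findings = []
    for s in (i for i in ifaces.values() if i.is_sync):
        for o in (i for i in ifaces.values() if not i.is_sync):
            if s.network.overlaps(o.network):
                findings.append(f"{s.name} ({s.network}) overlaps {o.name} ({o.network})")
    return findings


# Constructed topologies for the example.
GOOD_TOPOLOGY = build_topology([
    ("eth0", "192.0.2.0/24", False),      # external
    ("eth1", "10.10.0.0/16", False),      # internal
    ("sync0", "10.255.255.0/24", True),   # dedicated sync network
])
BAD_TOPOLOGY = build_topology([
    ("eth0", "192.0.2.0/24", False),
    ("eth1", "10.10.0.0/16", False),
    ("sync0", "10.10.5.0/24", True),      # carved out of the internal range: not isolated
])

if __name__ == "__main__":
    for pkt in (Packet("sync0", FORWARDING_LAYER_SRC_MAC),
                Packet("eth0", FORWARDING_LAYER_SRC_MAC),
                Packet("eth0", "00:11:22:33:44:55")):
        print(pkt, "->", classify(pkt, GOOD_TOPOLOGY).value)
    print("good topology findings:", sync_isolation_findings(GOOD_TOPOLOGY))
    print("bad topology findings:", sync_isolation_findings(BAD_TOPOLOGY))
```

The second topology shows the failure mode the text warns about: if the sync network is carved out of an ordinary internal range, cleartext forwarded packets and marker-bearing frames are reachable from hosts that were never meant to see them, and the "already inspected" shortcut can no longer be trusted.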