Print Download PDF Send Feedback

Previous

Next

ClusterXL Modes

Introduction to ClusterXL Modes

ClusterXL has these working modes. This section briefly describes each mode and its relative advantages and disadvantages.

Important:

  • Load Sharing modes are only supported with the required R80.30 Jumbo Hotfix Accumulator. For instructions, see sk162637.
  • To upgrade a ClusterXL that works in a Load Sharing mode from a lower version to R80.30, follow these steps in the same maintenance window:
    1. Upgrade the ClusterXL to R80.30.
    2. Install the required R80.30 Jumbo Hotfix Accumulator. For instructions, see sk162637.
High Availability Mode

The ClusterXL High Availability mode provides basic High Availability capabilities in a cluster environment. This means that the cluster can provide Firewall services even when it encounters a problem, which on a regular Security Gateway results in a complete loss of connectivity. When combined with Check Point State Synchronization, ClusterXL High Availability can maintain connections through failover events, in a user-transparent manner, allowing a flawless connectivity experience. As a result, High Availability provides a backup mechanism, which organizations can use to reduce the risk of unexpected downtime, especially in a mission-critical environment (such as money transactions).

To achieve this, ClusterXL High Availability mode designates one of the Cluster Members as the Active member, while the other Cluster Members remain in Standby mode. The cluster associates the Virtual IP addresses with the physical MAC addresses of the physical interfaces on the Active member (by matching the cluster Virtual IP address with the unique MAC address of the appropriate physical interface). Therefore, all traffic directed at the cluster Virtual IP addresses, is actually routed (and filtered) by the Active Cluster Member.

The role of each Cluster Member is chosen according to its cluster state and Cluster Member priority. Cluster Member priorities correspond to the order, in which they appear in the Cluster Members page of the cluster object in SmartConsole. The top-most Cluster Member has the highest priority. You can modify this ranking at any time (requires policy installation and causes a failover).

In addition to its role as a Firewall, the Active Cluster Member is also responsible for informing the Standby Cluster Members of any changes to its cluster state and kernel tables. This keeps the peer Cluster Members up-to-date with the current traffic passing through the cluster.

Whenever the Active Cluster Member detects a problem that is severe enough to prevent this Cluster Member from working correctly, failover occurs in the cluster. One of the Standby Cluster Members (the Cluster Member with the next highest priority) assumes the role of the Active Cluster Member. If State Synchronization is enabled, the new Active Cluster Member recognizes any open connections and handles them according to their last known state.

Upon the recovery of a failed former Active Cluster Member with a higher priority, the role of the Active Cluster Member may or may not be switched back to that Cluster Member. This depends on the cluster object configuration - Maintain current active Cluster Member, or Switch to higher priority Cluster.

It is important to note that Standby Cluster Members may encounter problems as well. In this case, in the event of a cluster failover, the Standby Cluster Members are not considered for the role of a new Active Cluster Member.

Load Sharing Modes - Multicast and Unicast

Important:

  • Load Sharing modes are only supported with the required R80.30 Jumbo Hotfix Accumulator. For instructions, see sk162637.
  • To upgrade a ClusterXL that works in a Load Sharing mode from a lower version to R80.30, follow these steps in the same maintenance window:
    1. Upgrade the ClusterXL to R80.30.
    2. Install the required R80.30 Jumbo Hotfix Accumulator. For instructions, see sk162637.

Load Sharing Multicast Mode - This is an efficient way to handle a high load because the load is distributed optimally between all cluster members. Load Sharing Multicast mode associates a multicast MAC with each unicast cluster IP address. This ensures that traffic destined for the cluster is received by all members. The ARP replies sent by a cluster member will therefore indicate that the cluster IP address is reachable via a multicast MAC address.

Load Sharing Unicast Mode - Some routing devices will not accept ARP replies. For some routers, adding a static ARP entry for the cluster IP address on the routing device will solve the issue. Other routers will not accept this type of static ARP entry.

Another consideration is whether your deployment includes routing devices with interfaces operating in promiscuous mode. If on the same network segment there exists two such routers and a ClusterXL Security Gateway in Load Sharing Multicast mode, traffic destined for the cluster that is generated by one of the routers could also be processed by the other router.

For these cases, use Load Sharing Unicast Mode, which does not require the use of multicast for the cluster addresses.

28 December 2020
Was this helpful?
Incorrect information Not what I'm looking for Too much information Confusing information
© 2020 Check Point Software Technologies Ltd. All rights reserved.