Active-Active Mode in ClusterXL

Introduction

R80.40 introduced a new ClusterXL mode called Active-Active.

This mode is designed for a cluster, whose Cluster Members are located in different geographical areas (different sites, different cloud availability zones).

The IP addresses of the interfaces on each Cluster Member are on different networks (including the Sync interfaces).

Each Cluster Member inspects all traffic routed to it and synchronizes the recorded connections to its peer Cluster Members.

The traffic is not balanced between the members.

Example Topology:

Important:

Limitations

These limitations apply to Active-Active mode in ClusterXL:

Configuring Active-Active mode

Note - This procedure is to configure a new ClusterXL object.

Changing the ClusterXL Mode to Active-Active

Dynamic Routing Failover

By design, a Cluster Member changes its state to DOWN in these cases:

When the cluster state of a Cluster Member is DOWN, it stops processing the dynamic routing traffic to force the next hop router to update its routing tables. As a result, there may be a network outage, because it takes time for dynamic routing protocols to update their routing tables and propagate the changes.

Note - If it is necessary that Cluster Members change their cluster state because of other Critical Devices, you must manually configure this behavior.