Configuring Services not to Synchronize

Synchronization of connections incurs a performance cost. Not all connections that go through a cluster Two or more Security Gateways that work together in a redundant configuration - High Availability, or Load Sharing. must be synchronized:

• Protocols that run solely between Cluster Members need not be synchronized. Although you can synchronize them, you do not gain any benefit. This synchronization information does not help during a cluster failover Transferring of a control over traffic (packet filtering) from a Cluster Member that suffered a failure to another Cluster Member (based on internal cluster algorithms). Synonym: Fail-over..

• You can decide not to synchronize TCP, UDP and other service types. By default, Cluster Members synchronize all these services.

• The VRRP and the IGMP protocols are not synchronized by default (but you can choose to turn on synchronization for these protocols).

• Broadcast and multicast connections are not, and cannot be, synchronized.

You may choose not to synchronize a service if these conditions are true:

• A significant amount of traffic goes through the cluster. Not synchronizing the service reduces the amount of synchronization traffic, and so enhances cluster performance.

• The service typically opens short connections, whose loss may not be noticed. DNS (over UDP) and HTTP are typically responsible for most connections, frequently have short life, and inherent recoverability in the application level. Services that open long connections, such as FTP, should always be synchronized.

• Configurations that ensure bi-directional stickiness for all connections, do not require synchronization to operate (only to maintain High Availability A redundant cluster mode, where only one Cluster Member (Active member) processes all the traffic, while other Cluster Members (Standby members) are ready to be promoted to Active state if the current Active member fails. In the High Availability mode, the Cluster Virtual IP address (that represents the cluster on that network) is associated: (1) With physical MAC Address of Active member (2) With virtual MAC Address. Synonym: Active/Standby. Acronym: HA.). Such configurations include:

  • Any cluster in High Availability mode (for example, ClusterXL Cluster of Check Point Security Gateways that work together in a redundant configuration. The ClusterXL both handles the traffic and performs State Synchronization. These Check Point Security Gateways are installed on Gaia OS: (1) ClusterXL supports up to 5 Cluster Members, (2) VRRP Cluster supports up to 2 Cluster Members, (3) VSX VSLS cluster supports up to 13 Cluster Members. Note: In ClusterXL Load Sharing mode, configuring more than 4 Cluster Members significantly decreases the cluster performance due to amount of Delta Sync traffic. High Availability, or VRRP on Gaia Check Point security operating system that combines the strengths of both SecurePlatform and IPSO operating systems.).

  • ClusterXL in a Load Sharing A redundant cluster mode, where all Cluster Members process all incoming traffic in parallel. For more information, see "Load Sharing Multicast Mode" and "Load Sharing Unicast Mode". Synonyms: Active/Active, Load Balancing mode. Acronym: LS. mode with clear connections (no VPN, or Static NAT).

  • VPN and Static NAT connections passing through a ClusterXL cluster in a Load Sharing mode (either multicast, or unicast) may not maintain bi-directional stickiness. State Synchronization Technology that synchronizes the relevant information about the current connections (stored in various kernel tables on Check Point Security Gateways) among all Cluster Members over Synchronization Network. Due to State Synchronization, the current connections are not cut off during cluster failover. must be turned on for such environments.

You can have a synchronized service and a non-synchronized definition of a service, and use them selectively in the Rule Base All rules configured in a given Security Policy. Synonym: Rulebase.. For more information, see the R80.40 Security Management Administration Guide.

To configure a service not to synchronize in a cluster:

1. In SmartConsole Check Point GUI application used to manage a Check Point environment - configure Security Policies, configure devices, monitor products and events, install updates, and so on., click Objects > Object Explorer.

2. In the left tree, select Services.

3. Double-click the applicable existing synchronized service, for which you need to create a non-synchronized counterpart service.

4. Write down State of a Cluster Member during a failure when one of the Critical Devices reports its state as "problem": In ClusterXL, applies to the state of the Security Gateway component; in 3rd-party / OPSEC cluster, applies to the state of the State Synchronization mechanism. A Cluster Member in this state does not process any traffic passing through cluster. all the settings from both the General and Advanced pages.

5. Click OK.

6. Click New > Service > > select the applicable service type.

7. Enter the applicable name that distinguishes the new non-synchronized counterpart service from the existing synchronized service.

8. On the General page, configure the same settings as in the existing synchronized service.

9. On the Advanced page:

   1. Configure the same settings as in the existing synchronized service.

   2. In the Cluster and synchronization section, clear Synchronize connections if State Synchronization is enabled on the cluster.

      Important - This change applies to all policies that use this service.

10. Click OK.

11. Close the Object Explorer.

12. Use the synchronized service and the non-synchronized counterpart service in the applicable rules in the applicable Access Control Policies.

13. Publish the SmartConsole session.

14. Install the Access Control Policy on the cluster object.