Configuring Services to Synchronize After a Delay

Some TCP services (for example, HTTP) are characterized by connections with a very short duration. There is no point in synchronizing these connections, because every synchronized connection consumes resources on Cluster Members, and the connection is likely to have finished by the time a cluster failover occurs.

For short-lived services, you can use the Delayed Notifications feature to delay telling the Cluster Member about a connection, so that the connection is only synchronized if it still exists X seconds after the connection was initiated. The Delayed Notifications feature requires SecureXL to be enabled on all Cluster Members (this is the default).

Note - In the Load Sharing Multicast mode, Cluster Members ignore this setting for asymmetric connections - when a response from a server to a client arrives at a different Cluster Member than the one that handled a request from a client to a server.
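The model below is an added example, not Check Point code: it shows which connections a delay of X seconds would synchronize, and which connections open at the moment of failover would not yet be synchronized. It assumes, as a simplification, that a connection that was never synchronized does not survive failover; the names Conn, sync_notifications and failover_outcome and the sample connections are constructed for illustration.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Conn:
    name: str
    start: float  # seconds since the start of the observation window
    end: float    # time at which the connection closed


def is_synchronized(conn, delay, now):
    """True if the connection outlived the delay and the delay has already elapsed."""
    sync_at = conn.start + delay
    return conn.end > sync_at and now >= sync_at


def sync_notifications(conns, delay):
    """Names of connections that are ever synchronized with the given delay."""
    return [c.name for c in conns if c.end - c.start > delay]


def failover_outcome(conns, delay, failover_at):
    """Split connections open at failover into (synchronized, not synchronized)."""
    open_conns = [c for c in conns if c.start <= failover_at < c.end]
    kept = [c.name for c in open_conns if is_synchronized(c, delay, failover_at)]
    lost = [c.name for c in open_conns if c.name not in kept]
    return kept, lost


# Constructed sample: three short HTTP requests and two long-lived connections.
SAMPLE = [
    Conn("http-1", 0.0, 0.4),
    Conn("http-2", 1.0, 1.8),
    Conn("http-3", 9.5, 10.3),      # short, but open when failover happens
    Conn("download", 2.0, 95.0),
    Conn("websocket", 8.0, 400.0),  # long-lived, but only 2 s old at failover
]

if __name__ == "__main__":
    for delay in (0, 5):
        synced = sync_notifications(SAMPLE, delay)
        kept, lost = failover_outcome(SAMPLE, delay, failover_at=10.0)
        print(f"delay={delay}s synchronized={synced}")
        print(f"  failover at t=10s: kept={kept} not synchronized={lost}")
```

With a 5 second delay the three HTTP connections never generate a synchronization, but the long-lived "websocket" connection is also unprotected at failover because it is younger than the delay.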

Procedure:

  1. In SmartConsole, click Objects > Object Explorer.

  2. In the left tree, click the small arrow to the left of Services to expand this category.

  3. In the left tree, select TCP.

  4. Search for the applicable TCP service.

  5. Double-click the applicable TCP service.

  6. In the TCP service properties window, click the Advanced page.

  7. At the top, select Override default settings.

    On Domain Management Server: select Override global domain settings.

  8. At the bottom, in the Cluster and synchronization section:

    1. Select Synchronize connections on cluster if State Synchronization is enabled on the cluster.

    2. Select Start synchronizing.

    3. Enter the applicable value.

    Important - This change applies to all policies that use this service.

  9. Click OK.

  10. Close the Object Explorer.

  11. Publish the SmartConsole session.

  12. Install the Access Control Policy on the cluster object.

Note - The Delayed Notifications setting in the service object is ignored if Connection Templates are not offloaded by the Firewall to SecureXL. For additional information about Connection Templates, see the R80.40 Performance Tuning Administration Guide.