Dynamic Routing Protocols in a Cluster Deployment
ClusterXL supports Dynamic Routing (Unicast and Multicast) protocols as an integral part of Gaia Operating System.
As the network infrastructure views the clustered Security Gateway as a single logical entity, failure of a Cluster Member will be transparent to the network infrastructure and will not result in a ripple effect.
Router IP Address
All Cluster Members use the Cluster Virtual IP address(es) as Router IP address(es).
Routing Table Synchronization
Routing information is synchronized among the Cluster Members using the Forwarding Information Base (FIB) Manager process.
This is done to prevent traffic interruption in case of failover, and is used for Load Sharing and High Availability modes.
The FIB Manager is responsible for the routing information.
The FIB Manager is registered as a Critical Device called "FIB". If the routing database goes out of sync, this Critical Device reports its state as "problem". As a result, the Cluster Member changes its state to "DOWN" until the FIB Manager is synchronized.
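An added health check (not part of the Check Point documentation) that reads the Critical Device list and reports whether the "FIB" pnote is in the "OK" state; it assumes the block layout of `cphaprob -ia list` shown in the constructed sample ("Device Name:" / "Current state:" pairs per device), so adjust the field names if your release prints them differently.

```python
"""Evaluate the 'FIB' Critical Device (pnote) state on a ClusterXL member."""
import subprocess
from typing import Dict

# Constructed sample output (assumed layout), so the example runs offline.
SAMPLE_OUTPUT = """\
Registered Devices:

Device Name: Synchronization
Registration number: 0
Timeout: none
Current state: OK
Time since last report: 6245.8 sec

Device Name: FIB
Registration number: 3
Timeout: none
Current state: problem
Time since last report: 12.1 sec
"""


def parse_pnotes(text: str) -> Dict[str, str]:
    """Return {device name: current state} for every registered device.
    Devices are separated by blank lines; each block carries a
    'Device Name:' line and a 'Current state:' line."""
    states: Dict[str, str] = {}
    for block in text.strip().split("\n\n"):
        name = state = None
        for line in block.splitlines():
            key, _, value = line.partition(":")
            if key.strip() == "Device Name":
                name = value.strip()
            elif key.strip() == "Current state":
                state = value.strip()
        if name and state:
            states[name] = state
    return states


def fib_in_sync(states: Dict[str, str]) -> bool:
    """True only if the FIB pnote is registered and reports 'OK'.
    Any other state (e.g. 'problem') means the routing database is out of
    sync and the member is held in DOWN until the FIB Manager resyncs."""
    return states.get("FIB", "").upper() == "OK"


def check_live() -> bool:
    """Run the real command on a Gaia member (Expert mode) and evaluate it."""
    proc = subprocess.run(["cphaprob", "-ia", "list"],
                          capture_output=True, text=True, check=True)
    return fib_in_sync(parse_pnotes(proc.stdout))
```

Run `check_live()` on the member itself; a `False` result means the member is not processing traffic until the FIB Manager is back in sync, so it is a useful alarm condition for cluster monitoring.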
Wait for Clustering
- When Dynamic Routing protocols and/or DHCP Relay are configured on cluster, the "Wait for Clustering" option must be enabled in these cluster modes:
  - ClusterXL High Availability
  - ClusterXL Load Sharing Unicast
  - ClusterXL Load Sharing Multicast
  - VSX Load Sharing (VSLS)
- When Dynamic Routing protocols and/or DHCP Relay are configured on cluster, the "Wait for Clustering" option must be disabled in these cluster modes:
  - VRRP Cluster on Gaia OS
For more information, see sk92322.
Failure Recovery
Dynamic Routing on ClusterXL avoids creating a ripple effect upon failover by informing the neighboring routers that the router has exited a maintenance mode.
The neighboring routers then reestablish their relationships to the cluster, without informing the other routers in the network.
These restart protocols are widely adopted by all major networking vendors.
This table lists the RFC and drafts compliant with Check Point Dynamic Routing:
| Protocol | RFC or Draft |
|---|---|
| OSPF Graceful restart | |
| OSPF LLS | |
| BGP Graceful restart | |