Synchronized Cluster Restrictions
These restrictions apply when you synchronize Cluster Members (a cluster is two or more Security Gateways that work together in a redundant configuration: High Availability or Load Sharing):
- The use of more than one dedicated physical interface for synchronization redundancy is not supported.
  You can use Bonding for synchronization interface redundancy (see Sync Redundancy).
  Synchronization interface redundancy is not supported for VRRP Clusters. See sk92804.
- All Cluster Members must run on identically configured hardware platforms.
- If a Cluster Member (a Security Gateway that is part of a cluster) goes down, user-authenticated connections through that member are lost. A member is in the Down state during a failure when one of its Critical Devices reports its state as "problem" (in ClusterXL this applies to the state of the Security Gateway component; in a 3rd-party / OPSEC cluster, to the state of the State Synchronization mechanism); a Cluster Member in this state does not process any traffic passing through the cluster.
  Other Cluster Members cannot restore the connection.
  By contrast, Cluster Members do maintain client-authenticated and session-authenticated connections.
  The reason for this restriction is that a user space process on each Cluster Member maintains the user authentication state, and Cluster Members cannot synchronize user space information in the same way as they synchronize kernel space information. The states of Session Authentication and Client Authentication are saved in kernel tables, which the Cluster Members do synchronize.
- Cluster Members cannot synchronize connection statuses that use system resources. The reason is the same as for user-authenticated connections.
- Accounting information for connections is accumulated on each Cluster Member, sent to the Management Server (a Check Point Single-Domain Security Management Server or a Multi-Domain Security Management Server), and aggregated there.
  In the event of a cluster failover (the transfer of control over traffic, that is, packet filtering, from a Cluster Member that suffered a failure to another Cluster Member, based on internal cluster algorithms; synonym: fail-over), accounting information that has not yet been sent to the Management Server is lost.
  To minimize this risk, you can shorten the interval at which accounting information is sent: in the cluster object > Logs > Additional Logging pane, set a lower value for the Update Account Log every attribute.