Cluster IP Addresses on Different Subnets

You can configure cluster Two or more Security Gateways that work together in a redundant configuration - High Availability, or Load Sharing. Virtual IP addresses in different subnets than the physical IP addresses of the Cluster Members.

The network "sees" the cluster as one Security Gateway Dedicated Check Point server that runs Check Point software to inspect traffic and enforce Security Policies for connected network resources. that operates as a network router. The network is not aware of the internal cluster structure and physical IP addresses of Cluster Members.

Advantages of using different subnets:

You can create a cluster in an existing subnet that has a shortage of available IP addresses.
You use only one Virtual IP address for the cluster. All other IP addresses can be on other subnets.

You can "hide" physical Cluster Members' IP addresses behind the cluster Virtual IP address. This security practice is almost the same as NAT.

Note - This capability is available only for ClusterXL Cluster of Check Point Security Gateways that work together in a redundant configuration. The ClusterXL both handles the traffic and performs State Synchronization. These Check Point Security Gateways are installed on Gaia OS: (1) ClusterXL supports up to 5 Cluster Members, (2) VRRP Cluster supports up to 2 Cluster Members, (3) VSX VSLS cluster supports up to 13 Cluster Members. Note: In ClusterXL Load Sharing mode, configuring more than 4 Cluster Members significantly decreases the cluster performance due to amount of Delta Sync traffic. clusters.

Traffic sent from Cluster Members to internal or external networks is hidden behind the cluster Virtual IP addresses and cluster MAC addresses. The cluster MAC address assigned to cluster interfaces is:

Cluster Mode	MAC Address
High Availability A redundant cluster mode, where only one Cluster Member (Active member) processes all the traffic, while other Cluster Members (Standby members) are ready to be promoted to Active state if the current Active member fails. In the High Availability mode, the Cluster Virtual IP address (that represents the cluster on that network) is associated: (1) With physical MAC Address of Active member (2) With virtual MAC Address. Synonym: Active/Standby. Acronym: HA.	MAC address of the Active State of a Cluster Member that is fully operational: (1) In ClusterXL, this applies to the state of the Security Gateway component (2) In 3rd-party / OPSEC cluster, this applies to the state of the cluster State Synchronization mechanism. Cluster Member Security Gateway that is part of a cluster.'s interface
Load Sharing A redundant cluster mode, where all Cluster Members process all incoming traffic in parallel. For more information, see "Load Sharing Multicast Mode" and "Load Sharing Unicast Mode". Synonyms: Active/Active, Load Balancing mode. Acronym: LS. Multicast	Multicast MAC address of the cluster Virtual IP Address
Load Sharing Unicast	MAC address of the Pivot A Cluster Member in the Unicast Load Sharing cluster that receives all packets. Cluster Virtual IP addresses are associated with Physical MAC Addresses of this Cluster Member. This Pivot Cluster Member distributes the traffic between other Non-Pivot Cluster Members. Cluster Member's interface

The use of different subnets with cluster objects has some limitations - see Limitations of Cluster Addresses on Different Subnets.

Configuration:

Follow the steps in Example of Cluster IP Addresses on Different Subnets.