ClusterXL Mode Considerations
Choosing High Availability, Load Sharing, or Active-Active mode
Which cluster mode to choose depends on the needs and requirements of the organization. Cluster Members can be configured to work in one of these redundant modes: either one Cluster Member processes all the traffic (High Availability or VRRP mode), or all traffic is processed in parallel by all Cluster Members (Load Sharing).
- A High Availability cluster mode ensures fail-safe connectivity for the organization. In this mode, only one Cluster Member (the Active member) processes all the traffic, while the other Cluster Members (Standby members) are ready to be promoted to the Active state if the current Active member fails. The Cluster Virtual IP address that represents the cluster on a network is associated either with the physical MAC address of the Active member or with a virtual MAC address. Synonym: Active/Standby. Acronym: HA.
- A Load Sharing cluster mode ensures fail-safe connectivity for the organization and provides the additional benefit of increased performance. In this mode, all Cluster Members process all incoming traffic in parallel. For more information, see "Load Sharing Multicast Mode" and "Load Sharing Unicast Mode". Synonyms: Active/Active, Load Balancing mode. Acronym: LS.
- An Active-Active cluster mode (in versions R80.40 and higher) supports deployment of Cluster Members in different geographical areas (different sites, different cloud availability zones, different networks). This mode supports the configuration of IP addresses from different subnets on all cluster interfaces, including the Sync interfaces. Each Cluster Member inspects all traffic routed to it and synchronizes the recorded connections to its peer Cluster Members. The traffic is not balanced between the Cluster Members.
See ClusterXL Mode Comparison.
Considerations for the Load Sharing Mode
Load Sharing Multicast mode is an efficient way to handle a high traffic load, because the load is distributed optimally between all Active (fully operational) Cluster Members.
However, not all switches can be used for Load Sharing Multicast mode. Load Sharing Multicast mode associates a multicast Cluster MAC address with each unicast Cluster Virtual IP address. This ensures that traffic destined for the cluster is received by all Cluster Members.
In response to ARP Request packets for a Cluster Virtual IP address, Cluster Members send ARP Replies that contain the unicast Cluster Virtual IP address and a multicast MAC address. Some switches do not accept such ARP Replies. For some switches, adding a static ARP entry for the unicast Cluster Virtual IP address and the multicast MAC address solves the issue. Other switches do not accept this type of static ARP entry.
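As an added example (not Check Point's code), here is a small Python diagnostic that decodes ARP frames and flags the pattern described above, a unicast IP answered with a multicast MAC, so you can confirm what the cluster is actually advertising before deciding whether a switch needs a static ARP entry. The MAC and IP values in it are constructed placeholders, not real cluster values.

```python
import struct
from ipaddress import IPv4Address

ETHERTYPE_ARP = 0x0806
ARP_REQUEST, ARP_REPLY = 1, 2

def build_arp(sha: bytes, spa: str, tha: bytes, tpa: str, oper: int = ARP_REPLY) -> bytes:
    """Build an Ethernet II frame carrying an ARP packet (RFC 826 layout, IPv4 over Ethernet)."""
    eth = tha + sha + struct.pack("!H", ETHERTYPE_ARP)
    arp = struct.pack("!HHBBH", 1, 0x0800, 6, 4, oper)
    arp += sha + IPv4Address(spa).packed + tha + IPv4Address(tpa).packed
    return eth + arp

def parse_arp(frame: bytes) -> dict:
    """Decode the ARP payload of an Ethernet frame; reject anything that is not IPv4-over-Ethernet ARP."""
    if len(frame) < 42:
        raise ValueError("frame too short for Ethernet + ARP")
    if struct.unpack("!H", frame[12:14])[0] != ETHERTYPE_ARP:
        raise ValueError("not an ARP frame")
    htype, ptype, hlen, plen, oper = struct.unpack("!HHBBH", frame[14:22])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        raise ValueError("unsupported ARP hardware/protocol type")
    return {"oper": oper, "sha": frame[22:28], "spa": str(IPv4Address(frame[28:32])),
            "tha": frame[32:38], "tpa": str(IPv4Address(frame[38:42]))}

def is_multicast_mac(mac: bytes) -> bool:
    """The I/G bit (least significant bit of the first octet) marks a group, i.e. multicast, MAC address."""
    return bool(mac[0] & 0x01)

def classify_arp_reply(frame: bytes) -> str:
    """'multicast-mac' for a reply mapping an IP to a multicast MAC (the Load Sharing Multicast pattern
    some switches reject), 'unicast-mac' for an ordinary reply, 'not-a-reply' for requests."""
    arp = parse_arp(frame)
    if arp["oper"] != ARP_REPLY:
        return "not-a-reply"
    return "multicast-mac" if is_multicast_mac(arp["sha"]) else "unicast-mac"

# Constructed sample frames: placeholder MACs and documentation IPs, not values from any real cluster.
REQUESTER_MAC = bytes.fromhex("0a1b2c3d4e5f")
CLUSTER_VIP = "192.0.2.10"
MULTICAST_REPLY = build_arp(bytes.fromhex("010203040506"), CLUSTER_VIP, REQUESTER_MAC, "192.0.2.20")
UNICAST_REPLY = build_arp(bytes.fromhex("0a1b2c3d4e60"), CLUSTER_VIP, REQUESTER_MAC, "192.0.2.20")

if __name__ == "__main__":
    for frame in (MULTICAST_REPLY, UNICAST_REPLY):
        arp = parse_arp(frame)
        print(f"{arp['spa']} is-at {arp['sha'].hex(':')}: {classify_arp_reply(frame)}")
```

To use it on live traffic, feed it the raw Ethernet frames of ARP replies captured on the segment in front of the cluster (for example, from a pcap reader) instead of the constructed frames.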
Another consideration is whether your deployment includes networking devices with interfaces operating in promiscuous mode. If two such networking devices and a ClusterXL in Load Sharing Multicast mode exist on the same network segment, traffic destined for the cluster that is generated by one of the networking devices could also be processed by the other networking device.
For these cases, use Load Sharing Unicast mode, which does not require the use of a multicast MAC address for the Cluster Virtual IP addresses.
ClusterXL supports up to 5 Cluster Members (a VRRP cluster supports up to 2, and a VSX VSLS cluster up to 13). Note: In ClusterXL Load Sharing mode, configuring more than 4 Cluster Members significantly decreases cluster performance due to the amount of Delta Sync traffic.
In addition, see:
IP Address Migration
If you wish to provide High Availability or Load Sharing to an existing Security Gateway configuration, we recommend taking the existing IP addresses from the Active Security Gateway and making these the Cluster Virtual IP addresses, when feasible. Doing so lets you avoid altering the current IPsec endpoint identities, and in many cases keeps Hide NAT configurations the same.