ConnectControl - Server Load Balancing

Important - Scalable Platforms (Maestro and Chassis) do not support this feature (Known Limitation MBS-14173).

ConnectControl is a Check Point solution for balancing the traffic that passes through Check Point Security GatewayClosed Dedicated Check Point server that runs Check Point software to inspect traffic and enforce Security Policies for connected network resources. or ClusterClosed Two or more Security Gateways that work together in a redundant configuration - High Availability, or Load Sharing. towards servers behind the Check Point Security Gateway or Cluster.

ConnectControl does not consume more memory or CPU processing power on Security Gateway or Cluster Members.

ConnectControl Packet Flow

Load-balanced servers are represented by one Virtual IP address.

In SmartConsoleClosed Check Point GUI application used to manage a Check Point environment - configure Security Policies, configure devices, monitor products and events, install updates, and so on., you define a Logical Server object that represents a group of physical servers.

The Logical Server takes service requests for the load-balanced application and directs the requests to the applicable physical server.

When a client requests access to an application that is load balanced by ConnectControl, the request goes through the Security Gateway or Cluster.




Client request - A client starts a connection with the logical IP address of the application server (the address assigned to the Logical server).


Internet - The service request goes through the Internet.


Security Gateway - The service request arrives at the destination public IP address of the Logical Server, which is on the Security Gateway. The request is matched to the Logical Server ruleClosed Set of traffic parameters and other conditions in a Rule Base (Security Policy) that cause specified actions to be taken for a communication session. in the Rule BaseClosed All rules configured in a given Security Policy. Synonym: Rulebase.. The Security Gateway directs the request to the internal IP address of the Logical Server group.


Logical Server - ConnectControl determines which server in the Logical Server group is best for the request, based on the selected load-balancing method.

Note - Make sure that rules that allow traffic for services to ConnectControl Logical Servers and that server groups are before Access Control Policy rules that allow traffic for those services.

Configuring ConnectControl

This procedure explains the steps to set up ConnectControl in your environment.