Introduction to ClusterXL

The Need for Clusters

Security Gateways and VPN connections are business-critical. The failure of a Security Gateway or VPN connection can result in the loss of active connections and access to critical data. The Security Gateway between the organization and the world must remain open under all circumstances.

ClusterXL Solution

ClusterXL is a Check Point software-based cluster solution for Security Gateway redundancy and Load Sharing. A ClusterXL Security Cluster contains identical Check Point Security Gateways.

  • A High Availability Security Cluster ensures Security Gateway and VPN connection redundancy by providing transparent failover to a backup Security Gateway in the event of failure.

  • A Load Sharing Security Cluster provides reliability and also increases performance, as all members are active.




[Figure: ClusterXL topology showing the internal network, the switch for the internal network, the Security Gateways with the ClusterXL Software Blade, and the switch for external networks.]



How ClusterXL Works

ClusterXL uses State Synchronization to keep active connections alive and prevent data loss when a Cluster Member fails. With State Synchronization, each Cluster Member "knows" about connections that go through other Cluster Members.

ClusterXL uses virtual IP addresses for the cluster itself and unique physical IP and MAC addresses for the Cluster Members. Virtual IP addresses do not belong to physical interfaces.

Note - This guide contains information only for Security Gateway clusters. For additional information about the use of ClusterXL with VSX, see the R81 VSX Administration Guide.

The Cluster Control Protocol

The Cluster Control Protocol (CCP) packets are the glue that links together the members in the Security Cluster.

CCP traffic is distinct from ordinary network traffic and can be viewed using any network sniffer.

CCP runs on UDP port 8116 between the Cluster Members, and has the following roles:

  • It allows Cluster Members to report their own states and learn about the states of other members by sending keep-alive packets (this only applies to ClusterXL clusters).

  • State Synchronization (Delta Sync).

The Check Point CCP is used by all ClusterXL modes.

Important - There is no need to add an explicit rule to the Security Policy Rule Base that accepts CCP packets.
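Because CCP is ordinary UDP on port 8116 and is expected only between Cluster Members, a capture can be audited for CCP packets from any other source. The following is an added example, not Check Point code: the member addresses, the sample packets (raw IPv4, no link-layer header) and all function names are constructed for illustration.

```python
import ipaddress
import struct

CCP_PORT = 8116  # UDP port the guide gives for CCP

def build_ipv4_udp(src, dst, sport, dport, payload=b""):
    """Build a minimal IPv4/UDP packet (checksums zeroed) for the constructed samples."""
    udp = struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 0, 0, 64, 17, 0,
                     ipaddress.IPv4Address(src).packed,
                     ipaddress.IPv4Address(dst).packed)
    return ip + udp

def parse_udp(packet):
    """Return (src, dst, sport, dport) for an unfragmented IPv4/UDP packet, else None."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        return None
    ihl = (packet[0] & 0x0F) * 4
    frag_offset = struct.unpack("!H", packet[6:8])[0] & 0x1FFF
    if ihl < 20 or packet[9] != 17 or frag_offset or len(packet) < ihl + 8:
        return None  # not UDP, a later fragment, or truncated
    src = str(ipaddress.IPv4Address(packet[12:16]))
    dst = str(ipaddress.IPv4Address(packet[16:20]))
    sport, dport = struct.unpack("!HH", packet[ihl:ihl + 4])
    return src, dst, sport, dport

def audit_ccp(packets, members):
    """Split port-8116 traffic into packets from known members and from anything else."""
    expected, unexpected = [], []
    for pkt in packets:
        parsed = parse_udp(pkt)
        if parsed is None or parsed[3] != CCP_PORT:
            continue  # not CCP by port; ignore
        (expected if parsed[0] in members else unexpected).append(parsed)
    return expected, unexpected

# Constructed inventory and capture (documentation address range, not real hosts).
MEMBERS = {"192.0.2.1", "192.0.2.2"}
SAMPLE_PACKETS = [
    build_ipv4_udp("192.0.2.1", "192.0.2.2", 8116, 8116, b"x"),   # member to member
    build_ipv4_udp("192.0.2.2", "192.0.2.1", 8116, 8116, b"x"),   # member to member
    build_ipv4_udp("192.0.2.77", "192.0.2.1", 40000, 8116, b"x"), # non-member source
    build_ipv4_udp("192.0.2.1", "192.0.2.2", 5353, 53),           # unrelated UDP
    b"\x45\x00\x00",                                              # truncated packet
]

if __name__ == "__main__":
    ok, bad = audit_ccp(SAMPLE_PACKETS, MEMBERS)
    print(f"{len(ok)} CCP packets from members")
    for src, dst, sport, dport in bad:
        print(f"unexpected CCP source {src}:{sport} -> {dst}:{dport}")
```

The check uses only the addresses and the port number; it does not interpret the CCP payload.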

For more information, see: