Check Point Clustering

ClusterXL

Check Point’s ClusterXL is a software-based Load Sharing and High Availability solution that distributes traffic between clusters of redundant Security Gateways.

High Availability
Allows for an Active-Standby setup where one node (Active) passes all the traffic. In the event of a failure, the Standby node is promoted to the Active node.

  • New Mode – Both devices have their own IP and MAC addresses. A Virtual IP (VIP) is used, which takes the MAC address of the Active gateway. Traffic is directed to the VIP and passed to the Active gateway. Gratuitous ARP is used to update the VIP's MAC address on neighboring devices at the point of failover.
  • Legacy Mode – Both gateways use the same IP and MAC address. The standby gateway interfaces remain disabled unless the master fails and the gateway is promoted to master.
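
The New Mode failover behaviour can be checked from a neighboring segment by watching gratuitous ARP for the VIP and confirming that any new MAC belongs to a cluster member. The following is an added example, not code from the original post or from Check Point; the VIP, the MAC addresses and all function names are constructed assumptions.

```python
import struct

# Constructed sample values (assumptions, not taken from the original page).
VIP = "192.0.2.1"
MEMBER_MACS = {"02:00:00:00:00:01", "02:00:00:00:00:02"}  # each gateway's own MAC

def parse_garp(frame):
    """Return (ip, mac) if frame is a gratuitous IPv4 ARP over Ethernet, else None."""
    if len(frame) < 42 or struct.unpack("!H", frame[12:14])[0] != 0x0806:
        return None
    htype, ptype, hlen, plen, oper = struct.unpack("!HHBBH", frame[14:22])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4) or oper not in (1, 2):
        return None
    sha, spa, tpa = frame[22:28], frame[28:32], frame[38:42]
    if spa != tpa:  # a gratuitous ARP announces the sender's own IP
        return None
    return ".".join(str(b) for b in spa), ":".join(f"{b:02x}" for b in sha)

def classify(frames, vip=VIP, members=MEMBER_MACS):
    """Track the VIP-to-MAC mapping and label every change seen on the wire."""
    current, events = None, []
    for frame in frames:
        parsed = parse_garp(frame)
        if parsed is None or parsed[0] != vip or parsed[1] == current:
            continue
        mac = parsed[1]
        if mac not in members:
            events.append(("unexpected_mac", mac))  # VIP claimed by a non-member
        elif current is None:
            events.append(("initial", mac))          # first Active gateway seen
        else:
            events.append(("failover", mac))         # VIP moved to another member
        current = mac  # remember the last MAC seen, trusted or not
    return events

def build_arp(sender_mac, sender_ip, target_ip, oper=1):
    """Build a constructed 42-byte Ethernet/ARP frame for the demo."""
    sha = bytes.fromhex(sender_mac.replace(":", ""))
    spa = bytes(int(x) for x in sender_ip.split("."))
    tpa = bytes(int(x) for x in target_ip.split("."))
    eth = b"\xff" * 6 + sha + struct.pack("!H", 0x0806)
    return eth + struct.pack("!HHBBH", 1, 0x0800, 6, 4, oper) + sha + spa + b"\x00" * 6 + tpa

if __name__ == "__main__":
    a, b = "02:00:00:00:00:01", "02:00:00:00:00:02"
    sample = [build_arp(a, VIP, VIP), build_arp(b, VIP, VIP, oper=2),
              build_arp("02:00:00:00:00:99", VIP, VIP)]
    for event in classify(sample):
        print(event)
```
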

Load Sharing
Load sharing distributes the traffic between the nodes so that the traffic load is shared.

  • Multicast – Traffic is sent to both nodes using Multicast (MAC addresses). The nodes then decide between them which node will process the packet.
  • Unicast – Traffic is sent to only one node. This is called the pivot node. The pivot node then either processes the packet or passes it to the other node for processing.

3rd Party Solutions

Both of the 3rd Party solutions are configured primarily within the IPSO operating system, though a few settings, such as state synchronization, are still required within the Check Point Object.

  • Nokia VRRP – Interface checking and failover is dealt with by Nokia's VRRP. This only allows for HA clusters.
  • Nokia IP Clustering – Interface checking and failover is dealt with by Nokia's IP clustering. This allows for both HA and Load Sharing cluster configurations.

In both cases above you can use and configure ClusterXL for state synchronization.

Rick Donato
