01-06-2010 07:35 AM - edited 03-06-2019 09:10 AM
Hi,
Is anybody familiar with the design of a Checkpoint FW cluster and 2 Cisco routers running GLBP towards the cluster as the DG?
I suspect it does not work 100%.
Is there any recommendation for an FHRP protocol working with Checkpoint? (HSRP, VRRP)
thanks.
01-06-2010 08:23 AM
Aviyoshi10 wrote:
Hi,
Is anybody familiar with the design of a Checkpoint FW cluster and 2 Cisco routers running GLBP towards the cluster as the DG?
I suspect it does not work 100%.
Is there any recommendation for an FHRP protocol working with Checkpoint? (HSRP, VRRP)
thanks.
Avi
If you mean the routers run GLBP and the Checkpoint cluster points to the DG of the GLBP, then there is no benefit. GLBP works by allocating different MAC addresses to different routers, but the Checkpoint cluster will always appear as one MAC address, so it will always go to the same router. So you may as well use HSRP.
Jon
01-06-2010 08:03 AM
Hi Avi
Did you mean GLBP towards the Checkpoint cluster? Does this mean the routers point their default gateway to Checkpoint?
Normally you can run GLBP on the LAN interfaces of the routers, and the firewalls would have a default route towards the routers' virtual IP. You can define an AVG to forward data coming from your firewalls. I'm not sure what proprietary clustering protocol Checkpoint runs, but I was mentioning the router end... Do you need help on configurations or just the design?
Regards
Raj
01-09-2010 04:50 AM
Hello Avi,
Let me expand on Jon's answer.
GLBP works by answering ARP requests from clients with different virtual MAC addresses (AVF MAC addresses) when they try to resolve the default gateway. This is done by the AVG. If there is only one client, that is the active FW, once it has done its ARP request it uses the answer, so there is no load balancing: for all the time the ARP entry stays in the ARP table of the FW, only one router (the one associated with the specific AVF) is used.
If there were multiple clients, GLBP would provide a form of outbound load balancing.
The next time the FW ARPs for the VIP, the AVG will give it a new AVF, so over a long time both routers are used, but this is not considered true load balancing.
That is, the practical result is quite similar to that of HSRP or VRRP.
This doesn't mean any connectivity issue, just a lack of load balancing.
Hope to help
Giuseppe
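To make the point Jon and Giuseppe describe concrete, here is a small simulation, added to this thread and not taken from Cisco or Checkpoint documentation. It assumes GLBP's default round-robin AVF assignment and a fixed ARP cache lifetime; the MAC addresses and ARP timeout are constructed sample values.

```python
"""Toy model of GLBP's ARP-based load sharing (added example, not from the thread).

Assumption: the AVG answers each ARP request for the virtual IP with the next
AVF virtual MAC in round-robin order, and each client caches that answer for
arp_ttl ticks before asking again.
"""
from collections import Counter
from itertools import cycle

# Constructed sample: two routers, each owning one AVF virtual MAC.
AVF_MACS = ["0007.b400.0101", "0007.b400.0102"]  # router 1, router 2


class ActiveVirtualGateway:
    """Round-robin AVG: hands out AVF MACs in turn to successive ARP requests."""

    def __init__(self, avf_macs):
        self._next = cycle(avf_macs)

    def arp_reply(self, client_ip):
        # The client IP is not used for round-robin, only for realism.
        return next(self._next)


def simulate(client_ips, packets_per_tick, arp_ttl, sim_ticks, avg):
    """Return a Counter of packets forwarded via each AVF MAC.

    A client re-ARPs for the virtual IP only when its cached entry expires,
    so a single client (a firewall cluster with one MAC) sticks to one router
    for a whole arp_ttl, while many clients are spread across routers.
    """
    cache = {}  # client_ip -> (avf_mac, tick at which the entry expires)
    seen = Counter()
    for t in range(sim_ticks):
        for ip in client_ips:
            mac, expiry = cache.get(ip, (None, -1))
            if t >= expiry:  # ARP entry expired (or never existed): ask AVG
                mac = avg.arp_reply(ip)
                cache[ip] = (mac, t + arp_ttl)
            seen[mac] += packets_per_tick
    return seen


if __name__ == "__main__":
    # One client (the FW cluster): every packet leaves via the same router.
    print(simulate(["10.0.0.1"], 10, 14400, 3600, ActiveVirtualGateway(AVF_MACS)))
    # Ten clients: traffic is split evenly between the two AVFs.
    hosts = [f"10.0.0.{i}" for i in range(1, 11)]
    print(simulate(hosts, 10, 14400, 3600, ActiveVirtualGateway(AVF_MACS)))
```

Shortening arp_ttl below sim_ticks shows the single client migrating to the other AVF after each expiry, which is the "over a long time both routers are used" behaviour above.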
01-06-2010 08:32 AM
Hi Avi,
As I understand, your query is divided into two parts, with a suggestion for each:
1) If you want GLBP to run at the Cisco end, it will work, as Checkpoint will be pointing towards the DG of the VIP of GLBP.
2) If it is a Checkpoint cluster, that means a single IP representing two firewalls, which means in the cluster the firewalls will be working in VRRP mode to achieve HA. Now at this point both routers can point their DG to the Checkpoint cluster IP of that interface.
Hope that clears your query!!
Regards
Ganesh.H
01-09-2010 05:12 AM
Another option is MHSRP, but this will require the Checkpoint FWs to be configured with different default routes pointing to different virtual HSRP addresses. In an environment where CP FWs are clustered together and each cluster member should have the same configuration, this is not possible.
http://www.cisco.com/en/US/tech/tk648/tk362/technologies_configuration_example09186a0080094e90.shtml
Francisco
05-29-2010 04:00 PM
From this it sounds like we are talking about outbound... like the firewall will only choose one way out. Now what about inbound, if both of my routers connect back to my MPLS WAN? So maybe outbound is one way, but will inbound being two ways cause issues with the Checkpoint FW?