Checkpoint/Nokia Firewall Clustering. Uh Oh.

17th March 2011 by Greg Ferro 53 Comments

I’ve been reviewing a network that has some CheckPoint firewalls that have been unstable, and while this isn’t surprising (in my experience, it’s common for Checkpoint firewalls to be unstable for some reason or the other), this time I’ve been faced with Checkpoint Clustering. A few years back I tried to make this work but gave up when CheckPoint couldn’t make it work either. A few years later, I find someone brave enough to attempt it. This time it’s different, I’m the one who has to justify why it’s a bad idea.

Here we go.

What is CheckPoint Clustering ?

The premise behind CheckPoint clustering is that having two firewalls in active/standby is a bad idea. This is true for CheckPoint because they are so expensive that you can’t afford to keep buying new units so why waste half of your money with the second firewall doing nothing. Therefore, owning two units, and using them in Active/Active mode is perceived as a way of saving money. To make it worse, this very idea is so ‘kleva’ that CheckPoint engineers are commonly known to suggest the practice as a ‘competitive advantage.

There is one useful feature, the fact that you can cluster up to four units into a ‘single cluster’. However, the operational impact of this is very poor. It is not possible to to determine which firewall is handling a given flow, thus making troubleshooting very hard or impossible. Anyone who thinks that the Tracker tool can be used for troubleshooting needs a good spanking – it’s a good logging tool but not a perfect troubleshooting tool.

How does CheckPoint clustering work ?

In fact, Checkpoint doesn’t do the clustering, the Nokia IPSO software does although it seems that the manual makes no reference to this. You might want to refer to Cluster XL Admin Guide for this much improved( since 2007 when I last couldn’t get the manuals because of a paywall) but mostly unhelpful piece of documentation.

It’s worth noting that CheckPoint is actually a piece of software that runs on many platforms. In the past CheckPoint was used on Solaris, Windows and BayRS routers. Today it runs on Nokia IPSO, SPLAT (custom Linux distro) and Crossbeam. As a result, the CheckPoint software isn’t tightly coupled to the networking features of the underlying platform. Perhaps this explains why the manuals miss out on the networking aspects of firewall functions.

Normal Firewall Operation

So lets set a baseline around normal firewall operation.

In normal operation a firewall works this way:

client sends packet
firewall will receive an ARP from from the router,
respond with MAC address that is shared between the firewalls (and transfers between the active and standby unit on failover).
The firewall will receive the packet and forward it to the internal network. The reverse flow is identical.

All this is standards compliant, expected and operationally easy to maintain and troubleshoot.

Checkpoint Clustering Operation

Obviously, to provide clustering something unusual has to happen because either, or both, firewalls need to receive each and every packet that needs to be forwarded. The purpose of clustering is to enable two or more (up to four ??) firewalls to pass flows in a fully load balanced/shared way. Why would you do this ? My view is that CheckPoint / Nokia firewalls are ~~relatively~~ very expensive compared to Cisco/Juniper equivalents, so customers want to make the most of the “investment”. A shortcut like this looks attractive to double the throughput of the system.

From the Manual

From the manual:

ClusterXL uses unique physical IP and MAC addresses for the cluster members and virtual IP addresses to represent the cluster itself. Virtual IP addresses do not belong to an actual machine interface (except in High Availability Legacy mode, explained later). ClusterXL provides an infrastructure that ensures that data is not lost due to a failure, by ensuring that each cluster member is aware of connections passing through the other members. Passing information about connections and other Security Gateway states between the cluster members is known as State Synchronisation.

IP and MAC addresses

No, really, if you don’t understand these you should not be reading this. Return to school, do not collect $200 etc.

State Synchronisation

This is easy enough. Each flow that traverses the firewall creates a entry in a state database on the firewall, and this state database must/should/depends/your choice to be replicated to other firewalls so that if a failure event occurs, the other unit knows what traffic flows you were forwarding and can keep on going.

State Synchronisation means that for every flow on one firewall, it’s data is replicated to other firewalls. It’s most useful for long held data flows such as SQL and not so much for HTTP (YMMV).

Cluster Control Protocol

There is no standard protocol for synchronising such devices so CheckPoint created something with an imaginative name:

The Cluster Control Protocol (CCP) is the glue that links together the machines in the Check Point Gateway Cluster. CCP traffic is distinct from ordinary network traffic and can be viewed using any network sniffer. CCP runs on UDP port 8116, and has the following roles: – It allows cluster members to report their own states and learn about the states of other members by sending keep-alive packets (this only applies to ClusterXL clusters). – State Synchronisation.

Great. Basics are done.

ClusterXL modes

ClusterXL has four working modes:

Load Sharing Multicast Mode
Load Sharing Unicast Mode
New High Availability Mode
High Availability Legacy Mode

Ok, so there are four possible high availability modes. Two of which are actually “clustering” and two of which are NOT – they are ‘High Availability” active/standby. So we will ignore those.

Checkpoint/Nokia Multicast Clustering

Anything with the word ‘Multicast’ in it automatically means trouble. And, you would be right. Except that Checkpoint does naughty multicast. Well, it’s not IP Multicast it’s Ethernet Multicast. Lets walk it through:

For CheckPoint/Nokia the packet flow works something like this:

client sends packet
router will ARP for the next hop MAC address, all firewalls will respond with a Multicast MAC address.
Router sends Ethernet frame with a Multicast MAC address which the switch must treat as a broadcast to all devices in the VLAN
The Cluster protocol will notify one of the firewalls to forward the flow, and it will reach the server.

Let’s consider the reverse direction:

Server sends an ARP request.
Firewalls respond with Multicast MAC address and transmit Ethernet frame.
Server sends Ethernet frame with a Multicast MAC address which the switch must treat as a broadcast to all devices in the VLAN
The Cluster protocol will notify one of the firewalls to forward the flow, and it will reach the server.

and off to the client it goes.

Multicast Ethernet, Undirected Broadcasts and Denial of Service

CheckPoint has now switched to using Ethernet multicast without using IP Multicast. By default, Ethernet switches are configured with IGMP enabled. Therefore after IGMP Query times have expired (about three minutes), the port will start to block the frames and thus disable the Clustering functionality.

Checkpoint recommends three options to ‘fix’ this:

disable IGMP on the switches
configure static MAC address mappings for the multicast mac address on all ports
install an IGMP agent on the firewall

Disable IGMP on the switches

This is the primary recommendation from CheckPoint engineers and from the manual. To be fair, it’s possibly the best of three bad options although it’s most likely to cause significant problems.

When you disable IGMP on your ethernet switches, you are effectively allowing all multicast packets to be broadcast. That is, a multicast frame becomes a broadcast frame and every packet must be handled by every device in the VLAN. That is, broadcast frames are received by all devices, and the software protocol driver of the device must process the broadcast frame before discarding it thus creating performance problems (bus interrupts, buffer memory, CPU, software cycles, etc etc)

This is more commonly known as a Denial of Service Attack.

Consider this scenario:

Lets assume that you have 100Mbps of inbound traffic on a fairly typical, dual router, dual firewall cluster type of setup like the following diagram. In this case, with IGMP disabled, 100Mbps of traffic will sent to the firewall and the standby router and all other devices on the public facing LAN.

In this scenario, each VPN concentrator is connected to a VLAN with Public IPv4 addresses. Since this is the only VLAN with the public address, you can’t put them anywhere else.

The VPN concentrators will needs to handle 100Mbps of broadcast traffic, in addition to the VPN traffic. Most likely, this will cause intermittent outages and service problems on those devices as the CPU struggles to read and discard that volume of traffic. In the worst case, the VPN concentrator may attempt to report broadcast flood and even shut down.

Server hosting

Lets consider the return path for traffic (because all flows have a return path). In this case, lets have a VLAN directly connected to the CheckPoint / Nokia firewall and some servers connected to that VLAN. Typically, this would be an email server, a web server, maybe a proxy or some other gateway. Most likely it would be several servers on that VLAN.

The server will get a Multicast MAC address for the IP address of any frames destined for firewall (most likely the default gateway) and will dispatch those according to the normal process. However, EVERY OTHER server will receive every packet as a Broadcast.

This will cause serious CPU impacts, and possible stability problems. You can fix this by having a L3 device on the inside of the firewalls, and limiting the impact of the broadcasts to the L2 VLAN that is directly connected to the firewalls, of course. But this limits your design choices, and isn’t helpful in an existing environment.

Configure static MAC address mappings for the multicast mac address on all ports

It’s worth noting that some cheaper Ethernet switches are unable to handle large volumes of multicast or broadcast packets in silicon. They may use the onboard CPU for frame replication which can drive on a few megabits before becoming overloaded. (Less common today, but still applicable on some products).

Lets take a look at configuring static MAC address in your switches. That is, you create manual MAC address entries for each port that has the Checkpoint device connected. This seems like a good solution since it stops the broadcasting outlined previously and tightly controls the packet flow.

However, the firewall team and network team must be fully aware of this for it to be operationally effective. Consider what happens a year later, when someone upgrades the switches, or replaces a faulty module, some other minor task ? It requires close supervision to keep the static database maintained over time.

This will work for some companies, but for larger companies it’s only a matter time until an outage is caused and therefore, not a good design choice. For smaller companies where just a couple of people manage the firewalls AND the network, the static MAC address can work.

Install an IGMP agent on the firewall

This document on ClusterXL IGMP Membership dated February 14, 2006 (!) explains how to add IGMP support to Checkpoint. However, I’m told by Checkpoint that this is not supported / not recommended (it’s hard to to get a straight answer). It’s requires a number of CLI entries to work, plus specific configuration on the Module configuration.

In short, this option is operationally a disaster. You may struggle to get upgrades completed properly, module configuration on Linux/Windows need changing in the Config/Registry for the IGMP configuration to survive a reboot.

Using Unicast Mode instead

So the second option is to use Unicast instead of Multicast. In this case, the ClusterXL software selects a PIVOT firewall to act as the Master unit, and it will either process the packets itself, or redirect them to another member of the cluster.

The diagram shows this mode of operation using Unicast redirect. Although Unicast redirect doesn’t have the same problems as the Multicast solution discussed above, it does have a problem. The pivot firewall must reserve resources to be able to redirect all flows and ensure that it has enough CPU capacity to send sync data to all other firewalls in the cluster. The pivot firewall therefore handles much less traffic than other members of the cluster.

Troubleshooting

One big challenge of clustering firewalls, is that capturing packets, and troubleshooting becomes relatively more difficult. I’ve had some odd problems using Wireshark and surmise that the volume of broadcast packets was overrunning the workstation network adapter I was using to capture packets. Sadly, I wasn’t able to try with another machine to verify this theory.

Firewall Deployment with Layer Data Centre Interconnect

Apparently, there are a number of people who think that this clustering idea is perfect for data centres that are L2 interconnected. By now, most of you will have realised the problem that clustering will cause when an ethernet segment is extended between two data centres, but lets make a diagram of it anyway. Two data centres, geographically separated, but with a L2 connection between them. Doesn’t much matter how (OTV, VPLS, dark fibre, WDM – all the same for this purpose).

On the interconnect, a multicast CheckPoint ClusterXL, with an active/active firewall configuration, is going to trombone traffic between sites according to some random algorithm.

In addition, the firewall synchronisation traffic must also be given high priority and if the sync data doesn’t occur quickly enough the firewalls seem to fail quite badly (again, apocryphal evidence here, not able to test in a live network).

Finally, Multicast/ Broadcast must flow across the L2 Link on the inside and outside interfaces for every VLANs.

Thus, for 100Megabits of traffic across the firewall, 200Megabits of broadcast traffic is generated, plus the Sync traffic (determined according to firewall rule but usually a lot of traffic).

This isn’t a good idea(tm) since you need that bandwidth for server-server communication as well. Should be obvious, I think.

The EtherealMind View

Experience suggests that the Nokia/CheckPoint clustering works but at relatively low volumes, say up to 10 Mbps at a rough non-educated guess because the customer has a number of existing clusters that do work reliably. However, as load increases on the firewall, it appears that the multicast/broadcast technique causes serious service problems to devices on the same VLAN as the firewalls themselves. Since static mac options require the firewall team and network team to operate closely, this isn’t practical for very large support teams because of the level of specialisation that occurs in those teams. I have deep reservations about larger volumes of clustered traffic and have seen a number of inexplicable problems when clustering is enabled.

I could wish to have done some more testing but project timescales are a bit tight, and there is no way to have a lab of CheckPoint firewalls because of licensing and/or cost.

On the basis of this research, and recent experiences with service difficulties, I can’t recommend CheckPoint Nokia clustering because it appears to be a technology with more drawbacks than capabilities.

Posts Related to this Article

Filed Under: Blessay, Blog, Design, Security

About Greg Ferro

Greg Ferro is a Network Engineer/Architect, mostly focussed on Data Centre, Security Infrastructure, and recently Virtualization. He has over 20 years in IT, in wide range of employers working as a freelance consultant including Finance, Service Providers and Online Companies. He is CCIE#6920 and has a few ideas about the world, but not enough to really count.

He is a host on the Packet Pushers Podcast, blogger at EtherealMind.com and on Twitter @etherealmind and Google Plus

http://www.jonstill.com/ Jon Still

We looked at this a few years back and decided it was just easier to take the hit, get HA licenses for the 2nd device in the cluster and run VRRP on IPSO rather than run active/active.

Funnily enough the problems Check Point have with clustering are very similar (if not damn-near identical) to those associated with Microsoft Network Load Balancing: http://www.cisco.com/en/US/products/hw/switches/ps708/products_configuration_example09186a0080a07203.shtml
- Jonathan Webster
  
  We’ve been using a Active/Standby R65 VSX cluster in load sharing mode (VSLS) for years now in our DC without issue.
  Each Virtual System has its own BGP session to two cisco 6509′s (port channel, not full mesh) and fail-over works near instantly as the connections are synced. The only thing we did have an issue with was having to make sure you record the interfaces not to be monitored by CCP in the file discntd.if , such as loopbacks for BGP and the firewalls management interface and you’re away.
  One catch though, you do however need to make sure that your network team don’t go removing vlans from your inside trunks while interfaces are still configured on the firewalls as that will cause the Active/Standby state to go Active/Down… not good for when you need to fail over.Sure they are ‘enterprise devices’ and therefore need more work, however when used properly they do a fantastic job and are super easy to use on a day to day basis.
  - http://etherealmind.com Etherealmind
    
    You say you are using Active/Standby and Load Sharing – this isn’t possible since load sharing implies Active/Active. This post is about active/active and the use of stupid technology by CheckPoint to make it active clustering work because the NG software doesn’t properly integrate with network OS.
    
    I say that Active/Standby is probably OK for CheckPoint since they are using compliant networking technology with VRRP. However most people are choosing other vendors firewalls because the cost of ownership of CheckPoint in licensing and operation is far higher than other vendors.
    - Lindsay Hill
      
      Not necessarily Greg – Jonathan is referring to VSX, where there are multiple virtual firewalls configured (along the lines of VRF-lite). Effectively, each virtual system operates as its own active/passive pair. What VSLS does is distribute the “active” VS of each pair between the physical firewalls, so that under normal circumstances, each physical firewall is doing a roughly similar amount of work. If one physical box failed, all active VSes on that firewall would go active on the other node.
      
      It’s maybe comparable to using MSTP, and/or managing your HSRP configs to spread primary/standby groups across a pair of L3 switches.
      
      VSX is actually pretty good, the only thing that annoys me is it always lags feature-wise compared to the mainstream code.
      - http://etherealmind.com Greg Ferro
        
        Huh. I’ve NEVER heard of anyone using VSX in real life so I’ve not given that any thought. I’ve heard a large number of horror stories about VSX ( my own experiences are from 2006/7 so they aren’t relevant today) and continue to advise customers to not use it.
        
        It sounds horrendous though. I can’t imagine the complexity of the VSX software to make the CheckPoint code actually work in a virtualization platform.
Santino Rizzo

Timely. We just went through our Checkpoint setup today at an OTV CPOC. We use static MACs on inside/outside VLANs dedicated to Checkpoint traffic and are running OK at around 350Mbps over a 3 node cluster. Ran into an issue with OTV testing though. Current Nexus code (at least 7K & 5K) does not allow static multicast MAC entries. Not a problem if your CPs don’t connect to Nexus switches, but in our case they will, or at least we plan on it. A future code release this year is supposed to allow for the entries.
- Tony Kitzky
  
  What NX-OS are you running on your Nexus 7010? I am have been setting up an Active/Standby multicast cluster to a pair of 7010s. The only issue I am having is the requirement to statically assign the mcast arp entry for the cluster IP for every interface adjacent to Check Point IP appliances. This is annoying but not a show-stopper. I am using NX-OS 4.2(4) and am curious if 5.2 will accept mcast arp replies.
  
  By the way… I have two IP565 appliances directly connected using port-channels to each Nexus 7010 chassis. I have disabled IGMP Snooping in just the vlans used for Sync network. My clustering as I said is setup with just “multicast” and not “multicast w IGMP”. I don’t have any issues with cluster itself. Cluster establishes. No issues with master. Master fails over in ~1250 ms. All good. I think the key is to have your Check Point appliances directly connected to the Nexus switch and constrain those sync vlans to just those two Nexus switches.
  
  One other question for you… are you running OSPF by chance on the Check Point appliances? I encountered a strange issue with OSFP adjacencies after a cluster failover. It appears from pkt captures that the Nexus 7k switches are not responding to Hello’s coming from the new master. I see dead-timer expiry on both N7K even though the new master is sending Hello’s. Odd thing is that cluster failover from 2 –> 1 is fine. From 1 –> 2 ospf adj resets. Previous the problem was 2 –> 1 but I rebuilt #1 and problem reversed. Strange… could be some gliche/caveat in 4.2(4).
  
  Email me if you’re interested in comparing notes.
  - http://www.vrz.net Gerd Burtscher
    
    Hi Tony,
    I agree with the ospf problems; we have the same issue since more than 1 year with a splat R70. They (Checkpoint) told us now, to increase the ospf timers (dead-intervall, … ) but can’t say to what values. We have a Cisco VSS1440 system and it’s working fine, but when we reboot the pivot member (we use Multicast) of our CKP cluster we see interrupts for several seconds (because the ospf routing process looses the routes during switching back the router from member 2 to the pivot member) and the Cisco then shows “DEAD interval expired” messages for all the interfaces.
    
    Did you already open a case for that or do you have some ideas ?
    
    Thx + rgds
    Gerd
    - 25tolife
      
      Multicast sync or Multicast Load Sharing? If your using multicast load-sharing you don’t have a pivot. (only unicast load-sharing does)
Chris Campbell

CP clustering is always a bad idea and anyone who follows the ‘I don’t want half my kit sat doing nothing’ approach needs firing.
- Alienbaby
  
  Seconded. Active/Active clustering of any type introduces significant challenges to the supportability and stability of the network.
  
  Next stop on a Active/Active stupid train, Cisco VSS and Juniper Q-Fabric.
http://www.workingfrommyshed.co.uk Stuart Howlette

Just reading through some of the “approaches” this takes makes me want to cry. What were the developers thinking when they came up with this?
Will B.

There’s a lot of misunderstanding here, but I’ll basically break down the various “active/standby” modes in a couple of lines for each.

If you are using the IPSO platform, you should probably use VRRP. This will work similar to HSRP in a router environment and generally works as expected. The only scenarios I’ve encountered where this doesn’t work well are the same where HSRP doesn’t work well – generally, in places where devices take some Layer 2/3 shortcuts when forwarding packets.

If you are using SPLAT, then you have HA New Mode and HA Legacy Mode.

HA New Mode uses three IP addresses per interface – primary, secondary, and floating. The floating IP address uses the MAC address of the the active firewall, and relies on gratuitous ARPs to update device ARP cache’s. This works better in some situations than others as some devices work better with gratuitous ARPs than others.

HA Legacy Mode uses one IP address per interface – similar to how a Cisco ASA functions when you don’t configure a secondary IP address. The MAC address is set to the hardware address of the primary unit and does not change on failover. This works well in almost all situations, but is very difficult to configure and maintain. If the standby device generates traffic of any kind, you will get ARP collisions on your network and potentially cause an outage. You have to make sure all of your management traffic uses a management interface, but if you can control that, this mode works without too much issue.
- Fernando
  
  Disclosure: I am currently an SE with Crossbeam. My contributions here are as an individual, not representing the company.
  
  The other approach to this is to use VRRP, just like IPSO and Crossbeam. In the Crossbeam scenario, two chassis use VRRP to determine Master/Backup status for one or more Failover Groups. State synchronization between modules is done over a separate connection, not only between modules on the same chassis but across chassis as well. Depending on how this is deployed you can get both chassis “active” for different failover groups.
  
  There are pros and cons to every vendor’s approach. YMMV.
  
  Respectfully,
  Fernando
Omar Baceski

Hey:

“…is going to trom≠bone traffic between sites…”

with the permission of the author, i will include the new term “traffic tromboning” in my internal presentations from now on

great post. I did some CP clustering in 2005. Documentation was terrible and the support personnel was clueless. I hope it got better at this point in time.

Omar
- http://etherealmind.com Greg Ferro
  
  You have my permission . Ivan talks about here – http://blog.ioshints.info/2011/02/traffic-trombone-what-it-is-and-how-you.html
Paul Chandler

We used nokia IPSO clustering for years and had many troubles. When replacing the fields firewalls recently we changed to VRRP and have had much fewer problems since.
Oliver Gorwits

Just wanted to echo Jon Still’s comment that this smells a lot like Microsoft Network Load Balancing

For those unfamiliar, that’s a very similar brain dead abuse of Ethernet which leaves the network engineer implementing “fixes” and generally running a less stable system. It’s usually implemented on the MS ISA Server platform (but IIRC there is a more modern alternative).

I agree with the recommendation to just use VRRP, always. But watch out for CPU load on the CP boxes, which can disrupt their VRRP hellos and cause active-active to occur.
Daniel

Multicast MACs + Checkpoint? It’s like Stonebeat (from Stonesoft) clustering all over again.

I spent many an hour in my younger days battling with IOS bugs preventing you from doing static multicast MAC entries on 3550s. You needed to do this even for active/standby to work.

I was most relieved when we ripped the Solaris boxes out and put in the Nokia boxes with simple VRRP instead.
- Henry
  
  Hello, Daniel,
  
  Believed not allowing mapping unicast IP address to multicast MAC address is not a bug. As it violates the network behavior recommendation, as mentioned by RFC1812 Section 3.3.2
  
  “A router MUST not believe any ARP reply that claims that the Link
  Layer address of another host or router is a broadcast or multicast
  address.
  ”
  Of course, allowing the static mapping by the administrator (as long as the network admin know and remember why) is a workaround for system integration. (but thinking it really brings confusion on the unicast and multicast concept)
Pingback: Checkpoint redundancy vs Cisco ASA ó Jimmys Cyber Corner
http://blogg.kvistofta.nu Jimmy Larsson

Thanks for the most informative blog post this year, Greg! I wrote my own blog post about this…

http://blogg.kvistofta.nu/checkpoint-redundancy-vs-cisco-asa/

Best regards
Jimmy Larsson
http://ccie20728.wordpress.com Michel

Great Post Greg, and Im currently quite happy that we use the CP Firewalls in active/standby .-)
For the Troubleshooting, if you did have access to the Firewall itself, the fw monitor would probably have been better than Wireshark outside the boxes.
You can also import the fw monitor file into Wireshark for easier reading.

regards

Michel
http://www.igazine.com Eric McWilliams

I haven’t worked on checkpoints in long time (7+ years) but if they firewalls supported a transparent mode you might also be able to take your inside and outside routers and pull off of their L3 interfaces into a single L2 VLAN that is bridged together by the firewalls. We do it in an Active/Standby setup but I haven’t had a chance to test a transparent firewall in Active/Active mode yet.
Tony Kitzky

Great post! You hit Check Point / Nokia clustering pretty squarely. There are a few minor confusions, but only because Check Point’s documentation is so poor. You seriously have to build, tear-down, rebuild, tear-down, rebuild, tear-down, update policy, update policy, rebuild… ad-naseum until you completely understand every check box and every configuration parameter in IPSO.

Even after all of that I am still a Check Point phan. I know ASAs are simpler in their networking and redundancy scheme. It would be nice if ASA’s would synch their routing tables so failover would less disruptive to OSPF. The power of Check Points come in their security capabilities and policy management.
- Nairb
  
  I think ASA 8.4 does this now…
  
  http://www.cisco.com/en/US/docs/security/asa/asa84/configuration/guide/route_overview.html#wp1097614
  
  Sorry if I misunderstood what you mean..
phil

You guys should really check out pfSense.
Henry

Thanks for good post! we came across problems when doing NG65 upgrade to NG71. Originally, two NG65 clusters (4 physical machines in total, two in each clusters) with their syn. interfaces sit in the same vlan. They just works fine for quite a while (for 3 years by previous staff) before I need to take care them recently. However, when the SI help upgrade one of the cluster to NG71, the updated ones just refused to form clusters. The SI reported that if the newly upgraded NG65 (NG71 now) are doing cluster in an isolated layer 2 (i.e. not seeing another NG65 cluster), the cluster worked. Suspect if it’s due to the the conflict of multicast traffic, e.g. duplicated mulicast group or source mac addr, just wonder what is their default/factory value, looking for the info).

Search quite a while including following info:
https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solutionid=sk26281
Bal

great post.
Brings me back to when I was working on a network that had two 4 node active/active clusters, and two 2 node active/active clusters. This configuration proved to be as predictable as the weather. Hard-coding multicast mac addresses on the switching infrastructure sucked too. Once we made them all active/standby, the problems left with the active/active clustering.
Brian T Glenn

Please keep in mind that ClusterXL does not run on Nokias except as a State Synchronization mechanism. All of the clustering/failover happens inside the IPSO operating system. ClusterXL is supported on other OSes such as SecurePlatform. You cannot really use the Check Point documentation for ClusterXL as any indication for what to do with IPSO. You should be looking at the IPSO documentation instead.

SecurePlatform and ClusterXL are tightly coupled together to perform gratuitous ARP for proxy ARP and other failover functions including propagating the routing table between memebers when dynamic routing is used. All of IPSO’s functionality is in the OS, and hooks exist to tie monitoring of the Check Point processes into the clustering and VRRP features of IPSO.

We have found that using a small subnet on any transit networks to WAN devices and then either using a static route or dynamic routing to announce the production IP addresses keeps all of the extra noise off of the cluster interfaces themselves, which keeps broadcast and multicast traffic to a minimum. This allows allows for only a single IP address (the virtual IP) to be used making gratuitous ARP only happen for a single IP, which eliminates many situations where the failover could cause traffic to fail.
- http://etherealmind.com Etherealmind
  
  Which is stupid. CheckPoint should implement a proper technology that doesn’t rely on specific design tricks to overcome their limitations. Alternately, they should publicly admit and document the failure in their methods and how to mitigate it.
  
  As is, CheckPoint is promoting the use of poor technology that actually causes poor practice and system outages.
  - 25tolife
    
    Um ya…So Microsoft should do the same? Oh ya and Cisco has this scheduled to be on the books as well for their ASAs…..Maybe Cisco and Microsoft are both as retarded as Check Point….Again plenty of vendors do this, familiarize yourself with multicast and get on-board with the technology.
    - Replicaa
      
      So i guess probably you are the only one who understands multicast. Here the point is: problem is a problem whatever platform it could be.
      - 25tolife
        
        It isn’t a problem, it is an engineer problem. There are things called IGMP Snooping and static multicast groups that can be configured on switches. Check Point even supports IGMP. This design on this site is like putting a hub in your core and wondering why performance is slow
      - 25tolife
        
        btw, this guy even notes that Check Point recommends the static L2 multicast groups. If he configured them (or at least properly) he wouldn’t DoS his equipment. Just proof that he didn’t follow design recommendations
Thomas M

I want to do my load-balancing downstream with OSPF and VPCs and just maintain state information on the checkpoints without it rerouting it to a different firewall in the process. I am running IPSO 6.2. This doesn’t seem like it should be as complicated as it is. Right now I’m running VRRP on IPSO. I did some static routing tests and found that if I sent traffic out firewall B and it came back in firewall A, firewall A redirected it back to firewall B to send it to the client. Is there any combination of the multiple combinations of IPSO/ClusterXL that will just let the boxes route via OSPF and use a synce state table? Documentation on Checkpoint OSPF design is lacking and there seems to be little support on the topic in the usual places (forums, etc). Is it just a bad idea to even run OSPF on Checkpoints?
- http://etherealmind.com Etherealmind
  
  My experiences of OSPF on CheckPoint is horrendous. Because it’s not on CheckPoint, it’s in Nokia IPSO. It isn’t used by many people and appears to be full of bugs / undiscovered problems.
  
  In general terms, I’ve never found a reliable way to load balance firewalls using routing because of the state issue. It does work, but when failover or route changes happen it tends to get really ugly.
  
  I wouldn’t suggest the approach unless you are tight for cash and put up with regular outages.
http://twitter.com/ccie15672 ccie15672

Greg:

(1) There is a mode that allows State Sync with “external load-balancing.” Its there. Its presence means that the IPSO piece of the clustering has more to do with synchronizing routing-table information. The Checkpoint piece has more to do with actual session state.

(2) On internet facing clusters, something extremely annoying can occur. Suppose you have many VLANs on the outside of your internet facing firewalls. Traffic coming into your data center is routed over several interfaces as it ingresses your site. Traffic leaving your site, however leaves on a single VLAN (whichever logical interface the default route points to). In this scenario non-master cluster members may never transmit packets on the ingress interfaces. What that means is whether you use unicast or multicast the switches in between know nothing of the non-master cluster member’s MAC address. So you have to configure static MAC forwarding entries.

(3) Large rule bases will break clustering at rule-push time. This can cause more than one member to become master simultaneously. Sometimes for minutes. As it happens, this can confuse the shit out of adjacent nodes that are routing with the firewalls. When this happens with Juniper M-Series devices, the JUNOS device can get stuck and the OSPF process must be manually cleared.

(4) When clustered, Checkpoint FWs can no longer inspect TCP sequence numbers. This brings to light a horrible, HORRIBLE behavior that only Checkpoint firewalls engage in (as far as I know): “Smart Connection Reuse.” Essentially even after a RST is seen in a session the firewall does not completely kill it. Instead if a SYN packet is subsequently seen in under 5 minutes (by default its ~5 minutes sometimes less), the firewall will *convert it to an ACK.* Yes you read that right. Think about that. Cisco routers will reuse a source port in a NAT overload as soon as 30 seconds after a session is closed (either by RST or FIN). Under heavy loads the Checkpoint will start killing sessions. There is a timer you can tune down, or you can disable SCR altogether.
Eyefevereye

It was always Nokia that was expensive…the CP appliances that have been around for years now are considerably cheaper than Cisco ASAs. Your site is great, and I have enjoyed it for a long time, but the fact-free CP bashing is getting old. Cisco firewalls are perfectly usable and are in fact superior in some ways, but CP is miles ahead (yes, still) in many ways that are important to consumers of the products.
- Eyefevereye
  
  Oh, and I meant to ask…why are you even concerned at all about Nokia clustering? Nokia is a ghost brand, and IPSO is on the way out. I do agree with you that I wouldn’t recommend Nokia/CP anything, as it’s not going to exist as a platform in a year.
  
  Contact your VAR re: eval’s to do lab work with…I’ve done this regularly for over 10 years with no problems.
  
  Good luck!
Matt

Great document and the comments have been extremely helpful.
Now with fear of being laughed at….

Has anyone successfully clustered CP across datacentres using a QinQ Tunnel?
ie: CP 1 > DMZ Switch 1 > Dot1Qtunnel across WDM to core 2 > Dmz Sw 2 > CP 2
- Lindsay Hill
  
  I’ve done it with VRRP. Trying to do it active/active will _probably_ work, if your latency is low enough, and BW is high enough, but it could be temperamental. If your datacenters are far enough apart to be useful in the event of a major disaster, then you might struggle on the latency front. But then you’ve probably got a whole heap of L2 DCI issues anyway
  - Matt
    
    Thanks for the reply Lindsay,
    
    Its a 10gig WDM L2 link but the issue is duplicated internal & DMZ VLANs so I cannot just span the DMZ vlans across – have to QinQ it. The config is Active/Standby.
    Still possible?
    - Lindsay Hill
      
      Duplicated VLANs in there too? The QinQ part in itself shouldn’t cause problems as long as you’ve dealt with MTU issues.
      
      It is do-able, but it’s not something I’d be rushing into. Pushed into, maybe.
      
      Look at disabling sync for http and dns sessions if you’ve got a high connection setup rate.
      - Matt
        
        Thank you both for the excellent feedback.
        Can you suggest any tests that I can do to ensure the traffic between the two devices? ie: Connectivity over UDP/8116 or bandwidth testing. Cluster is in BROADCOAST mode. Is this optimal?
    - http://etherealmind.com Etherealmind
      
      It’s possible. The CheckPoint doesn’t do a good job of “split brain” handling so expect that at some time. Lots of people do this, and don’t complain about it although I wonder how many little problems happened that didn’t have a root cause because the HA design is so poor.
      - 25tolife
        
        Um checkpoint can handle split brain better than anyone. You can easily integrate your own logic into the ha module. Plus you can have up to 3 sync networks. Learn the product before you make a comment.
25tolife

The only thing that is a fail here is your design plenty of vendors do this (including Microsoft). Re-design your network not to have everything in the same broadcast domain (that is what routers are for). I have seen clustering work in the largest of large environments, provided the engineer who set it up is not an idiot.
- http://etherealmind.com Etherealmind
  
  That’s part of the problem. CheckPoint software design is the other 95%.
SKipp

Hi, I think your post is kinda good. But you are not beign objective. You are implying that CheckPoint is a bad product because you don’t like the way it works. Well, don’t use it. If you have the chance to check more than two or three deployments of CheckPoint Clusters you wil have more info than just a lab. I have seen LARGE deployments of VRRP Clusters with sync along MPLS link (more than 50 miles away) and it runs more than fine !!! 100k concurrent connections. The IT guy that deploys is the one that makes it work and also there are well designed and planned networks, and usually NOT, so I won’t blame the FW for everything. CheckPoint has CCP for SPLAT and VRRP for IPSO with Nokia Appliances. You don’t make that difference (they are NOT the same, VRRP is far better than CCP over SPLAT) and it seems that its all the same crap. Tell me that the other companies are perfect and I will agree with you. In my little experience, Juniper and Cisco are far far away from CheckPoint in a lot of features and experience for firewalls. Cisco is great for switches and routers, period. Try to make another post with a cluster of Juniper, Cisco and FortiGate. CHKP is expensive, yes, you still have to know “how to buy”. As a whole, CheckPoint is better that its competitors (Documentation is fine, not great, and if you need support, try to contact a 2nd or 3rd level engineer, not the first guy that answers your call). Seeya.
- Pramod Dahate
  
  What has VRRP to do with clustering? VRRP is absolutely different mate. I think you have not understood what the author was trying to explain. VRRP is layer 3 based on routing. You can have both firewalls active-active if you have 2 gateways defined. Its like manual active-active.
- http://etherealmind.com Etherealmind
  
  You clearly don’t understand the problem here. I’d suggest that you need to learn some more networking to understand what the problem is.
Prasanth0110

good document..