GLBP & Checkpoint FW

aviyoshi10
Level 1

Hi,

Is anybody familiar with the design of a Checkpoint FW cluster and 2 Cisco routers running GLBP towards the cluster as the DG?

I suspect it does not work 100%.

Is there any recommendation for a FHRP protocol working with Checkpoint? (HSRP, VRRP)

Thanks.

Accepted Solution

Jon Marshall
Hall of Fame

Aviyoshi10 wrote:

Hi,

Is anybody familiar with the design of a Checkpoint FW cluster and 2 Cisco routers running GLBP towards the cluster as the DG?

I suspect it does not work 100%.

Is there any recommendation for a FHRP protocol working with Checkpoint? (HSRP, VRRP)

Thanks.

Avi

If you mean the routers run GLBP and the Checkpoint cluster points to the DG of the GLBP, then there is no benefit. GLBP works by allocating different MAC addresses to different routers, but the Checkpoint cluster will always appear as one MAC address, so it will always go to the same router. So you may as well use HSRP.

Jon


7 Replies

sachinraja
Level 9

Hi Avi

Did you mean GLBP towards the Checkpoint cluster? Does this mean the routers point their default gateway to the Checkpoint?

Normally you can run GLBP on the LAN interfaces of the routers, and the firewalls would have a default route towards the routers' virtual IP. You can define an AVG to forward data coming from your firewalls. I'm not sure what proprietary clustering protocol Checkpoint runs, but I was referring to the router end... Do you need help with the configurations or just the design?

Regards

Raj

Hi,
The CP FW cluster will see the DG VIP and vMAC from the Cisco routers running GLBP.
Are you familiar with any restrictions or problems working in that situation?

Hello Avi,

Let me expand on Jon's answer.

GLBP works by answering ARP requests from clients with different virtual MAC addresses (AVF MAC addresses) when they try to resolve the default gateway. This is done by the AVG. If there is only one client, that is, the active FW, once it has done its ARP request it uses the answer, so there is no load balancing: for all the time the ARP entry stays in the ARP table of the FW, only one router (the one associated with the specific AVF) is used.

If there were multiple clients, GLBP would provide a form of outbound load balancing.

The next time the FW ARPs for the VIP, the AVG will give it a new AVF, so over a long time both routers are used, but this is not considered true load balancing.

That is, the practical result is quite similar to that of HSRP or VRRP.

This doesn't mean any connectivity issue, just a lack of load balancing.

Hope this helps

Giuseppe
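The behaviour Jon and Giuseppe describe (the AVG hands out a different AVF MAC per ARP request, so a single client such as the firewall cluster sits on one router until its ARP entry expires, while many clients are spread) can be seen in a small simulation. This is an added example written for this page, not configuration or code from Cisco or Check Point; the router names, the ARP timeout values, the cluster's MAC and the LAN host MACs are constructed assumptions, and the AVG is modelled only in its default round-robin mode.

```python
"""Simulate GLBP AVG round-robin ARP replies against one vs. many clients (added example)."""
from itertools import cycle


# Constructed two-router GLBP group (group 1). Router names and MACs are assumptions;
# the MACs follow the GLBP virtual MAC layout 0007.b400.ggff (gg = group, ff = forwarder).
AVF_MACS = {
    "R1": "0007.b400.0101",   # AVF 1
    "R2": "0007.b400.0102",   # AVF 2
}
MAC_TO_ROUTER = {mac: router for router, mac in AVF_MACS.items()}


class ActiveVirtualGateway:
    """The AVG owns the VIP and answers ARP for it; in the default round-robin
    mode it hands out the AVF MACs in turn, whoever is asking."""

    def __init__(self, avf_macs):
        self._rotation = cycle(avf_macs.values())
        self.arp_replies = 0

    def answer_arp(self, requester_mac):
        # Each ARP request for the VIP gets the next AVF MAC, regardless of the requester.
        self.arp_replies += 1
        return next(self._rotation)


class LanHost:
    """One MAC, one ARP cache entry for the VIP. The FW cluster looks like this
    from the LAN: a single source, so a single forwarder at any moment."""

    def __init__(self, mac, arp_timeout):
        self.mac = mac
        self.arp_timeout = arp_timeout  # seconds the ARP entry for the VIP lives (assumed)
        self._vmac = None
        self._learned_at = None

    def next_hop_mac(self, avg, now):
        expired = self._vmac is None or now - self._learned_at >= self.arp_timeout
        if expired:  # only re-ARP when the cached entry has aged out
            self._vmac = avg.answer_arp(self.mac)
            self._learned_at = now
        return self._vmac


def simulate(hosts, avg, seconds):
    """Every host sends one packet per second toward the VIP; count which
    router (AVF) actually carries each packet."""
    per_router = {router: 0 for router in AVF_MACS}
    for t in range(seconds):
        for host in hosts:
            per_router[MAC_TO_ROUTER[host.next_hop_mac(avg, t)]] += 1
    return per_router


def single_firewall_cluster(seconds=3600, arp_timeout=14400):
    """The thread's case: the cluster is one client. Returns (per_router, arp_replies)."""
    avg = ActiveVirtualGateway(AVF_MACS)
    fw = LanHost("00:1c:7f:00:00:01", arp_timeout)  # constructed cluster MAC
    return simulate([fw], avg, seconds), avg.arp_replies


def many_lan_hosts(n_hosts=10, seconds=3600, arp_timeout=14400):
    """Contrast: many clients each resolve the VIP once and are spread over both AVFs."""
    avg = ActiveVirtualGateway(AVF_MACS)
    hosts = [LanHost(f"00:50:56:00:00:{i:02x}", arp_timeout) for i in range(n_hosts)]
    return simulate(hosts, avg, seconds), avg.arp_replies


if __name__ == "__main__":
    print("single FW cluster, 1h, ARP entry 4h :", single_firewall_cluster())
    print("single FW cluster, 1h, ARP entry 30m:", single_firewall_cluster(arp_timeout=1800))
    print("10 LAN hosts, 1h                    :", many_lan_hosts())
```

With the cluster as the only client, every packet in the hour goes through R1 and the AVG answers one ARP; shortening the ARP lifetime only moves the cluster from R1 to R2 when the entry expires, never onto both at once, which is Giuseppe's "over a long time both routers are used" case. Ten ordinary hosts are split five and five. Note that if the routers were configured with host-dependent load balancing instead of the default round-robin, the same requester MAC would always receive the same AVF, so even the re-ARP rotation would disappear.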

Ganesh Hariharan
VIP Alumni

Hi Avi,

As I understand it, your query is divided into two parts, with a suggestion for each:

1) If you want GLBP to run at the Cisco end, it will work, as the Checkpoint will be pointing towards the DG, i.e. the VIP of GLBP.

2) If "Checkpoint Cluster" means a single IP representing two firewalls, then in the cluster the firewalls will be working in VRRP mode to achieve HA. At this point both routers can point their DG to the Checkpoint cluster IP of that interface.

Hope that clears up your query!

Regards

Ganesh.H

Another option is MHSRP, but this would require the Checkpoint FWs to be configured with different default routes pointing to different virtual HSRP addresses. In an environment where the CP FWs are clustered together and each cluster member should have the same configuration, this is not possible.

http://www.cisco.com/en/US/tech/tk648/tk362/technologies_configuration_example09186a0080094e90.shtml

Francisco

wrobbin
Level 1

From this it sounds like we are talking about outbound... like the firewall will only choose 1 way out. Now what about inbound, if both of my routers connect back to my MPLS WAN? So maybe outbound is one way, but will inbound being 2 ways cause issues with the Checkpoint FW?
