> benefit:
>   - no problem if one node fails (transparent failover)
>   - updates / maintenance without outages
>   - updates / maintenance during working hours (because there is no outage)

On paper, maybe; in the real world, not so much. The transparency of failover 
depends on:

1) the accuracy of the state table between cluster members

Checkpoint software updates are troublesome here because state is frequently 
not exchanged between members running different software versions (more so for 
major version upgrades; less so for HFAs, but I've seen this happen with HFAs 
also). Update your backup member, and reboot, and you'll often find that on 
promotion to active, no state has been exchanged, and all active connections 
break. In my experience, zero-downtime upgrades are largely a myth.
 
2) whether a given protocol is state synchronized at all

HTTP for example, is often not state synchronized because of the high rate of 
very brief connections, and the overall fault tolerance of the protocol. But if 
it's not synchronized, some longer term HTTP connections like an HTTP file 
transfer will break on failover. 

3) how tolerant particular applications are of the brief period before a backup 
member becomes active. 

Not all apps handle 15 seconds of network downtime as well as others. We have a 
couple of high-profile niche apps that simply hang on firewall failover. This 
requires either restarting the application's service or rebooting the server. 
Since these are public-safety related, the impact is significant.

Because we've been bit by these issues more than once, we no longer perform any 
upgrades during business hours. 



Dan Lynch, CISSP
Information Technology Analyst
County of Placer
Auburn, CA
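A pre-failover check in the spirit of point 1 above, added here as an example and not part of the original post: it compares the `connections` table summary (`fw tab -t connections -s`) collected from both members and refuses to call a failover safe when the standby's table is nearly empty or the members run different software builds. The column layout of the summary, the build strings and the 10% tolerance are assumptions; the sample outputs are constructed.

```python
"""Pre-failover sanity check for a two-member firewall cluster (added example).

Parses the summary output of `fw tab -t connections -s` from the active and
standby members and reports whether promoting the standby is likely to keep
existing connections. Column layout (#VALS = current entries) is assumed;
sample outputs and build strings below are constructed, not captured.
"""
import re

# Constructed samples: one summary per member, as pasted from each console.
ACTIVE_OUT = """HOST                  NAME                          ID #VALS #PEAK #SLINKS
localhost             connections                 8158 48213 61002 94110
"""
STANDBY_SYNCED_OUT = """HOST                  NAME                          ID #VALS #PEAK #SLINKS
localhost             connections                 8158 47950 60871 93604
"""
# A standby that only knows about its own management sessions: sync is not working.
STANDBY_UNSYNCED_OUT = """HOST                  NAME                          ID #VALS #PEAK #SLINKS
localhost             connections                 8158    12    12     9
"""


def parse_vals(summary: str) -> int:
    """Return the #VALS column (current entries) of the 'connections' table."""
    for line in summary.splitlines():
        m = re.match(r"\S+\s+connections\s+\d+\s+(\d+)\s+\d+\s+\d+", line)
        if m:
            return int(m.group(1))
    raise ValueError("no 'connections' summary line found")


def failover_verdict(active_out, standby_out, active_build, standby_build, tolerance=0.10):
    """Return (safe, reasons). safe is True only when no check fires.

    tolerance is the assumed acceptable relative gap between the members'
    entry counts; a brief sync lag is normal, a near-empty standby is not.
    """
    reasons = []
    if active_build != standby_build:
        reasons.append(f"build skew: active {active_build} vs standby {standby_build}; "
                       "state may not be exchanged across versions")
    active, standby = parse_vals(active_out), parse_vals(standby_out)
    if active and abs(active - standby) / active > tolerance:
        reasons.append(f"connections table skew: active {active} vs standby {standby} "
                       f"entries (more than {tolerance:.0%} apart)")
    return (not reasons, reasons)


if __name__ == "__main__":
    for label, out, build in (("synced", STANDBY_SYNCED_OUT, "build-A"),
                              ("unsynced", STANDBY_UNSYNCED_OUT, "build-B")):
        safe, why = failover_verdict(ACTIVE_OUT, out, "build-A", build)
        print(label, "-> safe to fail over" if safe else "-> HOLD: " + "; ".join(why))
```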

> -----Original Message-----
> From: Mailing list for discussion of Firewall-1 
> [mailto:fw-1-mailingl...@amadeus.us.checkpoint.com] On Behalf 
> Of Reinhard Stich
> Sent: Saturday, November 06, 2010 4:52 AM
> To: FW-1-MAILINGLIST@AMADEUS.US.CHECKPOINT.COM
> Subject: Re: [FW-1] general question about clustering
> 
> hi,
> 
> At 08:24 06.11.2010, you wrote:
> >Hi ,
> >
> >I wanna ask for the benefits which we'll gain, and the 
> problems we may
> >have when making up a clustered firewall (especially Checkpoint fw-1
> >of course)
> 
> benefit:
>   - no problem if one node fails (transparent failover)
>   - updates / maintenance without outages
>   - updates / maintenance during working hours (because there is no outage)
> 
> problems:
>   - with active-active clustering you have to care about the traffic 
> that should go through both firewalls - so maybe you have to play 
> with your switch-config
>   - I prefer HA clustering (one node active, one standby)
> 
> br
> reinhard
> 
> -- 
> Reinhard Stich                              r.st...@arrowecs.at
> Arrow ECS Internet Security AG, 1100 Wien, Wienerbergstrasse 11
> Tel: +43 1 3709440       RS784-RIPE      Fax: +43 1 3709440-333 
> 
> 
> Scanned by Check Point Total Security Gateway.
> 
> =================================================
> To set vacation, Out-Of-Office, or away messages,
> send an email to lists...@amadeus.us.checkpoint.com
> in the BODY of the email add:
> set fw-1-mailinglist nomail
> =================================================
> To unsubscribe from this mailing list,
> please see the instructions at
> http://www.checkpoint.com/services/mailing.html
> =================================================
> If you have any questions on how to change your
> subscription options, email
> fw-1-ow...@ts.checkpoint.com
> =================================================
> 