| Question |
| What exactly is Cluster XL and How does it works ? |
| Answer |
| ClusterXL is a software-based Load Sharing and High Availability solution that distributes network traffic between clusters of redundant Security Gateways. |
|
| Question |
| What is the difference between check point clusterXL and redhat cluster? |
|
| Answer |
| Check Point ClusterXL is CheckPoint Firewall ClusterXL and Redhat Cluster may be you taking about Linux Cluster. Pl correct |
|
| Question |
| Explain Cluster XL protocol in brief ? |
|
| Answer |
|
| The Cluster Control Protocol (CCP) is links together the machines in the Check Point Gateway Cluster. CCP traffic is distinct from ordinary network traffic. CCP runs on UDP port 8116 |
|
| Question |
| How cluster XL differs from Secure XL in checkpoint for improving the performance on the firewall ? |
|
| Answer |
| ClusterXL is a software-based Load Sharing and High Availability solution. SecureXL use to some TCP services are characterized by connections with a very short duration. |
|
| Question |
| In a checkpoint clusterXL in unicast mode- how will the traffic flow.? How the firewall pivot & non-pivot member will decide which traffic to pass..? |
| Answer |
| Checkpoint clusterXL One machine will pivot and Pivot will handle 30% Traffic and Non- Pivot memeber will Handle 70% Network Traffic. Secondly Non-Pivot memeber is not responsible to take decision on trarrfic only Pivot will take decision and also process and forward traffic to Non-Pivot Memeber. That is the reason to Pivot is handle 30% traffic. |
|
| Question |
|
| Is Cluster XL is checkpoint propietery ? |
|
| Answer |
| Yes |
|
| Question |
| What is the recommended way of connecting the two checkpoint devices in cluster running cluster XL ?? |
| Answer |
| Recommended by Check Point is to connect Firewalls Back to Back with Cros over cable and in case more than 2 Members must use dedicated switch to connect the same. |
|
| Question |
| What is the best Example ClusterXL Topology |
|
| Answer |
| High Availability and Load Sharing. Rest depend on bussiness requirment |
|
| Question |
| What is use of sync interface what will happen if it goes down? |
| Answer |
| Sync Interface is used to pass connection synchronization and other state information between cluster members. |
|
| Question |
| What is difference between Loadsharing Multicast mode and unicast mode |
| Answer |
| Multicast Load Sharing – In ClusterXL’s Load Sharing Multicast mode, every member of the cluster receives all of the packets sent to the cluster IP address. Unicast Load Sharing – In ClusterXL’s Load Sharing Unicast mode, one machine (the Pivot) receives all traffic from a router with a unicast configuration and redistributes the packets to the other machines in the cluster |
|
| Question |
| Why is sync network required , what will happen to cluster if it gets down? |
|
| Answer |
| Sync Interface is used to pass connection synchronization and other state information between cluster members. If one Member goes down so other member will take charge for rest of the traffic. |
|
| Question |
| What is diff between unicast & multicast mode in cluster? |
| Answer |
|
| Multicast Load Sharing – In ClusterXL’s Load Sharing Multicast mode, every member of the cluster receives all of the packets sent to the cluster IP address. Unicast Load Sharing – In ClusterXL’s Load Sharing Unicast mode, one machine (the Pivot) receives all traffic from a router with a unicast configuration and redistributes the packets to the other machines in the cluster |
|
| Question |
| In High availabilty mode, what happens when SYNC cable goes faulty, even though both Cluster members are UP. Which Cluster will work as Active. |
| Answer |
| If Sync Cable faulty and both members are up then Check Point ClusterXL will try to choose a single member to continue operating and this is called Active Attention. |
|
| Question |
| In continuation to my early qn: How the Pivot member will decide which traffic it should pass & which traffic to be forwarded to Non-pivot member? |
| Answer |
| This is designed feature in Check Point ClusterXL unicast mode that Pivot will do Decision and process the traffic and Non-Pivot will on Process the traffic. No feature to tell firewall that Pivot will handle this traffic and Non-Pivot will handle this traffic |
|
| Question |
| What is the difference between VRRP and cluster XL. In cluster Xl and VRRP which one is the more reliable |
|
| Answer |
| VRRP : Single virtual MAC floats between cluster members, depending on which is Master ClusterXl : Health checks peer on every physical interface ClusterXL is more robust than VRRP in it’s monitoring of peer nodes and failover. |
|
| Question |
| How good or bad is checkpoint clusterXL compared to hardware clusters (firewall).? |
| Answer |
|
| Please eloborate the question. |
|
| Question |
| Some times checkpoint drops packet showing packet out of state, first packet is not syn. why is that and what is solution ? |
| Answer |
|
| This type of connection is called Non Sticky connection. To isolate such issue we have to enable sticky decision on every Cluster Member so that only that member will handles such connection from which it originates. |
|
| Question |
| If I change a interface ip in smart dashboard and push the policy, will it effect my clusterxl. |
| Answer |
| In that case Policy will not push you have to recreate SIC once again or may be ClusterXL. |
|
| Question |
| If I am using firewall in active standby then all conn handles by the active firewall so why this comes than. |
| Answer |
| It will not come becase all connections are sticky connections and handly by single cluster Member. |
|
| Question |
| What is the CUL_MEMBER pnote mechanism to FREEZE_ON/OFF mechanism ? |
| Answer |
| This Messages about changes in cluster state are printed on all members of and IPSO cluster (VRRP and IP Clustering) on the console and in /var/log/messages file. These messages about changes in cluster state are printed in /var/log/messages file: During policy installation During VRRP failover When running ‘cpstop;cpstart’ commands During boot of a cluster member Messages are printed by the “Cluster Under Load” (CUL) mechanism , which is integrated and enabled by default starting in R75.47 |
