Special Considerations for ClusterXL in Load-Sharing Mode (High Availability and Clustering) (Check Point)

We have covered the principles of how ClusterXL in Load-Sharing mode works. We now compare its special considerations with those of the other cluster modes.

Network Address Translation

ClusterXL in Load-Sharing mode is actually quite forgiving with regard to NAT and how proxy ARP is performed, unlike HA mode. It will handle manual proxy ARP entries fine for NATed IP addresses, as long as you proxy ARP for the cluster multicast MAC address. You enter these static published ARP entries on all members in the cluster. Automatic ARP configuration can be selected in the Policy | Global Properties | Network Address Translation area of the SmartDashboard GUI. This works fine because the multicast MAC address is used for all the automatic ARPs that are required. Manual routes on the ISP router can also be used instead of using proxy ARPs.

To summarize, as long as the multicast MAC address is used in any manual proxy ARPs, there should be no issues with Load-Sharing mode and NAT.
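The rule above can be checked mechanically before a change is pushed. The following is an added example, not code from the original page or from Check Point: it audits each member's manual proxy ARP list and flags entries that are missing on a member or that do not point at the cluster multicast MAC. The member names, IP addresses, MAC values and the "ip mac" line format are all constructed assumptions.

```python
# Added example: audit manual proxy ARP entries across all cluster members.
# Constructed data: hypothetical members, documentation IPs, made-up MACs, assumed "ip mac" lines.
CLUSTER_MCAST_MAC = "01:00:5e:28:0a:64"
MEMBER_ENTRIES = {
    "member_a": "203.0.113.10 01:00:5e:28:0a:64\n203.0.113.11 01:00:5e:28:0a:64\n",
    "member_b": "203.0.113.10 01:00:5e:28:0a:64\n203.0.113.11 00:a0:8e:12:34:56\n",
    "member_c": "# NAT address for web server\n203.0.113.10 01-00-5E-28-0A-64\n",
}

def norm_mac(mac):
    """Return the MAC as lowercase colon-separated hex, or raise ValueError."""
    octets = [int(p, 16) for p in mac.replace("-", ":").split(":")]
    if len(octets) != 6 or any(o > 255 for o in octets):
        raise ValueError(f"malformed MAC: {mac!r}")
    return ":".join(f"{o:02x}" for o in octets)

def is_multicast(mac):
    """Group (multicast) addresses have the low bit of the first octet set."""
    return int(norm_mac(mac)[:2], 16) & 1 == 1

def parse_entries(text):
    """Parse 'ip mac' lines into {ip: mac}; '#' comments and blanks are skipped."""
    entries = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            ip, mac = line.split()
            entries[ip] = norm_mac(mac)
    return entries

def audit(member_entries, cluster_mac):
    """Return (member, ip, problem) for every entry that breaks the rule."""
    cluster_mac = norm_mac(cluster_mac)
    if not is_multicast(cluster_mac):
        raise ValueError("cluster MAC is not a multicast address")
    parsed = {m: parse_entries(t) for m, t in member_entries.items()}
    findings = []
    for ip in sorted(set().union(*parsed.values())):
        for member in sorted(parsed):
            mac = parsed[member].get(ip)
            if mac is None:
                findings.append((member, ip, "missing entry"))
            elif mac != cluster_mac:
                kind = "other multicast MAC" if is_multicast(mac) else "unicast MAC"
                findings.append((member, ip, kind))
    return findings

if __name__ == "__main__":
    print(*audit(MEMBER_ENTRIES, CLUSTER_MCAST_MAC), sep="\n")
```

An empty result means every NATed address is published on every member with the same multicast MAC.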

User Authentication and One-Time Passcodes

Like all HA and Load-Sharing clustering solutions, if you are using the Check Point security servers (for SMTP, HTTP, or FTP services) and a failover occurs, you will lose the connection and have to start again through the new member that the traffic is now going through. The security server and remote authentication issues discussed earlier in this topic (comparing single gateway and clustering functionality) apply particularly to Load-Sharing mode, because sessions (with multiple connections) are always likely to be shared between all cluster members, unlike HA, where problems occur only on failover.
