Alternative preferred HA options
There is a reason for “preferred” being included in the heading of this section. Check Point offers ClusterXL with VRRP and Load Sharing using either multicast or unicast as HA modes; however, I cannot recommend them.
The negatives of both Load Sharing modes are perfectly described by Timothy Hall in his book, MAXPOWER: Check Point Firewall Performance Optimization. My experience with these offerings is aligned with his conclusions, and I will only briefly summarize them here:
- Load Sharing Multicast stability is conditional: it depends on the compatibility of adjacent routers. In many organizations, some of the routers are provisioned by peers or service providers, so chances are that, sooner or later, you will run into issues that affect the stability of this solution.
- Load Sharing Unicast is inefficient, as one of the cluster members acts as a “pivot” and must forward traffic to other cluster members. This approach...