Check Point Firewall Appliances

Darden, Patrick S. darden at
Wed Dec 19 19:52:56 UTC 2012

Watch out for licensing gotchas.

In active/active ClusterXL situations (load sharing multicast mode) be
careful of multicast--make sure any traversed switches and routers are
compatible with Ethernet multicast (make sure they don't partition ports
due to high broadcast traffic).  Active/active clustering can also make
troubleshooting a pain--which unit has state for which flow, etc.
Also, minimize lag time between State Synchronization nodes or suffer
myriad hard-to-isolate problems.  I advise you to minimize the number of
cluster nodes per VLAN or you will effectively DoS your attached
network--think broadcast storms.

If you use unicast active/active ClusterXL, you can run into pivot

They are great firewalls, but like all systems they have their

--Patrick Darden
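One way to watch for the broadcast-storm / port-partitioning problem described above is to poll per-port broadcast and multicast counters on the switches in front of the cluster and flag ports whose flooding rate crosses a storm-control style threshold. The script below is an added example, not code from this thread or from Check Point; the port names, counter names and counter values are constructed, and in practice the snapshots would come from SNMP ifTable polls. It handles one edge case that trips up naive delta math: a 32-bit counter wrapping between two polls.

```python
# Added example (not from the NANOG thread): flag switch ports whose
# broadcast+multicast packet rate exceeds a storm-control style threshold,
# computed from two snapshots of interface counters.
# Port names, counter keys and values below are constructed for illustration.

COUNTER_MAX_32 = 2 ** 32  # width of a 32-bit SNMP counter


def counter_delta(old: int, new: int, width: int = COUNTER_MAX_32) -> int:
    """Delta between two counter readings, tolerating a single wrap-around."""
    if new >= old:
        return new - old
    # Counter wrapped past its maximum between the two polls.
    return (width - old) + new


def flooding_rates(snap_a: dict, snap_b: dict, interval_s: float) -> dict:
    """Return {port: broadcast+multicast packets per second} between snapshots.

    Ports present in only one snapshot are skipped: there is no valid delta.
    """
    rates = {}
    for port, b in snap_b.items():
        a = snap_a.get(port)
        if a is None:
            continue
        pkts = (counter_delta(a["bcast"], b["bcast"])
                + counter_delta(a["mcast"], b["mcast"]))
        rates[port] = pkts / interval_s
    return rates


def ports_over_threshold(rates: dict, pps_threshold: float) -> list:
    """Ports whose flooding rate exceeds the threshold, sorted by name."""
    return sorted(port for port, rate in rates.items() if rate > pps_threshold)


# Constructed counter snapshots taken 10 seconds apart.
# Gi1/0/2's broadcast counter wraps between the two polls.
SNAP_T0 = {
    "Gi1/0/1": {"bcast": 1000, "mcast": 2000},
    "Gi1/0/2": {"bcast": 4294967000, "mcast": 50000},
    "Gi1/0/3": {"bcast": 10, "mcast": 0},
}
SNAP_T1 = {
    "Gi1/0/1": {"bcast": 1300, "mcast": 2600},
    "Gi1/0/2": {"bcast": 200, "mcast": 80000},
    "Gi1/0/3": {"bcast": 10, "mcast": 5},
    "Gi1/0/4": {"bcast": 99, "mcast": 99},  # new port, no baseline: ignored
}
POLL_INTERVAL_S = 10
STORM_THRESHOLD_PPS = 1000  # constructed alert threshold


def storm_report(snap_a=SNAP_T0, snap_b=SNAP_T1,
                 interval_s=POLL_INTERVAL_S,
                 threshold=STORM_THRESHOLD_PPS) -> list:
    """Convenience wrapper: ports to investigate for excessive flooding."""
    return ports_over_threshold(flooding_rates(snap_a, snap_b, interval_s),
                                threshold)


if __name__ == "__main__":
    for port, rate in sorted(flooding_rates(SNAP_T0, SNAP_T1, POLL_INTERVAL_S).items()):
        print(f"{port}: {rate:.1f} bcast+mcast pps")
    print("over threshold:", storm_report())
```

Tune the threshold to the switch's own storm-control setting so an alert fires before the switch starts dropping or err-disabling the port; the wrap handling only covers a single wrap, so the poll interval must be short relative to how fast a busy port can cycle a 32-bit counter (use 64-bit high-capacity counters where the switch exposes them).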

-----Original Message-----
From: Blake Pfankuch [mailto:blake at] 
Sent: Wednesday, December 19, 2012 2:36 PM
To: NANOG (nanog at
Subject: Check Point Firewall Appliances

                I am just getting into an environment with a large Check
Point deployment and I am looking for a little bit of feedback from
other real world admins.  Looking for what people like, what people
don't (why hopefully).  Also for those of you who might run Check Point
devices in your environments what to dig into first as far as getting
more experience on the devices and a better understanding of how not to
break them.  I am slowly going through all of the official
documentation, but would also like to hear a real world opinion.

Thanks in advance!

