
Check Point R80.20 - How VRRP Failover Works; Internal Network High Availability

Check Point R80.20
626 pages
Maximizing Network Performance and Redundancy
Next Generation Security Gateway Guide R80.20 | 258
Monitored Circuit/Simplified VRRP makes a complete node failover possible by automatically
monitoring all VRRP-enabled interfaces. You configure one VRID, and this VRID is automatically
added to all the VRRP interfaces. If the VRID on any interface fails, the priority on the other
interfaces is decremented by the configured priority delta. This allows the backup node to take
over as the VRRP master.
How VRRP Failover Works
Each Virtual Router (VRRP Group) is identified by a unique Virtual Router ID (VRID). A Virtual
Router contains one Master Security Gateway, and at least one Backup Security Gateway. The
master sends periodic VRRP advertisements (known as hello messages) to the backups.
VRRP advertisements broadcast the operational status of the master to the backups. Gaia uses
dynamic routing protocols to advertise the VIP (virtual IP address or backup address) of the Virtual
Router.
If the master or its interfaces fail, VRRP uses a priority algorithm to decide if failover to a backup
is necessary. Initially, the master is the Security Gateway that has the highest defined priority
value. You define a priority for each Security Gateway when you create a Virtual Router or change
its configuration. If two Security Gateways have the same priority value, the platform that comes
online and broadcasts its VRRP advertisements first becomes the master.
Gaia also uses priorities to select a backup Security Gateway upon failover (when there is more
than one backup available). In the event of failover, the Virtual Router priority value is decreased
by a predefined Priority Delta value to calculate an Effective Priority value. The Virtual Router with
the highest effective priority becomes the new master. The Priority Delta value is a Check Point
proprietary parameter that you define when configuring a Virtual Router. If you configure your
system correctly, the effective priority will be lower than the backup gateway priority in the other
Virtual Routers. This causes the problematic master to fail over for the other Virtual Routers as
well.
Note - If the effective priority for the current master and backup are the same, the Gateway with
the highest IP address becomes the master.
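
The election rules above can be checked before deployment with a small model. This is an added example, not code from the Check Point guide: the gateway names, addresses and priority values are constructed, and the model covers only the comparison made at failover (effective priority, then highest IP address), not the first-online rule for equal configured priorities.

```python
from dataclasses import dataclass
from ipaddress import IPv4Address


@dataclass(frozen=True)
class Gateway:
    name: str             # hypothetical label
    ip: IPv4Address       # address used for the tie-break
    priority: int         # configured Virtual Router priority
    priority_delta: int   # Check Point Priority Delta

    def effective_priority(self, failed: bool) -> int:
        # After a monitored failure the priority is decreased by the delta.
        return self.priority - self.priority_delta if failed else self.priority


def elect_master(gateways, failed=frozenset()):
    """Highest effective priority wins; equal values go to the highest IP."""
    return max(gateways, key=lambda g: (g.effective_priority(g.name in failed), g.ip))


def delta_forces_failover(gateways):
    """True if a failure on the healthy-state master hands mastership to a backup."""
    master = elect_master(gateways)
    return elect_master(gateways, failed={master.name}) != master


def pair(delta):
    # Constructed sample: two gateways with distinct configured priorities.
    return [
        Gateway("gw1", IPv4Address("192.0.2.1"), 100, delta),
        Gateway("gw2", IPv4Address("192.0.2.2"), 95, delta),
    ]


if __name__ == "__main__":
    for delta in (10, 5, 3):
        gws = pair(delta)
        new_master = elect_master(gws, failed={"gw1"})
        print(f"delta={delta}: gw1 effective={gws[0].effective_priority(True)}, "
              f"master after gw1 failure={new_master.name}, "
              f"failover={delta_forces_failover(gws)}")
```

With a delta of 3 the failed master keeps an effective priority of 97, above the backup's 95, so no failover occurs; this is the misconfiguration the text warns about.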
Internal Network High Availability
This is a simple VRRP use case, where Security Gateway 1 is the VRRP Master, and Security
Gateway 2 is the VRRP Backup. Virtual Router redundancy is available only for connections to and
from the internal network. There is no redundancy for external network traffic.
