Checkpoint redundancy vs Cisco ASA

 I am a true Cisco ASA-guy. I eat, live and sh…. ASA:s. I have been working with Cisco gear since forever and the first Cisco Firewall I configured was a Cisco 520 with floppy.

Nevertheless, I also know some stuff about other firewalls. I have been working with iptables, Watchguards, Symantec/Raptor/whatever and installed a few Checkpoints. Actually I am certified CCSA and CCSE for checkpoint firewall. Still I try to avoid them. The reason is simple. They are complex, there is only 24h available per day and there are people that know checkpoint better than I do.


Whatever firewall I run into I compare them to ASA:s. I cant avoid it because it is ASA:s that I know by heart. And I have for a while tried to understand the complexity of load-distribution of Checkpoint clusters. Then I run into this incredible blog post by Greg Ferro at And There Was Light.


Instead of trying to explain it again half as good as the original I simply suggest anyone interrested in Checkpoint or other firewalls technology of load sharing to read the blog post above. It is great!


ASA:s doesnt do load balancing(*). A “cluster” can contain only two members and it is always(*) a active/passive solution where the passive member is a hot-standby. It is not as near as sophisticated as the Cluster XL-solution from Checkpoint. But it it simple. And rock solid. If you want to “keep it simple, stupid” the ASA failover-solution is your setup if you ask me. 


It would be interresting to do a cost analysis and compare the cost of purchasing equal setups of ASA:s and Checkpoint-wirewalls for a specific thruput/size. I am already quite sure that it way cheaper to buy one ASA that is big enogh to handle the thruput needed, and one hot-spare, than buying 2 Checkpoint-units with the same performance.


(*) Yes, there is an active/active-solution from Cisco. But it requires multi context. And unless you have need for multiple virtual firewalls you cant make both hardware units in the cluster processing traffic at the same time.


Thanks for the most informative blog post this year, Greg Ferro!



Tagged with: , ,
Posted in Cisco Security
3 comments on “Checkpoint redundancy vs Cisco ASA
  1. Daniel says:

    Hey Jimmy,

    I guess we’re in the same boat -working on different make/models..

    Though I can’t get over the NAT in ASA’s… do you’ve a simple doco explaining it showing the different options in a very simple and straight manner…

    I heard -starting from 8.3- the global command was removed! how valid is tis


  2. 25tolife says:

    Except that that author your referring to doesn’t really comprehend multicast or proper design or any depth in managing a linux box.  As evident by the Naughty Multicast section.  He just knows how to type Cisco commands.

  3. 95Veola says:

    Hi admin, i must say you have very interesting content here.

    Your page can go viral. You need initial traffic boost only.
    How to get it? Search for: Mertiso’s tips go viral

Leave a Reply

Your email address will not be published. Required fields are marked *



[mc4wp_form id="2457"]
Website Security Test