On-Prem CP Firewall HA with VLAN Segmentation
About This Architecture
A Check Point CP 1590 dual-unit firewall cluster in active-passive HA provides resilient perimeter defense for on-premises networks, using VLAN 10 for the WAN uplink and VLAN 20 for internal access-layer segmentation. Traffic flows from the ISP through the modem and a DMZ firewall port into an Aruba distribution switch, which separates the WAN cluster ports (22-23 on VLAN 10) from the LAN workstations, servers, storage, and printers (ports 1-20 on VLAN 20) via managed switching. State synchronization between CP 1590 Unit A and Unit B ensures stateful failover and consistent security policy enforcement across both cluster members. This architecture eliminates single points of failure while maintaining strict network segmentation, reducing blast radius and simplifying compliance audits for regulated environments. Fork and customize this diagram on Diagrams.so to match your firewall models, port assignments, and VLAN ranges.
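As an added check, not part of the diagram or of Diagrams.so's output: a small Python script that parses an ArubaOS-Switch-style VLAN configuration and verifies the port assignment the diagram calls for (ports 22-23 on VLAN 10, ports 1-20 on VLAN 20), flagging any port left in the default VLAN. The configuration sample is constructed, and the ArubaOS-Switch syntax is an assumption, since the page names an Aruba switch without specifying its OS.

```python
import re

# Constructed sample in ArubaOS-Switch running-config style (an assumption: the
# page names an Aruba switch but not its OS). Ports 21 and 24 are left in the
# default VLAN on purpose, to show what the check flags.
SAMPLE_CONFIG = """
vlan 1
   untagged 21,24
vlan 10
   untagged 22-23
vlan 20
   untagged 1-20
"""
# Intended assignment from the diagram: WAN cluster ports 22-23 on VLAN 10,
# access-layer ports 1-20 on VLAN 20.
EXPECTED = {10: {22, 23}, 20: set(range(1, 21))}

def expand_ports(spec):  # '1-20' or '21,24' style port lists -> set of ints
    ports = set()
    for part in spec.split(","):
        lo, _, hi = part.strip().partition("-")
        ports.update(range(int(lo), int(hi or lo) + 1))
    return ports

def parse_vlans(config):  # {vlan_id: set of untagged ports}
    vlans, current = {}, None
    for raw in config.splitlines():
        line = raw.strip()
        match = re.fullmatch(r"vlan (\d+)", line)
        if match:
            current = int(match.group(1))
            vlans[current] = set()
        elif current is not None and line.startswith("untagged "):
            vlans[current] |= expand_ports(line[len("untagged "):])
    return vlans

def check_segmentation(vlans, expected=EXPECTED):  # returns list of findings
    findings = []
    for vid, ports in expected.items():
        actual = vlans.get(vid, set())
        if actual != ports:
            findings.append(f"VLAN {vid}: expected {sorted(ports)}, got {sorted(actual)}")
    # Ports still untagged in VLAN 1 sit in neither segment: disable them or park them.
    stray = sorted(vlans.get(1, set()))
    if stray:
        findings.append(f"ports {stray} remain in default VLAN 1")
    return findings

print("\n".join(check_segmentation(parse_vlans(SAMPLE_CONFIG))))
```

Run it against the exported running-config of the distribution switch after any port change; an empty result means the membership still matches the diagram.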
People also ask
How do I design a redundant on-premises firewall cluster with VLAN segmentation using Check Point?
This diagram shows a Check Point CP 1590 dual-unit HA cluster in which Unit A and Unit B synchronize state across port 2, with VLAN 10 isolating the WAN uplink ports (22-23) and VLAN 20 segmenting the internal access-layer devices (workstations, servers, storage, printers). Traffic ingresses through an ISP modem and a DMZ firewall port, then is distributed via the Aruba switch to the managed switch, which enforces VL
- Domain: Networking
- Audience: Network architects designing on-premises firewall redundancy and VLAN segmentation
Generated by Diagrams.so — AI architecture diagram generator with native Draw.io output. Fork this diagram, remix it, or download as .drawio, PNG, or SVG.