
Re: [FW1] HA config and port 8116 traffic



At 16:34 22.09.00 +1000, Peter BAKER wrote:
>I have just built a set of HA firewalls (Cp2000 4.1 sp 1) that face
>another organization and everything looks okay, failover, reporting,
>all that kind of thing BUT my Internet firewall is logging and
>dropping packets with no source address the destination address of the
>unique and shared internal of the HA set on port 8116.
>
>The sync is set up on another NIC with a crossover cable between the
>two modules, so as far as I know the port 8116 traffic should not be
>seen by any other device. I have not yet tested sync on failover.

Hi Peter,

what you see is not the sync traffic, which (hopefully) is only being
sent and received over your secured interfaces. CP uses UDP port 8116
on all interfaces (the docs are not clear about this) to actively check
the network interface status and to check for other HA members on all
attached subnets. CP states that a node does this when using Old Sync
or New Sync; let me add that it also acts this way when doing no sync
at all...

The IP source address is all bits zero (old-broadcast) and the IP destination
is most of the time set to the subnet's net-id address. Some packets
are also sent to the shared IP address. The sender's MAC address' last byte
is set to the HA member's ID, starting with 00.

In a two-HA-node configuration there are around 3-4 IP packets per second
broadcast. CP's comment on this is "... can be safely ignored".

Additionally you're going to see ICMP traffic to "randomly" chosen hosts
on your subnets coming from the HA node after it loses contact to its
HA neighbor node(s). This seems to be part of CP's "Interface Active Check"
strategy. The node seems to pseudo-randomly pick nodes on every subnet
after they attract the node's attention. This is after a host broadcasts
ARP requests and therefore has to disclose its own IP address. The HA node
changes its target every time a new ARP challenge is sent out by another
host. If a new target doesn't answer (packet filter in place etc.), the HA
node repeats polling the old target. All this stops after the failed node(s)
reappear(s).

If - for whatever reason - not a single target host broadcasts ARP requests,
then the node starts sending out ARP requests for all possible IP addresses
on this particular subnet - until a machine responds. It does this repeatedly
for all valid IP addresses, but somebody at Check Point obviously did not know
how IP addresses are counted ;) Given a subnet of 10.1.1.0/24 it will start
with 10.1.1.1 and oops! ends with 10.1.2.0 after hitting 10.1.1.255.
Never mind...

I'd very much appreciate some more official documentation of the implementation
from CP's side.

HTH,
Hans
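The traffic pattern Hans describes gives a firewall admin enough to triage the drops automatically instead of reviewing them by hand. The following is an added example, not code from the original post or from Check Point: it parses constructed, fw1-style text log lines (the field layout `proto= src= dst= dport= smac=` is an assumption), marks entries that match the HA "Interface Active Check" fingerprint (UDP to port 8116, IP source 0.0.0.0, destination either the subnet's net-id or the shared IP, HA member ID in the last byte of the sender MAC), and separately reproduces the address-counting slip for the ARP sweep so that an ARP request for the next subnet's .0 address is recognisable as HA behaviour rather than a scan. The subnet 10.1.1.0/24 comes from the post; the shared IP 10.1.1.1 and the MAC prefixes are constructed values.

```python
"""Triage helper for Check Point HA probe traffic (added example, not CP code)."""
import ipaddress
import re

# Constructed values: the segment facing the other firewall and the HA shared IP.
SUBNET = ipaddress.ip_network("10.1.1.0/24")
SHARED_IP = ipaddress.ip_address("10.1.1.1")

# Assumed log field layout, loosely modelled on a fw1 text export.
LINE_RE = re.compile(
    r"proto=(?P<proto>\w+)\s+src=(?P<src>\S+)\s+dst=(?P<dst>\S+)\s+"
    r"dport=(?P<dport>\d+)\s+smac=(?P<smac>[0-9a-fA-F:]{17})"
)

# Constructed sample lines: two HA probes (member 0 and member 1), one UDP/8116
# packet with a real source address, and one unrelated TCP packet.
SAMPLE_LOG = [
    "action=drop proto=udp src=0.0.0.0 dst=10.1.1.0 dport=8116 smac=00:a0:c9:12:34:00",
    "action=drop proto=udp src=0.0.0.0 dst=10.1.1.1 dport=8116 smac=00:a0:c9:12:34:01",
    "action=drop proto=udp src=192.0.2.7 dst=10.1.1.1 dport=8116 smac=00:50:56:aa:bb:cc",
    "action=drop proto=tcp src=198.51.100.9 dst=10.1.1.20 dport=8116 smac=00:50:56:aa:bb:cd",
]


def parse_line(line):
    """Extract the fields we need; return None for lines in another format."""
    m = LINE_RE.search(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["dport"] = int(rec["dport"])
    return rec


def classify(rec, subnet=SUBNET, shared_ip=SHARED_IP):
    """Return ('ha-probe', member_id) when the record matches the HA check
    pattern from the post, otherwise ('review', None) so a human looks at it."""
    if rec["proto"].lower() != "udp" or rec["dport"] != 8116:
        return ("review", None)
    # Source is all-bits-zero (old-style broadcast), never a real host.
    if ipaddress.ip_address(rec["src"]) != ipaddress.ip_address("0.0.0.0"):
        return ("review", None)
    # Destination is the subnet's net-id or the shared (virtual) address.
    dst = ipaddress.ip_address(rec["dst"])
    if dst not in (subnet.network_address, shared_ip):
        return ("review", None)
    # Last byte of the sender MAC carries the HA member ID, starting at 00.
    member_id = int(rec["smac"].split(":")[-1], 16)
    return ("ha-probe", member_id)


def triage(lines, subnet=SUBNET, shared_ip=SHARED_IP):
    """Return [(line, verdict, member_id)] for every parseable log line."""
    out = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        verdict, member = classify(rec, subnet, shared_ip)
        out.append((line, verdict, member))
    return out


def ha_arp_sweep(subnet):
    """Addresses the HA node ARPs for, counted the way the post describes:
    it starts at .1 and, having hit the broadcast address, carries on one
    more step into the next network (10.1.2.0 for 10.1.1.0/24)."""
    first = int(subnet.network_address) + 1
    last = int(subnet.broadcast_address) + 1  # the off-by-one overshoot
    return [str(ipaddress.ip_address(i)) for i in range(first, last + 1)]


def off_subnet_arp_targets(subnet):
    """ARP targets in the sweep that do not belong to the subnet at all; an
    ARP request for one of these on that segment is a tell for the HA check."""
    return [a for a in ha_arp_sweep(subnet) if ipaddress.ip_address(a) not in subnet]


if __name__ == "__main__":
    for line, verdict, member in triage(SAMPLE_LOG):
        tag = f"{verdict} (member {member})" if member is not None else verdict
        print(f"{tag:22} {line}")
    print("stray ARP targets:", off_subnet_arp_targets(SUBNET))
```

Only the two packets with source 0.0.0.0 and an expected destination are labelled as HA probes; a UDP/8116 packet from a real source address is still passed to review, since the port alone is not the fingerprint.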



All contents © 2003 Network Presence, LLC. All rights reserved.