NETWORK PRESENCE ABOUT SERVICES PRODUCTS TRAINING CONTACT US SEARCH SUPPORT
 



Re: [FW1] Services to enable VRRP in Checkpoint



On Fri, Oct 06, 2000 at 11:33:15AM +0200, [email protected] wrote:
: 
: I'd like to know which services I have to enable with Checkpoint to permit
: the VRRP protocol between the firewalls (two firewalls with a VRRP protocol
: installed in)

You may need to create service objects for VRRP first (I forget if they
started doing that).  If you need to do this, create a service object
of type "Other", call it "vrrp", in the "match" field, put "ip_p = 0x70".
Make another service object called igmp, "ip_p = 0x2".

You'll also need to create a network object of type Workstation for 
vrrp.mcast.net (224.0.0.18).  I'll assume you're doing monitored circuits,
so you don't need to have the secondary routing protocol involved (like you
had to in the 'good old days' - when we had to also use OSPF w/vrrp).

Make a rule at the top of your rulebase, with source as a group of *EVERY*
interface on both firewalls that will be doing vrrp, yes every single 
one of them.  If you've got quad cards in each box, and are using one as
the sync link, using a crossover, with inside/outside/dmz as your setup,
this group will contain the remaining 6 interfaces.  Make the destination
vrrp.mcast.net, services vrrp and igmp, accept, no log (if you log it, 
your logs will be HUGE!).

fw-interfaces   vrrp.mcast.net   vrrp   Accept
                                 igmp


If you're doing it old-style, make network objects for ospf.mcast.net and
ospf-dr.mcast.net (224.0.0.5 and 224.0.0.6, respectively), and make similar
rules to let the interfaces on the fw's that are talking ospf talk to those
addresses with the proper services.

-- 
Jason Costomiris <><           |  Technologist, geek, human.
jcostom {at} jasons {dot} org  |  http://www.jasons.org/ 
          Quidquid latine dictum sit, altum viditur.
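
The rule described in the message above, as an added example that is not part of the original post: a Python check that parses an IPv4 header and evaluates it against the two "ip_p" matches, the vrrp.mcast.net destination and the fw-interfaces source group. The interface addresses and function names are constructed for illustration, and the TTL note relies on the VRRP specification (RFC 2338) requirement that advertisements carry TTL 255, which the post itself does not mention.

```python
import ipaddress
import struct

VRRP_PROTO = 0x70   # "ip_p = 0x70" in the vrrp service object
IGMP_PROTO = 0x02   # "ip_p = 0x2" in the igmp service object
VRRP_MCAST = ipaddress.IPv4Address("224.0.0.18")  # vrrp.mcast.net

# Constructed addresses standing in for the fw-interfaces group
# (six interfaces across the two firewalls; not from the post).
FW_INTERFACES = {ipaddress.IPv4Address(a) for a in (
    "192.0.2.1", "192.0.2.2", "198.51.100.1", "198.51.100.2",
    "203.0.113.1", "203.0.113.2")}


def build_ipv4_header(src, dst, proto, ttl=255):
    """Build a constructed 20-byte IPv4 header (checksum left at 0)."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20, 0, 0, ttl, proto, 0,
                       ipaddress.IPv4Address(src).packed,
                       ipaddress.IPv4Address(dst).packed)


def parse_ipv4_header(packet):
    """Return (src, dst, protocol, ttl) from a raw IPv4 header."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        raise ValueError("not an IPv4 header")
    ttl, proto = packet[8], packet[9]
    src = ipaddress.IPv4Address(packet[12:16])
    dst = ipaddress.IPv4Address(packet[16:20])
    return src, dst, proto, ttl


def evaluate(packet, fw_interfaces=FW_INTERFACES):
    """Return (verdict, note) for one packet against the VRRP rule."""
    src, dst, proto, ttl = parse_ipv4_header(packet)
    if dst != VRRP_MCAST or proto not in (VRRP_PROTO, IGMP_PROTO):
        return "no-match", "falls through to later rules"
    if src not in fw_interfaces:
        # An interface left out of the group never matches the rule.
        return "no-match", f"{src} is not in fw-interfaces"
    if proto == VRRP_PROTO and ttl != 255:
        # The rule has no TTL condition; RFC 2338 peers drop such packets.
        return "accept", "VRRP with TTL != 255; the peer will discard it"
    return "accept", "vrrp" if proto == VRRP_PROTO else "igmp"
```
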

