RE: [FW1] FW-1 plus load-balancing
The load balancing features built into FW1 are showing their age. They just don't work all that well. They did give us a solution when no one else had one, but these days I think that most people would agree that a 3rd party load-balancing solution makes much more sense.

One example of how CheckPoint's product seems to misbehave is when a server goes off-line (down): the load balancing engine does not seem to realize this and continues to send connections to it anyway.

The CheckPoint load balancing is handled in software, and in some cases you load an agent on the web servers that you are balancing. There is no need to set up OSPF or anything silly like that. You basically assign a "virtual" address for the "group" of servers that you want to balance and then assign the servers into a group. Your DNS entry points to that virtual address and the firewall will pick the destination IP address and will (kind-of) NAT that connection to the destination.

I would say that CheckPoint's solution to the problem isn't really viable in today's environments. Maybe if you just need simple load balancing it might be ok. This is just HTTP load balancing, not firewall load balancing.

I'd look into the slew of hardware based load balancing solutions out there: Cisco ( http://www.cisco.com ), Alteon ( http://www.alteonwebsystems.com/ ), Rainfinity, Stonesoft, Foundry, ArrowPoint. There are about 100 of them it seems. Check out the OPSEC section of CheckPoint's web page for a more complete list.

http://www.checkpoint.com/opsec/performance.html#HA_Load_Balancing

Good Luck.

Will

-----Original Message-----
From: [email protected] [mailto:[email protected]] On Behalf Of Thomas Nau
Sent: Thursday, October 19, 2000 2:33 AM
To: FW-1 mailing list
Subject: [FW1] FW-1 plus load-balancing

Hi there.

Two questions about HA and load-balancing solutions:

1. If FW-1 is set up to do LB, is there need for additional hardware like a load-balancing switch? How does LB work with routing? Do we need to set up OSPF with multiple default routes to the outside or how does the cluster handle this on a technical base?

2. Which products would you recommend from the performance and scalability point of view? VPN is no real issue so mainly packet filtering in the 400-1000Mbit range must be offered.

Thanks,
Thomas

====== PGP fingerprint B1 EE D2 39 2C 82 26 DA A5 4D E0 50 35 75 9E ED ======
Thought you got rid of all year 2k bugs and problems? Here's a new one: Windows 2000

================================================================================
To unsubscribe from this mailing list, please see the instructions at
http://www.checkpoint.com/services/mailing.html
================================================================================