It's a problem when you rely on a single point of failure.
It's a problem when you have a single firewall that you rely on heavily and you need to install a new rule base. (Notice what happens to all those established sessions?)
Lots of reasons to not rely on a SINGLE firewall solution.
A six pack is designed to solve problems of load balancing, availability/reliability, and management.
Usually you will have two routers for internet, two switches (Foundry etc.) behind them, two firewalls, and then two more switches. You can put a bullet in whatever component you choose and your packets will still reach their destination. This also means you can schedule maintenance tasks easier.
Ideally the core of your network is a fully redundant switch mesh and, as a rule, nothing can connect to the core without itself being redundant. I guess there are a million ways to get things done though; this method keeps the diameter of the network from growing too quickly and I need my firewalls connected in like fashion.
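
The "put a bullet in whatever component you choose" property from the message above can be checked mechanically. This is an added example, not part of the original thread: the device names are placeholders, and it assumes every device is cabled to every device in the adjacent tier, which the message does not spell out.

```python
from collections import deque

def build(tiers):
    """Link every device in one tier to every device in the next (assumed cabling)."""
    links = set()
    for upper, lower in zip(tiers, tiers[1:]):
        links |= {frozenset((a, b)) for a in upper for b in lower}
    return links

def reachable(links, src, dst, dead=()):
    """Breadth-first search from src to dst, skipping failed devices."""
    seen, queue = {src}, deque([src])
    while queue:
        node = queue.popleft()
        if node == dst:
            return True
        for link in links:
            if node in link:
                (peer,) = link - {node}
                if peer not in seen and peer not in dead:
                    seen.add(peer)
                    queue.append(peer)
    return False

def single_points_of_failure(tiers):
    """Devices whose loss alone cuts the first tier off from the last."""
    links = build(tiers)
    src, dst = tiers[0][0], tiers[-1][0]
    devices = [d for tier in tiers[1:-1] for d in tier]
    return [d for d in devices if not reachable(links, src, dst, dead={d})]

# Constructed topologies; all device names are placeholders.
SINGLE_FW = [["internet"], ["rtr1", "rtr2"], ["sw-out1", "sw-out2"],
             ["fw1"], ["sw-in1", "sw-in2"], ["core"]]
SIX_PACK = [["internet"], ["rtr1", "rtr2"], ["sw-out1", "sw-out2"],
            ["fw1", "fw2"], ["sw-in1", "sw-in2"], ["core"]]

if __name__ == "__main__":
    print("single firewall:", single_points_of_failure(SINGLE_FW))
    print("six pack:       ", single_points_of_failure(SIX_PACK))
```

The same function can be run against the links actually cabled in a deployment to confirm that a maintenance window on any one device leaves a path up.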
----- Original Message -----
Sent: Thursday, January 04, 2001 1:28 PM
Subject: RE: FW: [FW1] Platform Question
Just curious -
What do you mean by a "redundant six pack" setup?
Thanks!
-----Original Message-----
From: [email protected] [mailto:[email protected]]
Sent: Thursday, January 04, 2001 12:47 PM
To: [email protected]; [email protected]; [email protected]
Subject: Re: FW: [FW1] Platform Question
From what I have seen, the main FW-1 process is NOT multithreaded. However, there are several processes separate from the main FW-1 process and having a 2nd processor will allow the ELA, http proxy, and other components to take advantage of the second CPU.
Looking at perfmon graphs under heavy load I see one processor getting heavy utilization and trending this against the FW-1 metrics for packets forwarded it is easy to see a 1 to 1 relationship.
From what I remember in CCSE classes, this is the case for the Unix builds as well.
RAM is not nearly as much an issue as some people would have you think unless you have a LOT of connections or VPNs.
If I had it to do all over again, I would get two 1U Compaq servers and stick a 1GHz processor in each and two Intel i960 NICs (that provides 2 10/100 on the systemboard and the 2 extra ISL capable ports). Slap a Foundry switch on either side and build a redundant six pack setup.
If I suddenly needed to run more security server processes, I can just pop in another 1Gig CPU and there you go...LOTS LOTS cheaper.
Perhaps the IPSO devices would be a good appliance style solution as well. I have heard some rumors of Nokia distancing themselves from Checkpoint lately.
----- Original Message -----
From: <[email protected]>
To: <[email protected]>; <[email protected]>
Sent: Thursday, January 04, 2001 11:18 AM
Subject: RE: FW: [FW1] Platform Question
>
> Well the switch was to free up the Sun box for database operations PLUS our
> staff is much more NT literate than Unix. Our load is very LOW, T1x2 to
> internet and at MAX 20 simultaneous SecureRemote users.
>
> So, that being said... here are answers to your questions -- appreciate
> everyone's help, have gotten lots of responses now :)
>
> It's FW-1 sp2 - still have not got a definitive answer as to whether this
> supports SMP or not.
> The 220R was a single 450MHz
> The Intel NICs are set to AUTO, but both their diags and SNMP report they
> are running at Full Duplex
>
> Thanks again to everyone for trying to work through this with me!
>
> -----Original Message-----
> From: [email protected] [mailto:[email protected]]
> Sent: Thursday, January 04, 2001 10:19 AM
> To: [email protected]
> Subject: Re: FW: [FW1] Platform Question
>
> I'm not trying to be a smart a$$, but I wonder how many people would go
> FROM Solaris TO Windows.
>
> I don't know much about anything, but I have heard that Solaris machines
> work much better under HIGH load than Windows machines. Is your server
> under high load?
>
> I wouldn't be TOO surprised if your users are actually experiencing a
> performance hit. My reasoning here is:
>
> -What version of FW-1? Is it a version that supports SMP?
> -was the 220R dual? what CPUs did it have? Two 450's perhaps?
> -does the Windows FW-1 version support SMP? If it doesn't then you are
> comparing two boxes with very similar hardware (assuming worst case
> on the # of CPUs in the 220R)... but one with the overhead of an
> expensive GUI.
> -even though your RAM has increased, if you weren't using all 128mb on the
> Solaris machine... then it wouldn't make any difference.
>
> (PS. Have you checked your speed and duplex on the NICs on the NT
> machine? Autonegotiation is worse than useless.)
>
> On Thu, 4 Jan 2001 [email protected] wrote:
>
> >
> > It's funny, I didn't get one single reply on this... does that mean NO ONE
> > has ever run into this, or is it just something no one wants to talk about?
> >
> > <SNIP>
> >
>
> ================================================================================
> To unsubscribe from this mailing list, please see the instructions at
> http://www.checkpoint.com/services/mailing.html
> ================================================================================
>