
[FW1] Nokia/FW1 HA over WAN



I'm in the middle of designing a Nokia HA solution for a customer.  These
four IP440s will be located across a WAN in four different sites each with
Internet connectivity.  The company's WAN intersects with the Internet at
four points and one Nokia IPSO will protect each point.  The company is
utilizing ATM for its WAN backbone.  The thought is that if the firewall
providing Internet access in location X were to die, traffic could be
re-routed across the corporate WAN to location Y to head out through
another firewall.  We are looking at the options for high availability and
I need to bounce a few ideas/questions off the mailing list:

1. How does VRRP act when the IPSO firewalls are separated by WAN links?

2. There is a total of 2500 users on the internal network using standard
Internet services, and a few web servers being hosted but not much other
inbound traffic.  Overall traffic handled by these firewalls is not
extremely high but availability is important.  Would it be unwise to have
Checkpoint sync state tables over the WAN?

3.  What about using BGP (running it on each Nokia) to route traffic away
from a downed firewall (assuming all firewalls run the same policy)? 
Without the state tables synced, existing connections will die, but this
may be acceptable.

Any experiences or ideas would be appreciated!

___________________________
Aaron Shilts
eSecurity Consulting, Inc.

___________________________







 
----------------------------------

   All contents © 2004 Network Presence, LLC. All rights reserved.