[FW1] Re:



As far as routing is concerned, it doesn't matter which
router forwards the packets from the Internet to your
external network segment (aka, virtual cluster IP).  

Also, when packets are leaving your internal
network, one of your firewalls will forward the packets
to the Internet transparently.  Packets 
could be forwarded by FW1 or FW2, each one would
have its route and things will work fine.

The problem will arise when one of your routers (link
to your ISP) fails.

The firewall affected would have to be sent offline so that
it stops forwarding packets to its default gateway.

In order to achieve the offline action you will have to
configure tests.

My suggestion is that you configure tests to ping some site
on the Internet so that each firewall notices when
its path to the Internet has been lost.

You must configure the test to ping an external site so that
you can detect failures.  If you ping your router you could get
a reply from it, but this doesn't assure you that the link
to your ISP is up.

Of course it has to be a trusted site and the practice will
carry some extra traffic on your link.

If you fail to do this, things will get a little messy.

My two cents.

> 
> I've this:
> 
>     routerA           routerB
>       |                  |
>   -----------------------------
>          |          |
>         FW1        FW2
> 
> The FW's running Solaris 2.6, Firewall-1 4.1 and Stonebeat FullCluster.
> The routers are 3640.
> I want to configure the defaultrouter for:
>    FW1 ---> routerA
>    FW2 ---> routerB
> Is there any problem with this configuration?
> 
> Thanks in advance
> Paco Navarro
> 
> ================================================================================
>      To unsubscribe from this mailing list, please see the instructions at
>                http://www.checkpoint.com/services/mailing.html
> ================================================================================

-- 
Héctor Gerardo Garza Tapia
Information Security Consultant
CITI
Sendero Sur 285 A 
Col.Contry Monterrey, NL 64860 Mexico
Tel. +52(8) 357-2267 x146  Fax +52(8) 357-8047
Email: [email protected]  WWW: www.citi.com.mx
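
The path test described in the reply above, as an added shell example (not part of the original message and not StoneBeat FullCluster test syntax): it probes external sites rather than only the router, and goes slightly beyond the message by using more than one target and requiring several consecutive failures before the node goes offline. The addresses are documentation-range placeholders, and `NODE_OFFLINE_CMD` is a hypothetical hook for whatever command takes the node out of the cluster.

```shell
#!/bin/sh
# Added example: upstream-path test for one firewall node (not StoneBeat syntax).
# Constructed placeholders: documentation-range addresses, NODE_OFFLINE_CMD hook.
GATEWAY=${GATEWAY:-192.0.2.1}                       # this node's default router
TARGETS=${TARGETS:-"198.51.100.10 203.0.113.10"}    # trusted external sites
THRESHOLD=${THRESHOLD:-3}                           # consecutive failures before offline
INTERVAL=${INTERVAL:-10}                            # seconds between rounds
PROBE=${PROBE:-probe_ping}                          # probe command, replaceable for testing

# One ICMP echo with a 2 s wait (Linux iputils flags; adjust for other systems).
probe_ping() { ping -c 1 -W 2 "$1" >/dev/null 2>&1; }

# classify_path GATEWAY TARGET...  -> prints up | link_down | gateway_down
# Any external reply proves the whole path. A reply from the router alone does not.
classify_path() {
    gw=$1; shift
    for t in "$@"; do
        if "$PROBE" "$t"; then echo up; return 0; fi
    done
    if "$PROBE" "$gw"; then echo link_down; else echo gateway_down; fi
}

# next_failcount COUNT STATE -> prints the new consecutive-failure count
next_failcount() {
    if [ "$2" = up ]; then echo 0; else echo $(( $1 + 1 )); fi
}

# should_go_offline COUNT THRESHOLD -> exit status 0 when the node must leave the cluster
should_go_offline() { [ "$1" -ge "$2" ]; }

# Monitor loop, run only when RUN_MONITOR=1 so the functions can be sourced alone.
if [ "${RUN_MONITOR:-0}" = 1 ]; then
    fails=0
    while :; do
        state=$(classify_path "$GATEWAY" $TARGETS)
        fails=$(next_failcount "$fails" "$state")
        if should_go_offline "$fails" "$THRESHOLD"; then
            echo "path $state for $fails rounds: taking node offline" >&2
            ${NODE_OFFLINE_CMD:-:}      # hypothetical hook; no-op if unset
            break
        fi
        sleep "$INTERVAL"
    done
fi
```

The `link_down` result is the case the reply warns about: the router still answers, but nothing beyond it does.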

