Search

	display results
words begin exact words any words part

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[FW1] Monitored Circuit Configuration on Nokia

To: [email protected]
Subject: [FW1] Monitored Circuit Configuration on Nokia
From: Mark Hall/St Louis/IBM <[email protected]>
Date: Mon, 19 Feb 2001 11:37:57 -0600
Importance: Normal
Sender: [email protected]

> - -----Original Message-----
> From: [email protected]
> [mailto:[email protected]]On Behalf Of Mal
> Herring
> Sent: Thursday, February 15, 2001 9:31 AM
> To: 'Tim Anderson'; '[email protected]'
> Subject: RE: [FW1] Nokia vs. NT
 
> From what I know - No Load balancing unless you configure ½ hosts on one 
and
> other ½ to other fw, and fail-over with VRRP has caused me load of grief 
so
> I am looking to use the Monitored Circuit solution - should anyone have 
any
> knowledge on this - please mail me.

> regards

> mal

Well, this isn't an absolute guide, but a basic so you can get monitored 
circuit working correctly.  This example assumes that you're using two 
firewalls that are mirror images of each other...:

1) Count the # of interfaces with VIRTUAL addresses that you plan to use 
(i'll use 6 for our example).  Make sure your delta is higher than this 
number.  I'm going to assume you are using fewer than 14 interfaces. ;-)
2) For each interface with a VIRTUAL address, check the 'monitored 
circuit' radio buton, and then apply the page.
3) Define a router ID for each virtual address.  Note:  This ID *MUST* be 
unique per network segment.  This router id is used to generate the MAC 
address for the virtual address.  This address will be 0:0:5e:0:1:xx where 
xx is the hex value of the router ID#.  This is WHY you can't have more 
than 1 set of firewalls sharing a VRID on a single network segment, 
otherwise they'll BOTH try to pick up and forward the packets.  In fact, 
we found a problem when we shared a VRID# that forwarding didn't work 
correctly, and two firewalls on the same management station both received 
the same packet - one accepted, one dropped.  got confusing in the logs. 
;-)
4) Once this is done, simply multiply your # of interfaces by something 
like 15 and add some number.  This also must be less than 255 (it's a one 
byte field).  I recommend adding something like 15.  With the 6 interface 
example, my primary's priority will be 100.  Fill out the field per 
interface with the virtual address, the primary's priority, and a hello 
interval of 1 (failover within 3 missed hellos, or 3 seconds).  For the 
secondary, its priority should be somewhat less than the primary's, and 
higher than a single interface's delta.  Remember the multiply by 15 
earlier?  That's the delta we'll use, and the priority for the secondary 
should be higher than this, let's use 95.  If you're using more than 15 
interfaces, 15*15 is higher than 255, so you may need to add a 'negative' 
number to drop the highest end to less than 255.  What this will do when 
they all subtract from your priority I don't know. =-)
5) for each monitored interface, let's use a delta of 15, and select one 
of the other monitored interfaces (i.e. interfaces 4 on 3, 3 on 4, 3 on 5, 
3 on 6, 3 on 7, 3 on 8), then apply.  For the secondary, you cannot use 0 
as a delta, use 1, but do the same thing.
6) apply each other monitored interface to each monitored interface with 
the appropriate deltas.  When any interface on the firewall goes down, 
since every other interface monitors the one that went down, they'll 
cascade shutdown, meaning NONE of your monitored interfaces will be 'up' 
in the priority calculation, resulting in a value of 10.  Then, the 
secondary will have a higher priority, and will take over the virtual 
addresses.  This is how it should work.  So interface 3 should end up 
monitoring 4, 5, 6, 7, 8.  and so on.
Don't forget to add a firewall rule to allow multicast traffic from all 
physical and virtual addresses to talk to 224.0.0.18 with a service type 
other named VRRP with a match of:  ip_p=0x70.
7) Then click on the "VRRP monitor" link at the bottom of the VRRP page. 
The primary should be ALL master, and the secondary should be ALL backup. 
If any don't match correctly on the secondary, those interfaces can't 
communicate.  Try pinging the physicals between them to make sure they 
work.  If it all works, you can 'bounce' the nokia, and the other one will 
pick it up in 3 seconds.  If you IF down an interface, it will fail all 
over to the other machine.  We've had some problems with FW1 working right 
after doing this though.

Oh, one other important thing, remember you CANNOT ping or talk to the 
virtual at all, but you will see its entry in your ARP tables on other 
systems, and if it's working right, the packets will pass through.  i.e. 
you can ping through it, telnet through it, whatever your rules allow.

Hope this helps. :-)

Mark Hall    <><
CheckPoint Certified Security Engineer
Certified AIX System Administrator

Mailstop S306 2182
IBM Global Services - Network Services
325 J.S. McDonnell Boulevard
Hazelwood, MO 63042
Voice:Fax:This message contains an average of 73% post-consumer electrons.


================================================================================
     To unsubscribe from this mailing list, please see the instructions at
               http://www.checkpoint.com/services/mailing.html
================================================================================

Follow-Ups:
- Re: [FW1] Monitored Circuit Configuration on Nokia
  - From: CryptoTech <[email protected]>

Prev by Date: Re: [FW1] SecuRemote connects to which fw interface (again)?
Next by Date: Re: [FW1] FireWall-1 and Dual CPU machine
Previous by thread: [FW1] Can I use SMTP Security server to do quarantine
Next by thread: Re: [FW1] Monitored Circuit Configuration on Nokia
Index(es):
- Date
- Thread