Re: [FW1] How to Install HA on Solaris
Thanks Mario for your information. But I tried to install the HA on a set of Solaris boxes and it doesn't work. Here is what I did and the problems I encountered.

1) I installed the two boxes with the same configuration (same external IP address and same internal IP address). As you told me, I used only one license for the set of boxes. This is an evaluation license, so I should have no problem with the HA module. The IP address of the license is the IP address of the external interface.

2) My secured interfaces are: hme0 and also hme1 (it's a test) on both machines.

3) I changed the MAC address on the slave. I associated the same MAC address of the master with the IP address of the slave. So now the boxes have the same IP address (check with ifconfig -a) and Checkpoint knows only one set of MAC addresses (changed only on the slave machine).

4) I changed the sync.conf. It's no longer CPHAP but TCP sync.

5) When I tried to launch a cphaprob command I had the following message: "Failed to get HA status from kernel", or the message "Failed to register failure detection mechanism: Invalid argument" when I try

    ./cphaprob -d fw0 -t 5 -s ok register

???!!! Any idea ???

Thanks for your help

Mario Kadastik wrote:

> Hello Guillaume
>
> > Just a few questions on HOW to install HA with Checkpoint FW-1 4.1 onto
> > Solaris.
> >
> > 1) How to recognize that the license is available for HA ???
>
> It's just that you need 2 standard licenses for firewall modules and 1 HA
> license. The HA license is given to 2 host ID-s ... so you'll have to
> install the same license with different strings to those machines.
>
> > 2) I need two licenses so I need two different IP addresses. Is it true ???
>
> Wrong. You'll need 2 licenses for the same IP :) So actually you could use
> just one, but I don't know whether HA checks it ...
>
> > 3) So now I have 4 different IP addresses: two external (one on each FW)
> > and two internal (one on each FW). Is it right ???
>
> Wrong again :) You have on the primary and the secondary the same IP
> configuration: one IP for external IF and one for internal, and they are
> the same for both machines.
>
> > 4) Do I need two virtual IP addresses ??? I believe I need one for the
> > Cluster object but what about the other side ??? (Internal/External)
>
> Ehmmm .... No ... The cluster object is with the same IP as the FW modules
> are (external) as they are the same. But it'll be distributed so that both
> are listening, but the one that is active is the only one that allows
> traffic to pass ...
>
> > 5) Is the real IP address used for the routing table ??? Or a virtual
> > one ????
>
> This question is not valid as you only have one IP :))
>
> > 6) Once I built my $FWDIR/conf/sync.conf file with "SyncMode=CPHAP", must
> > I do a #./fw putkey between the members of the cluster ???
>
> I didn't get the CPHAP to work :) I only got the old one to work, so first
> try with the old one and then with the new one. Yes, you'll have to do
> putkeys between all machines (the 2 FW modules and 1 or many Management
> modules).
>
> > 7) How to use cphaprob ???
>
> cphaprob -a if shows interfaces
> cphaprob -a list shows devices, as far as I can remember ...
>
> Mario Kadastik
> CCSE
> Estonian Telecommunications Co Ltd
> [email protected]

Guillaume Schachtele
MIS Security Engineer (DMZ administrator)
GEMPLUS, Management Information Service
Gemplus BP 100, GEMENOS 13881, FRANCE
Tel: (+33) 4.42.36.65.50, Fax: (+33) 4.42.36.67.60
http://www.gemplus.fr