
Re: [FW1] How to Install HA on Solaris



Thanks Mario for your information.

But I tried to install the HA on a set of Solaris boxes and it doesn't work.
Here is what I did and the problems I encountered.

1) I installed the two boxes with the same configuration (same external IP @ and
same internal IP @)
As you told me I used only one license for the set of boxes. This is an
evaluation license, so I should have no problem with the HA module.
The IP @ of the license is the IP @ of the external interface.

2) My secured Interfaces are : hme0 and also hme1 (it's a test) on both
machines.

3) I changed the MAC @ on the slave. I associated the same MAC @ of the master
with the IP @ of the slave.
So now the boxes have the same IP @ (checked with ifconfig -a) and Checkpoint
knows only one set of MAC @. (changed only on the slave machine)

4) I changed the sync.conf. It's no longer CPHAP but TCP sync.

5) When I tried to launch a cphaprob command I had the following message:
"Failed to get HA status from kernel" or the message "Failed to register failure
detection mechanism: Invalid argument" when I try ./cphaprob -d fw0 -t 5 -s ok
register    ???!!!


Any Idea ???

Thanks for your help







Mario Kadastik wrote:

> Hello Guillaume
>
> > Just a few questions on HOW to install HA with Checkpoint FW-1 4.1 onto
> > Solaris.
> >
> > 1°) How to recognize that the license is available for HA ???
> It's just that you need 2 standard licenses for firewall modules and 1 HA
> license.
> The HA license is given to 2 host ID-s ... so you'll have to install the
> same license with different strings to those machines.
>
> > 2°) I need two licenses so I need two different IP @. Is it true ???
> Wrong. You'll need 2 licenses for the same IP :) So actually you could use
> just one, but I don't know whether HA checks it ...
>
> > 3°) So Now I have 4 different IP @ : two external (one on each FW) and two
> > internal (one on each FW). Is it right ???
> Wrong again :) You have on primary and the secondary the same IP
> configuration: one IP for external IF and one for internal and they are the
> same for both machines.
>
> > 4°) Do I need two Virtual IP @ ??? I believe I need one for the Cluster
> > object but what about the other Side ??? (Internal/External)
> Ehmmm .... No ... The cluster object is with the same IP as the FW modules
> are (external) as they are the same. But it'll be distributed so that both
> are listening, but the one that is active is the only one that allows
> traffic to pass ...
>
> > 5°) Is the real IP @ used for the routing table ??? Or a virtual one ????
> this question is not valid as you only have one IP :))
>
> > 6°) Once I built my $FWDIR/conf/sync.conf File with "SyncMode=CPHAP" must I
> > do a #./fw putkey between the members of the cluster ???
> I didn't get the CPHAP to work :) I only got the old one to work, so first
> try with the old one and then with the new one. Yes you'll have to do
> putkeys between all machines (the 2 FW modules and 1 or many Management
> modules)
>
> > 7°) How to use cphaprob ???
> cphaprob -a if  shows interfaces
> cphaprob -a list shows devices as far as I can remember ...
>
> Mario Kadastik
> CCSE
> Estonian Telecommunications Co Ltd
> [email protected]


 