There are two issues at play here:
1. state table synchronization; and
2. VRRP configuration
As I understand it, HA is really meant for NON-Nokia equipment that doesn't have built-in VRRP capability.
OS Configuration with Voyager or Lynx
1. State table synchronization is best done, in my opinion, with a dedicated cross-over cable between the two firewalls, set up with a very tight private address range, and enabled with a 100MB link. For example, eth-s1p1c0 on both firewalls is a Cat 5 cross-over cable set up at 100MB on both ends and an IP address of 192.168.1.1, netmask 255.255.255.252 on one firewall and 192.168.1.2, netmask 255.255.255.252 on the other.
2. Both firewalls should reference the same external or internal time source; the time stamps on both firewalls are the same.
3. Make sure you have performed your fw putkey to the PUBLIC interface on the other firewall.
Check Point Firewall-1 State Table Configuration
1. I recommend you turn on anti-spoofing for "this net" to be sure you have integrity on your state table link. Push the policy.
2. *IMPORTANT* After restarting the firewall (power down, power up), run tail -20 $FWDIR/log/fwd.log on both firewalls and see if the other firewall is listed as connected.
3. netstat -na will show the opposite firewall and that it is in a CONNECTED state, not pending or listening.
4. Now use fw stat -s -t connections and see that both firewalls' connection tables are the same or nearly the same.
VRRP Configuration
VRRP is an OS, router, and Check Point Firewall-1 software configuration issue. The design requires that a virtual router be created for the monitored interface. This is a design structure, as simply as possible, listed below:
                 private network
                       |
                  VRRP IP Addr
                  VRRP rtr 101
                     /     \
    monitored crcts /       \
                 fw-a       fw-b
    monitored crcts \       /
                     \     /
                  VRRP rtr 202
                  VRRP IP Addr
                       |
                 public network

    fw-a is master
    fw-b is backup
1. The virtual router on both firewalls must be configured for the same virtual IP address and router number. In this scenario, you must pick one firewall to be the Master for the link and the other to be the backup (this is done by choosing a higher priority for the Master and lower number for the backup).
2. Make sure you have a rule in your rulebase that specifies the following:

   Src     Dest                 Service   Action   Log
   fw-a    vrrp.multicast.net   VRRP      Accept   <none>
   fw-b
3. The destination or default route for routers or users will be the VRRP IP address, not the physical address of the firewall.
4. After recycling the firewalls and pushing a new policy, use ifconfig -a on the master and check the appropriate interface to be sure that it has two MAC addresses and two IP addresses assigned. Voyager, under Monitor, VRRP will show that the master belongs to fw-a and backup belongs to fw-b.
5. Test the configuration by pulling a cable on a monitored interface on the master firewall. Depending on the time you set up in the VRRP monitored circuit configuration, you should see a complete fail-over of the firewall to the backup firewall (fw-b). You should see that the backup firewall is now Master for VRRP.
6. Put the cable back into the monitored interface and it should fail back.
David C. Diemer, CCSE
Enterprise Security Firewall Engineer
Georgia Department of Administrative Services (DOAS)
200 Piedmont Ave. SE, Suite 1420, West Tower
Atlanta, GA 30334
[email protected] (V) (F)
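The following script is an added example, not part of David's reply and not a Check Point or Nokia tool. It automates the two checks his steps 3 and 4 describe: that the sync peer appears in netstat -na output as an established session on the FW-1 sync port (256/tcp, the port Francisco's message mentions), rather than only listening or pending, and that the connection-table counts reported by fw tab -t connections -s on both firewalls are "the same or nearly the same". The peer address 192.168.1.2 is taken from the cross-over link in step 1 of the OS configuration; the netstat lines, the 5% tolerance and the BSD/Linux endpoint formats accepted by the parser are assumptions made for this example.

```python
"""Check FW-1 state-sync health from netstat output and connection counts.

(a) sync_peer_state(): is the sync peer ESTABLISHED on 256/tcp, not just
    LISTEN or SYN_SENT?  ("CONNECTED, not pending or listening")
(b) tables_in_sync(): are the two connection-table sizes close enough?

All sample data below is constructed for this example; it is not real
output captured from any firewall.
"""
import re

FW1_SYNC_PORT = 256          # FW-1 state synchronisation port (TCP)
PEER_ADDR = "192.168.1.2"    # sync peer on the dedicated cross-over link

# Constructed sample: what netstat -na on fw-a might show once sync is up
# (BSD/IPSO-style "address.port" endpoints).
NETSTAT_OK = """\
Active Internet connections (including servers)
Proto Recv-Q Send-Q  Local Address          Foreign Address        (state)
tcp        0      0  192.168.1.1.256        192.168.1.2.1034       ESTABLISHED
tcp        0      0  192.168.1.1.1042       192.168.1.2.256        ESTABLISHED
tcp        0      0  *.256                  *.*                    LISTEN
tcp        0      0  *.22                   *.*                    LISTEN
"""

# Constructed sample: the daemon is listening but the session to the peer
# is still pending, so the state tables cannot be in sync.
NETSTAT_NOT_SYNCED = """\
Proto Recv-Q Send-Q  Local Address          Foreign Address        (state)
tcp        0      0  *.256                  *.*                    LISTEN
tcp        0      0  192.168.1.1.1042       192.168.1.2.256        SYN_SENT
"""

# Accepts "a.b.c.d.port" (BSD/IPSO style) or "a.b.c.d:port" (Linux style);
# "*" is allowed for either the host or the port.
_ENDPOINT = re.compile(r"^(\d{1,3}(?:\.\d{1,3}){3}|\*)[.:](\d+|\*)$")


def _split_endpoint(endpoint):
    """Return (host, port) from a netstat endpoint, or (None, None)."""
    m = _ENDPOINT.match(endpoint)
    if not m:
        return None, None
    host, port = m.groups()
    return host, (int(port) if port != "*" else None)


def sync_peer_state(netstat_text, peer=PEER_ADDR, port=FW1_SYNC_PORT):
    """Return the TCP state of the sync session with `peer`, or None.

    A line counts when the foreign host is the peer and either end is on
    the sync port.  ESTABLISHED wins; otherwise the last pending state
    seen (e.g. SYN_SENT) is returned so the operator sees what is wrong.
    """
    pending = None
    for line in netstat_text.splitlines():
        fields = line.split()
        if len(fields) < 6 or fields[0] not in ("tcp", "tcp4"):
            continue                      # header lines, UDP, unix sockets
        _lhost, lport = _split_endpoint(fields[3])
        fhost, fport = _split_endpoint(fields[4])
        state = fields[5]
        if fhost != peer or port not in (lport, fport):
            continue
        if state == "ESTABLISHED":
            return state
        pending = state
    return pending


def tables_in_sync(count_a, count_b, tolerance=0.05):
    """True if the two connection-table sizes (from fw tab -t connections -s
    on each firewall) differ by at most `tolerance` of the larger count."""
    larger = max(count_a, count_b)
    if larger == 0:
        return True
    return abs(count_a - count_b) <= tolerance * larger


if __name__ == "__main__":
    print("fw-a sync peer state   :", sync_peer_state(NETSTAT_OK))
    print("not-synced sample state:", sync_peer_state(NETSTAT_NOT_SYNCED))
    print("1200 vs 1180 in sync?  :", tables_in_sync(1200, 1180))
    print("1200 vs 400 in sync?   :", tables_in_sync(1200, 400))
```

In practice you would feed the script the real netstat -na text from each firewall and the two counts you read off fw tab -t connections -s; a result other than ESTABLISHED for the peer is the "pending or listening" condition David's step 3 warns about, and a large count difference is the symptom Francisco reports.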
>>> Francisco Cabral < [email protected]> 03/23/01 10:22AM >>>
Hi,

I'm currently running FW1 4.1 SP3 + IPSO 3.3 on a HA environment by using VRRP. I was reading an article about configuring VRRP over monitored circuits and in that article it was specified that, in order to check if the state tables of both firewalls are in sync, you should run the following commands:

netstat -na
If I understood correctly, this should show you that the heartbeat interfaces are communicating with each other on port 256.

fw tab -t connections -s
If you run this command on both fws, you should have roughly the same # of connections.

fw tab -t connections
You should see any connections mirrored on both fws.

My problem, as you probably already have guessed, is that I can't get either of the results expected. Any suggestions?

On the side, does anyone know how to test the VRRP failover remotely, i.e., without taking the network cable off one of the interfaces? I've been bringing one of the interfaces down but it gets right up again and the IPs don't have the time to failover.

Thanks in advance

Regards,
Francisco Cabral
================================================================================
To unsubscribe from this mailing list, please see the instructions at
http://www.checkpoint.com/services/mailing.html
================================================================================