RE: [FW1] Gabriel needs help setting up Nokia IP650s with VRRP for high availability
Hi,

Here are some brief notes from memory. Any problems, drop me a line, but try to research along these lines.

Ensure your Nokias are running IPSO 3.3 and FW-1 4.1 SP2 build 24 or FW-1 4.1 SP3.

Step one

Get 3 IPs for each interface of the IP650s: fw-a, fw-b and the VRRP IP address. Use monitored circuits and not the VRRP configuration.

On the primary firewall (fw-a):
For the outside interface create a virtual router ID (this should match the one for that interface on fw-b) with a priority of 200 and a hello interval of 2. Add a backup IP address (this is the VRRP virtual IP; set the same on fw-b). For each interface on this firewall that is active, select monitor interface and give it a setting of 100. Repeat the above steps for each interface, monitoring all other interfaces.

On the secondary firewall (fw-b):
For the outside interface create a virtual router ID (this should match the one for that interface on fw-a) with a priority of 150 and a hello interval of 2. Add a backup IP address (this is the VRRP virtual IP; set the same on fw-a). Don't monitor any interfaces.

Reserve one interface for a crossover cable to ensure state tables are synched.

Note: check using Voyager VRRP -> VRRP monitor -> interface to see that the primary is master on all interfaces and the secondary is slave.

Key tips

Now using the interface -> ARPs option, select all outside IPs, i.e. web server addresses etc., and use the VRRP MAC (you can get it from ifconfig -a on the primary) for proxy ARP. Ensure for all NATs that the outside address is configured to the inside real address with a 32-bit mask.

Step 2

Activate Firewall-1 on both Nokias. Create a file in $FWDIR/conf called sync.conf and put in it the IP of the other firewall. This will ensure state table sync. Do a putkey between both Nokias:

fw putkey -p password ip_of_other_nokia

On the Firewall-1 GUI create a gateway cluster object with the IP of the VRRP address for the outside interface and add both firewalls to it.
You do not need Check Point HA, and this will give you active/standby failover.

Caveats

In a switched environment, ensure that spanning tree is turned off on firewall ports and portfast is set if they are Cisco Catalysts. Nokia training notes are hub based and result in issues in the real world.

Also try using SSH and SSL, or SSH and tunnel Voyager, for extra security.

kind regards
Inti

-----Original Message-----
From: gf b [mailto:[email protected]]
Sent: 07 April 2001 15:06
To: [email protected]
Subject: [FW1] Gabriel needs help setting up Nokia IP650s with VRRP for high availability

Hi All,

Has anyone set up two Nokia IP650s with VRRP for high availability? I'm a bit confused as to how to set it up the best way. I presumed it is set up by assigning a single, shared external IP (1 default external gateway), a single, shared internal IP (1 default internal gateway) and a unique IP on each fw so that the management station can administer each box. You can then configure Synchronization on the fws to keep rules and objects up to date.

But, after looking at an official Nokia IP650 support doc, it recommended the following VRRP scenario: the primary fw and secondary fw have unique external and internal IPs. Should the primary fw die, the secondary will assume the IP of the primary fw. You could also have a scenario where both fws back up each other and network objects and all traffic is split equally between them. This method surely creates additional administration and configuration overhead.

So, does anyone have a recommended approach to setting up VRRP between two fw 4.1 SP3s, and do you recommend combining this with the Check Point High Availability module with Synchronization?

Thank you kindly,
Gabriel
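The reply above describes the per-interface VRRP settings that have to agree between fw-a and fw-b (matching VRID and backup address, equal hello interval, a higher priority on the primary) and the VRRP MAC to use for proxy ARP. The script below is an added example, not part of either message in this thread: a pre-flight checker that compares a textual description of both firewalls' VRRP settings and derives the virtual router MAC from the VRID. The interface names, addresses and the `iface:vrid:priority:hello:backup_ip` line format are constructed sample data and assumptions of this example, not output of Voyager or any IPSO tool; the MAC derivation follows the RFC 2338 rule that the VRRP virtual router MAC is 00-00-5E-00-01-{VRID}.

```shell
#!/bin/sh
# Added example: sanity checks for a two-node VRRP pair before it goes live.
# Sample data below is constructed for this example; real deployments would
# transcribe the values from Voyager's VRRP pages on each firewall.
# Line format (assumption of this example): iface:vrid:priority:hello:backup_ip

FW_A='eth-s1p1c0:10:200:2:192.0.2.1
eth-s2p1c0:20:200:2:10.0.0.1'

FW_B='eth-s1p1c0:10:150:2:192.0.2.1
eth-s2p1c0:20:150:2:10.0.0.1'

# A deliberately inconsistent secondary: wrong VRID, backup with a higher
# priority than the primary, a different hello interval and a different VIP.
FW_B_BAD='eth-s1p1c0:11:150:2:192.0.2.1
eth-s2p1c0:20:250:3:10.0.0.9'

# RFC 2338: VRRP virtual router MAC address is 00-00-5E-00-01-{VRID}.
# This is the MAC that proxy ARP entries for NATed addresses should point at.
vrrp_mac() {
  vrid=$1
  [ "$vrid" -ge 1 ] && [ "$vrid" -le 255 ] || return 1
  printf '00:00:5e:00:01:%02x\n' "$vrid"
}

# Compare the primary ($1) and secondary ($2) descriptions interface by
# interface and print one line per mismatch. Prints nothing when consistent.
check_pair() {
  printf '%s\n' "$1" | while IFS=: read iface vrid prio hello vip; do
    [ -n "$iface" ] || continue
    peer=$(printf '%s\n' "$2" | grep "^$iface:") || {
      echo "$iface: configured on fw-a but missing on fw-b"
      continue
    }
    IFS=: read p_iface p_vrid p_prio p_hello p_vip <<EOF
$peer
EOF
    [ "$vrid" = "$p_vrid" ] || echo "$iface: VRID differs ($vrid vs $p_vrid)"
    [ "$prio" -gt "$p_prio" ] || echo "$iface: fw-a priority $prio is not above fw-b priority $p_prio"
    [ "$hello" = "$p_hello" ] || echo "$iface: hello interval differs ($hello vs $p_hello)"
    [ "$vip" = "$p_vip" ] || echo "$iface: backup (virtual) address differs ($vip vs $p_vip)"
  done
}

# Number of mismatches found; 0 means the pair is consistent.
count_problems() {
  check_pair "$1" "$2" | grep -c . || true
}

# Usage: show the virtual MACs and report on both sample pairs.
for vrid in 10 20; do
  echo "VRID $vrid -> VRRP MAC $(vrrp_mac "$vrid")"
done
echo "fw-a vs fw-b:     $(count_problems "$FW_A" "$FW_B") problem(s)"
echo "fw-a vs fw-b-bad: $(count_problems "$FW_A" "$FW_B_BAD") problem(s)"
check_pair "$FW_A" "$FW_B_BAD"
```

The priority check is what enforces the active/standby behaviour the reply relies on: with 200 on fw-a and 150 on fw-b, fw-a is master on every interface while it is healthy, and the monitored-circuit penalty of 100 on a failed interface drops fw-a to 100 on the others, below fw-b, so the whole box fails over at once rather than one interface at a time.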
================================================================================
To unsubscribe from this mailing list, please see the instructions at http://www.checkpoint.com/services/mailing.html
================================================================================