RE: [FW1] Sync.conf syntax

[Daniel Hitchcock <DHitchcock@FW1-NOSPAMbreakwatersecurity.com>]

Title: RE: [FW1] Sync.conf syntax

If using "old-style" (TCP-based) sync, you just add the peer IP addresses, one per line.  For example, if you have 10.1.1.1, 10.1.1.2, and 10.1.1.3, the sync.conf on 10.1.1.1 would be:

10.1.1.2
10.1.1.3

For UDP-based ("new style") state sync, available as of 4.1SP2, the syntax is:

Mode=CPHAP

This is the only line you need enter on all the firewalls.  This will cause the firewalls to start broacasting on UDP8116 to sync the state tables (you must have a control channel i.e. putkey between the firewalls).  NOTE: UDP-based state sync requires a high availability license for each of the modules; TCP-based state sync does not (I'm not sure where this is documented, but I discovered this in testing).

HTH

Dan Hitchcock
CCNA, CCSE, MCSE
Security Analyst
Breakwater Security Associates

dhitchcock (at) breakwatersecurity (dot) com
http://www.breakwatersecurity.com

-----Original Message-----
From: Paul.Simons@ihsenergy.com [mailto:Paul.Simons@ihsenergy.com]
Sent: Thursday, May 10, 2001 12:40 PM
To: fw-1-mailinglist@beethoven.us.checkpoint.com
Subject: [FW1] Sync.conf syntax

Does any have the syntax for the 'sync.conf' file when I am running 3
Firewalls in a cluster?
--------------------------------------------------------------------------------------------

C. Paul Simons
Corporate Network Security Services
IHS Energy Group, Englewood, CO.

Main:
Direct:
Fax:
Mobile:

================================================================================
     To unsubscribe from this mailing list, please see the instructions at
               http://www.checkpoint.com/services/mailing.html
================================================================================