Search

	display results
words begin exact words any words part

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

RE: [FW1] Cluster Gateway definition

To: <[email protected]>, <[email protected]>
Subject: RE: [FW1] Cluster Gateway definition
From: "David Goode" <[email protected]>
Date: Fri, 8 Jun 2001 07:22:30 -0500
Importance: Normal
In-reply-to: <[email protected]>
Sender: [email protected]


    The cluster object itself need only the virtual IP address listed on the
general tab.
In your case this will be the VRRP address. Keep in mind though, the
original
specification of VRRP was to have one of the clustered gateways primary IP
be the VRRP address.
  This had the limitation of in a fail-over scenario the backup gateway
could not
answer traffic destined to the VRRP address since he did not own it. Here,
we want the ability to initiate to the VRRP address even in fail-over mode,
this requires the use
of a non-physical address. Here, the VRRP address should be something other
than any
of the primary external addresses.
    In a VPN configuration where the remote side needs to define his IPSec
policy,
they will need to define more than the VRRP address if the FireWall-1
gateway is
earlier than SP3.
   The reason is, we will do key exchanges to the VRRP address, but the
external header
in all tunnel mode IPSec traffic would contain the address of the primary
interface.
I the other end is a Check Point firewall, this can be accomplished by the
peer
defining a firewall object with the cluster IP on the general tab and all of
the
other primary external addresses on the interfaces tab. The IP on the
interfaces tab
do not need to have the correct device name however.
   If you have SP3 you can make a edit that will cause only the VRRP address
to be
used to overcome this problem. Check the release notes for details.

-----Original Message-----
From: [email protected]
[mailto:[email protected]]On Behalf Of
[email protected]
Sent: Friday, June 08, 2001 4:02 AM
To: [email protected]
Subject: [FW1] Cluster Gateway defination



What IP address should be defined in the Cluster Gateway in a VRRPmc
environment, should one use the primary IP address on the General tab of the
properties window, and add the rest of the interfaces including the virtual
interfaces to the interfaces tab of the firewall module object.

I have read conflicting articles on defining Cluster Gateways on the
rulebase
can someone please set me straight.

--
Get your firstname@lastname email for FREE at http://Nameplanet.com/?su


============================================================================
====
     To unsubscribe from this mailing list, please see the instructions at
               http://www.checkpoint.com/services/mailing.html
============================================================================
====



================================================================================
     To unsubscribe from this mailing list, please see the instructions at
               http://www.checkpoint.com/services/mailing.html
================================================================================

References:
- [FW1] Cluster Gateway defination
  - From: [email protected]

Prev by Date: RE: [FW1] Do not fragment bit
Next by Date: Re: [FW1] traffic unflowing...helpers please
Previous by thread: [FW1] Cluster Gateway defination
Next by thread: [FW1] Problems installing IPSO 3.4 and FW-1 4.1 SP 4
Index(es):
- Date
- Thread