[FW1] FW-1 state synchronization and VPN
Hi guys,

I have a rather theoretical question. Firewall-1 supports clustering in its newer versions, for HA and load balancing. Many third-party vendors, such as Rainfinity, developed products that make heavy use of the new features. Clustering in CP FW-1 relies on the state synchronization feature, in which cluster nodes copy their entire connection table to each other every 50 ms or so.

When VPN tunnels are involved, each gateway acts as an endpoint for a particular tunnel. It involves key exchange, SA establishment, and so on. My question is whether this information is copied to other cluster members as well. Essentially what I ask is whether the standby gateway has the identical set of keys, including the session key, and maintains the identical set of SAs at any given moment. Or maybe the key exchange must happen once again before the tunnel may fail over to the backup node.

If this information IS transferred during state synchronization, how does the transfer happen? Is it secure at all to transfer key material over a network medium? Personally I think that in the case of node failure SAs must be reestablished. However, someone from CheckPoint said that in v4.1 they DO transmit session keys during state synchronization. Maybe you guys can help me understand the situation.

Thanks in advance,
Michael.

================================================================================
To unsubscribe from this mailing list, please see the instructions at
http://www.checkpoint.com/services/mailing.html
================================================================================
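The failover cases Michael is asking about, as an added toy model that is not part of the original post and is not Check Point's code: two cluster members, a remote VPN peer with an IPsec-style anti-replay check, and a sync channel. The "ESP" packet format, the SHA-256 counter-mode keystream used to protect sync records, the pre-shared SYNC_KEY and the 12-byte ICV are all assumptions made for the illustration, not the protocol FW-1 actually speaks. The model shows three outcomes a practitioner would want to distinguish: no SA state synced (standby must re-run IKE), keys synced but the sequence counter stale (peer drops the standby's traffic as a replay), and full SA plus counter synced (tunnel survives). It also shows why key material on the sync wire must at least be authenticated and encrypted.

```python
import hashlib
import hmac
import json
import os
import struct

# Assumption: cluster members share a pre-shared key that protects the sync channel.
SYNC_KEY = os.urandom(32)


def keystream(key: bytes, nonce: bytes, n: int) -> bytes:
    """Toy SHA-256 counter-mode keystream (illustration only, not a real cipher suite)."""
    out, ctr = b"", 0
    while len(out) < n:
        out += hashlib.sha256(key + nonce + struct.pack(">I", ctr)).digest()
        ctr += 1
    return out[:n]


def seal(key: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC a sync record: nonce || ciphertext || HMAC tag."""
    nonce = os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(plaintext, keystream(key, nonce, len(plaintext))))
    return nonce + ct + hmac.new(key, nonce + ct, hashlib.sha256).digest()


def open_(key: bytes, blob: bytes) -> bytes:
    """Reject a sync record whose tag does not verify before touching the key material."""
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(hmac.new(key, nonce + ct, hashlib.sha256).digest(), tag):
        raise ValueError("sync record tampered with or wrong sync key")
    return bytes(a ^ b for a, b in zip(ct, keystream(key, nonce, len(ct))))


class Gateway:
    """One cluster member holding a table of SAs: spi -> {key, outbound seq}."""

    def __init__(self, name: str):
        self.name, self.sas = name, {}

    def negotiate(self, spi: int) -> dict:
        """Stands in for an IKE exchange: fresh session key, sequence counter at zero."""
        self.sas[spi] = {"key": os.urandom(32).hex(), "seq": 0}
        return self.sas[spi]

    def sync_record(self) -> bytes:
        """What the active member pushes to the standby over the sync network."""
        return seal(SYNC_KEY, json.dumps(self.sas).encode())

    def absorb(self, blob: bytes) -> None:
        """Standby installs the synced SA table (JSON turns int keys into strings; undo that)."""
        self.sas = {int(k): v for k, v in json.loads(open_(SYNC_KEY, blob)).items()}

    def send(self, spi: int, payload: bytes) -> bytes:
        """ESP-like packet: spi || seq || payload || truncated HMAC ICV (toy format)."""
        sa = self.sas[spi]
        sa["seq"] += 1
        hdr = struct.pack(">II", spi, sa["seq"])
        icv = hmac.new(bytes.fromhex(sa["key"]), hdr + payload, hashlib.sha256).digest()[:12]
        return hdr + payload + icv


class Peer:
    """The remote tunnel endpoint: checks the ICV, then a simple anti-replay counter."""

    def __init__(self):
        self.keys, self.last_seq = {}, {}

    def install(self, spi: int, sa: dict) -> None:
        self.keys[spi], self.last_seq[spi] = sa["key"], 0

    def receive(self, pkt: bytes) -> str:
        spi, seq = struct.unpack(">II", pkt[:8])
        expected = hmac.new(bytes.fromhex(self.keys[spi]), pkt[:-12], hashlib.sha256).digest()[:12]
        if not hmac.compare_digest(expected, pkt[-12:]):
            return "drop: bad ICV"
        if seq <= self.last_seq[spi]:
            return "drop: replay (sequence counter not synced)"
        self.last_seq[spi] = seq
        return "ok"


def failover_demo(sync_sa: bool, sync_after_traffic: bool) -> str:
    """Active member negotiates, passes traffic, dies; report what the standby's first packet does."""
    active, standby, peer, spi = Gateway("fw1"), Gateway("fw2"), Peer(), 0x1001
    peer.install(spi, active.negotiate(spi))
    if sync_sa and not sync_after_traffic:
        standby.absorb(active.sync_record())          # keys synced once, counter then goes stale
    for _ in range(5):
        assert peer.receive(active.send(spi, b"data")) == "ok"
    if sync_sa and sync_after_traffic:
        standby.absorb(active.sync_record())          # keys AND current counter synced
    if spi not in standby.sas:
        return "standby has no SA: must re-run IKE before traffic flows"
    return peer.receive(standby.send(spi, b"data"))


def tamper_detected() -> bool:
    """Flip one ciphertext bit of a sync record; the standby must refuse it."""
    gw = Gateway("fw1")
    gw.negotiate(0x1001)
    blob = bytearray(gw.sync_record())
    blob[20] ^= 1
    try:
        open_(SYNC_KEY, bytes(blob))
        return False
    except ValueError:
        return True


if __name__ == "__main__":
    for args in ((False, False), (True, False), (True, True)):
        print(args, "->", failover_demo(*args))
    print("tamper detected:", tamper_detected())
```

The middle case is the one that bites in practice: synchronizing the session key once is not enough, because the peer's anti-replay window advances with every packet, so the counters (or a deliberate jump past them) have to be synced along with the key, and the sync traffic carrying that key material needs its own integrity and confidentiality protection, otherwise anyone on the sync segment holds the tunnel key.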