Re: [FW-1] High Availability

We are in the process of testing Check Point's High Availability. We are running on ver. 4.1, on Sun SPARC 10, running Solaris 7. I have 3 questions...

1. Which machine monitors the primary firewall to see if it has failed? Is it the management station, or the secondary firewall?

> From what I understand, the primary machine sends out broadcast heartbeats, UDP 8116, in addition to maintaining control connections with the secondary machine (TCP 256 & 257) to transfer connection and state information. This is done over a network you define in the setup. I believe the secondary firewall will be the one to pick up the failure of the primary firewall; we have had the firewalls lose contact with the management station and not fail over.

2. We have several DMZs off a quad card on the firewall. If only one of those legs fails, does it fail over?

> Yes, if any one of the interfaces goes down, the boxes fail over.

3. In the DMZs we support several web sites, and must set up ARPs in a start-up script so the IPs of the web sites are taken by the firewall. Can we be running the ARPs on both the primary and secondary firewalls without both machines wanting to take the request, or do we need to manually run the ARPs after the fail over?

> Yes, in fail over mode the interfaces on the secondary box are disabled until fail over; we are adding ARP statements through a script in /etc/rc2.d without a problem.

Also, can I get some feedback from the people who have tried Check Point's High Availability solution... good or bad?

> We have been running version 4.1 HA for almost a year in 4 locations without any major issues, only encountered some minor false fail over notifications in one of our locations. Still no answer from Check Point support :( The setup on Version 4.1 has a lot of tricks to get it working correctly; don't forget to do your putkeys between the primary and secondary FW or state is not maintained.
Also, getting the MAC addresses synced on the machines may take a few times. Having beta tested the NG product, I can honestly say the HA is much better in this version. Easier setup and it seemed to be less flaky. We have only tested in the lab so far, so I cannot say how it performs in production, but all tests have been good so far.

Hope this helps.

Thanks,
Scott Davis
Internet Security Specialist
T. Rowe Price

Thank you very much

===============================================
To unsubscribe from this mailing list, please see the instructions at http://www.checkpoint.com/services/mailing.html
===============================================
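As an added example (not from this thread or from Check Point), here is an /etc/rc2.d-style start/stop script of the kind the reply describes for publishing DMZ web-site addresses via proxy ARP on a Solaris FireWall-1 HA member. The IP/MAC entries are constructed placeholders, and ARP_CMD is a hypothetical override so the script can be dry-run without root or a Solaris box.

```shell
#!/bin/sh
# Added example, not from the thread or from Check Point: an /etc/rc2.d-style
# start/stop script that publishes the DMZ web-site addresses via proxy ARP on a
# FireWall-1 HA member. Entries below are constructed placeholders; ARP_CMD is a
# hypothetical override so the script can be dry-run without root or Solaris.

ARP_CMD="${ARP_CMD:-/usr/sbin/arp}"

# Constructed list, one "<published IP> <MAC of the firewall's DMZ interface>"
# per line. Both HA members can carry the same list: the reply above notes the
# secondary's interfaces stay disabled until fail over.
PUBLISHED_ARP='
192.0.2.10 08:00:20:aa:bb:01
192.0.2.11 08:00:20:aa:bb:01
'

# Reject anything that is not a dotted quad plus a six-octet MAC before it
# reaches the ARP table; a typo here would publish the wrong address.
valid_entry() {
    echo "$1" | grep -E '^([0-9]{1,3}\.){3}[0-9]{1,3}$' >/dev/null || return 1
    echo "$2" | grep -E '^([0-9a-fA-F]{1,2}:){5}[0-9a-fA-F]{1,2}$' >/dev/null
}

# start: "arp -s <ip> <mac> pub" publishes a permanent proxy-ARP entry.
# stop:  "arp -d <ip>" removes it, so the entries can be withdrawn cleanly.
apply_arp() {
    action="$1"
    echo "$PUBLISHED_ARP" | while read -r ip mac; do
        [ -n "$ip" ] || continue
        if ! valid_entry "$ip" "$mac"; then
            echo "skipping malformed entry: $ip $mac" >&2
            continue
        fi
        case "$action" in
            start) "$ARP_CMD" -s "$ip" "$mac" pub ;;
            stop)  "$ARP_CMD" -d "$ip" ;;
        esac
    done
}

# rc2.d convention: an S<nn> link runs "start" at boot, a K<nn> link "stop".
if [ $# -gt 0 ]; then
    case "$1" in
        start|stop) apply_arp "$1" ;;
        *) echo "usage: $0 {start|stop}" >&2; exit 1 ;;
    esac
fi
```

Running it with ARP_CMD=echo prints the exact arp commands that would be issued, which is a cheap way to review the published list before installing the script on either member.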