[FW-1] Simplifying SecureClient failover functionality.
Hello. We currently use SecureClient with a FW-1 4.1 firewall. Since we don't have a high availability license, we use a second firewall as a cold spare -- it's connected to the management station to receive updated policies, but its other interfaces aren't plugged in unless the primary firewall fails. We've run into a few issues that are making SecureClient VPN failover a more manual process than we'd like, and are wondering if there's an easier way. Here's what we've run into:

1) The first issue involves each firewall's IP address in the 'General' tab of its properties. For security reasons, the management station communicates with the firewalls (fw-1-a (active) and fw-1-b (standby)) on a non-routable isolated segment (10.10.10/24). In the 'General' tab, when doing an SNMP get, it will of course automatically retrieve the firewall's 10.10.10.x address, rather than the external address. Since the IKE key exchange is taking place with whatever IP is listed here, we have to put the firewall's external, routable IP address in the box. Since both firewalls have the same external IP (since one is a cold spare), we figured we could just put the same external IP in the 'General' tab for both firewalls. What we found, however, is of course that the pushed policies only go to the live IP, not the standby FW. We also tried creating a new workstation, putting the firewall's external IP address in it, and putting it in the SecureClient rule. Right now, the IP we have entered for the cold spare is a non-routable address on the management station network, so we'd have to change this manually in the event of a failover. Also, please note, we have disabled the implied rule "allowed firewall control connections", and explicitly allow the SecureClient connections.

So, is there a way around this that we're missing? Is it possible to somehow change the IP that new policies are pushed to (i.e., make the policies go to a different IP than what is listed in the firewall's 'General' tab)? If we could tell them to be pushed to each firewall's management station interface, I think we'd be good to go. Or, is it possible to configure the IKE key exchange to go to, say, the management station's routable IP address as opposed to the IP address in the 'General' tab of the live firewall?

2) Relatedly, if we can't change the IP that policies are pushed to, we've found that we have to have a static route on the management station that says traffic destined to the firewall's external IP address (i.e., pushed policies) should be sent to the firewall's management station interface. This poses a problem in the event of a failover, since the cold spare has a different management station address -- the route would have to be changed manually. Any way to avoid this if the IP to which policies are pushed can't be different from the IP found in each firewall's 'General' tab?

3) Finally, there's an issue with the SecureClient policy. In the Policy Server Properties window, the policy can only be installed on individual hosts as opposed to, say, a group of hosts. This means that, to fail over VPN functionality, we have to manually change this setting to install the policy on the backup firewall. Other than installing two policies (one on each firewall; we want to avoid this because the user then has to choose which policy he/she wants to use, which is confusing), is there a way around this?

Any help that anyone can offer is very much appreciated. I thank anyone who had the patience to read all of this. Thanks!