
Re: [FW-1] Pix vs FW1



I'm in the middle of doing HA with Rainwall/Checkpoint and my chief beef is the licensing for the
management server. I have 25 human employees but roughly 90 hosts, so now I've paid for 2 x 100-user lic. and still can't have a remote mgt server unless I buy the unlimited lic. for what, another $20k? It's crazy that there is no way to have a separate mgt server without going full boat.
Rainwall in my case will sync the regular traffic but not do VPN failover due to the mgt server issue. So my remote users will get 2 VPN icons, and every time I update my rulebase my cluster will fail over until both rulebases are back to being identical. A pain in the butt, but still better than a SPF.

When is Checkpoint going to address this? (Are there any plans to?) Can anyone comment? For firms with few employees but critical connectivity needs, there has to be a solution made available that makes some kind of business sense.

anyhow..

To have VPN failover with CP you have to have the remote mgt server pushing identical policies to the N firewalls. The one server is necessary so that it is cognizant of the tunnel state and can move it to the 2nd FW as necessary in the event of a failover.

Generally I have not heard of any functional reason that PIX is not as good as FW-1. CP has the nicer interface in my exp, is very fast to make ad hoc rule changes to, and is easy to explain to mgt etc. (just print the rulebase..). I have not used PIX, but if it works at all like a router with the FW IOS version, you'll need to plan ahead and have your rules a bit more concrete, as making running changes is more cumbersome. Perhaps Cisco has addressed this in the PIX line, I don't know.

Last - if you have not already - I humbly suggest reading Phoneboy's excellent book 'Essential Firewall 1', which goes into pretty good detail about what goes on in a HA cluster, how quickly it can sync the state tables, how different solutions scale, etc. For a project of this size and $, it's the best $40 you can spend IMHO.

GD LK!


>>> Ali Port <[email protected]> 12/13/01 09:40AM >>>
Hi

We're looking into a fault tolerant firewall solution and would appreciate
some real world feedback.

We need the failover to be 100% stateful, VPNs and all.  There cannot be any
renegotiation of tunnels if we're in the middle of a transaction, it needs
to be seamless.

We have narrowed down our options to Cisco PIX and FW-1 using Rainwall.  We
would use the Cisco version of Enterprise Management Console - I think it is
called VMS (VPN Monitoring / Security Management Solution) so management
isn't an issue (unless VMS is no good).  I appreciate that Rainwall is load
balancing instead of failover but it seems to do what we want.

Our major issue is that the FW-1 solution is 3-4 times the price of the
Cisco solution; however, if the functionality is so much better we could
persuade the powers that be.

Any info gratefully received.

Ali Port.

=================================================
To unsubscribe from this mailing list,
please see the instructions at
http://www.checkpoint.com/services/mailing.html
=================================================
To set vacation, Out Of Office, or away messages,
send an email to [email protected]
in the BODY of the email add:
set fw-1-mailinglist nomail
=================================================
If you have any questions on how to change your
subscription options, email Ron Alcatraz at:
[email protected]
=================================================

   All contents © 2004 Network Presence, LLC. All rights reserved.