Re: [FW-1] HA + LoadBalancing with Foundry switches ?
Is it possible to do High Availability without having to use sophisticated
switches in front of our CP firewall? Say a hub. Thanks.

----- Original Message -----
From: "Joel Turoff" <[email protected]>
To: <[email protected]>
Sent: Saturday, March 23, 2002 9:26 AM
Subject: Re: [FW-1] HA + LoadBalancing with Foundry switches ?

> J.
>
> I've only seen the Foundry switches load balance in a demo - I was quite
> impressed with the ease of setup and administration and we did a number of
> tests, although we didn't do stateful SecuRemote failovers, which is the
> scenario you describe.
>
> I have a couple of thoughts. First is whether the Foundries are even
> needed in your environment. The IP530 is a relatively powerful unit. With
> VRRP configured (no big deal) you would have a fully redundant solution and
> would save yourself the cost of four Foundries, which I know are expensive
> units. You should analyze your bandwidth needs and determine whether you
> really need to load balance this traffic. We did this and determined that
> we would be fine with just a VRRP High Availability solution.
>
> It sounds to me like you are not properly synchronizing the state tables.
> In order to have stateful failover of SecuRemote connections, you need to
> properly set up state synchronization between the two Nokias. This is
> described in the manual, but basically requires:
>
> create $FWDIR/conf/sync.conf file
> do fw putkeys between the two firewalls
> set up an NTP server and get the firewalls syncing their clocks from the
> NTP server.
>
> The NTP server is key - the firewalls' clocks need to be within a few
> milliseconds of each other and the only way to do this is via NTP. If you
> do not have an NTP server in your environment, it is entirely feasible to
> set up one Nokia as the NTP master, and another as the NTP slave. (Don't
> forget you may need to craft rules to permit your firewalls to talk NTP and
> to exchange state (the FW1 service).)
>
> We usually share state with a dedicated crossover cable shared by each
> firewall. By snooping the port, you should see traffic going to and fro on
> port 256. Also, you can print out the number of values in the state table
> with:
>
> fw tab -t connections -s
>
> The last number in the #vals column should be roughly equal on both Nokias
> if you type this command at the same time. This tells you that each
> firewall has the same number of connections in the state table; therefore,
> along with snooping the port to verify bi-directional communication on port
> 256, it is confirmation that state sync is working.
>
> Also, for VPN failovers, I believe that you need to set up Check Point
> "Gateway Clusters". These are special network objects for gateways where
> you combine numerous firewalls into a single cluster object and then use
> that object in the "Install On" field of your rulebase. Then the "cluster
> object" appears as an option when you go to push out the rulebase. Take a
> look at the VPN pdf file that comes with Check Point (or download another
> copy from their website). Take a look at the VPN manual, particularly the
> chapter "High Availability for Encrypted Connections".
>
> I hope this helps.
>
> Joel
>
>
> At 02:40 PM 3/23/02 +0000, you wrote:
> >Hi,
> >
> >Does anybody have any experience with a VPN-1/FW-1 load-balancing solution
> >using Foundry ServerIron Layer 4 switches ?
> >
> >Our FW modules are installed on Nokia IP530s, but VRRP is not in use. HA is
> >being handled by the Foundry switches, as is the load-balancing.
> >
> >Regular services are working fine, and are being failed over correctly when
> >one FW goes down. SecuRemote sessions are set up correctly, but are lost
> >when the FW module through which the connection is going goes down. The only
> >way to re-establish the tunnel is to restart SecuRemote and start over.
> >
> >If anybody out there has dealt with a similar scenario and got SR to work
> >flawlessly, I'd love to ask him/her some specific questions...!
> >
> >I look forward to finding somebody who has swum in these waters previously.
> > ;-)
> >
> >Thanks and regards,
> >
> >J.
> >
> >_________________________________________________________________
> >Send and receive Hotmail on your mobile device: http://mobile.msn.com
> >
> >=================================================
> >To set vacation, Out Of Office, or away messages,
> >send an email to [email protected]
> >in the BODY of the email add:
> >set fw-1-mailinglist nomail
> >=================================================
> >To unsubscribe from this mailing list,
> >please see the instructions at
> >http://www.checkpoint.com/services/mailing.html
> >=================================================
> >If you have any questions on how to change your
> >subscription options, email
> >[email protected]
> >=================================================