
Re: [FW-1] Policy question



It depends on various factors.

i) Are you running a single, a pair or a cluster? And if running more than
one, have you configured failover exactly correctly? For example, we had a
pair of Nokia with many ARP proxy entries on both firewalls for various IPs
that were being used. However, the MAC address that was used to proxy the
IPs was not the VRRP IP MAC, so that every time we switched from one to the
other any connections on those proxied IPs were dropped. Once we changed
the proxy ARPs to use the VRRP MAC, this issue went away.

ii) Do the applications you run through the firewall end up in the state
table and are they fully understood by the firewall? Some applications,
despite my best efforts, simply will not stay up due to their use of
non-standard IP connections (for example, Bloomberg RDP). I find that
non-TCP/UDP protocols are most prone to dropped connections on a policy push
or a firewall failover. You will find that the best way to fix this is to run
the latest version, patches and fixes.

iii) Have you tuned up your firewall for the load that it must handle? I
also found that until I performance tuned up the memory for FW-1, I would
sometimes lose a few connections. The dropped connections stopped after the
tune up.

Hope this helps,

Mike H

> -----Original Message-----
> From: Arvanitis, Steve [SMTP:[email protected]]
> Sent: Tuesday, April 09, 2002 5:00 PM
> To:   [email protected]
> Subject:      [FW-1] Policy question
>
> Is it possible to install a policy without dropping all the clients that
> are connected to Firewall-1?
> If so... how?
>
>
> Thanks
> Steve
>
> =================================================
> To set vacation, Out Of Office, or away messages,
> send an email to [email protected]
> in the BODY of the email add:
> set fw-1-mailinglist nomail
> =================================================
> To unsubscribe from this mailing list,
> please see the instructions at
> http://www.checkpoint.com/services/mailing.html
> =================================================
> If you have any questions on how to change your
> subscription options, email
> [email protected]
> =================================================
>
>



 
----------------------------------
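An added example, not part of the original message: one way to audit the proxy ARP problem described in point (i) of the reply, checking that every proxied IP answers with the VRRP MAC and is present on both nodes. The node names, addresses and VRID are constructed, and the standard VRRP virtual MAC format (00:00:5e:00:01:VRID) is an assumption about how the pair is configured.

```python
import re

# Assumption: the pair uses the standard IPv4 VRRP virtual MAC,
# 00:00:5e:00:01:<VRID>. Substitute your own address if it differs.
def vrrp_virtual_mac(vrid):
    if not 1 <= vrid <= 255:
        raise ValueError("VRID must be in 1..255")
    return "00:00:5e:00:01:%02x" % vrid

def normalize_mac(mac):
    # Accept ':' or '-' separators and unpadded octets such as 0:0:5e:0:1:a.
    parts = re.split(r"[:-]", mac.strip())
    if len(parts) != 6 or not all(re.fullmatch(r"[0-9a-fA-F]{1,2}", p) for p in parts):
        raise ValueError("not a MAC address: %r" % mac)
    return ":".join("%02x" % int(p, 16) for p in parts)

def audit_proxy_arp(nodes):
    """nodes: {node: [(proxied_ip, mac, vrid), ...]} -> list of findings."""
    findings = []
    all_ips = {ip for entries in nodes.values() for ip, _, _ in entries}
    for node, entries in sorted(nodes.items()):
        for ip, mac, vrid in entries:
            got, want = normalize_mac(mac), vrrp_virtual_mac(vrid)
            if got != want:
                # This entry would break connections to the IP on failover.
                findings.append((node, ip, "mac %s is not VRRP MAC %s" % (got, want)))
        have = {ip for ip, _, _ in entries}
        for ip in sorted(all_ips - have):
            findings.append((node, ip, "proxied on peer but missing here"))
    return findings

# Constructed sample: proxy ARP tables exported from a two-node pair, VRID 10.
SAMPLE = {
    "fw-a": [
        ("192.0.2.10", "00:a0:8e:11:22:33", 10),   # physical interface MAC
        ("192.0.2.11", "0:0:5e:0:1:a", 10),
        ("192.0.2.12", "00-00-5E-00-01-0A", 10),
    ],
    "fw-b": [
        ("192.0.2.10", "00:00:5e:00:01:0a", 10),
        ("192.0.2.11", "00:00:5e:00:01:0a", 10),
    ],
}

if __name__ == "__main__":
    for node, ip, problem in audit_proxy_arp(SAMPLE):
        print("%s %s: %s" % (node, ip, problem))
```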

   All contents © 2004 Network Presence, LLC. All rights reserved.