[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index] Re: [FW-1] Policy question
It depends on various factors. i) are you running a single, a pair or a cluster? and if running more than one, have you configured failover exactly correct. For example, we had a pair of Nokia with many arp proxy entries on both firewalls for various IP's that were being used. However, the MAC address that was used to proxy the IP's was not the VRRP IP mac so that every time we switched from one to the other any connections on those proxied IP's were dropped. Once we changed the proxy arps to use the VRRP mac, this issue went away. ii) do the applications you run through the firewall end up in the state table and are they fully understood by the firewall? Some applications, despite my best efforts, simply will not stay up due to their use of none standard IP connections (for example, Bloomberg RDP). I find that non TCP/UDP protocols are most prone to dropped connections on a policy push or a firewall failover. You will find that the best way to fix this is to run the latest version, patches and fixes. iii) have you tuned up your firewall for the load that it must handle? I also found that until I performance tuned up the memory for FW-1, I would sometimes lose a few connections. The dropped connections stopped after the tune up. Hope this helps, Mike H > -----Original Message----- > From: Arvanitis, Steve [SMTP:[email protected]] > Sent: Tuesday, April 09, 2002 5:00 PM > To: [email protected] > Subject: [FW-1] Policy question > > Is it possible to install a policy without dropping all the clients that > are connected to Firewall-1? > If so... how? > > > Thanks > Steve > > ================================================= > To set vacation, Out Of Office, or away messages, > send an email to [email protected] > in the BODY of the email add: > set fw-1-mailinglist nomail > ================================================= > To unsubscribe from this mailing list, > please see the instructions at > http://www.checkpoint.com/services/mailing.html > ================================================= > If you have any questions on how to change your > subscription options, email > [email protected] > ================================================= > > <<Disclaimer>> This electronic mail is intended only for the use of the addressee(s) named herein. Unless otherwise specifically stated, the views contained and expressed in this electronic mail are strictly those of the individual sender and are not the views of the Company or any of its Directors or other employees. If you are not the intended recipient of this electronic mail, you are hereby notified that any dissemination, distribution or coping of this electronic mail is strictly prohibited. If you received this electronic mail in error please immediately notify us by return electronic mail and delete this electronic mail from your system. ================================================= To set vacation, Out Of Office, or away messages, send an email to [email protected] in the BODY of the email add: set fw-1-mailinglist nomail ================================================= To unsubscribe from this mailing list, please see the instructions at http://www.checkpoint.com/services/mailing.html ================================================= If you have any questions on how to change your subscription options, email [email protected] =================================================
|