Re: [FW-1] State synchronization
Here is the "preferred" way.

On each firewall:

# cp_conf sic get
// This will show you if SIC is ok... it's needed for synchronization.

# cp_conf ha enable
Enables HA module and associated behavior, such as state sync.

# cpstop; cpstart
// cp_conf will try to do it for you, but every time I tried, I had to bounce the firewall process anyway.

On the manager:

- Make sure the SIC is running to each firewall;
- Create a Gateway Cluster object, add firewall nodes, click the Synchronization tab and make sure sync is enabled;
- Make sure that the rulebase allows sync between firewall nodes;
- Push the policy. You should notice that your firewall objects have disappeared from the list of possible targets, and the cluster object is available instead.

Open 2 windows, 1 on each firewall, as root, run the following command "simultaneously":

# fw tab -t connections -s

My co-worker Jim claims he is able to switch between windows using alt-tab in less than 50ms, which is, I believe, the default sync interval :)

Anyway, the number of connections should be "the same" within reasonable range...

Let me know if this helps.

Igor Prokopinskiy

> -----Original Message-----
> From: Naoki Takasu [SMTP:[email protected]]
> Sent: Saturday, May 18, 2002 8:13 PM
> To: [email protected]
> Subject: [FW-1] State syncronization
>
> Hello all,
>
> I'm working with 2 FW-1 NG FP1 on Solaris 8. One machine has a
> management station and a FW-1 module installed, and the other has a FW-1
> module installed. The management station manages both FW-1 modules.
>
> I'm trying to synchronize those FW-1 modules' state, but no communication
> via port 256 is seen, so they don't seem to communicate with each other. I
> have configured the following:
>
> a. Both FW-1 modules have the same security policy.
> b. The time of both machines is synchronized with NTP.
> c. $FWDIR/conf/sync.conf lists an IP address of the other FW-1 module.
>
> I wonder whether I must install the management station and the FW-1 module on
> different machines.
> Does anybody have any idea?
>
> Thank you,
>
>
> Naoki Takasu
> [email protected]
>
> =================================================
> To set vacation, Out Of Office, or away messages,
> send an email to [email protected]
> in the BODY of the email add:
> set fw-1-mailinglist nomail
> =================================================
> To unsubscribe from this mailing list,
> please see the instructions at
> http://www.checkpoint.com/services/mailing.html
> =================================================
> If you have any questions on how to change your
> subscription options, email
> [email protected]
> =================================================
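The final check in the reply above (comparing `fw tab -t connections -s` on both nodes) can be scripted against saved output instead of eyeballed. This is an added example, not part of the original thread; the function names, the 10% default tolerance and the column layout of the constructed samples (HOST NAME ID #VALS #PEAK #SLINKS) are assumptions.

```shell
#!/bin/sh
# Compare connections-table sizes captured from two cluster members.
# Each input file holds the saved output of: fw tab -t connections -s

# Print the #VALS figure for the "connections" row. Columns are located by
# header name, so a different column order still parses (assumed layout).
conn_vals() {
    awk '
        !col { for (i = 1; i <= NF; i++) {
                   if ($i == "NAME")  ncol = i
                   if ($i == "#VALS") col  = i }
               next }
        $ncol == "connections" { print $col; found = 1; exit }
        END { if (!found) exit 1 }
    ' "$1"
}

# sync_check FILE_A FILE_B [TOLERANCE_PERCENT]
# Returns 0 if the counts agree within tolerance, 1 if they drift, 2 on bad input.
sync_check() {
    tol=${3:-10}
    a=$(conn_vals "$1") || return 2
    b=$(conn_vals "$2") || return 2
    for v in "$a" "$b"; do
        case $v in ''|*[!0-9]*) return 2 ;; esac
    done
    if [ "$a" -ge "$b" ]; then hi=$a lo=$b; else hi=$b lo=$a; fi
    diff=$((hi - lo))
    echo "node A: $a  node B: $b  difference: $diff"
    # Within tolerance when the gap is at most tol% of the larger table.
    [ $((diff * 100)) -le $((hi * tol)) ]
}

# Constructed sample captures: fw1/fw2 look synchronized, fw3 does not.
make_samples() {
    h='HOST        NAME          ID #VALS #PEAK #SLINKS'
    printf '%s\n' "$h" 'localhost   connections 8158  1204  1530    2391' > "$1/fw1.txt"
    printf '%s\n' "$h" 'localhost   connections 8158  1187  1502    2360' > "$1/fw2.txt"
    printf '%s\n' "$h" 'localhost   connections 8158    12    40      20' > "$1/fw3.txt"
}

demo_dir=$(mktemp -d)
make_samples "$demo_dir"
sync_check "$demo_dir/fw1.txt" "$demo_dir/fw2.txt" && echo "state sync looks healthy"
sync_check "$demo_dir/fw1.txt" "$demo_dir/fw3.txt" || echo "tables diverge: check sync"
```

Capture both outputs as close together in time as possible, since the tables change with live traffic.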