NETWORK PRESENCE ABOUT SERVICES PRODUCTS TRAINING CONTACT US SEARCH SUPPORT
 


Search
display results
words begin  exact words  any words part 

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[FW-1] Stonebeat and Anti-Spoof with NG FP2



I'm trying to set up a Stonebeat pair running NG FP2. I'm having some
trouble with the anti-spoofing. The only way I seem to be able to get
things to work is to disable anti-spoofing on the control interface.

Each firewall has several internal interfaces, an external interface,
and one "control" interface which only connects the two firewalls.
When working properly, the operating firewall is the only one with
active internal and external connections. The stand-by firewall is
only using the control interface. All traffic to the stand-by firewall
gets routed through the on-line firewall and on to the stand-by via the
control interfaces. (And the reverse has to work as well, obviously.)

The problem is with anti-spoofing. When a firewall is on-line, the
"normal" topology, as if it were not part of a fail-over pair, works
just fine. However, when a firewall is off-line, _all_ traffic is
coming through the control interface.

The specific problem I am having is trying to convince the firewalls
to talk to the management server when in either on-line or off-line
mode. Traffic from the management module actually comes in to the
pair from the external side. If I specify that the management server
lives off of the control interface, the on-line firewall will not talk
to it over the external interface. If I don't specify it on the control
interface, the stand-by firewall will not talk to it over the control
interface.

The documentation that I have found at Stonesoft's website seems to still
be giving 4.x examples. Does anyone have pointers to documents from Stonesoft
or Checkpoint on how to set up Stonebeat HA with NG? How have others gotten
the anti-spoofing to work? As I mentioned, my workaround for now is to disable
anti-spoofing on the control interface. It works, but it is non-ideal.
--
Crist J. Clark                               [email protected]
Globalstar CommunicationsThe information contained in this e-mail message is confidential,
intended only for the use of the individual or entity named above.
If the reader of this e-mail is not the intended recipient, or the
employee or agent responsible to deliver it to the intended recipient,
you are hereby notified that any review, dissemination, distribution or
copying of this communication is strictly prohibited.  If you have
received this e-mail in error, please contact [email protected]

=================================================
To set vacation, Out Of Office, or away messages,
send an email to [email protected]
in the BODY of the email add:
set fw-1-mailinglist nomail
=================================================
To unsubscribe from this mailing list,
please see the instructions at
http://www.checkpoint.com/services/mailing.html
=================================================
If you have any questions on how to change your
subscription options, email
[email protected]
=================================================



 
----------------------------------

ABOUT SERVICES PRODUCTS TRAINING CONTACT US SEARCH SUPPORT SITE MAP LEGAL
   All contents © 2004 Network Presence, LLC. All rights reserved.