[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index] [FW-1] Stonebeat and Anti-Spoof with NG FP2
I'm trying to set up a Stonebeat pair running NG FP2. I'm having some trouble with the anti-spoofing. The only way I seem to be able to get things to work is to disable anti-spoofing on the control interface. Each firewall has several internal interfaces, an external interface, and one "control" interface which only connects the two firewalls. When working properly, the operating firewall is the only one with active internal and external connections. The stand-by firewall is only using the control interface. All traffic to the stand-by firewall gets routed through the on-line firewall and on to the stand-by via the control interfaces. (And the reverse has to work as well, obviously.) The problem is with anti-spoofing. When a firewall is on-line, the "normal" topology, as if it were not part of a fail-over pair, works just fine. However, when a firewall is off-line, _all_ traffic is coming through the control interface. The specific problem I am having is trying to convince the firewalls to talk to the management server when in either on-line or off-line mode. Traffic from the management module actually comes in to the pair from the external side. If I specify that the management server lives off of the control interface, the on-line firewall will not talk to it over the external interface. If I don't specify it on the control interface, the stand-by firewall will not talk to it over the control interface. The documentation that I have found at Stonesoft's website seems to still be giving 4.x examples. Does anyone have pointers to documents from Stonesoft or Checkpoint on how to set up Stonebeat HA with NG? How have others gotten the anti-spoofing to work? As I mentioned, my workaround for now is to disable anti-spoofing on the control interface. It works, but it is non-ideal. -- Crist J. Clark [email protected] Globalstar CommunicationsThe information contained in this e-mail message is confidential, intended only for the use of the individual or entity named above. If the reader of this e-mail is not the intended recipient, or the employee or agent responsible to deliver it to the intended recipient, you are hereby notified that any review, dissemination, distribution or copying of this communication is strictly prohibited. If you have received this e-mail in error, please contact [email protected] ================================================= To set vacation, Out Of Office, or away messages, send an email to [email protected] in the BODY of the email add: set fw-1-mailinglist nomail ================================================= To unsubscribe from this mailing list, please see the instructions at http://www.checkpoint.com/services/mailing.html ================================================= If you have any questions on how to change your subscription options, email [email protected] =================================================
|