
Re: [FW-1] Suggestions for how to manage cold standby server.


  • To: [email protected]
  • Subject: Re: [FW-1] Suggestions for how to manage cold standby server.
  • From: Hal Dorsman <[email protected]>
  • Date: Fri, 14 Feb 2003 08:11:59 -0700
  • Reply-to: Mailing list for discussion of Firewall-1 <[email protected]>
  • Sender: Mailing list for discussion of Firewall-1 <[email protected]>
  • Thread-index: AcLUM3rSOg2yWJjeTXy/67AQXDpjKAABmR6w
  • Thread-topic: Re: [FW-1] Suggestions for how to manage cold standby server.

Sorry, guess I don't explain myself well trying to be
brief.  I only want it accessible remotely for remote
maintenance.  Being able to back up my active config
and push it out to my secondary so it is always updated.
In a previous 4.1 env I was able to do this easily as
the license was tied to the outside IP.  I just had my
primary internal numbered 10.0.0.1, and my secondary
was 10.1.1.1, which was on the hme0. I could back up
and push out the primary policy to the secondary which
had all the qfe interfaces defined exactly the same. To
fail over, all I had to do was rename hostname.hme0 so
that FW1 didn't try to configure it as an active IF, then
reboot.  By the time the thing had completed the shutdown,
I could be back in the server room and move wires.  The
secondary would boot back up with exactly the same IF
definition and FW configuration and we'd be up and running.
Now, NG seems to have the license tied to the internal
(is this an option, or new rule?).  I am having problems
getting the license to be happy, and getting my box on
my network so I can ssh to it and run the Policy editor to
it.  The most logical solution I can think of is to daisy
chain the secondary off the primary via the hme's, and
get to it via routing through my primary.  Haven't tried
it yet, seems like kinda a pain.  It was so easy under
4.1.

Thanks,

Hal

Hal Dorsman
Network Administrator
Rocky Mountain Elk Foundation
Missoula, Montana USA
[email protected]

> -----Original Message-----
> From: Joe Matusiewicz [mailto:[email protected]]
> Sent: Friday, February 14, 2003 6:43 AM
> To: [email protected]
> Subject: Re: [FW-1] Suggestions for how to manage cold standby server.
>
>
> I'm not sure what you mean by having a cold standby firewall that you would
> use for remote access.
>
> My cold standby server is an exact replica of my active one including ip
> addresses, static routes, etc.  It's always online but it is not connected
> to the network.  It takes about 10 seconds to switch to the backup and be
> up and running.  This is because of the time it takes to switch the wires
> and the time for the backup to announce its presence on the network.
>
> Hope this helps....
>
>
> -- Joe
>
>
> At 04:54 PM 2/13/03, Hal Dorsman wrote:
> >How does everyone manage a second cold standby
> >firewall?  One that you would want to keep on
> >your internal network for remote access.  With the
> >licenses now being tied to the internal IP, you
> >get conflicts if you try to put it on the same net.
>
> =================================================
> To set vacation, Out Of Office, or away messages,
> send an email to [email protected]
> in the BODY of the email add:
> set fw-1-mailinglist nomail
> =================================================
> To unsubscribe from this mailing list,
> please see the instructions at
> http://www.checkpoint.com/services/mailing.html
> =================================================
> If you have any questions on how to change your
> subscription options, email
> [email protected]
> =================================================
>

   All contents © 2004 Network Presence, LLC. All rights reserved.