
Re: [FW-1] Issues with VRRP IPSO 3.7 and NG AI


  • To: [email protected]
  • Subject: Re: [FW-1] Issues with VRRP IPSO 3.7 and NG AI
  • From: Brendan Laws <[email protected]>
  • Date: Thu, 11 Sep 2003 09:46:40 +1000
  • Reply-to: Mailing list for discussion of Firewall-1 <[email protected]>
  • Sender: Mailing list for discussion of Firewall-1 <[email protected]>
  • Thread-index: AcN31oclejSVmrJqQzGvQWK+2TVpVQAHoqTw
  • Thread-topic: [FW-1] Issues with VRRP IPSO 3.7 and NG AI

Javier,

Try this: edit the topology of each firewall object, create new interfaces defined as per your VRRP backup address, and define their topology.

E.g.

If Eth-s1p1c0 = 10.1.1.1/24 and has anti-spoofing like "network defined by this interface", then create a new interface, e.g.

Eth-s1p1c0-vrrp = 10.1.1.254/24, and define its anti-spoofing like what it needs to be.

Just check in your logs: is the anti-spoofing drop logged with a source of one of the firewalls' VRRP addresses?

And then you have your rule as follows:

SRC                 DST                 SERVICE     ACTION
Firewall Modules    host-224.0.0.18     vrrp        accept

-----Original Message-----
From: Javier Diaz [mailto:[email protected]]
Sent: Thursday, 11 September 2003 4:49 AM
To: [email protected]
Subject: Re: [FW-1] Issues with VRRP IPSO 3.7 and NG AI


Well, I have 2 HA VRRP Nokias with AI, and we have to create a rule to accept
VRRP with the 224.0.0.0 net and the modules of the cluster. The user
guide of IPSO 3.7 explains why. Are there logs dropping because of
spoofing?

Rgds


Javier Díaz Evans
Project Engineer
Etek International Holding Corp - Colombia
ISO 9001 certified
Tel: +57 - (1) - 622 - 7122
Fax: +57 - (1) - 257 - 1520
www.etek.com.co




Mark Pays <[email protected]>
Sent by: Mailing list for discussion of Firewall-1
<[email protected]>
10/09/2003 11:21 a.m.
Please respond to Mailing list for discussion of Firewall-1

        To:     [email protected]
        cc:
        Subject:        Re: [FW-1] Issues with VRRP IPSO 3.7 and NG AI


Thanks for the reply. We already have a rule to allow the traffic and can see it passing between the Nokias. It just won't work!!

Does anyone actually have IPSO 3.7/NG AI/VRRP HA working? Be interested to hear if you do. As I said, we have an identical setup working just fine in IPSO 3.6/NG FP3.

-----Original Message-----
From: Hennessy, Robert [mailto:[email protected]]
Sent: 10 September 2003 16:41
To: [email protected]
Subject: Re: [FW-1] Issues with VRRP IPSO 3.7 and NG AI


Mark,

I have only read the docs, no experience, but IPSO 3.6 permits VRRP packets
between Nokias without any rule. v.7 requires a rule to permit the packets
for the backup to go into backup mode.
For testing, maybe permit the VRRP interfaces to talk on any port and narrow
the ports down if it works.

Rob

-----Original Message-----
From: Mark Pays [mailto:[email protected]]
Sent: Wednesday, September 10, 2003 10:25 AM
To: [email protected]
Subject: [FW-1] Issues with VRRP IPSO 3.7 and NG AI


Hi,

We are trying to set up a VRRP HA pair using IPSO 3.7 and NG AI on Nokia. We
can get the VRRP working on IPSO before Checkpoint is installed, but once we
create a cluster object and install a policy the problems begin. We have used
Nokia legacy VRRP configuration rather than the newer IPSO cluster option. Has
anyone actually got this VRRP HA working? We find in SmartView Status the
first node is OK, but the second always shows problems under ClusterXL and the
node is shown as down. Unfortunately neither the SmartView nor the logs suggest
what the issue may be. We have exactly mirrored another working VRRP setup.
The only difference is that this is on FP3 and is using IPSO 3.6. Does anyone
have any experience of VRRP on IPSO 3.7 or NG AI? Any suggestions would be
useful.

Thanks

Mark
###########################################

This message has been scanned by F-Secure Anti-Virus for Microsoft
Exchange.
For more information, connect to http://www.F-Secure.com/


------------------------------------------------------------------------------
The opinions expressed within this email represent those of the individual and not necessarily those of Gullivers Travel Associates (GTA).

This email and any files transmitted with it are confidential and intended solely for the use of the individual or entity to whom they are addressed. If you have received this email in error please notify [email protected].

Should you wish to use email as a form of communication, GTA are unable to guarantee the security of email content outside of our own computer systems.



________________________________________________________________________
This email has been scanned for all viruses by the MessageLabs Email Security System. For more information on a proactive email security service working around the clock, around the globe, visit http://www.messagelabs.com
________________________________________________________________________

=================================================
To set vacation, Out-Of-Office, or away messages,
send an email to [email protected]
in the BODY of the email add:
set fw-1-mailinglist nomail
=================================================
To unsubscribe from this mailing list,
please see the instructions at
http://www.checkpoint.com/services/mailing.html
=================================================
If you have any questions on how to change your
subscription options, email
[email protected]
=================================================
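
Added example (not part of the original thread, and not Check Point or Nokia code): a Python triage of exported drop records that separates the two causes discussed in the thread, anti-spoofing drops sourced from a VRRP backup address and VRRP advertisements to 224.0.0.18 dropped by the rule base. The CSV column names, the fw-a/fw-b node names and the log rows are constructed for illustration; 10.1.1.254 is the backup address from the example in the reply.

```python
import csv
import io
import ipaddress

VRRP_GROUP = ipaddress.ip_address("224.0.0.18")  # VRRP multicast group, the rule's DST
VRRP_PROTO = 112                                  # IP protocol number assigned to VRRP

# Assumption: the pair's VRRP backup addresses (value from the thread's example).
BACKUP_ADDRS = {ipaddress.ip_address("10.1.1.254")}

# Constructed sample export; the column names are hypothetical, not a vendor format.
SAMPLE_LOG = """\
time,origin,action,reason,src,dst,proto
09:40:01,fw-a,drop,anti-spoofing,10.1.1.254,10.1.1.50,1
09:40:02,fw-b,drop,rule,10.1.1.2,224.0.0.18,112
09:40:03,fw-a,accept,rule,10.1.1.1,224.0.0.18,112
09:40:04,fw-b,drop,anti-spoofing,192.168.9.9,10.1.1.20,6
09:40:05,fw-a,drop,rule,not-an-ip,224.0.0.18,112
"""


def triage(log_text, backup_addrs=BACKUP_ADDRS):
    """Return (origin, src, finding) for every drop that bears on VRRP.

    TOPOLOGY: anti-spoofing dropped a packet sourced from a backup address,
              so the interface topology needs an entry covering that address.
    RULE:     a VRRP advertisement (proto 112 to 224.0.0.18) was dropped,
              so the accept rule is missing, mis-ordered or not installed.
    """
    findings = []
    for row in csv.DictReader(io.StringIO(log_text)):
        if row["action"] != "drop":
            continue
        try:
            src = ipaddress.ip_address(row["src"])
            dst = ipaddress.ip_address(row["dst"])
            proto = int(row["proto"])
        except ValueError:
            continue  # malformed record: skip it rather than misclassify it
        if row["reason"] == "anti-spoofing" and src in backup_addrs:
            findings.append((row["origin"], str(src), "TOPOLOGY"))
        elif dst == VRRP_GROUP and proto == VRRP_PROTO:
            findings.append((row["origin"], str(src), "RULE"))
    return findings


if __name__ == "__main__":
    for origin, src, finding in triage(SAMPLE_LOG):
        print(f"{origin}: {finding} drop, source {src}")
```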


   All contents © 2004 Network Presence, LLC. All rights reserved.