| |
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
[FW-1] AW: [FW-1] AW: [FW-1] AW: [FW-1] Stonebeat Sync Problems
- To: [email protected]
- Subject: [FW-1] AW: [FW-1] AW: [FW-1] AW: [FW-1] Stonebeat Sync Problems
- From: "Vogel, Jochen" <[email protected]>
- Date: Mon, 22 Sep 2003 10:49:03 +0200
- Reply-to: Mailing list for discussion of Firewall-1 <[email protected]>
- Sender: Mailing list for discussion of Firewall-1 <[email protected]>
- Thread-index: AcN+yCCu5Fm6lyC3TzmWo/iD5pg67gCHGeZw
- Thread-topic: [FW-1] AW: [FW-1] AW: [FW-1] Stonebeat Sync Problems
hi,
my constelation at the moment,
-Solaris9 (64bit)
-Checkpoint NG AI
-Stonbeat FullCluster 3.0 3-2
Checkpoint says supported
Stonebeat says tested
i say works
OPSEC certified is
-Solaris8
-Checkpoint NG AI
-Stonbeat FullCluster 3.0 3-2
> -----Ursprüngliche Nachricht-----
> Von: Skar [mailto:[email protected]]
> Gesendet am: Freitag, 19. September 2003 13:30
> An: [email protected]
> Betreff: Re: [FW-1] AW: [FW-1] AW: [FW-1] Stonebeat Sync Problems
>
> Excuse me,
> Does stonebeat fullcluster is certified for NG AI? As
> CP doesn't give support; stated that it's not
> certified.
>
> --- "Vogel, Jochen" <[email protected]> wrote:
> > Hi,
> >
> > here is the nice answer from stonebeat
> >
> > FullCluster can be used with firewalls that do not
> > have any state sync mechanism as well as with those
> > firewalls, that have state sync mechanism.
> > Even if firewall has a state sync mechanism, there
> > can be reasons why that mechanism can not be used.
> > During upgrade, when nodes have different versions
> > from firewall software, state sync can crash the
> > system. Some memory structure problems are more
> > easily seen when state information is synced. A bug
> > or limitation in the firewall software can prevent
> > using sync in some platforms or in the case of some
> > special kind of traffic.
> >
> > FullCluster has been designed in a way that it does
> > not need state sync during normal operation. Instead
> > of trusting that state sync fixes problems with
> > asymmetry, connections are handled symmetrically.
> > The role of state sync is only to support fail-over
> > of connections when there is a need to move
> > connections between nodes. If state sync can not be
> > used, then existing connections are lost in such
> > situation.
> >
> > State sync is a FW-1 feature, that has been in FW-1
> > for a long time. Currently it is located and
> > configured under ClusterXL settings, even when using
> > state sync does not need any clusterXL license or
> > actual clusterXL functionality. When some FW-1
> > version is tested with FullCluster, it does not mean
> > that this specific FW-1 version is claimed to be
> > free from limitations and bugs. It is tested that
> > FullCluster does not prevent the firewall version
> > from operating at the level that FW-1 version
> > operates. Installing FullCluster does not remove any
> > limitations that FW-1 version might have.
> >
> >
> ------------------------------------------------------
> >
> > today i upgraded all checkpoints to NG AI.
> > it seems to be working fine.
> >
> > regards
> > jo
> >
> >
> > > -----Ursprüngliche Nachricht-----
> > > Von: Ruiyuan Jiang [mailto:[email protected]]
> > > Gesendet am: Dienstag, 16. September 2003 13:27
> > > An: [email protected]
> > > Betreff: Re: [FW-1] AW: [FW-1] Stonebeat Sync
> > Problems
> > >
> > > Yes, you can install StoneBeat FullCluster 3.0
> > with Solaris 9
> > > but CheckPoint
> > > NG FP3's state sync does not work with Solaris 9
> > and that is where the
> > > problem is.
> > >
> > > Ryan Jiang
> > >
> > > -----Original Message-----
> > > From: Edouard Zorrilla
> > [mailto:[email protected]]
> > > Sent: Monday, September 15, 2003 3:26 PM
> > > To: [email protected]
> > > Subject: Re: [FW-1] AW: [FW-1] Stonebeat Sync
> > Problems
> > >
> > >
> > > So, can I install StoneBeat FullCluster 3.0 with
> > Solaris 9 ?.
> > > By the way,
> > > somebody has installed SBFC 3.0 with Solaris 9?, i
> > have
> > > serious problems
> > > doing it. I was wandering if you would mind send
> > me some
> > > manual instalation
> > > for it !
> > >
> > > Thanks for your help
> > >
> > > Edouard Zorrilla
> > > ----- Original Message -----
> > > From: "Vogel, Jochen" <[email protected]>
> > > To: <[email protected]>
> > > Sent: Monday, September 15, 2003 12:54 PM
> > > Subject: [FW-1] AW: [FW-1] Stonebeat Sync Problems
> > >
> > >
> > > hi ryan,
> > >
> > > in the release notes solaris9 (64bit) are
> > supported
> > >
> >
> ftp://download.stonesoft.com/web/Support/StoneBeat/PublicDocs/
> > > FullCluster/fw
> > > -1/3.0/release-notes/sbfc30sp3-2relnote.pdf
> > >
> > >
> > >
> > >
> > > > -----Ursprüngliche Nachricht-----
> > > > Von: Ruiyuan Jiang
> > [mailto:[email protected]]
> > > > Gesendet am: Montag, 15. September 2003 19:24
> > > > An: [email protected]
> > > > Betreff: Re: [FW-1] Stonebeat Sync Problems
> > > >
> > > > I think CheckPoint only certifys Solaris 8 with
> > NG FP3. NG
> > > > FP3 does not
> > > > support Solaris 9 with State Sync. You have to
> > downgrade to
> > > > Solaris 8. That
> > > > is what happened to me when I first installed
> > Solaris 9.
> > > >
> > > >
> > > > Ryan Jiang
> > > > Senior UNIX adminstrator
> > > >
> > > > -----Original Message-----
> > > > From: Vogel, Jochen
> > [mailto:[email protected]]
> > > > Sent: Monday, September 15, 2003 12:13 PM
> > > > To: [email protected]
> > > > Subject: [FW-1] Stonebeat Sync Problems
> > > >
> > > >
> > > > Hi,
> > > >
> > > > i use
> > > > -Solaris9
> > > > -Stonebeat3.0SP2
> > > > -CheckpointNG.FP3.HF2
> > > >
> > > > -the cluster object is created and sync enabled
> > > > -the sync is in cpconfig enabled
> > > >
> > > > if i ping from the cluster an other system i get
> > drops from
> > > > one system with
> > > > out of state messages
> > > >
> > > > with fw tab -t connections -f i can see that the
> > state table doesn´t
> > > > correlate.
> > > >
> > > > with fw ctl pstat i can see that the snyc send
> > but didnt receive
> > > > sync new ver working
> > > > sync out: on sync in: on
> > > > sync packets sent:
> > > > total: 16 retransmitted: 0 retrans reqs: 0 acks:
> > 0
> > > > sync packets received:
> > > > total 0 of which 0 queued and 0 dropped by net
> > > > also received 0 retrans reqs and 0 acks to 0 cb
> > requests
> > > >
> > > > if i try to ping the other machine in the
> > heartbeat net i get
> > > > Sep 15 18:02:35 cfwc1n1.activest.de fw:
> > fwstrmod_filter(out):
> > > > no interface
> > > > information (eab1d8)
> > > >
> > > > at boottime i can see
> > > > configuring IPv4 interfaces:NOTICE:
> > sbuwput_proto(29): DL_OUTSTATE
> > > > ip: joining multicasts failed (3) on sbif0 -
> > will use link
> > > > layer broadcasts
> > > > for multicast
> > > >
> > > > ifconfig sbif0 shows
> > > > sbif0:
> > > >
> >
> flags=1001843<UP,BROADCAST,RUNNING,MULTICAST,MULTI_BCAST,IPv4>
> > mtu
> > > > 1500 index 2
> > > > inet 192.168.92.33 netmask fffffff0 broadcast
> > 192.168.92.47
> > > >
> > > > ether 8:0:20:c9:44:49
> > > >
> > > > thx for help
> > > > jo
> > > >
> > > >
> > =================================================
> > > > To set vacation, Out-Of-Office, or away
> > messages,
> > > > send an email to
> > [email protected]
> >
> === message truncated ===
>
>
> =====
> ------------
> Sick Boy
>
> __________________________________
> Do you Yahoo!?
> Yahoo! SiteBuilder - Free, easy-to-use web site design software
> http://sitebuilder.yahoo.com
>
> =================================================
> To set vacation, Out-Of-Office, or away messages,
> send an email to [email protected]
> in the BODY of the email add:
> set fw-1-mailinglist nomail
> =================================================
> To unsubscribe from this mailing list,
> please see the instructions at
> http://www.checkpoint.com/services/mailing.html
> =================================================
> If you have any questions on how to change your
> subscription options, email
> [email protected]
> =================================================
>
=================================================
To set vacation, Out-Of-Office, or away messages,
send an email to [email protected]
in the BODY of the email add:
set fw-1-mailinglist nomail
=================================================
To unsubscribe from this mailing list,
please see the instructions at
http://www.checkpoint.com/services/mailing.html
=================================================
If you have any questions on how to change your
subscription options, email
[email protected]
=================================================
|
|
