On Fri, 21 May 1999, Jeff Dumrauf wrote:
> Can anybody shed any light on the fw-1 synchronization issues I have below.
>
> 1: Is there a good way to determine if the firewalls are synchronized? I
> see packets with source port 256 when running snoop, but I don't see any
> informational messages that they are synchronized.
I usually issue a `netstat -an | grep 256` and verify that each gateway
has an ESTABLISHED connection to the other gateways.
> 2: Is there a way we could tweak the 100ms exchange times between the
> boxes to something lower?
I think it is 50ms. The only way I know to tweak it is to use a binary
editor. The offset varies depending upon the version of the binary.
> 3: Any suggestions on running xntpd (sample conf files)? Suggestions on
> running different models (master/slave, master/master)?
Set up an internal NTP source as a master (Stratum 1) and use md5 for
authentication. The two gateways (Stratum 2) would prefer the NTP source
and then peer to each other in case the NTP source failed:
# preferred server is the ntp source clock
server ntp_src key 5 prefer
# peer with the other firewall-1 gateway
peer fw1_right key 5
You would also want to use the "restrict" capability of xntpd to control
which capabilities the server and peers have.
- brett
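The `netstat -an | grep 256` check above, written out as a script that reports which expected peers lack an ESTABLISHED sync connection. This is an added example, not part of the original message; it assumes Solaris-style `netstat -an` output (local and remote addresses as `ip.port`, state in the last column) and uses constructed sample lines so it runs offline.

```shell
#!/bin/sh
# Added example: verify that every expected FW-1 gateway has an
# ESTABLISHED state-sync connection (TCP port 256) in `netstat -an`.
# Constructed Solaris-style sample output (not captured from a real box).
SAMPLE_NETSTAT='
10.1.1.1.256         10.1.1.2.32805        8760      0  8760      0 ESTABLISHED
10.1.1.1.32770       10.1.1.3.256          8760      0  8760      0 ESTABLISHED
10.1.1.1.256         10.1.1.4.32811        8760      0  8760      0 SYN_RCVD
10.1.1.1.22          192.0.2.9.40000       8760      0  8760      0 ESTABLISHED
'

# sync_peers NETSTAT_TEXT: print the remote IP of each ESTABLISHED
# connection where either end uses port 256 (the sync port), one per line.
# Matching on the port alone would also catch unrelated traffic that merely
# contains "256" somewhere in the line, which a plain grep does not exclude.
sync_peers() {
    printf '%s\n' "$1" | awk '
        $NF == "ESTABLISHED" {
            n = split($1, l, "."); m = split($2, r, ".")
            if (l[n] == 256 || r[m] == 256) {
                sub(/\.[0-9]+$/, "", $2)   # strip the port, keep the IP
                print $2
            }
        }' | sort -u
}

# missing_peers NETSTAT_TEXT "ip1 ip2 ...": print each expected peer that
# has no ESTABLISHED sync connection; prints nothing when all are present.
missing_peers() {
    found=$(sync_peers "$1")
    for p in $2; do
        printf '%s\n' "$found" | grep -F -q -x "$p" || echo "$p"
    done
}

# On a live gateway: missing_peers "$(netstat -an)" "10.1.1.2 10.1.1.3"
# With the constructed sample this prints 10.1.1.4 (SYN_RCVD, not ESTABLISHED).
missing_peers "$SAMPLE_NETSTAT" "10.1.1.2 10.1.1.3 10.1.1.4"
```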