Yeah, you're right about front ending. Just because FW1 CAN do a server load balancer group doesn't necessarily mean that you should. Checkpoint also terminates VPN tunnels and does so nicely for small groups (or larger groups with an accelerator installed), but the more things you force your firewall to do, the more you're going to affect performance. In solutions I propose for small offices (up to 25 people or so) I tell clients to feel free to use all of the facilities that Checkpoint offers and there's usually not a problem (with a beefy enough box). But when you start to push more traffic through it and force the additional processor cycles that enhanced functionality demands, you may want to consider taking some of those duties into other boxes.
Also, if I recall correctly, there are some limits to the Checkpoint session persistence features. I recall there being a time when 128-bit SSL was unable to maintain persistence when the source IP floated around (i.e. AOL users), although I think that's fixed now. So check the complexity of your site and compare that carefully to what kind of load balancing functionality FW1 has. Checkpoint includes the functionality as a checklist item (not saying it's not good), whereas F5 does this as their core business. There's something to be said for that, and the dollar cost justification can be done by measuring just how expensive an unsatisfactory web user experience can be for your company in lost revenue and brand recognition. The best thing to do in a lot of these situations is to call the vendor of a box you're interested in, or one of their resellers, and talk about the product. They have the most up to date information, and while I totally understand how sometimes sales people can cloud the issue, the engineering resources are invaluable and they can usually swing a demo of some sort in your own lab with your own content.
I am not advocating either solution in a brand specific manner (but I admittedly like both FW-1 and BigIP). Just suggesting that choosing a load balancer is a complicated question, and the first things you must ask yourself are how complicated your content is and how much load this is going to put on a box that you want as free to do what it's GOOD at as possible.
Good luck. This is a tough decision to make.
Regards,
Scott A. Wozny
Enterasys, NYC
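The persistence limitation Scott mentions (a session that breaks when the client's source IP floats between requests, as it did for AOL proxy users) is easy to see in a small simulation. The following is an added example, not code from the thread or from any Checkpoint or F5 product; it models two persistence strategies in a simplified form: source-IP hashing (here the integer value of the address modulo the pool size, a stand-in for whatever hash a real balancer uses) and cookie-based stickiness, where the balancer hands the client a cookie naming its backend and only honours cookie values that name a pool member. The backend names, the session and the IP addresses are constructed.

```python
import ipaddress
from typing import Dict, List, Optional, Tuple

# Constructed backend pool behind the load balancer.
BACKENDS = ["web1", "web2", "web3"]

# Constructed session: one user whose source IP changes on every request,
# as happens behind a proxy farm that rotates outbound addresses.
FLOATING_IP_SESSION = [
    {"src_ip": "10.0.0.5", "path": "/login"},
    {"src_ip": "10.0.0.6", "path": "/cart"},
    {"src_ip": "10.0.0.7", "path": "/checkout"},
]

# Constructed session for comparison: same user, stable source IP.
STABLE_IP_SESSION = [
    {"src_ip": "10.0.0.5", "path": "/login"},
    {"src_ip": "10.0.0.5", "path": "/cart"},
    {"src_ip": "10.0.0.5", "path": "/checkout"},
]


def pick_by_source_ip(src_ip: str, backends: List[str] = BACKENDS) -> str:
    """Source-IP persistence: the same address always maps to the same backend.
    Hypothetical hash (address as integer mod pool size) for illustration."""
    return backends[int(ipaddress.ip_address(src_ip)) % len(backends)]


class CookiePersistence:
    """Cookie persistence (simplified model): first request is assigned
    round-robin and tagged with a cookie naming the backend; later requests
    carrying a valid cookie go back to that backend regardless of source IP."""

    def __init__(self, backends: List[str] = BACKENDS) -> None:
        self.backends = backends
        self.next_rr = 0

    def route(self, request: Dict[str, str]) -> Tuple[str, Dict[str, str]]:
        cookie = request.get("cookie")
        # Only honour a cookie that names a current pool member; an arbitrary
        # client-supplied value must never select a backend outside the pool.
        if cookie in self.backends:
            return cookie, request
        backend = self.backends[self.next_rr % len(self.backends)]
        self.next_rr += 1
        return backend, {**request, "cookie": backend}


def backend_switches(seen: List[str]) -> int:
    """Number of times consecutive requests of one session changed backend."""
    return sum(1 for a, b in zip(seen, seen[1:]) if a != b)


def simulate_source_ip(session: List[Dict[str, str]]) -> List[str]:
    """Backends chosen for each request under source-IP persistence."""
    return [pick_by_source_ip(r["src_ip"]) for r in session]


def simulate_cookie(session: List[Dict[str, str]]) -> List[str]:
    """Backends chosen for each request under cookie persistence; the client
    replays whatever cookie the balancer last set."""
    balancer = CookiePersistence()
    cookie: Optional[str] = None
    seen: List[str] = []
    for r in session:
        request = dict(r)
        if cookie is not None:
            request["cookie"] = cookie
        backend, response = balancer.route(request)
        cookie = response["cookie"]
        seen.append(backend)
    return seen


if __name__ == "__main__":
    for name, session in (("floating IP", FLOATING_IP_SESSION),
                          ("stable IP", STABLE_IP_SESSION)):
        by_ip = simulate_source_ip(session)
        by_cookie = simulate_cookie(session)
        print(f"{name}: source-IP -> {by_ip} ({backend_switches(by_ip)} switches)")
        print(f"{name}: cookie    -> {by_cookie} ({backend_switches(by_cookie)} switches)")
```

With the floating-IP session, source-IP hashing sends the three requests to three different backends, so any server-side session state (a login, a shopping cart) is lost between requests, while cookie persistence keeps the session on one backend. The cookie check against the pool is the part a defender should not skip: the cookie is client-controlled input, and the balancer must treat it as a hint to be validated, not as an authoritative routing instruction.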
-----Original Message-----
From: Rich Snow [mailto:[EMAIL PROTECTED]]
Sent: Friday, October 27, 2000 9:47 AM
To: [EMAIL PROTECTED]
Subject: RE: Firewalls-Digest V8 #1287
>
> Hi
>
> I had a question about server load balancing.
>
> I know that Checkpoint Firewall-1 now has a new feature
> called connect control, that can do a server load balance function.
> For example, firewall-1 can do load balancing to web servers in the DMZ,
> and netscreen can do this, too.
>
> I just wonder if pix or any other firewall has the same function?
>
> Thanks
> Vincent Huang
Hi Vincent,
PIX does have a hot redundancy feature (not exactly what
you asked, but useful in a 24X7 environment).
FWIW, I've seen such a PIX used to front-end a dedicated load
balancer, AKA F5 BigIP - these also have an automated
hot spare feature. Works really very well all together.
Lots of capability. But those BigIPs cost $40K/pair(!)
Best,
Rich