Javier,
Try this: edit the topology of each firewall object, create new interfaces defined
as per your VRRP backup address, and define their topology.
E.g., if
Eth-s1p1c0 = 10.1.1.1/24 and has anti-spoofing like "network defined by this
interface", then create a new interface, e.g.
Eth-s1p1c0-vrrp = 10.1.1.254/24, and define its anti-spoofing like what it needs to be.
Just check in your logs: is the anti-spoofing drop logged with a source of one of the
firewalls' VRRP addresses?
And then you have your rule as follows:
SRC                DST               SERVICE   ACTION
Firewall Modules   host-224.0.0.18   vrrp      accept
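The log check suggested above can be scripted. The following is an added example, not part of the original message and not Check Point code: the CSV column layout, the peer address 10.1.1.2 and the sample records are constructed for illustration, while 10.1.1.1 and 10.1.1.254 follow the addresses used in the message.

```python
import csv
import io
import ipaddress

VRRP_GROUP = ipaddress.ip_address("224.0.0.18")  # VRRP multicast group
VRRP_PROTO = 112                                  # IP protocol number of VRRP

# Assumed addresses: backup address from the message, peer 10.1.1.2 is hypothetical.
VRRP_BACKUP_ADDRS = {ipaddress.ip_address("10.1.1.254")}
MEMBER_ADDRS = {ipaddress.ip_address("10.1.1.1"), ipaddress.ip_address("10.1.1.2")}

# Constructed sample export; the column layout is hypothetical, not a vendor format.
SAMPLE_LOG = """action,reason,iface,src,dst,proto
accept,,eth-s1p1c0,10.1.1.2,224.0.0.18,112
drop,address spoofing,eth-s1p1c0,10.1.1.254,10.1.1.1,6
drop,address spoofing,eth-s1p1c0,10.1.1.254,224.0.0.18,112
drop,rule 14,eth-s1p1c0,10.1.1.2,224.0.0.18,112
drop,address spoofing,eth-s2p1c0,192.0.2.77,10.1.1.1,6
"""

def triage(log_text):
    """Return (line_no, finding) for dropped records that would affect VRRP."""
    findings = []
    # Line 1 is the CSV header, so data rows start at line 2.
    for n, row in enumerate(csv.DictReader(io.StringIO(log_text)), start=2):
        if row["action"] != "drop":
            continue
        src = ipaddress.ip_address(row["src"])
        dst = ipaddress.ip_address(row["dst"])
        is_vrrp = dst == VRRP_GROUP and int(row["proto"]) == VRRP_PROTO
        spoof = "spoof" in row["reason"].lower()
        if spoof and src in VRRP_BACKUP_ADDRS:
            # Topology problem: the backup address is not covered by anti-spoofing.
            findings.append((n, "anti-spoofing drop from VRRP backup address"))
        elif is_vrrp and src in (MEMBER_ADDRS | VRRP_BACKUP_ADDRS):
            # Rule base problem: the advertisement itself is not accepted.
            findings.append((n, "VRRP advertisement dropped: " + row["reason"]))
    return findings

if __name__ == "__main__":
    for line_no, finding in triage(SAMPLE_LOG):
        print(line_no, finding)
```

Anti-spoofing drops from a backup address point at the interface topology, while a dropped advertisement with any other reason points at the rule base.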
-----Original Message-----
From: Javier Diaz [mailto:[EMAIL PROTECTED]
Sent: Thursday, 11 September 2003 4:49 AM
To: [EMAIL PROTECTED]
Subject: Re: [FW-1] Issues with VRRP IPSO 3.7 and NG AI
Well, I have 2 HA VRRP Nokias with AI, and we have to create a rule to accept
VRRP with the 224.0.0.0 net and the modules of the cluster. The user
guide of IPSO 3.7 explains why. Are there logs dropping because of
spoofing?
Rgds
Javier Díaz Evans
Project Engineer
Etek International Holding Corp - Colombia
ISO 9001 certified
Tel: +57 - (1) - 622 - 7122
Fax: +57 - (1) - 257 - 1520
www.etek.com.co
Mark Pays <[EMAIL PROTECTED]>
Sent by: Mailing list for discussion of Firewall-1
<[EMAIL PROTECTED]>
10/09/2003 11:21 a.m.
Please respond to Mailing list for discussion of Firewall-1
To: [EMAIL PROTECTED]
cc:
Subject: Re: [FW-1] Issues with VRRP IPSO 3.7 and NG AI
Thanks for the reply. We already have a rule to allow the traffic and can see it
passing between the Nokias. It just won't work!!
Does anyone actually have IPSO 3.7/NG AI/VRRP HA working? Be interested to hear if you
do... As I said, we have an identical setup working just fine in IPSO 3.6/NG FP3.
-----Original Message-----
From: Hennessy, Robert [mailto:[EMAIL PROTECTED]
Sent: 10 September 2003 16:41
To: [EMAIL PROTECTED]
Subject: Re: [FW-1] Issues with VRRP IPSO 3.7 and NG AI
Mark,
I have only read the docs, no experience, but IPSO 3.6 permits VRRP packets
between Nokias without any rule. v.7 requires a rule to permit the packets
for the backup to go into backup mode.
For testing, maybe permit the VRRP interfaces to talk on any port and narrow
the ports down if it works.
Rob
-----Original Message-----
From: Mark Pays [mailto:[EMAIL PROTECTED]
Sent: Wednesday, September 10, 2003 10:25 AM
To: [EMAIL PROTECTED]
Subject: [FW-1] Issues with VRRP IPSO 3.7 and NG AI
Hi,
We are trying to set up a VRRP HA pair using IPSO 3.7 and NG AI on Nokia. We
can get the VRRP working on IPSO before Checkpoint is installed, but once we
create a cluster object and install a policy the problems begin. We have used Nokia
legacy VRRP configuration rather than the newer IPSO cluster option. Has anyone
actually got this VRRP HA working? We find in SmartView Status the first node is OK,
but the second always shows problems under ClusterXL and the node is shown as down.
Unfortunately neither SmartView nor the logs suggest what the issue may be. We have
exactly mirrored another working VRRP setup. The only difference is that this is on
FP3 and is using IPSO 3.6. Does anyone have any experience of VRRP on IPSO 3.7 or
NG AI? Any suggestions would be useful...
Thanks
Mark
###########################################
This message has been scanned by F-Secure Anti-Virus for Microsoft
Exchange.
For more information, connect to http://www.F-Secure.com/
----------------------------------------------------------------------------
--
The opinions expressed within this email represent those of the individual and not
necessarily those of Gullivers Travel Associates (GTA).
This email and any files transmitted with it are confidential and intended solely for
the use of the individual or entity to whom they are addressed. If you have received
this email in error please notify [EMAIL PROTECTED]
Should you wish to use email as a form of communication, GTA are unable to guarantee
the security of email content outside of our own computer
systems.
________________________________________________________________________
This email has been scanned for all viruses by the MessageLabs Email Security System.
For more information on a proactive email security service working around the clock,
around the globe, visit http://www.messagelabs.com
________________________________________________________________________
=================================================
To set vacation, Out-Of-Office, or away messages,
send an email to [EMAIL PROTECTED]
in the BODY of the email add:
set fw-1-mailinglist nomail
=================================================
To unsubscribe from this mailing list,
please see the instructions at http://www.checkpoint.com/services/mailing.html
=================================================
If you have any questions on how to change your
subscription options, email
[EMAIL PROTECTED]
=================================================