Agree with Greg's point about the IPSO version.
I wouldn't manually copy any files - when you say "no management console"
do you mean the IP440 is just an enforcement module? If thats the case
then I would just load IPSO, load CP and run cpconfig on the standby. Then
push the policy from the management station to it. Obviously you'll either
need to take the first firewall off-line or build a test lab as the two
firewalls have the same IP address.
Huiqi
"Pendergrass, Greg"
<[EMAIL PROTECTED]> To: [EMAIL PROTECTED]
Sent by: Mailing list for cc:
discussion of Firewall-1 Subject: Re: [FW-1]
Directories/Files required for configuring redundant
<[EMAIL PROTECTED] N okia IP440 firewall
KPOINT.COM>
16/12/2003 11:08
Please respond to Mailing list
for discussion of Firewall-1
You have to match the version of IPSO with the version of checkpoint you
want to run. IPSO 3.7 is for NG-AI only, so run a version compatible with
checkpoint 4.1 SP6, which is IPSO 3.5.
Since this unit is going to be a cold-swap you want to match software
versions exactly so there will be nothing to chance when it is used.
GP
-----Original Message-----
From: Alan Choyna [mailto:[EMAIL PROTECTED]
Sent: 16 December 2003 05:18
To: [EMAIL PROTECTED]
Subject: [FW-1] Directories/Files required for configuring redundant
Nokia IP440 firewall
Hey guru's,
l'm in the process of building a redundant (cold swap) firewall for one of
my clients.
Our client just has the one Nokia IP440 firewall with no management
console, and since they don't wish to pay for a 2nd license, the redundant
firewall will be cold swap.
The original and the new redundant FW's are both Nokia IP440's, the
original with ipso 3.5-FCS10 the redundant will come with ipso 3.7. With
the exception of the original IP440 having the disk mirroring option, they
are both physically configured identically.
What l intend to do is ensure that they both have the same version of FW
(4.1 sp6), and then copy across the conf, database and state directory
files from the original FW to the new FW's equivalent directories, as well
as any files modified in the lib directory. Then l apply the licences to
the new Firewall.
Does this sound correct? Have l missed anything? Can anyone forsee any
problems l may encounter?
Your advice will be greatly appreciated.
Another way l could do this would be to take one of the mirrored disks from
the original IP440 (it came with the mirroring option), and place it in the
new firewall. The only thing stopping me from doing this is the doubt
regarding how the mirroring is done (software vs hardware). As the
redundant firewall does not come with the mirroring option, would this
method work? Does anyone know how the mirroring is done?
If l could do that, then l would place the disk from the redundant firewall
into the original firewall when it realizes that a disk is missing
(emulating a disk failure) and requests a replacement disk.
Thanks in advance.
Alan
=================================================
To set vacation, Out-Of-Office, or away messages,
send an email to [EMAIL PROTECTED]
in the BODY of the email add:
set fw-1-mailinglist nomail
=================================================
To unsubscribe from this mailing list,
please see the instructions at
http://www.checkpoint.com/services/mailing.html
=================================================
If you have any questions on how to change your
subscription options, email
[EMAIL PROTECTED]
=================================================
=================================================
To set vacation, Out-Of-Office, or away messages,
send an email to [EMAIL PROTECTED]
in the BODY of the email add:
set fw-1-mailinglist nomail
=================================================
To unsubscribe from this mailing list,
please see the instructions at
http://www.checkpoint.com/services/mailing.html
=================================================
If you have any questions on how to change your
subscription options, email
[EMAIL PROTECTED]
=================================================
