We have a single firewall, currently NG AI running on Solaris 8. It's distributed, one 
management console, one enforcement point.

We are looking to change our enforcement point to a cluster. We'll be using ClusterXL, 
no third-party products. Currently I'm thinking Load Sharing, probably unicast mode to 
solve some switch problems. The new cluster will be on new hardware (E250s), so we can 
keep our existing firewall up as long as needed to aid in transition. The two new 
cluster firewalls will be built from scratch. The old one won't be touched.

Our firewall (oldfw) obviously has multiple interfaces, but for the sake of simplicity 
let's just say it has inside (10.10.10.1) and internet (192.168.1.1). Let's call the 
new firewalls clusterfw1 and clusterfw2.

In the final state of the cluster, I want the new cluster addresses to use those old 
firewall addresses, so we don't have to adjust any routers.

My question is how to stage all of this. Ideally I'd like to have the current firewall 
(oldfw) to be up and running while I configure the cluster in the production 
environment. Then when the cluster is ready and tested, I'll down oldfw, and configure 
clusterfw to use its addresses.

So is it possible to bring up clusterfw1 with 10.10.10.2 & 192.168.1.2 and clusterfw2 
with 10.10.10.3 & 192.168.1.3, and a cluster address of 10.10.10.4 & 192.168.1.4? That 
would allow me to install NG AI, set up ClusterXL, test clustering and failover, etc. 
Then during the cut-over window I can down oldfw, and reconfigure the cluster object 
to use the 10.10.10.1 & 192.168.1.1 instead of the .4 addresses.

Does this sound like the right approach? Will changing the Cluster IPs be a problem? I 
assume SIC and licensing will be tied to the real IPs (physical) so changing the 
cluster addresses isn't a problem?

Thanks,

TL


