Crist Clark wrote:
I know that state synchronization between different versions of FW-1 is not supported. However, that does not necessarily mean that it won't work between very similar versions.
I am going to be upgrading a failover pair from FW-1 NG FP2 to FW-1 NG AI. Does anyone know from experience whether these two versions can state sync? There are long-lived TCP connections over the pair that it would be nice to not have to break. Enabling fw_allow_out_of_state_tcp is only a partial fix since we have to see something go from inside out before it is turned back off.
To answer my own question, when I actually did the upgrade, I could not get NG FP2 and NG AI to synchronize. Doing a 'fw fcu <other cluster member ip>' as instructed in the Upgrade Guide will fail with a message about the versions being incompatible.
However, a warning about the new cluster anti-spoofing feature. A default Solaris install will look spoofed according to this. So you either need to twiddle some 'ndd' parameters on Solaris, ip_ttl_def and tcp_ipv4_ttl (why TCP has its own...), and keep in mind a change gets applied only to new TCP connections, so existing connections and listening sockets will still have the old TTL, or you need to disable this in Check Point. There is a cluster anti-spoofing checkbox, enabled by default, but unchecking it did not disable the feature for me. I had to go in and,
# fw ctl set int fw_ttl_check 0
to turn it off. I then added 'set fw:fw_ttl_check=0' to /etc/system to keep the change across reboots.

-- 
Crist J. Clark [EMAIL PROTECTED]
Globalstar Communications (408) 933-4387
