OK I've enabled and tested HA with state synchronization (and Nokia VRRP) and it works great if I remove an interface cable on my master Nokia or reboot the box.
However - if I stop the fwd on the master or uninstall the policy altogether, traffic still is attempting to be passed through the master fw. It doesn't failover. Now I think with Nokia VRRP (IPSO 3.7) and CP HA, this is the way it is supposed to function. However I would like the functionality of having stateful failover in the event the fw service or policy uninstall is done on the master as well. Can this be done without anything extra? What does Nokia clustering do for me? This will give me load balancing and move me to active/active as opposed to active/passive. Maybe this is what I need to do. Any suggestions? -ms -----Original Message----- From: Mailing list for discussion of Firewall-1 [mailto:[EMAIL PROTECTED] On Behalf Of Wayne Ho Sent: Thursday, December 09, 2004 12:41 PM To: [EMAIL PROTECTED] Subject: Re: [FW-1] High Availability and Nokia IPSO Clustering You don't need ClusterXL, VRRP is fine. --- "Stachowicz,Mark" <[EMAIL PROTECTED]> wrote: > If I didn't want to do load sharing, only automatic failover, would > I still need ClusterXL? I currently have VPN-1 Pro gateway licenses > on my Nokias, I assume that for auto failover capabilities I would > need to replace those licenses with the "Additional VPN-1 Pro Gateways > for Load Sharing and High Availability" licenses? Or are these > licenses an add-on to the VPN-1 Pro license I have now? > > I've tried turning on HA with my current licenses and it does > activate, however if I attempt to check status, it returns an error > saying the HA > module is not installed. This is why I think I > need the license for > HA. > > Thanks! > > -ms > > -----Original Message----- > From: Mailing list for discussion of Firewall-1 > [mailto:[EMAIL PROTECTED] > On Behalf Of Will > Zegeer > Sent: Tuesday, December 07, 2004 8:05 AM > To: [EMAIL PROTECTED] > Subject: Re: [FW-1] High Availability and Nokia IPSO Clustering > > CP Cluster XL licenses - either HA or Loadsharing. > When NG first came > out (and in the 4.1/4.0 days), it was very cumbersome and didn't work > well. But now, Post R54 releases work very well and it's very easy to > set up. I suggest Secureplatform with cluster xl and read the cluster > xl pdf. > > -Will > > -----Original Message----- > From: Stachowicz,Mark > [mailto:[EMAIL PROTECTED] > Sent: Mon 12/6/2004 11:25 PM > To: > [EMAIL PROTECTED] > Cc: > Subject: [FW-1] High Availability and Nokia IPSO Clustering > > > > I have two Nokia 710 gateways running IPSO > 3.7 and Checkpoint > NG-AI R54 > (FW-1/VPN-1 Pro). I also have a Solaris > 2.8 management station > that > manages both firewalls. > > I only have Nokia VRRP running now to > failover the firewalls in > the > event of a failure, however this will only > work in the event of > a > hardware failure. This does not help if the > master firewall > software > stops working or the policy fails. > > What are my options for high availability > with my Checkpoint > firewalls > to ensure that I always have a failover? > > Can you also provide licenses that I would > need to purchase? > > Thanks very much in advance.. > > -mark stachowicz > > > > ================================================= > To set vacation, Out-Of-Office, or away > messages, > send an email to > [EMAIL PROTECTED] > in the BODY of the email add: > set fw-1-mailinglist nomail > > ================================================= > To unsubscribe from this mailing list, > please see the instructions at > > http://www.checkpoint.com/services/mailing.html > <https://65.242.83.79/http/0/www.checkpoint.com/services/mailing.html> > > ================================================= > If you have any questions on how to change > your > subscription options, email > [EMAIL PROTECTED] > > ================================================= > > > ================================================= > To set vacation, Out-Of-Office, or away messages, > send an email to [EMAIL PROTECTED] > in the BODY of the email add: > set fw-1-mailinglist nomail > ================================================= > To unsubscribe from this mailing list, > please see the instructions at > http://www.checkpoint.com/services/mailing.html > ================================================= > If you have any questions on how to change your > subscription options, email > [EMAIL PROTECTED] > ================================================= > __________________________________ Do you Yahoo!? Read only the mail you want - Yahoo! Mail SpamGuard. http://promotions.yahoo.com/new_mail ================================================= To set vacation, Out-Of-Office, or away messages, send an email to [EMAIL PROTECTED] in the BODY of the email add: set fw-1-mailinglist nomail ================================================= To unsubscribe from this mailing list, please see the instructions at http://www.checkpoint.com/services/mailing.html ================================================= If you have any questions on how to change your subscription options, email [EMAIL PROTECTED] ================================================= ================================================= To set vacation, Out-Of-Office, or away messages, send an email to [EMAIL PROTECTED] in the BODY of the email add: set fw-1-mailinglist nomail ================================================= To unsubscribe from this mailing list, please see the instructions at http://www.checkpoint.com/services/mailing.html ================================================= If you have any questions on how to change your subscription options, email [EMAIL PROTECTED] =================================================
