[VRRP HA on IPSO 3.7.1 does not fail over on cpstop]

>> Now I think with Nokia VRRP (IPSO 3.7) and CP HA, this is the way it is supposed to function.

Indeed.

>> However I would like the functionality of having stateful failover in the event the fw service or policy uninstall is done on the master as well.

Not so sure about the policy uninstall, but you can get the "monitor firewall services running" functionality with IPSO 3.8(.1) and R55p. Note you need to move to R55p on the enforcement point, though; R55 is not supported on IPSO 3.8(.1).

>> What does Nokia clustering do for me? This will give me load balancing and move me to active/active as opposed to active/passive. Maybe this is what I need to do.

I highly recommend against that. IP Clustering adds a ton of complexity, and unless you have a very good reason to use it, don't. Also, IP Clustering really gets useful with IPSO 3.8 and up - in 3.7.1 there's just too many "rough edges" to it still.

In a nutshell, a good guideline is: "If you have so many VPN connections that your box can't handle them even though you use a hardware crypto accelerator; _and_ your boxes are beefy enough to benefit from load-balancing without the overhead eating the performance gain right back up again (*), then use IP Clustering".

(*) Beefy enough used to be defined as IP530 and up. Not sure about IP380 - I'd wager they have enough "oomph" to benefit from LB in "heavy VPN traffic" situations too, but I haven't seen hard data either way.

-----Original Message-----
From: Mailing list for discussion of Firewall-1 [mailto:[EMAIL PROTECTED] On Behalf Of Wayne Ho
Sent: Thursday, December 09, 2004 12:41 PM
To: [EMAIL PROTECTED]
Subject: Re: [FW-1] High Availability and Nokia IPSO Clustering

You don't need ClusterXL, VRRP is fine.

--- "Stachowicz,Mark" <[EMAIL PROTECTED]> wrote:

> If I didn't want to do load sharing, only automatic failover, would I still need ClusterXL? I currently have VPN-1 Pro gateway licenses on my Nokias, I assume that for auto failover capabilities I would need to replace those licenses with the "Additional VPN-1 Pro Gateways for Load Sharing and High Availability" licenses? Or are these licenses an add-on to the VPN-1 Pro license I have now?
>
> I've tried turning on HA with my current licenses and it does activate, however if I attempt to check status, it returns an error saying the HA module is not installed. This is why I think I need the license for HA.
>
> Thanks!
>
> -ms
>
> -----Original Message-----
> From: Mailing list for discussion of Firewall-1 [mailto:[EMAIL PROTECTED] On Behalf Of Will Zegeer
> Sent: Tuesday, December 07, 2004 8:05 AM
> To: [EMAIL PROTECTED]
> Subject: Re: [FW-1] High Availability and Nokia IPSO Clustering
>
> CP Cluster XL licenses - either HA or Loadsharing. When NG first came out (and in the 4.1/4.0 days), it was very cumbersome and didn't work well. But now, Post R54 releases work very well and it's very easy to set up. I suggest Secureplatform with cluster xl and read the cluster xl pdf.
>
> -Will
>
> -----Original Message-----
> From: Stachowicz,Mark [mailto:[EMAIL PROTECTED]
> Sent: Mon 12/6/2004 11:25 PM
> To: [EMAIL PROTECTED]
> Cc:
> Subject: [FW-1] High Availability and Nokia IPSO Clustering
>
> I have two Nokia 710 gateways running IPSO 3.7 and Checkpoint NG-AI R54 (FW-1/VPN-1 Pro). I also have a Solaris 2.8 management station that manages both firewalls.
>
> I only have Nokia VRRP running now to failover the firewalls in the event of a failure, however this will only work in the event of a hardware failure. This does not help if the master firewall software stops working or the policy fails.
>
> What are my options for high availability with my Checkpoint firewalls to ensure that I always have a failover?
>
> Can you also provide licenses that I would need to purchase?
>
> Thanks very much in advance..
>
> -mark stachowicz
>
> =================================================
> To set vacation, Out-Of-Office, or away messages,
> send an email to [EMAIL PROTECTED]
> in the BODY of the email add:
> set fw-1-mailinglist nomail
> =================================================
> To unsubscribe from this mailing list,
> please see the instructions at
> http://www.checkpoint.com/services/mailing.html
> <https://65.242.83.79/http/0/www.checkpoint.com/services/mailing.html>
> =================================================
> If you have any questions on how to change your
> subscription options, email
> [EMAIL PROTECTED]
> =================================================
