Hi,

Does the option <EXTERNAL INTERFACE> in the line

# Enable Proxy Arp
echo 1 > /proc/sys/net/ipv4/conf/<EXTERNAL INTERFACE>/proxy_arp

represent the virtual address of each subnet?

Thanks

-----Original Message-----
From: Mailing list for discussion of Firewall-1 [mailto:[EMAIL PROTECTED] On Behalf Of Mears, Shane
Sent: Friday, April 01, 2005 2:10 AM
To: [email protected]
Subject: Re: [FW-1] Cluster XL

Hi Jason,

I have two Dell SPLAT boxes in HA New Mode. What I did, without going into great detail, to configure and test the cluster is:

1.) Without being connected to the internet in any way, I installed the ANY-to-ANY allow rule.
2.) Placed spare computers in each DMZ and set their default gateway setting to the FW CXL address. I then used ICMP pings, trace routes, net use, ssh, and telnet from each system to the other.
3.) I repeated the above process and failed (1. rebooted, 2. unplugged an interface, 3. member stop in SmartView Status) one firewall at a time to verify that there was no packet loss.
4.) Installed the Rule Base that I preconfigured for production.
5.) Since I am using 10/100/1000 Cisco switches, I set the modules.conf file to only auto-negotiate at 1000/Full:

options <Network Driver Name> Speed=1000,1000,1000,1000,1000,1000,1000,1000,1000 Duplex=0,0,0,0,0,0,0,0,0

6.) Set network routes, host routes, and edited the /etc/ethers file to set up static ARP entries for manual NATting.
7.) Put the following lines at the bottom of the /etc/rc.local file:

# Enable Proxy Arp
echo 1 > /proc/sys/net/ipv4/conf/<EXTERNAL INTERFACE>/proxy_arp
# Set Static ARP entries
arp -f /etc/ethers

8.) Configured the discntd.if file to disable the interfaces I am not using.

One problem I ran into: the Cisco 4500 series switch gave me loads of problems with auto negotiation. However, the Cisco 3750 and 6500 series worked fine.

__________________________________________________________________________

I also did an ICMP ping to the virtual address on the FW cluster and when I reboot the one box there is no drop in ICMP responses, but when I reboot the other there are timeouts until it comes up. With Nokia IP clustering I did not have this problem. Any ideas??

**** Need a little more info on this issue. You are using Load Sharing, which usually requires you to edit the CAM table on the switch for the multicast MAC address of the cluster. Has this been done? ****

__________________________________________________________________________

VPNx is a process that takes advantage of multiple processors for VPN acceleration.

__________________________________________________________________________

Yes: you need to purchase additional licenses for multiprocessor firewalls. I chose not to use the second processor because I wanted to see how well the firewall handled traffic with one. It's fine... Only purchase what you need. It's easy to go back and buy additional licenses to take advantage of additional processors.

__________________________________________________________________________

Also with Nokia IP clustering one could do a cluster safe reboot via http browser page to the virtual address, but if I try to browse to the virtual address via http on secureplat

**** My knowledge of Nokia IP Clustering is limited. But SPLAT has a WebUI that allows you to do some basic configuration changes and reboot the firewall. So if you want to reboot firewall_B you would use its real address, not the clustered one, to reboot it using the WebUI. If you left the WebUI enabled then you would connect to its WebUI using your browser over https. ****

__________________________________________________________________________

In my past life I ran a Checkpoint Load Sharing cluster using StoneBeat. It was a pain in the you know what to implement and manage. That's why I chose the HA New Mode this time around.

Best of luck with your implementation.

Regards,
Shane

-----Original Message-----
From: Mailing list for discussion of Firewall-1 [mailto:[EMAIL PROTECTED] On Behalf Of Jason Cameron
Sent: Thursday, March 31, 2005 3:46 AM
To: [email protected]
Subject: [FW-1] Cluster XL

Hi All,

I have purchased two Sun iForce boxes with SecurePlatform. I have also set up the boxes with ClusterXL in Load Sharing > Multicast. I have tested it via the cphaprob cmds and fw ctl pstat.

Some questions.

1. Is there a procedure or best practice to test load sharing, high availability and failover? I have tested by doing ICMP ping to all interfaces on the subnet. E.g.

Int 1 --- Ping - response - Fw A
Int 1 - Ping - no response - Fw B
Virtual Address - Ping -- response

I also did an ICMP ping to the virtual address on the FW cluster and when I reboot the one box there is no drop in ICMP responses, but when I reboot the other there are timeouts until it comes up. With Nokia IP clustering I did not have this problem. Any ideas??

2. What is VPNx?? How can I implement it and what is its effect on clustering??

I need to get as close as possible with ClusterXL to Nokia's IP clustering - load sharing, high availability and failover. Is there any best practice to test load sharing, high availability and failover??

I also have multiple CPUs; is there a special license for this?

Also with Nokia IP clustering one could do a cluster safe reboot via http browser page to the virtual address, but if I try to browse to the virtual address via http on SecurePlatform I can't get the page..
Any advice?

Thanks

=================================================
To set vacation, Out-Of-Office, or away messages, send an email to [EMAIL PROTECTED] in the BODY of the email add: set fw-1-mailinglist nomail
=================================================
To unsubscribe from this mailing list, please see the instructions at http://www.checkpoint.com/services/mailing.html
=================================================
If you have any questions on how to change your subscription options, email [EMAIL PROTECTED]
=================================================
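As an added example (not code from the thread or from Check Point), this wraps the two rc.local lines from Shane's step 7.) in checks, so a wrong interface name or a malformed /etc/ethers line fails loudly instead of silently leaving proxy ARP off or the static ARP table half-loaded. PROC_ROOT and ETHERS are hypothetical overrides so the checks can be exercised against a scratch directory; the defaults are the paths the thread uses.

```shell
#!/bin/sh
# Added example (not from the thread): Shane's rc.local lines from step 7.)
# with checks. PROC_ROOT and ETHERS are hypothetical overrides so the checks
# can be exercised against a scratch directory; defaults are the thread's paths.
PROC_ROOT="${PROC_ROOT:-/proc/sys/net/ipv4}"
ETHERS="${ETHERS:-/etc/ethers}"
# Turn on proxy_arp for one interface and confirm the kernel took it.
enable_proxy_arp() {
    f="$PROC_ROOT/conf/$1/proxy_arp"
    if [ ! -w "$f" ]; then
        echo "enable_proxy_arp: $f is not writable (wrong interface name?)" >&2
        return 1
    fi
    echo 1 > "$f"
    [ "$(cat "$f")" = "1" ]
}

# Validate an ethers file before 'arp -f' reads it: each non-comment line is
# "<mac> <ip>" and one IP must not be published under two MACs (the same MAC
# on many IPs is normal: manual NAT addresses answer on the firewall's MAC).
check_ethers() {
    awk '
    function valid_mac(m,  p, i) {
        if (split(m, p, ":") != 6) return 0
        for (i = 1; i <= 6; i++) if (p[i] !~ /^[0-9a-f][0-9a-f]?$/) return 0
        return 1
    }
    function valid_ip(a,  p, i) {
        if (split(a, p, ".") != 4) return 0
        for (i = 1; i <= 4; i++) if (p[i] !~ /^[0-9]+$/ || p[i] + 0 > 255) return 0
        return 1
    }
    /^[ \t]*#/ || NF == 0 { next }
    NF != 2 { printf "line %d: expected \"<mac> <ip>\"\n", NR; bad = 1; next }
    { mac = tolower($1) }
    !valid_mac(mac) { printf "line %d: bad MAC %s\n", NR, $1; bad = 1; next }
    !valid_ip($2)   { printf "line %d: bad IP %s\n", NR, $2; bad = 1; next }
    ($2 in seen) && seen[$2] != mac {
        printf "line %d: %s already mapped to %s\n", NR, $2, seen[$2]; bad = 1; next }
    { seen[$2] = mac }
    END { exit bad + 0 }
    ' "${1:-$ETHERS}"
}
# What rc.local calls: refuse a broken table rather than loading half of it.
apply_cluster_arp() {
    enable_proxy_arp "$1" || return 1
    check_ethers "$ETHERS" || return 1
    arp -f "$ETHERS"
}
```

From /etc/rc.local, call apply_cluster_arp with the external interface name (for example eth0): the kernel path under /proc/sys/net/ipv4/conf/ is keyed by interface name, not by an IP address.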
