Hi Shane

Thanks for your help so far. I seem to be battling still with the Load sharing
- multicast option with Cluster XL.

1. Do I need to add static entries for the virtual IP and MAC for all the
switches my fw cluster is connected to? E.g. I can ping the external
and internal virtual addresses but nothing on the other subnets.
2. We have an existing Nokia IP clustering solution where when I do a
static NAT I don't have to do manual arping.
With Cluster XL I do. I am not sure how.
E.g.  Host 1 -- Ext IP 196.122.145.5
               Inter IP 10.111.2.3
Virtual MAC of Cluster 00:ce:dr:ff

In line 7 below:
echo 1 > /proc/sys/net/ipv4/conf/<EXTERNAL INTERFACE>/proxy_arp

- Do I put an address in the "<EXTERNAL INTERFACE>" or by "proxy arp"? What do
I do here??
What about the dynamic arping of the virtual IP addresses?
And is that where the arping for manual natting will go, or a static arp??

And:
Set static ARP entries.
arp -f /etc/ethers

What do I enter here, e.g. external IP of host + virtual MAC??

Basically I am asking how to set up a manual NAT (on the dashboard I
know) but what must I do with the arping?

Thanks in advance




-----Original Message-----
From: Mailing list for discussion of Firewall-1
[mailto:[EMAIL PROTECTED] On Behalf Of Mears,
Shane
Sent: Friday, April 01, 2005 2:10 AM
To: [email protected]
Subject: Re: [FW-1] Cluster XL

Hi Jason,

I have two Dell SPLAT boxes in HA New Mode. What I did, without going
into great detail, to configure and test the cluster is:

1.) Without being connected to the internet in any way I installed the
ANY-to-ANY allow rule.
2.) Placed spare computers in each DMZ and set their default gateway
setting to the fw CXL address. I then used ICMP pings, traceroutes, net
use, ssh, and telnet from each system to the other.
3.) I repeated the above process and failed (1. rebooted 2. unplugged an
interface 3. member stop in SmartView Status) one firewall at a time to
verify that there was no packet loss.
4.) Installed the Rule Base that I preconfigured for production.
5.) Since I am using 10/100/1000 Cisco switches I set the modules.conf
file to only auto-negotiate at 1000/Full:
        options <Network Driver Name> Speed=1000,1000,1000,1000,1000,1000,1000,1000,1000 Duplex=0,0,0,0,0,0,0,0,0
6.) Set network routes, host routes, and edited the /etc/ethers file to
set up static ARP entries for manual natting.
7.) Put the following lines at the bottom of the /etc/rc.local file:
        # Enable Proxy Arp
        echo 1 > /proc/sys/net/ipv4/conf/<EXTERNAL INTERFACE>/proxy_arp

        # Set Static ARP entries
        arp -f /etc/ethers
8.) Configured the discntd.if file to disable the interfaces I am not
using.

One problem I ran into:
The Cisco 4500 series switch gave me loads of problems with auto
negotiation. However the Cisco 3750 and 6500 series worked fine.
__________________________________________________________________________
I also did an ICMP ping to the virtual address on the FW cluster and
when I reboot the one box there is no drop in ICMP responses but when I
reboot the other there are timeouts until it comes up. With Nokia IP
clustering I did not have this problem. Any ideas??
****
Need a little more info on this issue. You are using Load Sharing, which
usually requires you to edit the CAM table on the switch for the
multicast MAC address of the cluster. Has this been done?
****
__________________________________________________________________________

VPNx is a process that takes advantage of Multiple Processors for VPN
acceleration
__________________________________________________________________________

Yes: you need to purchase additional licenses for multiprocessor
firewalls. I chose not to use the second processor because I wanted to
see how well the firewall handled traffic with one. It's fine... Only
purchase what you need. It's easy to go back and buy additional licenses
to take advantage of additional processors.
__________________________________________________________________________
Also with Nokia IP clustering one could do a cluster safe reboot via
http browser page to the virtual address but if I try to browse to the
virtual address via http on Secureplat
****
My knowledge of Nokia IP Clustering is limited. But SPLAT has a webui
that allows you to do some basic configuration changes and reboot the
firewall. So if you want to reboot firewall_B you would use its real
address, not the clustered one, to reboot it using the webui. If you left
the webui enabled then you would connect to its webui using your
browser over https.
****
__________________________________________________________________________

In my past life I ran a Checkpoint Load Sharing Cluster using StoneBeat.
It was a pain in the you know what to implement and manage. That's why I
chose HA New Mode this time around.

Best of luck with your implementation.

Regards,
Shane
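Shane's steps 6 and 7 above, and Jason's question about what goes into /etc/ethers, as an added example that is not code from either post: a small sh script that validates each "IP MAC" pair before the ARP file is written, names the proxy_arp sysctl file for a given interface, and loads the entries the way rc.local does. It assumes net-tools `arp -f` reads "<host> <hwaddr>" lines as documented in arp(8); the interface name, IPs and MACs passed to these functions are constructed placeholders.

```shell
#!/bin/sh
# Added example, not from the thread: build and load the static ARP file and
# proxy_arp setting behind Shane's rc.local steps 6 and 7.
# Assumption: net-tools `arp -f` reads "<host> <hwaddr>" lines (arp(8)).
# Interface names, IPs and MACs given to these functions are placeholders.

# Print a validated "<ip> <mac>" line, or fail. Catches a typo such as
# "00:ce:dr:ff" before arp -f rejects it at boot, when nobody is watching.
ethers_entry() {
    ip="$1"; mac="$2"
    printf '%s' "$ip" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$' ||
        { echo "bad IPv4 address: $ip" >&2; return 1; }
    printf '%s' "$mac" | grep -Eiq '^([0-9a-f]{2}:){5}[0-9a-f]{2}$' ||
        { echo "bad MAC address: $mac" >&2; return 1; }
    printf '%s %s\n' "$ip" "$mac"
}

# The sysctl file step 7 writes to, with the real interface name filled in
# for "<EXTERNAL INTERFACE>".
proxy_arp_path() {
    printf '/proc/sys/net/ipv4/conf/%s/proxy_arp\n' "$1"
}

# Write the ARP file from "ip mac" pairs given as arguments. Any bad pair
# aborts and leaves the existing file untouched.
write_ethers() {
    file="$1"; shift
    : > "$file.tmp"
    while [ $# -ge 2 ]; do
        ethers_entry "$1" "$2" >> "$file.tmp" ||
            { rm -f "$file.tmp"; return 1; }
        shift 2
    done
    mv "$file.tmp" "$file"
}

# Boot-time apply (root): enable proxy ARP on the external interface, load
# the entries, then show what the kernel actually holds so it can be
# compared against the file. Usage: sh this.sh apply eth0 /etc/ethers
apply_arp() {
    iface="$1"; file="$2"
    [ -d "/sys/class/net/$iface" ] ||
        { echo "no such interface: $iface" >&2; return 1; }
    echo 1 > "$(proxy_arp_path "$iface")"
    arp -f "$file" && arp -an
}
case "${1:-}" in
    apply) shift; apply_arp "$@" ;;
esac
```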



-----Original Message-----
From: Mailing list for discussion of Firewall-1
[mailto:[EMAIL PROTECTED] On Behalf Of Jason
Cameron
Sent: Thursday, March 31, 2005 3:46 AM
To: [email protected]
Subject: [FW-1] Cluster XL



Hi All,

I have purchased two Sun-iforce boxes with Secureplatform. I have also
set up the boxes with ClusterXL in Load sharing > Multicast.

I have tested it via the cphaprob cmds and fw ctl pstat.

Some questions.

1.      Is there a procedure or best practice to test Load sharing, high
availability and failover? I have tested by doing ICMP ping to all
interfaces on subnet.

E.g.  int 1 --- Ping - response - Fw A

Int 1 - ping - no response - Fw B

Virtual Address - Ping -- response

I also did an ICMP ping to the virtual address on the Fw cluster and
when I reboot the one box there is no drop in ICMP responses but when I
reboot the other there are timeouts until it comes up. With Nokia IP
clustering I did not have this problem. Any ideas??

2.      What is vpnx?? How can I implement it and what is its effect
on clustering??

I need to get as close as possible with ClusterXL to Nokia's IP
clustering - Load sharing, high availability and failover.

Is there any best practice to test Load sharing, high availability and
failover??

I also have multiple CPUs; is a special license needed for this?

Also with Nokia IP clustering one could do a cluster safe reboot via
http browser page to the virtual address but if I try to browse to the
virtual address via http on Secureplat

I can't get the page.. Any advice?

Thanks






=================================================
To set vacation, Out-Of-Office, or away messages,
send an email to [EMAIL PROTECTED]
in the BODY of the email add:
set fw-1-mailinglist nomail
=================================================
To unsubscribe from this mailing list,
please see the instructions at
http://www.checkpoint.com/services/mailing.html
=================================================
If you have any questions on how to change your
subscription options, email
[EMAIL PROTECTED]
=================================================