Just got finished trying to make some topology changes
on a firewall cluster. Note "trying." Had some problems
that kept me from finishing in the maintenance window.
I think I have workarounds for these R60 clusters and
SmartCenter, but I was wondering if anyone can confirm
or deny whether these issues are fixed in later versions.
Automated topology downloads don't understand gateways
on directly connected networks that aren't local to the
interface IP. For example (on a Solaris box), I've got an
interface with a network and IP of 192.168.100.193/28,
and the network 192.168.100.120/29 is directly connected,
# route add -net 192.168.100.120 -netmask 255.255.255.248 192.168.100.193 -iface
Now there are a bunch of networks routed through a gateway
on that network,
# route add -net 10.2.3.0 -netmask 255.255.255.0 192.168.100.121
But an automated topology download doesn't understand that
10.2.3.0/24 is off of that interface. The networks just get
ignored.
The next problem is with anti-spoofing choosing the most
specific route. This is the most annoying. It makes automated
topology downloads useless. If I have the network 172.16.0.0/15
off of one interface, but any subnets, even one host 172.16.45.6,
from that network off of another, I can't do automated downloads.
Although this is trivial to do for routing,
# route add -net 172.16.0.0 -netmask 255.254.0.0 192.168.100.121
# route add 172.16.45.6 192.168.200.1
It doesn't work in the topology. I need to break down the supernet
into all of the smaller components necessary to specify the networks
with no overlap,
172.16.0.0/19
172.16.32.0/21
172.16.40.0/22
172.16.44.0/24
172.16.45.0/30
172.16.45.4/31
--> 172.16.45.6/32 <-- Here it is!
172.16.45.7/32
172.16.45.8/29
172.16.45.16/28
172.16.45.32/27
172.16.45.64/26
172.16.45.128/25
172.16.46.0/23
172.16.48.0/20
172.16.64.0/18
172.16.128.0/17
172.17.0.0/16
Which, as shown, can be very, very painful.
Anyone know if these are fixed in any versions >R60?
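The breakdown listed above can be produced mechanically instead of by hand. The following is an added example, not code from the original post or from Check Point; it relies only on Python's standard ipaddress module (3.7 or later) and goes slightly beyond the post by accepting several carve-out prefixes at once.

```python
import ipaddress
from typing import Iterable, List

def split_supernet(supernet: str, carve_outs: Iterable[str]) -> List[ipaddress.IPv4Network]:
    """Subnets covering `supernet` minus every prefix in `carve_outs`.

    This is the non-overlapping list that has to go into an interface's
    topology when a more specific route for part of the supernet lives
    off another interface.
    """
    remaining = [ipaddress.ip_network(supernet)]
    for carve in carve_outs:
        carve_net = ipaddress.ip_network(carve)
        kept = []
        for net in remaining:
            if carve_net.subnet_of(net):
                # Yields the "other half" at each prefix length down to the
                # carve-out (nothing when carve_net == net, dropping the piece).
                kept.extend(net.address_exclude(carve_net))
            elif net.subnet_of(carve_net):
                continue  # piece lies wholly inside the carve-out: drop it
            else:
                kept.append(net)  # disjoint: untouched
        remaining = kept
    # Merge adjacent pieces (possible after several carve-outs) and sort.
    return list(ipaddress.collapse_addresses(remaining))

def covers_exactly(supernet: str, carve_outs: Iterable[str],
                   pieces: Iterable[ipaddress.IPv4Network]) -> bool:
    """Check: no piece overlaps a carve-out, and pieces + carve-outs rebuild the supernet."""
    top = ipaddress.ip_network(supernet)
    pieces = list(pieces)
    inside = []
    for c in (ipaddress.ip_network(c) for c in carve_outs):
        if c.subnet_of(top):
            inside.append(c)
        elif top.subnet_of(c):
            inside.append(top)  # carve-out swallows the whole supernet
    if any(p.overlaps(c) for p in pieces for c in inside):
        return False
    return list(ipaddress.collapse_addresses(pieces + inside)) == [top]

if __name__ == "__main__":
    # The post's case: 172.16.0.0/15 on one interface, host 172.16.45.6 off another.
    pieces = split_supernet("172.16.0.0/15", ["172.16.45.6/32"])
    for p in pieces:
        print(p)
    print(len(pieces), "subnets;", "consistent" if covers_exactly("172.16.0.0/15", ["172.16.45.6/32"], pieces) else "BROKEN")
```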