Hi,
First, I would recommend that you set up non-eval licenses; this can be a
good reason for your strange behaviour.
Regarding the SIC issue, we have the following setup:
- 2-node NGX R65 Cluster ( Forwarding Mode / Static work assignment ) with
public IP addresses as the main IPs
- Smartcenter NGX R65 in a management network with its default gateway set to
the cluster's IP address in the management network.
We also have problems with SIC establishment and/or maintenance if we
leave this setup without specific routes to the external gateways' IPs through
the gateways' IPs in the management network.
We solve this issue by setting up two routes on the Smartcenter server so
that traffic to the external IP of each gateway gets routed through the
same gateway.
Example:

Cluster
  External IP 1.1.1.1 ( configured as cluster main IP in the Smartcenter cluster setup )
  Internal IP 10.10.10.1
Node 1
  External IP 1.1.1.2 ( configured as node 1 main IP in the Smartcenter cluster setup )
  Internal IP 10.10.10.2
Node 2
  External IP 1.1.1.3 ( configured as node 2 main IP in the Smartcenter cluster setup )
  Internal IP 10.10.10.3
Smartcenter in internal network:
  IP: 10.10.10.4
  Default Gateway: 10.10.10.1
  Route 1.1.1.2 via 10.10.10.2
  Route 1.1.1.3 via 10.10.10.3
I always have to set it up this way if I don't want to have problems with the
communication between the Smartcenter and the Enforcement modules, but I
cannot explain why it is this way; I think it is related to local
interface address spoofing. Does somebody else have this same setup
and/or behaviour? Is this normal, or am I missing something?
PS: I just remembered another case related to SIC problems, and it was
due to localhost not being defined locally on the gateways in the
/etc/hosts file (?)
Regards !
Eric Janz
cisco4ng <[EMAIL PROTECTED]>
Sent by: Mailing list for discussion of Firewall-1 <[email protected]>
16/05/2008 14:25
Please respond to: Mailing list for discussion of Firewall-1 <[email protected]>
To: [email protected]
cc:
Subject: [FW-1] Checkpoint SIC trouble. Urgent help please!!!!
Have a situation:
a pair of IBM 3650 dual quad-core processors 3.16 GHz with 4GB RAM
running in ClusterXL Active/Active Unicast mode. The Checkpoint
software is NGx R65 2.6 kernel.
This firewall pair is being managed by Provider-1 NGx R65 2.4 kernel
with HFA_02 running on a Dell 2850 dual processors 3.06 GHz with 8GB RAM.
Logs on the firewalls are being sent to a Provider-1 MLM and a standalone
CLM.
Provider-1 is NGx R65 with HFA_02 on 2.4 kernel. The stand-alone CLM
is NGx R65 2.6 kernel on a Dell 2950-III box.
Everything is running Checkpoint 30-day eval licenses.
I have about 300 rules in the security policy. I pushed policy to the
pair of firewalls. Everything is working fine and I get no errors when
pushing policy to the firewall.
I have a couple of QoS rules in the QoS policy. I see NO errors when
pushing policy to the firewalls.
At this point I start pushing about 900Mbps between the Iperf
client/server through the firewall.
Here are two issues I have:
1- In SmartView Monitor, it tells me that I have NO QoS policy installed
on gw1 and gw2,
2- After every two hours, I lose SIC either to the gw1 or gw2 firewall.
I verified this by performing "test SIC" in the cluster members. When
I pushed policy to the firewall, it tells me that policy push failed
either to gw1 or gw2 member. The only way for me to fix is to re-SIC
and reboot the firewall and re-establish SIC with the Provider-1 CMA.
Is this a bug in Checkpoint or something? My setup is a very simple one.
Comment anyone? Thanks.
=================================================
To set vacation, Out-Of-Office, or away messages,
send an email to [EMAIL PROTECTED]
in the BODY of the email add:
set fw-1-mailinglist nomail
=================================================
To unsubscribe from this mailing list,
please see the instructions at
http://www.checkpoint.com/services/mailing.html
=================================================
If you have any questions on how to change your
subscription options, email
[EMAIL PROTECTED]
=================================================
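
The routing workaround described in the reply above can be checked mechanically. The following is an added example, not part of the original thread: it does a longest-prefix match over a `netstat -rn`-style table and reports any cluster member whose main IP is not reached through that member's own management-network address. The IP addresses come from the post; the /24 mask, the `eth0` interface name and the table text are constructed assumptions.

```python
import ipaddress

# Constructed routing tables for the Smartcenter (10.10.10.4) in the post.
# The 255.255.255.0 mask and eth0 are assumptions; the post does not give them.
ROUTES_WITH_HOST_ROUTES = """\
Destination     Gateway         Genmask         Flags Iface
1.1.1.2         10.10.10.2      255.255.255.255 UGH   eth0
1.1.1.3         10.10.10.3      255.255.255.255 UGH   eth0
10.10.10.0      0.0.0.0         255.255.255.0   U     eth0
0.0.0.0         10.10.10.1      0.0.0.0         UG    eth0
"""
ROUTES_DEFAULT_ONLY = """\
Destination     Gateway         Genmask         Flags Iface
10.10.10.0      0.0.0.0         255.255.255.0   U     eth0
0.0.0.0         10.10.10.1      0.0.0.0         UG    eth0
"""
# member name -> (main IP defined in the cluster object, management-side IP)
MEMBERS = {"node1": ("1.1.1.2", "10.10.10.2"),
           "node2": ("1.1.1.3", "10.10.10.3")}
ON_LINK = ipaddress.ip_address("0.0.0.0")

def parse_routes(text):
    """Return [(network, gateway)] from a netstat -rn style table."""
    routes = []
    for line in text.splitlines()[1:]:          # skip the header row
        fields = line.split()
        if len(fields) < 3:
            continue
        dest, gw, mask = fields[:3]
        routes.append((ipaddress.ip_network(f"{dest}/{mask}"),
                       ipaddress.ip_address(gw)))
    return routes

def next_hop(routes, target):
    """Longest-prefix match; a 0.0.0.0 gateway means directly connected."""
    addr = ipaddress.ip_address(target)
    matches = [r for r in routes if addr in r[0]]
    if not matches:
        return None
    _, gw = max(matches, key=lambda r: r[0].prefixlen)
    return addr if gw == ON_LINK else gw

def check_sic_paths(route_text, members):
    """Map member name -> actual next hop where it is not the member itself."""
    routes = parse_routes(route_text)
    problems = {}
    for name, (main_ip, mgmt_ip) in members.items():
        hop = next_hop(routes, main_ip)
        if hop != ipaddress.ip_address(mgmt_ip):
            problems[name] = str(hop)
    return problems

if __name__ == "__main__":
    print("with host routes:", check_sic_paths(ROUTES_WITH_HOST_ROUTES, MEMBERS))
    print("default only:   ", check_sic_paths(ROUTES_DEFAULT_ONLY, MEMBERS))
```

With only the default route, both members' main IPs resolve to the cluster address 10.10.10.1, which is the condition the two host routes are there to avoid.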