This configuration will not work. There is much more complexity involved
here than in a regular VRRP config involving simple Layer 3 devices in which
they can back up each other. The first issue is that FireWall-1 has few
dealings with virtual interfaces. Secondly, there is so much dependence upon
IP addresses and IPSec SAs, objects database, etc. that a firewall module
will be limited to servicing only one virtual router. There are other
reasons, but I think you get the idea.

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]
Sent: Friday, June 08, 2001 9:09 AM
To: [EMAIL PROTECTED]; [EMAIL PROTECTED]
Subject: RE: [FW1] Cluster Gateway definition


Thank you, but I need more; I can't find anything in the notes. Take this
VRRPmc example.

Each fw has 6 virtual IPs, which means creating 6 Gateway Clusters; each
interface has two virtual IPs for load sharing. How does one make the
firewall a member of all these 6 clusters (impossible)? In theory this
design is sound, I just can't get it right on the rulebase. How do I create
these gw clusters? The fwclean is connected to the internal network, fwnet
connects to the Internet and fwdmz is connected to the DMZ.




        |fwnet                                   |fwnet2
 _______|_______                          _______|_______
|               | fwclean1      fwclean2 |               |
|               |---------      ---------|               |
|               |                        |               |
|_______________|                        |_______________|
        |fwdmz1                                  |fwdmz2
        |                                        |

fwnet1                                   fwnet2
ip 10.0.0.1 (real IP)                    ip 10.0.0.2
    vr1  10.0.0.3     priority=50            vr1  10.0.0.4     p=50
    vr2  10.0.0.4     priority=40            vr2  10.0.0.3     p=40
fwclean1                                 fwclean1
ip 192.168.0.1                           ip 192.168.0.2
    vr3  192.168.0.3  priority=50            vr4  192.168.0.4  p=50
    vr4  192.168.0.4  priority=40            vr3  192.168.0.3  p=40
fwdmz1                                   fwdmz1
ip 172.134.0.1                           ip 172.134.0.2
    vr5  172.134.0.3  priority=50            vr6  172.134.0.4  p=50
    vr6  172.134.0.4  priority=40            vr5  172.134.0.3  p=40


Should I create the Cluster Gateways (CGr1, CGr2....CGr6) objects as a
workstation using the six virtual IPs (vr1, vr2...vr6) for each firewall?
Or, instead of creating (CGr1....CGr6) as above, should I just create
(CGr1 & CGr2), defined with all the virtual IP addresses of both firewalls?

In this example the second option of defining CGr1, CGr2....CGr6 means I
have to install on six cluster gateways. Is this the way?

In this design the devices can use any of the two virtual IPs as their
default gateway.



