Title: RE: [FW1] Nokia failover
The reason why IPSO does not respond to network connections that terminate
at a VRRP IP Address is because the implementation of VRRP adheres to
RFC 2338.
 
As Scott McMeekin has noted, IPSO is evolving at a fast rate and an RFE has
been submitted regarding this issue. Not only would it be useful to be able to
query the virtual firewall in order to determine which physical firewall is currently
the master, but the ability for IPSO to accept network connections which terminate
at a VRRP IP address would support the use of the Nokia Applications platform for
any other mission critical application for which HA would be justifiable.
 
Given that a security enforcement perimeter consists of firewalls, IDSs, anti-virus
servers, etc... one would think that it is not only the firewall for which we would want
a backup system.
 
I am looking forward to the next release of IPSO which may include a Network Voyager
switch within the VRRP configuration page which basically enables IPSO to accept
these connections.
 
Jerald Josephs
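To make the RFC 2338 behaviour behind the first paragraph concrete, here is an added example (not code from this thread, from Nokia IPSO or from Check Point). It models a two-box VRRP group: master election from priorities, the Master_Down_Interval timer that drives failover, and the RFC 2338 rule that a master answers ARP for the VIP but does not accept packets addressed to it unless it is the address owner (priority 255), which is why a ping or a management connection to the VIP goes unanswered. The addresses, priorities and router names are constructed for the example.

```python
"""VRRP (RFC 2338) model: master election, failover timers and the rule that
decides which packets a router will answer for the virtual IP (VIP).

Added example for this thread; not code from the mailing list, Nokia IPSO or
Check Point. All addresses, priorities and router names below are constructed.
"""
from dataclasses import dataclass
from ipaddress import ip_address

OWNER_PRIORITY = 255            # RFC 2338 5.3.4: the VIP's real owner advertises 255
DEFAULT_ADVERT_INTERVAL = 1.0   # seconds; RFC 2338 default Advertisement_Interval


def skew_time(priority: int) -> float:
    """RFC 2338 6.1: Skew_Time = (256 - Priority) / 256 seconds."""
    return (256 - priority) / 256


def master_down_interval(priority: int,
                         advert_interval: float = DEFAULT_ADVERT_INTERVAL) -> float:
    """RFC 2338 6.1: Master_Down_Interval = 3 * Advertisement_Interval + Skew_Time.
    A backup declares the master dead once this many seconds pass without an
    advertisement, so higher-priority backups take over first."""
    return 3 * advert_interval + skew_time(priority)


@dataclass
class VrrpRouter:
    name: str                 # the physical box (what the thread wants to query)
    real_ip: str              # the router's own interface address
    priority: int             # 1..254 for backups, 255 only for the address owner
    vip: str = "192.0.2.1"    # constructed virtual IP shared by the group
    state: str = "Initialize"
    alive: bool = True

    @property
    def is_owner(self) -> bool:
        return self.priority == OWNER_PRIORITY


def elect_master(routers):
    """Election as the backups see it from advertisements (RFC 2338 6.4.2/6.4.3):
    highest priority among live routers wins, ties go to the higher primary IP.
    Returns the physical router that currently answers ARP for the VIP."""
    live = [r for r in routers if r.alive]
    if not live:
        return None
    winner = max(live, key=lambda r: (r.priority, int(ip_address(r.real_ip))))
    for r in routers:
        if not r.alive:
            r.state = "Initialize"
        else:
            r.state = "Master" if r is winner else "Backup"
    return winner


def answers(router: VrrpRouter, dst_ip: str, arp: bool = False) -> bool:
    """Whether this router will respond to a frame for dst_ip.

    RFC 2338 6.4.3 (Master): MUST respond to ARP for the VIP and forward traffic
    sent to the virtual MAC, but MUST NOT accept packets addressed to the VIP
    unless it is the address owner. Backups (6.4.2) MUST NOT answer ARP for the
    VIP and MUST discard packets addressed to it."""
    if dst_ip == router.real_ip:
        return True                         # its own address is always answered
    if dst_ip != router.vip or router.state != "Master":
        return False                        # backups stay silent for the VIP
    return True if arp else router.is_owner  # ICMP/TCP to the VIP: owner only


def failover(routers, failed_name: str):
    """Mark one router dead and re-run the election. Returns the new master's
    name and how long the takeover takes (the new master's Master_Down_Interval)."""
    for r in routers:
        if r.name == failed_name:
            r.alive = False
    new_master = elect_master(routers)
    if new_master is None:
        return None, None
    return new_master.name, master_down_interval(new_master.priority)


def demo():
    # Constructed firewall pair: neither box owns the VIP (no priority 255),
    # which is the usual HA layout the thread is about.
    fw_a = VrrpRouter("fw-a", "192.0.2.10", priority=254)
    fw_b = VrrpRouter("fw-b", "192.0.2.11", priority=100)
    pair = [fw_a, fw_b]
    master = elect_master(pair)
    print(f"master: {master.name} ({fw_a.state}/{fw_b.state})")
    print("ARP for VIP answered by master:", answers(master, master.vip, arp=True))
    print("ICMP echo to VIP answered by master:", answers(master, master.vip))
    print("ICMP echo to master's real IP:", answers(master, master.real_ip))
    new_name, takeover = failover(pair, "fw-a")
    print(f"after fw-a fails: {new_name} becomes master in ~{takeover:.3f} s")
    return master.name, new_name, takeover


if __name__ == "__main__":
    demo()
```

The practical consequence for monitoring is visible in `demo()`: to learn which physical box is master you have to query the real interface addresses (the `real_ip` branch of `answers`), because the VIP itself is silent on a non-owner master, and the takeover delay is the lower-priority box's Master_Down_Interval, roughly 3.6 s at priority 100 with the default one-second advertisement interval.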
----- Original Message -----
From: Paul Keser
Sent: Tuesday, May 23, 2000 3:53 PM
Subject: RE: [FW1] Nokia failover

When I was at Nokia we had a few customer requests for that feature.

The whole point is that it does tell you something is there: not necessarily what you think is there, but something is responding. For troubleshooting purposes I could see it being useful to be able to ping or traceroute to the VIP.

-PaulK

*********************************************
Paul Keser
Network Security Engineer
[EMAIL PROTECTED]
tel:   415.351.4037
fax:  415.474.6017

ShopExpert.com
1375 Sutter Street, Suite 400
San Francisco, CA  94109
*********************************************


> -----Original Message-----
> From: Rogue Bolo [mailto:[EMAIL PROTECTED]]
> Sent: Tuesday, May 23, 2000 3:46 PM
> To: Paul Keser; 'McMeekin, Scott'; 'hermit1';
> [EMAIL PROTECTED]
> Subject: RE: [FW1] Nokia failover
>
>
> Why would you want to ping a virtual anything? It
> tells you nothing about any piece of hardware, only
> that something is responding to ICMP requests.
>
> --- Paul Keser <[EMAIL PROTECTED]> wrote:
> > There's no reason it couldn't.  All that is
> > necessary is to either change
> > the RFC or break it...There are definitely times
> > where pinging the VIP would
> > be very useful.
> >
> > -PaulK
> >
> >
> > > Well we're in the realms of academic discussion here, but since it's
> > > pertinent to fw-1 (sort-of), I'll continue. In an MC setup, say you have a
> > > primary and a secondary firewall participating in VRRP across the same
> > > subnet. The primary firewall will effectively "own" or handle all ARP
> > > requests for the virtual IP, it routes all traffic for the VIP, so why can't
> > > it respond to pings?
> >
>
