----- Original Message -----
From: "vijay" <[EMAIL PROTECTED]>
To: "'Fw-1-Mailinglist (E-mail)" <[EMAIL PROTECTED]>
Sent: Friday, June 02, 2000 2:45 PM
Subject: [FW1] FW-1 checkpoint, Nokia HA query
> > Hello All
> >
> > Can anyone guide me how the Nokia or Checkpoint High availability
> > works? Here is the network connectivity.
> >
> > Internet----Switch ----Checkpoint A--- Switch----LAN
> > -----Checkpoint B---
> >
> > Both Checkpoints are connected to one switch. Objective is if
> > one Checkpoint server fails, the other has to take over.
>
The Nokia HA solution utilizes VRRP.

We have seen Ethernet switches get confused when the virtual IP address
moves from one port on the switch to another port on the switch. In general,
one might avoid running VRRP across switches.

> > In the IP addressing, I need to know
> >
> > a. If I have to configure different IP address for external and
> > internal interfaces?
On one firewall platform? Or, do you mean that you need unique IP
addresses for both of the firewalls?

You need both of the Nokia firewalls to have uniquely addressable IP
addresses on each network segment they are connected to. You then use VRRP
to bring into existence a virtual IP address that you may perceive as a
virtual router. This virtual router will be associated with one of the
physical firewalls, with the second physical firewall configured to be a
backup of the virtual IP address.

> > (If yes, do I need to have 2 copies of checkpoint?) If not how
> > the IP addressing is done?
Yes, both firewalls will need to be licensed separately.

> >
> > b. If one Checkpoint server fails how will the second
> > server take over?
VRRP, RFC 2338
> >
> > c. If I am using Nokia box for High availability, will there be
> > any issues if I run protocols like OSPF?
> >
If you are intending to run OSPF in your environment and you want to enable
OSPF on your Nokia firewalls, then it is possible that you will not need to
run VRRP for a basic HA configuration. However, if your configuration
includes HA for VPNs, and you are running FW-1 4.1 SP1, then VRRP will be
required to support the use of the Gateway Cluster object, which you may
consider to be a virtual firewall, which is then associated with the virtual
router supported by VRRP.

--- Jerald Josephs
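
Added example, not part of the original message or of any Nokia or Check Point code: a small Python model of the RFC 2338 rules the reply points to, showing which of two firewalls holds the virtual router, which one takes over on failure and how long that takes, and the virtual MAC address that moves between switch ports. The router names, 192.0.2.x addresses, priorities and VRID are constructed for illustration.

```python
from ipaddress import IPv4Address
from typing import List, NamedTuple, Optional, Tuple


class Router(NamedTuple):
    name: str          # hypothetical firewall name
    primary_ip: str    # the firewall's own unique address on the segment
    priority: int      # RFC 2338: 1-254 for backups, 255 for the address owner


def virtual_mac(vrid: int) -> str:
    """MAC used by the virtual router (RFC 2338): 00-00-5E-00-01-{VRID}."""
    if not 1 <= vrid <= 255:
        raise ValueError("VRID must be in 1..255")
    return f"00-00-5E-00-01-{vrid:02X}"


def master_down_interval(priority: int, advert_interval: float = 1.0) -> float:
    """Seconds of silence from the master before a backup takes over."""
    skew_time = (256 - priority) / 256
    return 3 * advert_interval + skew_time


def elect_master(routers: List[Router]) -> Optional[Router]:
    """Highest priority wins; a tie goes to the numerically higher primary IP."""
    if not routers:
        return None
    return max(routers, key=lambda r: (r.priority, int(IPv4Address(r.primary_ip))))


def failover(routers: List[Router], failed_name: str,
             advert_interval: float = 1.0) -> Tuple[Optional[Router], Optional[float]]:
    """Return the router that takes over and how long it waits before doing so."""
    survivors = [r for r in routers if r.name != failed_name]
    new_master = elect_master(survivors)
    if new_master is None:
        return None, None
    return new_master, master_down_interval(new_master.priority, advert_interval)


if __name__ == "__main__":
    # Constructed sample: two firewalls backing up one virtual router (VRID 1).
    pair = [Router("fw-a", "192.0.2.2", 254), Router("fw-b", "192.0.2.3", 100)]
    print("master:", elect_master(pair).name, "virtual MAC:", virtual_mac(1))
    successor, delay = failover(pair, "fw-a")
    print(f"after fw-a fails: {successor.name} takes over within {delay:.3f} s")
```

When the backup takes over it begins sourcing traffic from the same virtual MAC, so the switch has to relearn that address on a different port.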
