I have a client with this config except on the inside interface,
we have VRRP on 3 interfaces. The inside interface was facing
an ATM network, so we could not establish the VRRP circuit earlier.
Recently, the client switched to a Cisco network and switch. We turned
on VRRP on the inside network. We had a Websense UFP server running on the
same Nokia box. As soon as the number of connections crossed 3500,
CPU idle time on the Nokia box would reach 0%; the 6 HTTP security
servers were above 15%! This reading was for a prolonged period of time.
We reset the HTTP sec. server to no avail.
My question: does turning on VRRP increase the load on the box?
Cheers
----- Original Message -----
From: "vijay" <[EMAIL PROTECTED]>
To: "'Fw-1-Mailinglist (E-mail)" <[EMAIL PROTECTED]>
Sent: Friday, June 02, 2000 2:45 PM
Subject: [FW1] FW-1 checkpoint, Nokia HA query
>
> > Hello All
> >
> > Can anyone guide me how the Nokia or Checkpoint High availability
> > works?
> Here is the network connectivity.
>
> Internet----Switch ----Checkpoint A--- Switch----LAN
> -----Checkpoint B---
>
> Both Checkpoints are connected to one switch. Objective is if
> one Checkpoint server fails, the other
> has to take over.
>
The Nokia HA solution utilizes VRRP.
We have seen Ethernet switches get confused when the virtual IP address
moves from one port on the switch to another port on the switch. In general,
one might avoid running VRRP across switches.
> In the IP addressing, I need to know
> >
> > a. If I have to configure different IP address for external and
> > internal interfaces?
On one firewall platform?
Or, do you mean that you need unique IP addresses for both of the firewalls?
You need for both of the Nokia firewalls to have uniquely addressable IP
addresses on each network segment they are connected to. You then use VRRP to
bring into existence a virtual IP address that you may perceive to be as a
virtual router.
This virtual router will be associated with one of the physical firewalls,
with the second physical firewall configured to be a backup of the virtual
IP address.
> > (If yes, do I need to have 2 copies of checkpoint?) If not how
> > the IP addressing is done?
Yes, both firewalls will need to be licensed separately.
> >
> b If one Checkpoint server fails how will the second
> server take over?
VRRP, RFC 2338
> >
> > c . If I am using Nokia box for High availability, will there be
> > any issues if I run protocols like OSPF?
> >
If you are intending to run OSPF in your environment and you want to
enable OSPF on your Nokia firewalls,
then it is possible that you will not need to run VRRP for a basic HA
configuration. However, if your configuration includes HA for VPNs, and
you are running FW-1 4.1 SP1, then VRRP will be required to support the
use of the Gateway Cluster object, which you may consider to be a
virtual firewall, which is then associated with the virtual router
supported by VRRP.
--- Jerald Josephs
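
Added example, not part of the original thread or any poster's code: a small Python model of the RFC 2338 master election and failover timing that the answers above refer to. The router names, addresses, priorities and VRID are constructed sample values.

```python
"""Model of RFC 2338 (VRRPv2) master election and failover timing."""
import ipaddress
from dataclasses import dataclass

@dataclass
class Router:
    name: str
    real_ip: str    # each firewall keeps its own unique address on the segment
    priority: int   # 1-254 for backups; 255 is reserved for the address owner
    alive: bool = True

def virtual_mac(vrid: int) -> str:
    """Virtual router MAC address: 00-00-5E-00-01-{VRID}."""
    if not 1 <= vrid <= 255:
        raise ValueError("VRID must be 1..255")
    return "00-00-5E-00-01-%02X" % vrid

def master_down_interval(priority: int, advert_int: int = 1) -> float:
    """Seconds of silence a backup waits before declaring the master down."""
    skew_time = (256 - priority) / 256
    return 3 * advert_int + skew_time

def elect_master(routers):
    """Highest priority wins; equal priorities go to the higher IP address."""
    live = [r for r in routers if r.alive]
    if not live:
        return None
    return max(live, key=lambda r: (r.priority, int(ipaddress.ip_address(r.real_ip))))

def fail_master(routers, advert_int: int = 1):
    """Mark the current master dead; return (new master, takeover delay in s)."""
    current = elect_master(routers)
    if current is None:
        return None, None
    current.alive = False
    new = elect_master(routers)
    return new, (master_down_interval(new.priority, advert_int) if new else None)

if __name__ == "__main__":
    # Constructed sample values: names, addresses, priorities and VRID are assumptions.
    pair = [Router("fw-a", "192.0.2.2", 100), Router("fw-b", "192.0.2.3", 95)]
    print("master:", elect_master(pair).name, "virtual MAC:", virtual_mac(10))
    new, delay = fail_master(pair)
    # The virtual IP and MAC are unchanged after failover; only the switch port
    # they are reached through moves, so the switch must relearn that MAC.
    print("after failure:", new.name, "takes over after %.3f s" % delay)
```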