It really depends upon what internal (from the FW-1 perspective) IP network space you are trying to protect. What networks you want to route to with the firewalls is key. For example, if both firewalls are to provide service to NetworkA, then a route to NetworkA needs to be announced at each firewall location. If NetworkA is built as a Virtual LAN (VLAN) which spans the geographic distance, then both firewalls can concurrently announce the NetworkA route out the external interfaces of the firewall. If this is not the case, say the "backup" firewall is a long distance from NetworkA (but can still get to NetworkA if the "primary" firewall's reachability to NetworkA fails), then the "backup" firewall can either be configured to advertise a less preferred route to NetworkA all the time, or source a route when the "primary" fails (the way to do this is somewhat dependent upon the types of routers, switches, firewalls, etc. which you have in place).
The thing to remember with high availability is that ideally it needs to be completely transparent to the end user. The two ways to typically accomplish this are by ensuring that active routing is always available to the same IP address ranges, or by doing "zero caching" DNS, so that the user gets directed to a different NAT location when the main DNS IP address fails.
It is difficult to detail an exact solution without knowing the components, whether the address space is public or private, and what other network connections are hooked up to your network (and the effect any changes you make for HA will have on those connections).
Hope this is somewhat helpful.
Bob Brandt, 3M, [EMAIL PROTECTED]
[EMAIL PROTECTED] wrote:
> Hi all.
>
> There's been quite a lot of traffic here recently about providing HA designs
> for environments using FW-1s based on NT or Unix flavours, either by using
> software-based products such as Rainwall or Stonebeat, hardware switches, or the
> basic state sync approach.
>
> What are the options for HA when using Nokias? From what I have seen s/w
> solutions don't cater for the Nokias, and hardware (and VRRP) solutions are
> fine if the firewalls are in close proximity to each other, but what about two
> Nokias, one in each (distant) location - what then are the options for
> providing a reasonable level of fault tolerance?
>
> Maybe the only option is to have a pair in each location making use of VRRP?
>
> This has some similarities I guess to the recent thread about dual-homing,
> though this is on a private network rather than having to deal with ISPs.
>
> Does anyone have any thoughts? Our integrator is coming in to discuss the
> options, but forewarned is forearmed...
>
> Regards
>
> Simon
>
> ================================================================================
> To unsubscribe from this mailing list, please see the instructions at
> http://www.checkpoint.com/services/mailing.html
> ================================================================================
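The two backup-firewall strategies Bob describes above (the backup always advertising a less preferred route to NetworkA, versus the backup sourcing a route only when the primary's route disappears) can be modelled with a small routing-table simulation. This is an added example for the archive, not code from either poster or from Check Point or Nokia; the prefix 10.20.0.0/16, the firewall names, the metric values and the "always" / "conditional" mode names are all constructed for illustration. Real routers express the same choice through platform-specific metric, local-preference or conditional-advertisement knobs, which is exactly the "depends on what you have in place" point made in the reply.

```python
import ipaddress
from dataclasses import dataclass

# Constructed example prefix standing in for the thread's "NetworkA".
NETWORK_A = ipaddress.ip_network("10.20.0.0/16")


@dataclass(frozen=True)
class Route:
    prefix: ipaddress.IPv4Network
    next_hop: str   # which firewall announced it (constructed names below)
    metric: int     # lower wins; the backup advertises a worse metric


class RouteTable:
    """Minimal routing table: keep every announcement per prefix and pick the best."""

    def __init__(self):
        self._routes = {}

    def announce(self, route):
        self._routes[(route.prefix, route.next_hop)] = route

    def withdraw(self, prefix, next_hop):
        self._routes.pop((prefix, next_hop), None)

    def routes_for(self, prefix):
        return [r for r in self._routes.values() if r.prefix == prefix]

    def lookup(self, ip):
        """Longest-prefix match first, then lowest metric; None if unreachable."""
        addr = ipaddress.ip_address(ip)
        candidates = [r for r in self._routes.values() if addr in r.prefix]
        if not candidates:
            return None
        return min(candidates, key=lambda r: (-r.prefix.prefixlen, r.metric))


class Firewall:
    def __init__(self, name, metric, mode):
        self.name, self.metric, self.mode = name, metric, mode
        self.can_reach_network_a = True   # flips to False to simulate the primary losing NetworkA


def converge(table, primary, backup):
    """One advertisement round: each firewall announces or withdraws its NetworkA route.

    mode "always": backup advertises its less preferred route all the time.
    mode "conditional": backup sources the route only while the primary's is absent.
    """
    if primary.can_reach_network_a:
        table.announce(Route(NETWORK_A, primary.name, primary.metric))
    else:
        table.withdraw(NETWORK_A, primary.name)

    primary_present = any(r.next_hop == primary.name for r in table.routes_for(NETWORK_A))
    if backup.mode == "always" or (backup.mode == "conditional" and not primary_present):
        table.announce(Route(NETWORK_A, backup.name, backup.metric))
    else:
        table.withdraw(NETWORK_A, backup.name)


def failover_sequence(mode):
    """Return (next hop chosen for a NetworkA host, routes visible) at three steps:
    normal operation, primary loses NetworkA, primary restored."""
    table = RouteTable()
    primary = Firewall("fw-primary", metric=10, mode="always")
    backup = Firewall("fw-backup", metric=100, mode=mode)
    observed = []
    for primary_ok in (True, False, True):
        primary.can_reach_network_a = primary_ok
        converge(table, primary, backup)
        best = table.lookup("10.20.5.7")          # constructed host inside NetworkA
        observed.append((best.next_hop if best else None, len(table.routes_for(NETWORK_A))))
    return observed


def unreachable_lookup():
    """A destination nobody advertises resolves to no route at all."""
    table = RouteTable()
    converge(table, Firewall("fw-primary", 10, "always"), Firewall("fw-backup", 100, "always"))
    return table.lookup("192.0.2.1")


if __name__ == "__main__":
    for mode in ("always", "conditional"):
        print(mode, failover_sequence(mode))
```

Both modes hand traffic to fw-backup while the primary cannot reach NetworkA and return it to fw-primary afterwards; the difference is what the rest of the network sees in steady state (two routes in "always" mode, one in "conditional" mode). One practical caveat when two stateful firewalls both carry an active route to the same range: the return path must cross the same firewall that saw the connection open, or the reply is dropped for lack of state, so equal-cost concurrent announcement only works cleanly when the outbound and return routing agree.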