The answer is simple:
1.- the load balancing of INCOMING packets (left to right in your figure)
is handled by the fireproof which chooses the firewall module thanks to
its load-balancing algorithms for the first packet of a session, and then
sticks to the same firewall for all packets of the session.
2.- now, if a firewall module failure occurs and is detected by the
fireproof, it will direct the packets to another one --actually, you can
load-balance more than 2 modules, especially with the new coming gigabit
version--
3.- on the way back, the packets will be directed by your servers according
to the defined routing parameters (often only a default gateway unless you
want to use other protocols that could bring security holes with them)
4.- the best way to ensure a proper fail-over on the way back is to use
another fireproof between the firewall modules and the servers. Such a
module will be session-aware and will ensure the packets go back the same
way they arrived without taking any risks about security. Moreover, using
smartnat and sets, this config enables you to hide the firewall structure
and addresses between the fireproofs from the outside world and apply some
filtering rules before the firewall.
5.- do you need two different physical fireproofs (FP) in this config?
Well, yes and no: you could use the "fireproof set" feature with a 4-port
fireproof to group the ports 2 by 2 and implement two logical FP units in a
single physical one. You can put switches between the FP and the firewall
modules to spare ports on the fireproof. Now, for redundancy, you can
duplicate the fireproofs (they have an automated failover feature) and
switches to ensure no single point of failure.
Go ahead, these devices are reliable and powerful, but carefully plan your
address scheme and network design.
Ir Serge Gosset, Managing Director, ALGOTRONICS SA
Science Park, 4 avenue Einstein, 1348 Louvain-la-Neuve, Belgium
Phone +32 10 485 185 Fax +32 10 458 658
email [EMAIL PROTECTED]
http://www.algotronics.com
Networks, Security and Technology for the e-World
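The session-sticky choice of point 1, the fail-over of point 2 and the symmetric return path of point 4, modelled in a small added Python example that is not part of the original post (the module names, the flow tuples and the least-sessions selection are assumptions, not the product's algorithm):

```python
# Added example, not from the original post: a minimal model of session-sticky
# load balancing across firewall modules and of the symmetric return path.
# Module names, the flow tuples and the least-sessions choice are assumptions.

class FireProof:
    """Session-aware balancer: picks a module on a session's first packet, then sticks."""
    def __init__(self, modules):
        self.modules = list(modules)
        self.healthy = set(modules)
        self.sessions = {}  # session key -> module
    @staticmethod
    def key(flow):
        # Direction-independent key, so a reply maps to the request's session.
        src, sp, dst, dp, proto = flow
        return tuple(sorted([(src, sp), (dst, dp)])) + (proto,)
    def learn(self, flow, module):
        """Record which module a packet arrived from (used by the inner FP)."""
        self.sessions[self.key(flow)] = module
    def forward(self, flow):
        k = self.key(flow)
        module = self.sessions.get(k)
        if module is None or module not in self.healthy:
            # First packet of a session, or its module failed: pick the healthy
            # module carrying the fewest sessions (ties go to the first listed).
            live = [m for m in self.modules if m in self.healthy]
            if not live:
                raise RuntimeError("no healthy firewall module")
            load = {m: sum(v == m for v in self.sessions.values()) for m in live}
            module = min(live, key=lambda m: load[m])
            self.sessions[k] = module
        return module
    def fail(self, module):
        self.healthy.discard(module)

def simulate():
    """Constructed scenario: two modules, three client sessions, one failure."""
    outer, inner = FireProof(["fw1", "fw2"]), FireProof(["fw1", "fw2"])
    flows = [("10.0.0.%d" % i, 40000 + i, "192.0.2.10", 443, "tcp") for i in range(3)]
    chosen = {}
    for f in flows:
        chosen[f] = outer.forward(f)  # incoming packet: choose, or stick
        inner.learn(f, chosen[f])     # inner FP notes the module it came from
    sticky = all(outer.forward(f) == chosen[f] for f in flows)
    reply = lambda f: (f[2], f[3], f[0], f[1], f[4])  # server -> client direction
    symmetric = all(inner.forward(reply(f)) == chosen[f] for f in flows)
    outer.fail("fw1"); inner.fail("fw1")  # module failure detected by both FPs
    rerouted = {f: outer.forward(f) for f in flows}
    return {"chosen": chosen, "sticky": sticky, "symmetric": symmetric, "rerouted": rerouted}
```

Note that after the fail-over the new module has no state for the re-pointed sessions, which is why the post stresses planning the design rather than relying on the redirect alone.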
================================================================================
To unsubscribe from this mailing list, please see the instructions at
http://www.checkpoint.com/services/mailing.html
================================================================================