Another option is Radware's LinkProof appliance, which handles multiple ISP connections
without requiring BGP.

Pat Scopelliti
> ----------
> From: Mark L. Decker[SMTP:[EMAIL PROTECTED]]
> Reply To: [EMAIL PROTECTED]
> Sent: Thursday, November 02, 2000 11:17 PM
> To: 'CryptoTech'
> Cc: 'Gunjan Mathur at 9netave'; [EMAIL PROTECTED]
> Subject: RE: [FW1] Multiple WAN Links.
>
> Agreed. If transparent failover is your top priority, BGP is the better solution.
> If you host web servers internally that need to be reached from the outside world,
> BGP also prevents you from having to play games with DNS to provide access to those
> servers in the event of link failure. BGP has plenty of negatives (uneven load
> sharing, complex configuration, requires AS number and cooperation from both ISPs,
> giant routing tables that eat gobs of router CPU and RAM, etc.), but it is still the
> only solution that provides transparent failover for both inbound and outbound
> sessions in the event of link failure.
>
> RainWall as a multi-homing solution is really most effective as cheap protection and
> link load balancing for outbound Internet access and email (with multiple MX
> records). If you don't care so much that connections have to be re-established after
> failover, it's a viable option. Otherwise, BGP is the way to go.
>
> -----Original Message-----
> From: CryptoTech [mailto:[EMAIL PROTECTED]]
> Sent: Thursday, November 02, 2000 7:40 PM
> To: [EMAIL PROTECTED]
> Cc: 'Gunjan Mathur at 9netave'; [EMAIL PROTECTED]
> Subject: Re: [FW1] Multiple WAN Links.
>
>
> If this will be a cluster configuration -- that is, allowing session failover,
> and if necessary, VPN failover, then the two boxes will be defined as a cluster,
> therefore each internal subnet must be hidden behind one IP. If you decide to break
> the state synchronization by configuring the two boxes as totally separate entities,
> and allowing yourself to enforce different hide addresses for the same subnet on two
> boxes, you will run into problems with dynamically generated web pages when failover
> occurs, because the source address for a session will change and the remote server
> will be unable to swap the remote association.
>
> Don't get me wrong, Rainfinity is a great product, but to do this solution
> flawlessly, you should still listen to the first response.
>
> "Mark L. Decker" wrote:
>
> Actually, there is a way to do this (at least for outbound access and
> mail) without BGP, but it requires two firewalls in a RainWall cluster. You connect
> one firewall to ISP A and the other firewall to ISP B, and both to the same internal
> subnet. Firewall A does NAT using a range from ISP A, and firewall B does NAT
> using a range from ISP B. Then you set up the RainWall Ping Monitor to watch the ISP
> links. If the link to ISP A goes down, RainWall can automatically disable firewall A,
> and move its internal IP address to firewall B, thereby redirecting users out to ISP
> B. This also allows load sharing of outbound traffic between the two links. It does
> not help in the case of inbound access to an internally hosted webserver, but mail
> will still work if you use multiple MX records. Failover is automatic, but not
> transparent (because src/dest pair changes). Not a perfect solution, but then
> neither is BGP.
>
> Mark L. Decker
> Rainfinity
> [EMAIL PROTECTED]
> (408) 382-4870
>
> -----Original Message-----
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of CryptoTech
> Sent: Thursday, November 02, 2000 6:12 AM
> To: Gunjan Mathur at 9netave
> Cc: [EMAIL PROTECTED]
> Subject: Re: [FW1] Multiple WAN Links.
>
> This can only be handled by BGP and cooperation between the
> ISPs. FireWall-1 will not change its security policy/NAT policy when a WAN link
> drops.
>
> Gunjan Mathur at 9netave wrote:
>
> I have two WAN links using PPP with static routes from different ISPs.
> Now I want that if one of my links goes down, the second link automatically handles
> everything, and if both are up, load balancing happens.
>
> I'm using NATting of my LAN traffic on the firewall with one ISP's IP range.
> If the link of this ISP goes down, then all my LAN users are unable to access
> the net because of this NATting.
> How do I configure my structure in such a way that if the link of the NATting ISP
> is down, the second link handles the traffic?
>
>
>
> GM
>
>
>
>
================================================================================
To unsubscribe from this mailing list, please see the instructions at
http://www.checkpoint.com/services/mailing.html
================================================================================
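
The failover described in the thread (two firewalls, each hiding the LAN behind a range from a different ISP, with a ping monitor moving the internal gateway address when a link dies) can be modelled briefly to show why it is automatic but not transparent. This is an added illustration, not part of the thread and not RainWall or FireWall-1 code; the class names, the documentation-range addresses, and the assumption that the remote server binds a session to the client's source address are all constructed for the example.

```python
"""Toy model of dual-ISP hide-NAT failover (constructed example)."""
from dataclasses import dataclass, field

@dataclass
class Firewall:
    name: str
    hide_ip: str          # hide-NAT address from this firewall's ISP range
    link_up: bool = True  # what a ping monitor on the ISP link would report

@dataclass
class RemoteServer:
    # Assumption: the server binds session state to the client's source
    # address, so sessions are keyed by (source IP, session id).
    sessions: set = field(default_factory=set)

    def receive(self, src_ip, session_id, new=False):
        key = (src_ip, session_id)
        if new:
            self.sessions.add(key)
            return "established"
        return "ok" if key in self.sessions else "rejected: unknown source for session"

class Cluster:
    def __init__(self, fw_a, fw_b):
        self.firewalls = [fw_a, fw_b]
        self.gateway_owner = fw_a   # holds the LAN's default-gateway address

    def monitor(self):
        """Move the internal gateway address off a firewall whose link is down."""
        if not self.gateway_owner.link_up:
            healthy = [f for f in self.firewalls if f.link_up]
            if not healthy:
                raise RuntimeError("both ISP links down")
            self.gateway_owner = healthy[0]
        return self.gateway_owner.name

    def send(self, server, session_id, new=False):
        """Outbound packet: hide-NAT behind whichever firewall owns the gateway."""
        return server.receive(self.gateway_owner.hide_ip, session_id, new)

def demo():
    fw_a = Firewall("A", "192.0.2.10")      # constructed: ISP A range
    fw_b = Firewall("B", "198.51.100.10")   # constructed: ISP B range
    cluster, server = Cluster(fw_a, fw_b), RemoteServer()
    results = [cluster.send(server, "s1", new=True), cluster.send(server, "s1")]
    fw_a.link_up = False                                  # ISP A link fails
    results.append(cluster.monitor())                     # automatic failover to B
    results.append(cluster.send(server, "s1"))            # old session breaks
    results.append(cluster.send(server, "s2", new=True))  # new session works
    return results
```

Calling `demo()` shows the existing session being rejected after failover while a newly established one succeeds, which is the "connections have to be re-established" behaviour the thread contrasts with BGP.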