There are a few methods (none guaranteed or foolproof) to check sync on a
pair of FireWall-1 firewalls.

First, look at the file '$FWDIR/conf/sync.conf' on both firewalls. This file
lists what IP address each firewall will attempt to sync to. This should be
the IP address of the other side of the state sync link (usually a crossover
ethernet connection).

Next, run 'netstat -na' on each machine and look for a pair of connections
with the sync machine. The output should include something like:
tcp 0 0 10.23.24.1.256 10.23.24.2.1056 ESTABLISHED
tcp 0 0 10.23.24.1.1054 10.23.24.2.256 ESTABLISHED
The important numbers in the netstat output are the IP addresses of each of
the two firewalls (on the "sync" ports) and the port '256'. Notice in the
above example that port 256 is open on firewall#1 in the first line and on
firewall#2 in the second line.

The final method to check proper sync between two FireWall-1 firewalls is to
compare the size of the connections table on each firewall. Use the command
'fw tab -t connections -s'. Each firewall will display a table like the one
below:
HOST NAME ID #VALS
localhost connections 14 2143
The two #VALS numbers should be roughly equivalent on both firewalls. If
there are differences, wait a few seconds and try the command again.
Best Regards,
Victor Barrientos
Tivoli certified Consultant
RSA Security Certified RSA ACE/Server Engineer
Office: +54 11 4819 3903
Fax: +54 11 4811 7103
Office eMail: [EMAIL PROTECTED]
Alternative eMail: [EMAIL PROTECTED]
Unifon Web Site: http://www.unifon.com.ar
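The three checks above are manual. As an added example (not part of the original mail, and not a Check Point tool), the script below parses the two outputs the mail shows, the 'netstat -na' lines and the 'fw tab -t connections -s' table, and gives a single in-sync / out-of-sync verdict. The sample outputs are constructed to match the column layout shown in the mail (a real 'netstat -na' on Solaris has extra columns, so adjust the field numbers if you feed it live output); the 10.23.24.x addresses come from the mail, and the 10% tolerance for "roughly equivalent" #VALS is an assumption.

```sh
#!/bin/sh
# Added example: decide whether a FireWall-1 state-sync pair looks healthy
# from the outputs of 'netstat -na' and 'fw tab -t connections -s'.
# Sample data below is constructed; addresses and counts are assumptions.

LOCAL_IP=10.23.24.1
PEER_IP=10.23.24.2
SYNC_PORT=256

# Constructed 'netstat -na' excerpt in the layout shown in the mail
# (Solaris prints the port as a trailing ".port" on each address).
NETSTAT_SAMPLE='tcp 0 0 10.23.24.1.256 10.23.24.2.1056 ESTABLISHED
tcp 0 0 10.23.24.1.1054 10.23.24.2.256 ESTABLISHED
tcp 0 0 10.23.24.1.22 192.0.2.10.40112 ESTABLISHED'

# Constructed 'fw tab -t connections -s' outputs, one per cluster member.
FWTAB_SAMPLE_A='HOST NAME ID #VALS
localhost connections 14 2143'
FWTAB_SAMPLE_B='HOST NAME ID #VALS
localhost connections 14 2098'

# count_sync_sessions NETSTAT_OUTPUT LOCAL_IP PEER_IP SYNC_PORT
# Prints how many ESTABLISHED sessions between the two addresses use the
# sync port on either end. A healthy pair shows exactly two (see the mail).
count_sync_sessions() {
    printf '%s\n' "$1" | awk -v l="$2" -v p="$3" -v sp="$4" '
        $1 == "tcp" && $NF == "ESTABLISHED" {
            la = $4; ra = $5
            # split "a.b.c.d.port" into address and port
            li = match(la, /\.[0-9]+$/); lip = substr(la, 1, li - 1); lport = substr(la, li + 1)
            ri = match(ra, /\.[0-9]+$/); rip = substr(ra, 1, ri - 1); rport = substr(ra, ri + 1)
            if (lip == l && rip == p && (lport == sp || rport == sp)) n++
        }
        END { print n + 0 }'
}

# connections_vals FWTAB_OUTPUT
# Prints the #VALS column of the "connections" row.
connections_vals() {
    printf '%s\n' "$1" | awk '$2 == "connections" { print $NF; exit }'
}

# vals_within_tolerance A B [PCT]
# Succeeds when the two table sizes differ by at most PCT percent of the
# larger one (default 10%; the threshold is an assumption, not Check Point's).
vals_within_tolerance() {
    a=$1; b=$2; pct=${3:-10}
    [ -n "$a" ] && [ -n "$b" ] || return 1
    if [ "$a" -gt "$b" ]; then big=$a; small=$b; else big=$b; small=$a; fi
    # integer math: (big - small) * 100 <= pct * big
    [ $(( (big - small) * 100 )) -le $(( pct * big )) ]
}

# sync_status NETSTAT_OUTPUT LOCAL_IP PEER_IP SYNC_PORT FWTAB_A FWTAB_B
# Prints a verdict and returns 0 only if both sync sessions are present and
# the two connections tables are close in size.
sync_status() {
    sessions=$(count_sync_sessions "$1" "$2" "$3" "$4")
    va=$(connections_vals "$5"); vb=$(connections_vals "$6")
    if [ "$sessions" -eq 2 ] && vals_within_tolerance "$va" "$vb" 10; then
        echo "IN SYNC (sync sessions=$sessions, #VALS $va vs $vb)"
        return 0
    fi
    echo "OUT OF SYNC (sync sessions=$sessions, #VALS $va vs $vb)"
    return 1
}

sync_status "$NETSTAT_SAMPLE" "$LOCAL_IP" "$PEER_IP" "$SYNC_PORT" \
    "$FWTAB_SAMPLE_A" "$FWTAB_SAMPLE_B"
```

To use it on a live pair, replace the constructed samples with the real command output (for example NETSTAT_SAMPLE=$(netstat -na) on one member and the 'fw tab' output collected from both members) and check the field numbers against your netstat's column layout first. Remember that a #VALS mismatch is transient on a busy firewall, so re-run before concluding the pair is out of sync, exactly as the mail advises.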
----- Original Message -----
From: Sergio Munoz -- Systems Engineer (x.219) <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Thursday, November 09, 2000 11:11 AM
Subject: [FW1] Synchronization.
Hello, how are you?

Thanks to everyone for your answers to my previous questions, but here are
two more:

I have FW-1 4.1 distributed, installed on two Ultra 10s with Solaris 2.6,
and the console is an NT PC. I have Stonebeat installed to have a
high-availability cluster, but I have had several problems with it.

1. How do I see whether my FWs are synchronized?
2. If they are not, how do I synchronize them?

And the last question:

3. Can someone help me with Stonebeat?

Thank you very much, behave yourselves.

Regards
-----
Sergio Muñoz Godoy
Systems Engineer
mailto:[EMAIL PROTECTED]
Cientec Computacion S.A. Tel. (56-2) 426 2626
http://www.cientec.cl Fax (56-2) 233 9009
Santiago, CHILE
================================================================================
To unsubscribe from this mailing list, please see the instructions at
http://www.checkpoint.com/services/mailing.html
================================================================================
