Title: RE: [FW1] Re: Load Ballanced HA?

Thanks for responding Carric,

Stuff below:

> -----Original Message-----
> From: Carric Dooley [mailto:[EMAIL PROTECTED]]
> Sent: Thursday, January 25, 2001 7:57 AM
> To: [EMAIL PROTECTED]
> Cc: Mark Squire; '[EMAIL PROTECTED]'
> Subject: Re: [FW1] Re: Load Ballanced HA?
>
> Carric Dooley
> Senior Consultant
> COM2:Interactive Media
>
> "But this one goes to eleven."
> - -- Nigel Tufnel
>
>
> On Wed, 24 Jan 2001 [EMAIL PROTECTED] wrote:
>
> >
> >
> > On Tue, 23 Jan 2001, Mark Squire wrote:
> >
> > > Lets say I have two Nokia boxes and I want to:
> > > 1. Have them running in active-active-standby HA.
> >
> > Nokia VRRP does not allow active-active only active-passive.
>
> Not entirely accurate.  While you cannot load balance with VRRP, you can
> "load share" by setting up two virtual routers on each side (one where
> firewall A is primary and firewall B is secondary, and the other where
> firewall B is primary with firewall A as backup), and then split your
> network into two halves, each using one of the VIPs for its gateway.

This is true but it brings up a burning question of mine.  So with normal firewall operations A would fail over for B, or B would fail over for A.  They are watching each other's back so to speak.  But when you set up virtual routers, you also create Virtual IP addresses.  In a situation where B watches A's back, there is only 1 Virtual IP address.  But in a situation where both B and A are watching each other's backs, there are two Virtual IP addresses.  Here is the question:  Which one of those IP addresses should a remote site be pointing to for a Checkpoint VPN connection?  Does that make sense?  The remote site is only going to be looking for 1 IP address to establish VPN connections to (unless I am missing something) and that would be the external address of the home firewall whether it is a virtual IP or a normal one.  Again, unless I am missing something, in that scenario, you are still only using one firewall for VPN until it fails over to the other box, but it is not using the resources of both boxes at the same time.

> >
> >
> > > 2. VPN needs to be able to fail over.
> >
> > With FW-1 4.1 this should work.
> >
> >
> > > 3. SecuRemote needs to be able to fail over.
> >
> > SecuRemote connects to the management station, not the firewall. So you
> > may need two.
> >
>
> I have a document explaining how to set up redundant mgt consoles with NT,
> but it is extremely complex, and is more sort of a jury-rigged
> configuration. It involves several scripts that copy stuff from your
> primary to your backup console.  While I'm sure it works, and is quite
> ingenious, Checkpoint does not provide a packaged solution to accomplish
> this.

Really?  Maybe I can take a look at that sometime.

Thanks for your input!

C:\Mark

> >
> > > I have been digging and digging for the past couple of months for how to do
> > > this.  Does anyone either:
> > >
> > > 1. Know how to do this?
> >
> > Yes, you may need a second management station
> >
> >
> > > 2. Know where I can read how to do this?
> >
> > I don't know where this would be documented.
> >
> > Frank Keeney
> > Pasadena, CA
> >
> >
> >
> >
> > ================================================================================
> >      To unsubscribe from this mailing list, please see the instructions at
> >                http://www.checkpoint.com/services/mailing.html
> > ================================================================================
> >
>