I'm in the middle of designing a Nokia HA solution for a customer.  These four IP440s
will be located across a WAN in four different sites each with Internet connectivity.
The company's WAN intersects with the Internet at four points and one Nokia IPSO will
protect each point.  The company is utilizing ATM for its WAN backbone.  The thought
is that if the firewall providing Internet access in location X were to die, traffic 
could be re-routed across the corporate WAN to location Y to head out through another 
firewall.  We are looking at the options for high availability and I need to bounce a 
few ideas/questions off the mailing list:

1. How does VRRP act when the IPSO firewalls are separated by WAN links?

2. There is a total of 2500 users on the internal network using standard Internet 
services, and a few web servers being hosted but not much other inbound traffic.  
Overall traffic handled by these firewalls is not extremely high but availability is 
important.  Would it be unwise to have Checkpoint sync state tables over the WAN?

3.  What about using BGP (running it on each Nokia) to route traffic away from a 
downed firewall (assuming all firewalls run the same policy)?  Without the state 
tables synced, existing connections will die, but this may be acceptable.

Any experiences or ideas would be appreciated!

___________________________
Aaron Shilts
eSecurity Consulting, Inc.

phone 847-571-3889
fax 714-364-9983
__________________________

