Cedric is quite correct that, when using synchronization, all
connections will appear in the state table of all firewalls, regardless
of which firewall is actually processing the connection.  Normally, this
is not a problem, although each connection does consume a small amount
of memory.

Cedric wrote:
> If you don't synchronize them, you have to be sure each packet
> of a single session goes thru the same firewall. This is done
> mostly by hardware load balancers like RadWARE Fireproof.

It is also possible to do this without a hardware load balancer.  For
example, RainWall can be configured to enforce symmetric routing of
traffic among a cluster of firewalls.  This will work fine even with
sync turned off, and reduces the size of the connection-table.  However,
the downside is that fail-over is not transparent, as Cedric described.
For this reason, we generally recommend that our customers enable FW-1
sync to get the most seamless recovery in the event of failures.

Mark L. Decker
Rainfinity
[EMAIL PROTECTED]
www.rainfinity.com
(408) 382-4870
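As an added illustration (not code from this thread, from Rainfinity or from Check Point), here is a small Python model of the two options discussed above: a two-node stateful cluster with and without state sync, where pinning a flow by its source port stands in for the symmetric routing a load balancer or RainWall would enforce. The addresses and flows are constructed.

```python
# Added example: toy model of a stateful firewall cluster. Shows why every
# packet of a session must hit the same node when sync is off, what sync
# costs (every node carries every entry), and what happens on fail-over.

class Firewall:
    def __init__(self, name):
        self.name = name
        self.table = set()          # connection table: flows with known state

    def handle(self, flow, first_packet):
        # A new session is admitted on its first packet; any later packet is
        # accepted only if this node already holds state for the flow.
        if first_packet:
            self.table.add(flow)
            return True
        return flow in self.table

class Cluster:
    def __init__(self, sync):
        self.sync = sync
        self.nodes = [Firewall("fw1"), Firewall("fw2")]

    def forward(self, flow, first_packet, via):
        accepted = via.handle(flow, first_packet)
        if accepted and self.sync:
            for node in self.nodes:   # state sync: every node learns the entry
                node.table.add(flow)
        return accepted

    def pinned_node(self, flow):
        # Symmetric routing: a stable key of the flow (here the source port,
        # standing in for a real flow hash) pins all its packets to one node.
        src_port = int(flow[0].rsplit(":", 1)[1])
        return self.nodes[src_port % len(self.nodes)]

# Constructed sample flows: (client addr:port, server addr:port)
FLOWS = [("10.0.0.%d:%d" % (i, 40000 + i), "192.0.2.10:443") for i in range(1, 9)]

def asymmetric_path(sync):
    """First packet via fw1, next packet via fw2. Returns (accepted, accepted)."""
    c = Cluster(sync)
    flow = FLOWS[0]
    return c.forward(flow, True, c.nodes[0]), c.forward(flow, False, c.nodes[1])

def symmetric_then_failover(sync):
    """Pin each flow to a node, then lose fw1 and push every flow's next packet
    through fw2. Returns (table sizes before the failure, flows that survive)."""
    c = Cluster(sync)
    for flow in FLOWS:
        c.forward(flow, True, c.pinned_node(flow))
    sizes = [len(n.table) for n in c.nodes]
    survivors = sum(c.forward(flow, False, c.nodes[1]) for flow in FLOWS)
    return sizes, survivors
```

Without sync, `asymmetric_path` drops the second packet and `symmetric_then_failover` keeps each table at half the sessions but loses the sessions that were pinned to the failed node; with sync, both tables hold every session and all of them survive the fail-over.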
