Re: [fw-wiz] Nokia and Cluster for Checkpoint
From: Chris Hummel (chris_hummel_at_hotmail.com)
Date: 06/18/03
- Previous message: Monkman, Brian: "[fw-wiz] New List - SSL-TLS Public Discussion"
- Maybe in reply to: A. Louw: "[fw-wiz] Nokia and Cluster for Checkpoint"
To: alouw@ICTive.com Date: Wed, 18 Jun 2003 00:17:12 -0400
I'm actually in the process of evaluating Nokia's CryptoCluster
(active-active) technology in IPSO 3.6, so I'll share some of the more
interesting things that I've come across:
1) A Nokia cluster can only scale to a total of four nodes.
2) Each node in the cluster will require a minimum of four interfaces:
internal LAN, Internet or external LAN , FW-1 State Sync, and Nokia Cluster
Sync.
3) One Cluster VIP address is required for each segment represented by an
interface. So yes, each of the sync subnets will require a Cluster VIP.
4) Nokia's security appliances running Check Point were designed to act as
firewall modules only, not as Management Stations. Although it is
technically possible to achieve this, it may not be feasible due to limited
disk size (logging) and moreover the fact that there is no patch/hotfix
support for Mgt Stations on IPSO.
5) There's much more than meets the eye to properly configure a Nokia/Check
Point cluster even if it is offline in a lab environment. The IPSO versions
are tightly integrated with a corresponding version of Check Point. For
example, because Check Point has been modifying its code thereby delaying
the release of FP4 (aka AI), Nokia developers have had to re-write portions
of their code in their release of IPSO 3.7.
6) There are no options in the event of a failover - meaning you cannot
specify alternate interfaces to send the cluster traffic over. See #2
above.
As far as dissecting the 'cluster' traffic, recall that there are two
components here: fw state and cluster. For a quick peek you can simply use
the Log Viewer. To dig a little deeper you can either run tcpdump or the
Check Point command 'fw monitor'. Within Nokia Voyager, you can look at
Cluster Monitor but that only shows the health and various stats of the
cluster. The big thing that seems to be missing is how to tell, without a
shadow of a doubt, that the FW-1 state tables are in sync. The only thing
(so far) we've been able to come up with is to open two terminal windows,
then enter a command in one window before toggling to the other.
Hope that helps - good luck!
Chris
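On the last point (telling, without a shadow of a doubt, that the FW-1 state tables are in sync): the "two terminal windows" approach fails because the two dumps are never taken at the same instant, so a connection that was created between the two commands shows up on one member only without anything being wrong. The script below is an added example, not something from the original post or from Check Point or Nokia. It assumes you have already dumped each member's connection table to a text file (for instance with `fw tab -t connections` on each node; the real output format of that command is NOT reproduced here) and it parses a constructed, simplified one-connection-per-line format instead. The point it shows is the comparison logic: match on the 5-tuple, and treat an entry that only one side has, and that is younger than the snapshot skew, as indeterminate rather than as a sync failure.

```python
"""Compare FW-1 connection-table snapshots taken on two cluster members.

Added example (not from the original post). The dump format below is a
CONSTRUCTED stand-in, not the real output of `fw tab -t connections`:
one connection per line, fields separated by whitespace,
    <src_ip> <src_port> <dst_ip> <dst_port> <proto> <age_seconds>
A practitioner would replace parse_snapshot() with a parser for whatever
their firewall version actually prints.
"""
from typing import NamedTuple


class Conn(NamedTuple):
    src: str
    sport: int
    dst: str
    dport: int
    proto: str


def parse_snapshot(text: str) -> dict:
    """Parse a dump in the constructed format into {Conn: age_seconds}.
    Blank lines and '#' comments are ignored; malformed lines raise."""
    table = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        src, sport, dst, dport, proto, age = line.split()
        table[Conn(src, int(sport), dst, int(dport), proto)] = int(age)
    return table


def compare(a: dict, b: dict, skew: int) -> dict:
    """Classify the differences between two snapshots.

    The two dumps cannot be taken atomically (the "two terminal windows"
    problem), so an entry that only one side has seen for less than `skew`
    seconds may simply not have been synced yet; it is reported as
    indeterminate. An entry older than `skew` that the other member lacks
    is a real sync gap and that connection would be dropped on failover.
    """
    only_a = set(a) - set(b)
    only_b = set(b) - set(a)
    missing_on_b = sorted(c for c in only_a if a[c] > skew)
    missing_on_a = sorted(c for c in only_b if b[c] > skew)
    decided = set(missing_on_b) | set(missing_on_a)
    return {
        "shared": sorted(set(a) & set(b)),
        "missing_on_a": missing_on_a,
        "missing_on_b": missing_on_b,
        "indeterminate": sorted((only_a | only_b) - decided),
    }


def in_sync(result: dict) -> bool:
    """True when no connection older than the skew window is missing on either side."""
    return not result["missing_on_a"] and not result["missing_on_b"]


# Constructed sample dumps, as if captured a few seconds apart on each member.
NODE_A = """\
# member A
10.1.1.5  40001 203.0.113.10 80  tcp 120
10.1.1.6  40002 203.0.113.10 443 tcp 95
10.1.1.7  53000 198.51.100.2 53  udp 3     # brand new, may not be synced yet
10.1.1.8  40003 203.0.113.11 22  tcp 600   # old; B should have it
"""

NODE_B = """\
# member B
10.1.1.5  40001 203.0.113.10 80  tcp 121
10.1.1.6  40002 203.0.113.10 443 tcp 96
10.1.1.9  40010 203.0.113.12 25  tcp 2     # new on B only
"""


def check(text_a: str, text_b: str, skew: int = 5) -> dict:
    """Parse both dumps and compare them; returns the classification dict."""
    return compare(parse_snapshot(text_a), parse_snapshot(text_b), skew)


if __name__ == "__main__":
    result = check(NODE_A, NODE_B)
    for key in ("missing_on_a", "missing_on_b", "indeterminate"):
        for c in result[key]:
            print(f"{key}: {c.proto} {c.src}:{c.sport} -> {c.dst}:{c.dport}")
    print("in sync" if in_sync(result) else "NOT in sync")
```

With the constructed dumps, the 600-second-old SSH connection present only on member A is reported as missing on B (a real gap), while the two entries younger than the 5-second skew window are only indeterminate; pick the skew to cover the gap between the two dump commands plus the state-sync interval you observe with tcpdump on the sync interface.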
Hi,
I'd like some pointers on building up a cluster of firewalls (2 for
starters) with four interfaces (all should be VRRP/HSRP alike) and a
separate management box on Nokias.
The idea is to have (per box): 1 int Bad Guys, 1 int DMZ, 1 int LAN,
1 int Management.
The management should contain all synch traffic between the boxes
(pref. in load balancing mode) and the other interfaces should have
as little synch traffic as possible.
Now, setting up the Nokia cluster isn't that hard, the Checkpoint
cluster itself isn't that hard, but where can I find info on the
traffic generated by the clustering itself? Can we force it to
use just the Management interface for all synch traffic, and will a
failover (or down situation) occur when any of the interfaces
goes down?
T.i.a.
--- A. Louw louw@xs4all.nl
_______________________________________________
firewall-wizards mailing list
firewall-wizards@honor.icsalabs.com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards