RE: [fw-wiz] Sync Firewall Policy (Checkpoint NG FP2)

From: Yinal Ozkan (Yinal.Ozkan_at_Integralis.Com)
Date: 07/30/03

    Date: Wed, 30 Jul 2003 15:59:22 -0400

    Since you are planning to sync the firewall rulebase, I assume that you are
    planning to sync the management server. You cannot sync only rules; you
    need many other elements (e.g. object repository, certificates). You must
    have a distributed installation, which means that your management server and
    the firewall modules must be installed on separate boxes.

    The best way to accomplish this task is to use the "Management HA" feature of
    Check Point. The second server must be installed as secondary; if you have
    the correct licenses, the rest is simple. If you are interested in this
    feature I may post more information. Management HA only works on identical
    OS and distributed installations.

    Alternate setup without Management HA: Since FW-1 is a certificate authority,
    you should copy certificates, and the certificates are bound to the name of
    the hosts, so cold stand-by scenarios are not simple "copy files" setups.
    Both hosts should have the same FQDN (though it doesn't sound logical). In
    FP3 I would recommend using the upgrade export/import utilities, which work
    perfectly (you still need to change IPs). In this scenario you may not get
    logs to the secondary when it is not active.

    - yinal ozkan

    -----Original Message-----
    From: Elvie Lee []
    Sent: Wednesday, July 30, 2003 4:33 AM
    Subject: [fw-wiz] Sync Firewall Policy (Checkpoint NG FP2)


    I am setting up a new firewall (Checkpoint NG FP2) at another site (not HA).

    Any idea what is the best way to sync the firewall rulebase between two
    firewalls located at two different places?


