F1LL
2006-02-02 16:26:20 UTC
Hello all,
I have been tasked with implementing a failover solution for our Nokia
IP350 running Checkpoint Express NGX, paired with one of our IP130s
that we have left over from when it was upgraded to the IP350.

From what I have read, using VRRP should be fairly simple. I have poked
around Voyager and all seems to make sense. But before I start I just
wanted to check whether having two different Nokia platforms, one
running IPSO 3.8 and one running 3.8.1, and on the Checkpoint side one
running NGX and one running NG R54, is going to cause me great
problems. Unfortunately it seems that I do not have access to any
software subscription licenses, so upgrading is not ideal but possible
if necessary.

While I am here, a few more questions on the subject. I understand that
adding the live gateway into a gateway cluster is not simple, as it is
used in the rule base and therefore does not appear in the available
gateway list. Are there any hints or tips you can give me on how to
progress?

And just to make sure this is not completely pointless due to a
misunderstanding of it all, does the following configuration sound
sensible?

                       /-----IP350\
Internet-----Switch----            ------Switch-----DMZ
                       \-----IP130/

From what I understand you create a virtual IP address that is shared
by both external interfaces, and the same for both internal interfaces.
Then all communications from the DMZ outbound are pointed towards the
internal VIP, and all incoming connections will be pointed to the
external VIP by DNS records. Then the active firewall will handle all
traffic sent to the VIP, unless it has failed and the secondary
firewall will take over.

Many thanks,
F1LL