Security Basics mailing list archives

Watchguard firebox and high availability


From: "Andrew Dadmun" <adadmun () mindsolve com>
Date: Thu, 15 Apr 2004 12:30:23 -0400

Please forgive me if this is not the correct forum for this question.  However, a recent post by Jason Haith mentioned 
he was using Watchguard fireboxes and I was hoping maybe someone else out there has some experience with them.

My problem is that I am trying to set up two identical fireboxes in high availability mode.  The setup works fine as 
long as the interfaces I use for the heartbeat communication between the fireboxes are on a hub.  Essentially, I have 
the internal interfaces of the fireboxes set up as the ones on which the fireboxes monitor each other's heartbeat - in 
addition to acting as the gateway for our internal machines.

The problem is that instead of using a dumb hub, we want to use managed switches.  I thought I would be able to set up 
a VLAN and have it function the same way as a hub - broadcasting everything to all ports on the VLAN.  The switch is a 
Dell 3324 and its CLI is very much Cisco-like.

Sadly, I have used SNORT to sniff packets and while I am seeing the heartbeat communication when the fireboxes are 
connected to the hub, it just won't work with the switch segmented into VLANs.

Here is a basic idea of our setup.  I have the 3324 switch set up with 5 VLANs.  VLAN1 is for the gigabit ports and is unused.  
VLAN2 is for our incoming connection from ISP #1 which in turn is connected to two routers (running HSRP and BGP).  
VLAN3 is for another ISP's incoming connection and is also connected to both routers.  VLAN4 is our external VLAN.  
This is where the LAN interfaces of the routers connect and also the external interfaces of the fireboxes.  No problems 
up to this point.  VLAN5 is the VLAN which the internal ports of the fireboxes connect to and this is where the 
heartbeat monitoring occurs.  Again, this works if I put the two cables from the fireboxes into a dumb hub first and 
then plug the hub into this VLAN.  Our goal is to eliminate the hub and just use the managed switches.

Any ideas?  I have tried various multicast settings on the VLAN and IGMP snooping settings to no avail.  I was hoping 
someone out there has had a similar experience and could share.

Thanks in advance,
Andrew Dadmun -- Network Administrator
Mindsolve Technologies -- www.mindsolve.com
(352) 264-2817 -- adadmun () mindsolve com
