Firewall Wizards mailing list archives
RE: Nokia/Checkpoint firewall
From: dwelch () uswestmail net
Date: 26 Jan 2000 00:45:13 -0800
On Mon, 24 January 2000, "Burden, James" wrote:
> * High-availability - I will caveat this by saying, as long as you are only using it for 10BaseT or slower speeds, then you should be fine. Otherwise, the keeping of stateful connections does not work so well on high speed lines (ATM, FE) where the 10BaseT connection between the two firewalls is slower than the communication on the other interfaces. The issues are when the packet has already arrived at the FE/ATM interface but the Ethernet interface has not learned about it yet.
This is more of a function of the fact that FireWall-1 doesn't sync quickly enough to handle asymmetric conditions (i.e. SYN goes through A, SYN-ACK comes through B). Other vendors do various things to allow this to work, but it does impact performance. You're always going to get the *maximum* performance if you spend the money on hardware around the firewalls to load balance and, more importantly, insure connections always flow through the same firewall (i.e. a firewall sandwich).
> * Be wary of the licensing issues. I have had countless issues with my lab firewalls and production.
This is normal FireWall-1 stuff (i.e. the Nokias don't add any more to this process).
> * Too many rules? This one is odd, and I am still trying to get a good answer. We have made some changes in the rules, and then made another change later in the rules to basically allow the same thing. When reading the logs, you would see it hit the high rule a couple of times, and then go back to the lower rule (where it should have been allowed in the first place). This started happening around the 60th rule or so.
What version of FireWall-1/IPSO are we talking about here?

--
Dameon D. Welch, a.k.a. PhoneBoy (dwelch () phoneboy com)
Check Point FireWall-1 FAQs at http://www.phoneboy.com/fw1/
The views expressed herein are not necessarily those of anyone else.

--
Signup for your free USWEST.mail Email account http://www.uswestmail.net
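The asymmetric-path race described above (SYN leaves through firewall A, SYN-ACK returns through firewall B before A's state update has reached B) can be shown with a small timing model. This is an added illustration, not code from the thread or from Check Point or Nokia; the addresses, the millisecond figures and the single `(client, server)` state key are constructed simplifications of a real connection table.

```python
"""Toy model of a stateful firewall pair with delayed state synchronization.

A connection opened through firewall A is only known to firewall B once the
sync update has arrived over the (slower) sync link.  If the reply packet
reaches B before that, B has no matching state and drops it.  Steering both
directions of a connection through the same unit (a "firewall sandwich")
removes the race entirely.
"""
from dataclasses import dataclass, field


@dataclass
class Firewall:
    name: str
    # connection table: (client, server) pairs this unit currently knows about
    state: set = field(default_factory=set)
    # (arrival_time_ms, entry) sync updates still in flight from the peer
    inbox: list = field(default_factory=list)

    def deliver_sync(self, now_ms):
        """Apply every sync update that has reached this unit by `now_ms`."""
        ready = [entry for t, entry in self.inbox if t <= now_ms]
        self.inbox = [(t, entry) for t, entry in self.inbox if t > now_ms]
        self.state.update(ready)

    def outbound_syn(self, now_ms, client, server, peer, sync_delay_ms):
        """Inside -> Internet SYN: permitted by policy, creates state,
        and queues a sync update that reaches the peer after sync_delay_ms."""
        entry = (client, server)
        self.state.add(entry)
        peer.inbox.append((now_ms + sync_delay_ms, entry))
        return "allowed"

    def inbound_synack(self, now_ms, client, server):
        """Internet -> inside SYN-ACK: only permitted if matching state exists."""
        self.deliver_sync(now_ms)
        return "allowed" if (client, server) in self.state else "dropped"


def simulate(sync_delay_ms, reply_latency_ms, sticky):
    """Return the fate ("allowed"/"dropped") of the SYN-ACK for one connection.

    sync_delay_ms    - time for A's state update to cross the sync link to B
    reply_latency_ms - time until the server's SYN-ACK arrives at the cluster
    sticky           - True if a load balancer pins the reply back through A
    """
    a, b = Firewall("A"), Firewall("B")
    client, server = "10.0.0.5", "192.0.2.10"   # constructed sample addresses
    a.outbound_syn(0, client, server, peer=b, sync_delay_ms=sync_delay_ms)
    # Without stickiness the return path may land on the other unit.
    return_fw = a if sticky else b
    return return_fw.inbound_synack(reply_latency_ms, client, server)


if __name__ == "__main__":
    print("fast link, slow sync, no stickiness :", simulate(50, 2, sticky=False))
    print("reply slower than sync, no stickiness:", simulate(50, 100, sticky=False))
    print("fast link, slow sync, sticky LB      :", simulate(50, 2, sticky=True))
```

The first scenario is the one the post describes: the reply on a fast interface outruns the 10BaseT sync link and is dropped for lack of state; slowing the reply (or speeding the sync) makes it pass, and pinning the flow to one unit removes the dependency on sync timing altogether.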