Firewall Wizards mailing list archives

RE: pix firewall - failover and logging issues


From: "Symon Thurlow" <sthurlow () webvein com>
Date: Wed, 5 Feb 2003 15:51:42 -0000

I may be incorrect, but it is my understanding that the serial failover cable can be used by itself for failover, 
however you need to use the LAN and Serial failover if you want Stateful failover.
 
Also, not sure of your platform, but I had an issue with failover on a PIX515e bundle; it was erratic and pretty much 
just didn't work. Also, the performance was absolute cr*p.
 
The answer from the reseller was to send both boxes back, and they were replaced.
 
The reseller mentioned that they had seen this problem before.
 
Symon
________________________________

From: Claussen, Ken [mailto:Ken () kccweb com]
Sent: Wed 05/02/2003 12:37 AM
To: Luciano Z; firewall-wizards () honor icsalabs com
Subject: RE: [fw-wiz] pix firewall - failover and logging issues


The first answer is you are required to use LAN side failover communication to control the failover process. Each pair 
of interfaces must either be on the same dumb switch, a series of two switches with a crossover and a single VLAN, or a 
common VLAN on a layer 3 switch (not the best for security). In other words there must be communication between the 
corresponding network cards in the Primary and Standby units in order for Hello packets to be sent back and forth. When 
one of the Pixes fails to answer the Hello, the failover bundle begins a series of tests. It determines if the network 
interface failed and if so it switches to the Secondary. It is important to make sure the interfaces are on a common 
network segment before configuring new subnets. The serial cable is used for sending the configuration and the control 
signals. When the primary determines its interface has failed it passes control to the secondary. It is usually a good 
idea to disable Failover before making any changes which affect interface IP addresses. The command "Show Fail" will 
provide the current status of each interface on each Pix. Normal is good; other options may be Testing or Failed.

About logging, Syslog is the way to go. Like previously mentioned, Level 7 will provide all messages. Filtering of 
messages is best done at the syslog server. Kiwi provides a free Windows Syslog daemon (www.kiwisyslog.com). If you 
purchase the full version it has an extensive filtering rule section. HTH. I have almost always logged at level 7 and 
never seen significant performance degradation. SHOW CPU USAGE is an undocumented command to show utilization if you 
are concerned about performance.

Ken Claussen MCSE(NT42K) CCNA CCA
"In Theory it should work as you describe, but the difference between theory and reality is the truth! For this we all 
strive"

PS I Don't have my encoding set to UTF-8. It specifies Western European (windows) for Internet recipients.

-----Original Message-----
From: Luciano Z [mailto:user_luciano () yahoo com br]
Sent: Tuesday, January 28, 2003 2:03 PM
To: firewall-wizards () honor icsalabs com
Subject: [fw-wiz] pix firewall - failover and logging issues



Hi!

I have two questions about pix firewall for the list.

The first one is directed to failover users. I'm using
a pix with version 6.1(1) software and with stateful
failover (I think this version needs an update, right?).
From time to time I experience loss of the ssh connection
to the active pix because it has changed from active
state to standby state. I couldn't find the reason for
this because we just checked the cables, and it was
operating well before I created another subnet attached
to this firewall, changing the address of an unused
interface.

In this situation I'm not using LAN-based failover
(this version doesn't support it), so I have the
serial cable in place. Has anyone had a problem that
looks like mine? Is it possible to start logging to the
syslog server just the messages related to failover
events?

Second question, this is about logging of URL access.
I've read the pix could log the URLs accessed by the
users on a protected network. My question is about the performance impact of this feature. Has anybody used this? What was 
the impression about it? And again: is it possible to log just the events related to this?

Well, thanks for your time!

[]
Luciano

_______________________________________________
firewall-wizards mailing list firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
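Ken's advice to log everything at level 7 and filter on the syslog server, together with Luciano's two questions (seeing only failover events, and only URL-access events), both come down to selecting PIX messages by their numeric message ID once the daemon has them on disk. The following is an added example, not code from the thread, from Cisco or from Kiwi: a small Python filter that parses the `%PIX-<severity>-<id>:` header and keeps only the messages whose ID falls in a configured range. The sample log lines are constructed for this example, and the ID ranges used (101000-105999 for failover, 304001-304002 for URL access) are assumptions that should be verified against the syslog message guide for the PIX release in use.

```python
import re
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional, Tuple

# PIX syslog header: %PIX-<severity>-<message id>: <text>
# Severity runs 0 (emergencies) to 7 (debugging); the six-digit message ID
# identifies the event, and related events share their leading digits.
_PIX_RE = re.compile(r"%PIX-(?P<sev>[0-7])-(?P<msgid>\d{6}):\s*(?P<text>.*)$")

# Inclusive message-ID ranges per category. ASSUMPTION for this example:
# verify against the syslog message guide for the PIX release in use.
CATEGORIES: Dict[str, Tuple[int, int]] = {
    "failover": (101000, 105999),  # cable, hello, switching, interface tests
    "url": (304001, 304002),       # "Accessed URL" / "Access denied URL"
}


@dataclass(frozen=True)
class PixMessage:
    severity: int
    msgid: int
    text: str
    raw: str


def parse_line(line: str) -> Optional[PixMessage]:
    """Return the parsed PIX message, or None if the line has no PIX header."""
    m = _PIX_RE.search(line)
    if m is None:
        return None
    return PixMessage(int(m["sev"]), int(m["msgid"]), m["text"], line.rstrip("\n"))


def category_of(msg: PixMessage) -> Optional[str]:
    """Map a message to the first category whose ID range contains it."""
    for name, (lo, hi) in CATEGORIES.items():
        if lo <= msg.msgid <= hi:
            return name
    return None


def select(lines: Iterable[str], category: str) -> List[PixMessage]:
    """Keep only parsable lines that fall in the requested category."""
    if category not in CATEGORIES:
        raise ValueError(f"unknown category {category!r}")
    return [
        msg
        for msg in map(parse_line, lines)
        if msg is not None and category_of(msg) == category
    ]


# Constructed sample lines (syslog-server timestamp, source address, PIX header).
# They illustrate the format only and are not taken from a real device.
SAMPLE_LOG = [
    "Feb  5 15:40:01 10.0.0.1 %PIX-1-103001: (Primary) No response from other firewall (reason code = 3).",
    "Feb  5 15:40:02 10.0.0.1 %PIX-1-104001: (Primary) Switching to ACTIVE - Other unit wants me Active",
    "Feb  5 15:40:05 10.0.0.1 %PIX-6-302013: Built outbound TCP connection 12345 for outside:198.51.100.7/80 to inside:10.1.1.5/34567",
    "Feb  5 15:40:06 10.0.0.1 %PIX-5-304001: 10.1.1.5 Accessed URL 198.51.100.7:http://www.example.com/",
    "Feb  5 15:40:07 10.0.0.1 %PIX-7-111009: User 'enable_15' executed cmd: show failover",
    "Feb  5 15:40:08 10.0.0.1 last message repeated 2 times",
]


def main() -> None:
    # Print each category's matches; in practice feed the daemon's log file instead of SAMPLE_LOG.
    for cat in CATEGORIES:
        print(f"== {cat}")
        for m in select(SAMPLE_LOG, cat):
            print(f"  sev={m.severity} id={m.msgid} {m.text}")


if __name__ == "__main__":
    main()
```

Run as a script it prints the failover and URL matches and drops everything else, including lines without a PIX header. Filtering by ID range rather than by severity is the point: the failover messages in the sample sit at level 1 and the URL message at level 5, so a severity threshold alone cannot separate either of them from the rest of the level-7 stream. The same range match is what a Kiwi filter rule would express.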

