Firewall Wizards mailing list archives
Re: High availability
From: Russ Wolfe <rwolfe () hxcorp com>
Date: Tue, 06 Jul 1999 17:39:40 -0400
I can't speak for other solutions, but I can for the Stonebeat HA solution. In the standby configuration (there is also now a load sharing configuration that has both firewalls up) the firewall that is standing by has its internal, external, and any other operative network interfaces down. There is a single network connection between the primary and secondary boxes that carries the heartbeat and other tests that tell the secondary when it must take over. For UNIX systems, the MAC address is configurable for all interfaces, so for all the interfaces involved, you simply assign them the same MAC address. This is accomplished by a configuration file in the /opt/stonebeat/etc directory. Only the heartbeat interfaces are set up under the UNIX operating system (i.e. have a hostname.le0 file, etc.) and remain up at all times.

Having the same MAC addresses assigned to the hot and standby interfaces eliminates the ARP issues.
For example, you have two SPARC 10s with the interfaces configured accordingly:

        Primary Firewall   Secondary Firewall   Role
  le0   172.16.1.1         172.16.1.2           heartbeat network - unique MACs
  QFE0  209.28.16.4        209.78.16.4          external interface - same MAC
  QFE1  10.1.1.1           10.1.1.1             internal interface - same MAC
  QFE2  208.14.1.2         208.14.1.2           DMZ interface - same MAC
Only the le0 interfaces would be configured in the operating system; the QFEx interfaces would all be set up under the Stonebeat config files, and the operating system would be unaware of them until the Stonebeat software brought them up in a switchover.
Hope this helps.
Russ Wolfe
Manager, Information Security Solutions
Halifax Corporation
Sandy Green <sand232 () yahoo com> 07/06/99 10:17AM >>>
How does the HA solution work? I.e., when there is a changeover from the primary to secondary, the IP addresses are swapped over to the secondary. Which IP addresses are swapped? The external as well as the internal, or only the external? What about the ARP cache? What about the mapping of MAC address to IP address of the internal IP addresses? In short, I need to understand the working of a HA solution. The white papers on sites like Stonebeat only talk about it superficially. I asked this question on the Checkpoint mailing list but did not get a satisfactory answer as yet. Thanks
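The point Russ makes about shared MAC addresses answers Sandy's ARP-cache question, and it is easy to see why with a small model. The following Python script is an added illustration written for this archive page; it is not Stonebeat's code and does not reproduce its heartbeat protocol. It builds a toy internal LAN with two firewall boxes, an inside host with a plain ARP cache, and a stand-in heartbeat check, then runs the same switchover twice: once with both internal interfaces sharing one MAC (as in the QFE1 row of the table above) and once with unique MACs. The IP 10.1.1.1 comes from the post; the MAC values, the host, and the `heartbeat_check` function are constructed assumptions, and ARP timeout and gratuitous ARP are deliberately not modelled.

```python
"""Toy model of an active/standby firewall switchover, showing why giving
the hot and standby interfaces the same MAC address sidesteps the inside
hosts' stale ARP caches.  Added illustration; not Stonebeat code."""

from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Constructed sample values, patterned on the QFE1 row of the table:
# the internal address is the same on both boxes.
INTERNAL_IP = "10.1.1.1"
PRIMARY_MAC = "08:00:20:aa:bb:01"    # constructed
SECONDARY_MAC = "08:00:20:cc:dd:02"  # constructed, used only in the unique-MAC run


@dataclass
class Interface:
    ip: str
    mac: str
    up: bool = False   # standby keeps its operative interfaces down


@dataclass
class Firewall:
    name: str
    internal: Interface
    alive: bool = True  # set False to simulate the box crashing

    def bring_up(self) -> None:
        self.internal.up = True

    def bring_down(self) -> None:
        self.internal.up = False


class Segment:
    """The internal LAN: answers ARP and forwards frames by destination MAC."""

    def __init__(self, firewalls: List[Firewall]):
        self.firewalls = firewalls

    def who_has(self, ip: str) -> Optional[str]:
        # Only an up interface on a live box answers an ARP request.
        for fw in self.firewalls:
            if fw.alive and fw.internal.up and fw.internal.ip == ip:
                return fw.internal.mac
        return None

    def deliver(self, dst_mac: str) -> Optional[str]:
        # A frame reaches whichever live box has an up interface with that MAC.
        for fw in self.firewalls:
            if fw.alive and fw.internal.up and fw.internal.mac == dst_mac:
                return fw.name
        return None  # nobody owns that MAC right now: the frame is black-holed


@dataclass
class Host:
    """An inside host with a plain ARP cache (no timeout modelled)."""
    arp_cache: Dict[str, str] = field(default_factory=dict)

    def send_to_gateway(self, gw_ip: str, lan: Segment) -> Optional[str]:
        if gw_ip not in self.arp_cache:
            mac = lan.who_has(gw_ip)
            if mac is None:
                return None
            self.arp_cache[gw_ip] = mac
        return lan.deliver(self.arp_cache[gw_ip])


def heartbeat_check(primary: Firewall, secondary: Firewall) -> None:
    """Constructed stand-in for the heartbeat link: once the primary stops
    answering, its interfaces go down and the standby's come up."""
    if not primary.alive and not secondary.internal.up:
        primary.bring_down()
        secondary.bring_up()


def run_switchover(shared_mac: bool) -> List[Optional[str]]:
    """Return which box receives the host's packet (1) before the failure,
    (2) right after switchover while the host's ARP entry is stale, and
    (3) after that entry has expired and the host has re-ARPed."""
    secondary_mac = PRIMARY_MAC if shared_mac else SECONDARY_MAC
    primary = Firewall("primary", Interface(INTERNAL_IP, PRIMARY_MAC, up=True))
    secondary = Firewall("secondary", Interface(INTERNAL_IP, secondary_mac))
    lan = Segment([primary, secondary])
    host = Host()

    before = host.send_to_gateway(INTERNAL_IP, lan)

    primary.alive = False            # the primary crashes
    heartbeat_check(primary, secondary)
    stale = host.send_to_gateway(INTERNAL_IP, lan)   # cache still holds the old MAC

    host.arp_cache.clear()           # entry times out; host re-resolves
    refreshed = host.send_to_gateway(INTERNAL_IP, lan)
    return [before, stale, refreshed]


if __name__ == "__main__":
    print("same MAC on both boxes:", run_switchover(True))
    print("unique MACs:           ", run_switchover(False))
```

With the shared MAC the host's cached entry keeps working across the switchover, so traffic is delivered to the secondary immediately; with unique MACs every inside host black-holes its traffic until its ARP entry expires (or the new box sends gratuitous ARP, which this model leaves out). The `alive` flag is the only thing the toy heartbeat looks at; a real heartbeat runs additional tests, as the post notes, and that is where the real detection work lives.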