Re: FW-1 Failover

[Richard Rees <richard_rees () ins com>]

The multiple DMZs really aren't an issue as far as the HA is concerned.  I
have implemented a Stonebeat HA solution for FW-1, and it works fine in
that regard.  One DMZ is no different than 2 or 4 DMZs.  The only
limitation is the space for NICs in your machine.  A word to the wise,
however:  reserve one port on BOTH firewalls for management traffic, and
tie the DNS hostname (e.g. GW1 and GW2) to that interface.  Checkpoint's
state synchronization really isn't at the point where it can be trusted,
IMHO.  Stonebeat can also be configured to operate in load sharing, but
that is a dragon I have yet to slay.

At 12:12 PM 6/22/99 +0100, Kelvin Garrahan wrote:
> Hi all,
>
> I am thinking of using FW-1 for a internal Firewall which will segregate
> four networks of different security levels. The configuration is to be on
> NT, with four Ethernet cards. The choice of platform is customer driven, my
> original plans where to use Cisco's PIX. The main problem I have is
> providing failover for the FW-1. With PIX this is not a problem. I know FW-1
> supports failover/load sharing, but will this work with four interfaces?
>
> Has anyone any experience with creating resilience for multiple DMZ FW-1
> configurations?
>
> Regards
>
> Kel.
>
> Kelvin Garrahan
> Internet Technologies Consultant.
> Network Services,
> Park House,
> N.C.R.,
> Dublin 7.
> > kelvin.garrahan () compaq com 

----------------------------------------------------------------------------
-------------------------
Richard Rees                            email:  richard_rees () ins com
International Network Services          pager:  (800) 467-1467 or
Network Systems Consultant              page_richard_rees () ins com
Network Security Services               fax:  (847) 995-7701
1100 E. Woodfield Road, Suite 437
Schaumburg, IL 60196
Do not interfere in the affairs of dragons, for you are crunchy and taste
good with ketchup.
"The choices we make dictate the life we lead.  To thine own self be true"