Firewall Wizards mailing list archives
RE: Hardware vs. Software firewall reliability
From: "Ryan Russell" <Ryan.Russell () sybase com>
Date: Sat, 11 Sep 1999 15:06:58 -0700
I thought the problem with H/A and VPN is only one of the firewalls can have the VPN "certificate". When the primary fails and the secondary takes over the remote site aborts the VPN because the secondary has the wrong cert. The fix is to manually update the certificates (or perhaps via a script). Beacuse, by default, FW-1 allows any established connection through, the state table of the secondary shouldn't become an issue. If FW-1 didn't allow that, all established connections would drop when the secondary took over.
... And "established " only applies to TCP, and the VPN doesn't run over TCP. It runs over IP in IP. The problem is that FW-1's state sharing code always seems to lag behind the new features, so you get things like the VPN state not being shared even though it's been around for awhile. Ryan
Current thread:
- Re: Hardware vs. Software firewall reliability, (continued)
- Re: Hardware vs. Software firewall reliability Bill Pennington (Sep 08)
- Re: Hardware vs. Software firewall reliability Christopher C. Petro (Sep 18)
- Re: Hardware vs. Software firewall reliability David Klann (Sep 08)
- Re: Hardware vs. Software firewall reliability Josh Robb (Sep 08)
- Re: Hardware vs. Software firewall reliability Ryan Russell (Sep 08)
- Re: Hardware vs. Software firewall reliability Marcus J. Ranum (Sep 08)
- RE: Hardware vs. Software firewall reliability Lart (Sep 09)
- RE: Hardware vs. Software firewall reliability Lart (Sep 11)
- RE: Hardware vs. Software firewall reliability Lart (Sep 09)
- Re: Hardware vs. Software firewall reliability Vin McLellan (Sep 09)
- RE: Hardware vs. Software firewall reliability Bill Stout (Sep 09)
- RE: Hardware vs. Software firewall reliability Ryan Russell (Sep 12)
- Tripwire like perl program Siglite (Sep 14)
- RE: Hardware vs. Software firewall reliability dwelch (Sep 14)
- RE: Hardware vs. Software firewall reliability Joe Ippolito (Sep 14)
- RE: Hardware vs. Software firewall reliability Bill Stout (Sep 14)
- RE: Hardware vs. Software firewall reliability Tina Bird (Sep 18)
- RE: Hardware vs. Software firewall reliability Joe Ippolito (Sep 18)
- Re: Hardware vs. Software firewall reliability Chenggong Charles Fan (Sep 18)
- RE: Hardware vs. Software firewall reliability dwelch (Sep 18)
- RE: Hardware vs. Software firewall reliability Garrahan, Kelvin (Sep 18)
- Re: Hardware vs. Software firewall reliability Bill Pennington (Sep 08)