Firewall Wizards mailing list archives

RE: Sync Firewall Policy (Checkpoint NG FP2)


From: Yinal Ozkan <Yinal.Ozkan () Integralis Com>
Date: Wed, 30 Jul 2003 15:59:22 -0400

Since you are planning to sync the firewall rulebase, I assume that you are
planning to sync the management server. You cannot sync only rules; you
need many other elements (e.g. object repository, certificates). You must
have a distributed installation, which means that your management server and
the firewall modules must be installed on separate boxes.

The best way to accomplish this task is to use the "Management HA" feature of
Check Point. The second server must be installed as secondary; if you have
the correct licenses, the rest is simple. If you are interested in this
feature I may post more information. Management HA only works on identical
OS and distributed installations.

Alternate setup without Management HA: Since FW-1 is a certificate authority,
you should copy certificates, and the certificates are bound to the name of
the hosts, so cold stand-by scenarios are not simple "copy files" setups.
Both hosts should have the same FQDN (though it doesn't sound logical). In
FP3 I would recommend using the upgrade export import utilities, which work
perfectly (you still need to change IPs). In this scenario you may not get
logs to the secondary when it is not active.

fyi,
- yinal ozkan

-----Original Message-----
From: Elvie Lee [mailto:elvielee74 () hotmail com]
Sent: Wednesday, July 30, 2003 4:33 AM
To: firewall-wizards () honor icsalabs com
Subject: [fw-wiz] Sync Firewall Policy (Checkpoint NG FP2)


Hi,

I am setting up a new firewall (Checkpoint NG FP2) at another site (not HA).

Any idea what is the best way to sync the firewall rulebase between two
firewalls located at two different places?

Thanks!


_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards

