Firewall Wizards mailing list archives

Re: Nokia and Cluster for Checkpoint


From: "Chris Hummel" <chris_hummel () hotmail com>
Date: Wed, 18 Jun 2003 00:17:12 -0400

I'm actually in the process of evaluating Nokia's CryptoCluster (active-active) technology in IPSO 3.6, so I'll share some of the more interesting things that I've come across:
1) A Nokia cluster can only scale to a total of four nodes.
2) Each node in the cluster will require a minimum of four interfaces: internal LAN, Internet or external LAN, FW-1 State Sync, and Nokia Cluster Sync.
3) One Cluster VIP address is required for each segment represented by an interface. So yes, each of the sync subnets will require a Cluster VIP.
4) Nokia's security appliances running Check Point were designed to act as firewall modules only, not as Management Stations. Although it is technically possible to achieve this, it may not be feasible due to limited disk size (logging) and moreover the fact that there is no patch/hotfix support for Mgt Stations on IPSO.
5) There's much more than meets the eye to properly configure a Nokia/Check Point cluster even if it is offline in a lab environment. The IPSO versions are tightly integrated with a corresponding version of Check Point. For example, because Check Point has been modifying its code thereby delaying the release of FP4 (aka AI), Nokia developers have had to re-write portions of their code in their release of IPSO 3.7.
6) There are no options in the event of a failover - meaning you cannot specify alternate interfaces to send the cluster traffic over. See #2 above.

As far as dissecting the 'cluster' traffic, recall that there are two components here: fw state and cluster. For a quick peek you can simply use the Log Viewer. To dig a little deeper you can either run tcpdump or the Check Point command 'fw monitor'. Within Nokia Voyager, you can look at Cluster Monitor but that only shows the health and various stats of the cluster. The big thing that seems to be missing is how to tell, without a shadow of a doubt, that the FW-1 state tables are in sync. The only thing (so far) we've been able to come up with is to open two terminal windows, then enter a command in one window before toggling to the other.

Hope that helps - good luck!

Chris
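As an added example (not part of Chris's post and not Nokia or Check Point tooling), a small Python script that turns the two-terminal comparison described above into a repeatable check: it parses the summary line that `fw tab -t connections -s` prints on each node and compares the live entry counts. The two outputs below are constructed samples, and the column layout (HOST NAME ID #VALS #PEAK #SLINKS) is assumed.

```python
"""Compare FW-1 connections-table summaries captured from two cluster nodes.

Added example, not from the mailing-list post. Assumes the summary line
layout printed by `fw tab -t connections -s`; sample output is constructed.
"""
import re

# Constructed sample output of `fw tab -t connections -s`, one capture per node.
NODE_A_OUTPUT = """\
HOST                  NAME                           ID #VALS #PEAK #SLINKS
localhost             connections                  8158  1204  1950    3612
"""
NODE_B_OUTPUT = """\
HOST                  NAME                           ID #VALS #PEAK #SLINKS
localhost             connections                  8158  1198  1870    3594
"""

# Assumed column order: host, table name, table id, live entries, peak, slinks.
SUMMARY_RE = re.compile(
    r"^(?P<host>\S+)\s+(?P<name>\S+)\s+(?P<id>\d+)\s+"
    r"(?P<vals>\d+)\s+(?P<peak>\d+)\s+(?P<slinks>\d+)\s*$"
)


def parse_summary(output: str) -> dict:
    """Return the table name and counters from the first data line found."""
    for line in output.splitlines():
        m = SUMMARY_RE.match(line)
        if m:
            return {"name": m["name"], "vals": int(m["vals"]),
                    "peak": int(m["peak"]), "slinks": int(m["slinks"])}
    raise ValueError("no table summary line found")


def sync_status(out_a: str, out_b: str, tolerance: float = 0.05) -> dict:
    """Compare live entry counts (#VALS) from both nodes.

    #PEAK and #SLINKS are per-node history and are not expected to match, so
    only #VALS is compared. A relative gap above `tolerance` means the tables
    have drifted further than ordinary sync delay explains.
    """
    a, b = parse_summary(out_a), parse_summary(out_b)
    if a["name"] != b["name"]:
        raise ValueError("summaries describe different tables")
    gap = abs(a["vals"] - b["vals"])
    base = max(a["vals"], b["vals"], 1)
    return {"table": a["name"], "vals_a": a["vals"], "vals_b": b["vals"],
            "gap": gap, "in_sync": gap / base <= tolerance}


if __name__ == "__main__":
    print(sync_status(NODE_A_OUTPUT, NODE_B_OUTPUT))
```

Matching counts are a necessary but not sufficient sign of sync; capture both summaries as close together in time as possible, since entries expire between the two commands.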


Hi,

I'd like some pointers on building up a cluster of firewalls (2 for starters) with four interfaces (all should be VRRP/HSRP alike) and a separate management box on Nokia's.

The idea is to have (per box):
1 int     Bad Guys
1 int     DMZ
1 int     LAN
1 int     Management

The management should contain all synch traffic between the boxes (pref. in load balancing mode) and the other interfaces should have as little synch traffic as possible.

Now, setting up the Nokia cluster isn't that hard, the Checkpoint cluster itself isn't that hard, but where can I find info on the traffic generated by the clustering itself? Can we force just to use the Management interface for all synch traffic, and will a failover (or down situation) occur when any of the interfaces goes down?

T.i.a.

--- A. Louw louw () xs4all nl
_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards



