nanog mailing list archives

Re: Checkpoint IPS

From: Eugeniu Patrascu <eugen () imacandi net>
Date: Wed, 4 Feb 2015 18:07:33 +0200

On Tue, Feb 3, 2015 at 5:41 PM, Michael Hallgren <m.hallgren () free fr> wrote:

 Le 03/02/2015 16:21, Eugeniu Patrascu a écrit :

On Mon, Feb 2, 2015 at 2:53 PM, Michael Hallgren <m.hallgren () free fr>
wrote:

Hi,

Someone has positive or negative experience running
Checkpoint IPS cluster over ``long distance'' synch.
network? Real life limitations? Alternatives? Timers?

 You can do "stretched" with Check Point as long as the network delay is
less than around 70-100 msec RTT or so. If you do this, run your firewalls
in Active/Standby modes.


Thanks Eugeniu, I see what you mean. The specific case I'm looking at is
about asymmetric routing, though.


Firewalls/IPS and asymmetric routing don't play nice. Try to change your
setup/design so that traffic enters/leaves your network segments through
the same security device.

Current thread:

Checkpoint IPS Michael Hallgren (Feb 02)
- Re: Checkpoint IPS Eugeniu Patrascu (Feb 03)
  - Re: Checkpoint IPS Michael Hallgren (Feb 03)
    - Re: Checkpoint IPS Eugeniu Patrascu (Feb 04)
    - Re: Checkpoint IPS Michael Hallgren (Feb 04)
    - Re: Checkpoint IPS Roland Dobbins (Feb 04)
    - Re: Checkpoint IPS Michael Hallgren (Feb 04)
    - Re: Checkpoint IPS Valdis . Kletnieks (Feb 05)
- Re: Checkpoint IPS Roland Dobbins (Feb 04)
  - Re: Checkpoint IPS Michael Hallgren (Feb 04)
    - RE: Checkpoint IPS Terry Baranski (Feb 05)
    - Re: Checkpoint IPS Michael O Holstein (Feb 05)
    - Re: Checkpoint IPS Roland Dobbins (Feb 05)
    - RE: Re: Checkpoint IPS Darden, Patrick (Feb 05)

(Thread continues...)