Re: Checkpoint IPS

[Michael Hallgren <m.hallgren () free fr>]

Le 04/02/2015 17:07, Eugeniu Patrascu a écrit :
> On Tue, Feb 3, 2015 at 5:41 PM, Michael Hallgren <m.hallgren () free fr
> <mailto:m.hallgren () free fr>> wrote:
>
>     Le 03/02/2015 16:21, Eugeniu Patrascu a écrit :
> >     On Mon, Feb 2, 2015 at 2:53 PM, Michael Hallgren
> >     <m.hallgren () free fr <mailto:m.hallgren () free fr>> wrote:
> >
> >         Hi,
> >
> >         Someone has positive or negative experience running
> >         Checkpoint IPS cluster over ``long distance'' synch.
> >         network? Real life limitations? Alternatives? Timers?
> >
> >
> >     You can do "stretched" with Check Point as long as the network
> >     delay is less than around 70-100 msec RTT or so. If you do this,
> >     run your firewalls in Active/Standby modes.
>
>     Thanks Eugeniu, I see what you mean. The specific case I'm looking
>     at is about asymmetric routing, though.
>
>
> Firewalls/IPS and asymmetric routing don't play nice. Try to change
> your setup/design so that traffic enters/leaves your network segments
> through the same security device.

I know. However, I fail to see symmetric traffic flow as ``natural'',
apart from maybe at the extreme edge of a network. So, need another
inspection strategy I think.

Thanks,

mh