Re: [FW1] Services to enable VRRP in Checkpoint
On Fri, Oct 06, 2000 at 11:33:15AM +0200, [email protected] wrote:
:
: I'd like to know which services I have to enable with Checkpoint to permit
: the VRRP protocol between the firewalls (two firewall with a VRRP protocol
: installed in)

You may need to create service objects for VRRP first (I forget if they
started doing that). If you need to do this, create a service object of
type "Other", call it "vrrp", in the "match" field, put "ip_p = 0x70".
Make another service object called igmp, "ip_p = 0x2".

You'll also need to create a network object of type Workstation for
vrrp.mcast.net (224.0.0.18).

I'll assume you're doing monitored circuits, so you don't need to have
the secondary routing protocol involved (like you had to in the 'good old
days' - when we had to also use OSPF w/vrrp).

Make a rule at the top of your rulebase, with source as a group of *EVERY*
interface on both firewalls that will be doing vrrp, yes every single one
of them. If you've got quad cards in each box, and are using one as the
sync link, using a crossover, with inside/outside/dmz as your setup, this
group will contain the remaining 6 interfaces. Make the destination
vrrp.mcast.net, services vrrp and igmp, accept, no log (if you log it,
your logs will be HUGE!).

fw-interfaces    vrrp.mcast.net    vrrp    Accept
                                   igmp

If you're doing it old-style, make network objects for ospf.mcast.net and
ospf-dr.mcast.net (224.0.0.5 and 224.0.0.6, respectively), and make
similar rules to let the interfaces on the fw's that are talking ospf talk
to those addresses with the proper services.

-- 
Jason Costomiris <><           |  Technologist, geek, human.
jcostom {at} jasons {dot} org  |  http://www.jasons.org/
          Quidquid latine dictum sit, altum viditur.
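Added example, not part of the original post and not Check Point code: a small Python check of what the rule above matches, reading the IPv4 protocol byte that "ip_p" refers to. The interface addresses in FW_INTERFACES and the helper names are constructed for illustration; the protocol numbers and 224.0.0.18 come from the post.

```python
import ipaddress
import struct

VRRP_MCAST = ipaddress.ip_address("224.0.0.18")  # vrrp.mcast.net (from the post)
SERVICES = {0x70: "vrrp", 0x02: "igmp"}          # ip_p values (from the post)

# Constructed stand-in for the "fw-interfaces" group: the six non-sync
# interfaces of the two firewalls (documentation address ranges).
FW_INTERFACES = {ipaddress.ip_address(a) for a in (
    "192.0.2.1", "192.0.2.2", "198.51.100.1",
    "198.51.100.2", "203.0.113.1", "203.0.113.2")}

def parse_ipv4(packet: bytes):
    """Return (src, dst, protocol) from a raw IPv4 header."""
    if len(packet) < 20:
        raise ValueError("truncated IPv4 header")
    ver_ihl, _, _, _, _, _, proto, _, src, dst = struct.unpack(
        "!BBHHHBBH4s4s", packet[:20])
    if ver_ihl >> 4 != 4 or (ver_ihl & 0x0F) < 5:
        raise ValueError("not a valid IPv4 header")
    return ipaddress.ip_address(src), ipaddress.ip_address(dst), proto

def rule_matches(packet: bytes):
    """Return the matched service name, or None if the rule does not apply."""
    src, dst, proto = parse_ipv4(packet)
    if src in FW_INTERFACES and dst == VRRP_MCAST:
        return SERVICES.get(proto)
    return None

def make_header(src: str, dst: str, proto: int, ttl: int = 255) -> bytes:
    """Build a constructed 20-byte IPv4 header (checksum left at 0)."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20, 0, 0, ttl, proto, 0,
                       ipaddress.ip_address(src).packed,
                       ipaddress.ip_address(dst).packed)

if __name__ == "__main__":
    samples = [  # constructed test traffic
        ("192.0.2.1", "224.0.0.18", 0x70),    # VRRP advert from a member
        ("198.51.100.2", "224.0.0.18", 0x02), # IGMP from a member
        ("192.0.2.99", "224.0.0.18", 0x70),   # VRRP from a non-member host
        ("192.0.2.1", "224.0.0.5", 89),       # OSPF: needs its own rule
    ]
    for src, dst, proto in samples:
        print(src, dst, hex(proto), "->",
              rule_matches(make_header(src, dst, proto)))
```

The third sample shows why the source is a group of the firewalls' own interfaces rather than "any": protocol 0x70 traffic from another host on the segment does not match the accept rule.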