Re: [FW1] How to setup a Nokia Firewall
Hi,

Please can you explain the two following points:

1) In number 10 you let the firewalls do IGMP towards the VRRP multicast object... WHY IGMP? How is IGMP used in the VRRP (Monitored Circuit) mode?

2) Is the use of a crossover cable between both firewalls much more efficient than a shared link with the LAN of the DMZ? What are the bandwidth requirements (for example) for the synchronization?

Thanks.

Jason Costomiris wrote:

> On Tue, Jan 23, 2001 at 05:03:33PM +0000, [email protected] wrote:
> : Anyone got a document "How to Setup a Nokia FW-1" ?
>
> It's really no different than other platforms, except the software is
> preloaded... Do the OS config, do the FW config, create a policy,
> install policy, adjust policy, etc.
>
> : I have got several different documentation sets for Nokia and Checkpoint
> : which are not very helpful and it is not even clear in what order to do
> : certain things.
> :
> : It would nice to have just one set of steps from start to finish (at least
> : to the point where you have a GUI connected and are ready to build a
> : rulebase) - hopefully in the correct order !
>
> Here's a quick guide. I'll assume two units in a VRRP config with a
> management console running on the internal network. This assumes you
> understand FW1 basics like putkeys, connecting remote fw modules to
> management consoles, etc.
>
> 1) Hook up the console cable, do the initial config (hostname, admin pw,
>    pick an i/f, configure it) - do this to both boxes.
>
> 2) Rack 'em and cable 'em up.
>
> 3) Configure the remaining interfaces using Voyager, including IP addresses,
>    netmasks, choose 10 or 100 Mbps, full/half duplex, etc.
>
> 4) Configure routing - default gateways, static routes, etc.
>
> 5) Configure VRRP Monitored Circuits - test failover.
>
> 6) Configure FW1 on each box (cpconfig) - get them talking to the management
>    console ($FWDIR/conf/masters, putkeys, etc.)
>
> 7) Make a workstation object, vrrp.mcast.net == 224.0.0.18
>
> 8) Make sure your firewalls are defined, and all of their i/fs are listed in
>    the Interfaces tab of their respective workstation objects.
>
> 9) Configure FW1 state sync - Create $FWDIR/conf/sync.conf on each fw module
>    with the ip of the partner fw in the file. Don't forget to do putkeys
>    each way between the partners. I typically dedicate an interface to
>    this, and use a crossover, running at 100 Mbps, full duplex. Use these
>    IPs for the state sharing.
>
> 10) First rule of your rulebase:
>     firewalls vrrp.mcast.net vrrp,igmp Accept (No log)
>
> 11) Finish building your rules, lather, rinse, repeat.
>
> This rule permits vrrp to work properly.
>
> --
> Jason Costomiris <>< | Technologist, geek, human.
> jcostom {at} jasons {dot} org | http://www.jasons.org/
> Quidquid latine dictum sit, altum viditur.

--
Guillaume Schachtele
MIS Security Engineer, DMZ administrator
GEMPLUS, Management Information Service
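An added example (not part of the original thread, and not Check Point or Nokia code): a Python check of which packets rule 10 in the quoted guide matches, run over constructed IPv4 headers. The firewall addresses and the helper names are assumptions made for illustration; 112 and 2 are the IANA IP protocol numbers for VRRP and IGMP.

```python
import ipaddress
import struct

VRRP_GROUP = ipaddress.ip_address("224.0.0.18")  # vrrp.mcast.net object from step 7
SERVICES = {112: "vrrp", 2: "igmp"}              # IANA IP protocol numbers
# Constructed addresses standing in for the "firewalls" group (assumption).
FIREWALLS = {ipaddress.ip_address(a) for a in ("192.0.2.2", "192.0.2.3")}
IPV4_HEADER = struct.Struct("!BBHHHBBH4s4s")     # fixed 20-byte IPv4 header


def parse_ipv4(header: bytes):
    """Return (src, dst, protocol) from the first 20 bytes of an IPv4 packet."""
    if len(header) < IPV4_HEADER.size:
        raise ValueError("truncated IPv4 header")
    fields = IPV4_HEADER.unpack(header[:IPV4_HEADER.size])
    if fields[0] >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    return ipaddress.ip_address(fields[8]), ipaddress.ip_address(fields[9]), fields[6]


def check_rule_10(header: bytes) -> str:
    """Return 'accept' if rule 10 matches, else the first reason it does not."""
    src, dst, proto = parse_ipv4(header)
    if src not in FIREWALLS:
        return f"no match: source {src} is not in the firewalls group"
    if dst != VRRP_GROUP:
        return f"no match: destination {dst} is not vrrp.mcast.net"
    if proto not in SERVICES:
        return f"no match: protocol {proto} is not vrrp or igmp"
    return "accept"


def make_header(src: str, dst: str, proto: int, ttl: int = 255) -> bytes:
    """Build a constructed IPv4 header for testing (checksum left at zero)."""
    return IPV4_HEADER.pack(0x45, 0, 20, 0, 0, ttl, proto, 0,
                            ipaddress.ip_address(src).packed,
                            ipaddress.ip_address(dst).packed)


if __name__ == "__main__":
    samples = [  # constructed packets, not captured traffic
        make_header("192.0.2.2", "224.0.0.18", 112),         # VRRP advertisement
        make_header("192.0.2.3", "224.0.0.18", 2, ttl=1),    # IGMP for the group
        make_header("192.0.2.99", "224.0.0.18", 112),        # not a firewall
        make_header("192.0.2.2", "224.0.0.18", 6),           # TCP, wrong service
    ]
    for pkt in samples:
        print(check_rule_10(pkt))
```

Packets that return a "no match" reason fall through to the later rules of the rulebase, which is where to look when VRRP traffic between the pair is being dropped.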