
Re: [FW1] How to setup a Nokia Firewall



Hi,

Please can you explain the following two points:

1) In number 10 you let the firewalls do IGMP towards the VRRP multicast object
... WHY IGMP?
    How is IGMP used in the VRRP (Monitored Circuit) mode?

2) Is the use of a crossover cable between the two firewalls much more efficient
than a shared link with the LAN of the DMZ?
      What are the bandwidth requirements (for example) for the synchronization?

Thanks.

Jason Costomiris wrote:

> On Tue, Jan 23, 2001 at 05:03:33PM +0000, [email protected] wrote:
> : Anyone got a document "How to Setup a Nokia FW-1" ?
>
> It's really no different than other platforms, except the software is
> preloaded...  Do the OS config, do the FW config, create a policy,
> install policy, adjust policy, etc.
>
> : I have got several different documentation sets for Nokia and Checkpoint
> : which are not very helpful and it is not even clear in what order to do
> : certain things.
> :
> : It would be nice to have just one set of steps from start to finish (at least
> : to the point where you have a GUI connected and are ready to build a
> : rulebase) - hopefully in the correct order !
>
> Here's a quick guide.  I'll assume two units in a VRRP config with a
> management console running on the internal network.  This assumes you
> understand FW1 basics like putkeys, connecting remote fw modules to
> management consoles, etc.
>
> 1) Hook up the console cable, do the initial config (hostname, admin pw,
>    pick an i/f, configure it) - do this to both boxes.
>
> 2) Rack 'em and cable 'em up.
>
> 3) Configure the remaining interfaces using Voyager, including IP addresses,
>    netmasks, choose 10 or 100 Mbps, full/half duplex, etc.
>
> 4) Configure routing - default gateways, static routes, etc.
>
> 5) Configure VRRP Monitored Circuits - test failover.
>
> 6) Configure FW1 on each box (cpconfig) - get them talking to the management
>    console ($FWDIR/conf/masters, putkeys, etc.)
>
> 7) Make a workstation object, vrrp.mcast.net == 224.0.0.18
>
> 8) Make sure your firewalls are defined, and all of their i/fs are listed in
>    the Interfaces tab of their respective workstation objects.
>
> 9) Configure FW1 state sync - Create $FWDIR/conf/sync.conf on each fw module
>    with the ip of the partner fw in the file.  Don't forget to do putkeys
>    each way between the partners.  I typically dedicate an interface to
>    this, and use a crossover, running at 100 Mbps, full duplex.  Use these
>    IPs for the state sharing.
>
> 10) First rule of your rulebase:
> firewalls       vrrp.mcast.net          vrrp,igmp       Accept          (No log)
>
> 11) Finish building your rules, lather, rinse, repeat.
>
> This rule permits vrrp to work properly.
>
> --
> Jason Costomiris <><           |  Technologist, geek, human.
> jcostom {at} jasons {dot} org  |  http://www.jasons.org/
>           Quidquid latine dictum sit, altum viditur.
>
begin:vcard 
n:Schachtele;Guillaume
tel;fax:(+33) 4.42.36.67.60
tel;work:(+33) 4.42.36.65.50
x-mozilla-html:FALSE
url:http://www.gemplus.fr
org:GEMPLUS;Management Information Service
version:2.1
email;internet:[email protected]
title:MIS Security Engineer
note:DMZ administrator
adr;quoted-printable:;;Gemplus  BP 100=0D=0AGEMENOS=0D=0A13881=0D=0AFRANCE;;;;
end:vcard
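
As an added illustration (not part of either post, and not Check Point or Nokia code), this Python sketch matches a raw IPv4 packet against rule 10 of the quoted guide (firewalls to 224.0.0.18, services vrrp and igmp) and then applies the VRRPv2 receive checks from RFC 2338: TTL 255, version/type, and checksum. The firewall addresses, the virtual IP and every sample packet are constructed, and all function names are hypothetical.

```python
import ipaddress
import struct

VRRP_GROUP = ipaddress.IPv4Address("224.0.0.18")  # vrrp.mcast.net (step 7)
PROTO_IGMP, PROTO_VRRP = 2, 112                   # IANA IP protocol numbers
# Constructed addresses standing in for the "firewalls" group (assumption).
FIREWALLS = {ipaddress.IPv4Address(a) for a in ("192.0.2.2", "192.0.2.3")}

def inet_checksum(data: bytes) -> int:
    """RFC 1071 checksum; returns 0 over a message whose checksum is valid."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def check_rule10(packet: bytes) -> str:
    """Match a raw IPv4 packet against rule 10, then sanity-check VRRPv2."""
    ihl = (packet[0] & 0x0F) * 4 if packet else 0
    if ihl < 20 or len(packet) < ihl or packet[0] >> 4 != 4:
        return "no match: not IPv4"
    ttl, proto, payload = packet[8], packet[9], bytes(packet[ihl:])
    src = ipaddress.IPv4Address(bytes(packet[12:16]))
    dst = ipaddress.IPv4Address(bytes(packet[16:20]))
    if src not in FIREWALLS or dst != VRRP_GROUP:
        return "no match"
    if proto == PROTO_IGMP:
        return "accept: igmp"
    if proto != PROTO_VRRP:
        return "no match"
    if ttl != 255:  # RFC 2338: receivers must discard VRRP with TTL != 255
        return "suspect: vrrp ttl != 255"
    if len(payload) < 8 or payload[0] != 0x21:  # version 2, type 1
        return "suspect: not a VRRPv2 advertisement"
    if inet_checksum(payload) != 0:
        return "suspect: bad vrrp checksum"
    return f"accept: vrrp vrid={payload[1]} priority={payload[2]}"

def vrrp_advert(vrid: int, priority: int, vip: str) -> bytes:
    """Build a constructed VRRPv2 advertisement carrying one address."""
    body = struct.pack("!BBBBBBH4s8s", 0x21, vrid, priority, 1, 0, 1, 0,
                       ipaddress.IPv4Address(vip).packed, bytes(8))
    return body[:6] + struct.pack("!H", inet_checksum(body)) + body[8:]

def ip_packet(src: str, proto: int, ttl: int, payload: bytes) -> bytes:
    """Wrap a payload in a minimal IPv4 header (header checksum left 0)."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, ttl,
                       proto, 0, ipaddress.IPv4Address(src).packed,
                       VRRP_GROUP.packed) + payload
```

Packets the rule would accept by address and protocol but that fail the VRRP checks are reported as "suspect", which is the case worth logging even though the rule in the guide is set to no log.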


 
----------------------------------

   All contents © 2004 Network Presence, LLC. All rights reserved.