RE: [FW1] Cluster Gateway definition
The cluster object itself needs only the virtual IP address listed on the general tab. In your case this will be the VRRP address. Keep in mind though, the original specification of VRRP was to have one of the clustered gateways' primary IP be the VRRP address. This had the limitation that, in a fail-over scenario, the backup gateway could not answer traffic destined to the VRRP address since he did not own it. Here, we want the ability to initiate to the VRRP address even in fail-over mode; this requires the use of a non-physical address. Here, the VRRP address should be something other than any of the primary external addresses.

In a VPN configuration where the remote side needs to define his IPSec policy, they will need to define more than the VRRP address if the FireWall-1 gateway is earlier than SP3. The reason is, we will do key exchanges to the VRRP address, but the external header in all tunnel mode IPSec traffic would contain the address of the primary interface. If the other end is a Check Point firewall, this can be accomplished by the peer defining a firewall object with the cluster IP on the general tab and all of the other primary external addresses on the interfaces tab. The IPs on the interfaces tab do not need to have the correct device name, however.

If you have SP3 you can make an edit that will cause only the VRRP address to be used to overcome this problem. Check the release notes for details.

-----Original Message-----
From: [email protected] [mailto:[email protected]]On Behalf Of [email protected]
Sent: Friday, June 08, 2001 4:02 AM
To: [email protected]
Subject: [FW1] Cluster Gateway defination

What IP address should be defined in the Cluster Gateway in a VRRPmc environment? Should one use the primary IP address on the General tab of the properties window, and add the rest of the interfaces, including the virtual interfaces, to the interfaces tab of the firewall module object?

I have read conflicting articles on defining Cluster Gateways on the rulebase; can someone please set me straight?

================================================================================
To unsubscribe from this mailing list, please see the instructions at
http://www.checkpoint.com/services/mailing.html
================================================================================