[FW1] CP 4.0 multiple encryption domain definition

Hi all,

We are trying to migrate from one ISP to another in our location. Original setup:

---Site A--Firewall A----Internet--Firewall B--Site B---
We have set up a second firewall at Site B (let's call it Firewall C). I have defined new network objects for Firewall C with hiding NATs behind the external interface. From Site B the default route outbound is Firewall B right now. A few nights ago we wanted to cut over to Firewall C and make that our default firewall to the Internet. The firewall worked great and the rule set worked, but when we tried to restart the VPN between Site A and Site B, now using Firewall C as the termination point, the firewall at Site A was still trying to encrypt packets to Firewall B instead of C. From C the encryption worked fine to Site A. I have recreated the encryption domain with the newly defined network objects and also put Firewall C in it as well. In my mind Firewall A would have no business contacting Firewall B for any reason, because the encryption domain it is supposed to contact clearly defines Firewall C as what it needs to talk to. Could someone confirm or deny this behavior of CP 4.0?
How could I set up a standby firewall, not in production, before the cutover, with all objects defined and ready to go for cutover night? If that is not possible, can anyone recommend a way to cut over in a minimum amount of time, or do I have to recreate all the network objects on cutover night? All help or advice would be greatly appreciated,

László Somi