I didn't see this pass by so I am posting again.
----------
From: Kerrigan, Philip
Sent: Wednesday, 4 December 1996 9.59
To: 'firewalls-digest-owner'
Subject: Re: Redundant FW-1s in Parallel!?
Reply to Bill Husler:
No, your picture is not true. Maybe someone who was at the Checkpoint
Paris conference can give more details, but v 3.0 does not give HA. It
allows the state to be shared between 2 machines, which helps
high-availability and allows separate inbound and outbound routes, but it
DOES NOT check the operating state of the other machine. Load balancing
must also be done separately. Furthermore, to have the same rulebase on
both machines you need remote management, otherwise you have to remember
to copy the rulebase to the other machine every time you change it, and
then install it. You could use cron to do this, of course, if the second
machine was in standby, or run some form of script that starts the fwui,
and then does an rcp when finished (if you want to allow rcp).
Also you can have more interfaces. A Sparcstation 5 has its basic LAN
le0, the SCSI card has another, le1, and you can add a quad ethernet to
get qe0 through qe3. Using a virtual interface you can share a heartbeat
link with the internal network. This gives you 5 usable interfaces. I
have done this and it works.
The basic Qualix SecureWatch is asymmetric but there is no real reason
why you can't make it symmetric and fail over the A machine interfaces to
a virtual interface on the B machine. Obviously in this case you can't
share disks, and you need FW-1 licences on both machines. Currently you
also lose all connections on the failed machine, but ver 3.0 should take
care of that.
best regards
Philip Kerrigan
EDS Italia SpA
Viale Monza, 257
Milano, Italy
tel. + (0)2 2524272
fax + (0)2 27002588
msitmi02 . xz46g8 @ eds . com