Richard Stiennon wrote:
| At 11:38 AM 3/17/97 +1100, David Cragg wrote:
| Level 3. Stonebeat keep alive software with dual FireWall-1 installations
| in parallel. The Stonebeat element monitors primary FW from secondary. If
| it detects outage it renumbers ports on secondary to be same as old primary
| (IP address *and* MAC address). The advantage is that the network does not
| have to learn new routes. Convergence time we have tested to less than 5
| seconds. With FW-1 3.0 state is maintained across both firewalls. An
| authenticated session sees only a five second delay. You *do not* have to
| re-authenticate.
http://www.stonebeat.com/sb-wp.html#How StoneBeatTM writes:
>Simple TCP connections like telnet, http, smtp etc. won't even
>disconnect while the switch over. More sophisticated connections, like
>FTP and RPC, where the firewall module contains more state information
>of the connections needs to be re-established after the switch over.
>(See FireWall-1TM v3.0 Connection Control option which may be used to
>avoid this.)
Sounds like they're using ACK bits in the first level of fail over.
The last time I looked for details on "Connection Control's"
authentication and integrity mechanisms, no useful info was available.
I'm sure someone will point out if this has changed.
Adam
--
"Well, that depends. Do you mind the end of civilization as we know
it?"