Ian,
There seems to be a problem with the synchronization of FW-1.
If you are looking for HA for your firewall, you may want to
take a look at the HA+ solution from Qualix that uses FW-1
(http://www.qualix.com/html/ha_firewall.html)
Regards,
/Martin
Schlueter, Ian wrote:
>
> I am attempting to utilize the synchronization capabilities of FW1 ver
> 3.0b to implement "high-availability" and I am running into a problem.
>
> I have two HPUX C100's configured identically. Installed are a total of
> four network interfaces in each.
>
> Interface 1: to the Internet
> Interface 2: to the intranet
> Interface 3: to the DMZ
> Interface 4: to the "firewall sync network"
>
> The firewall sync network only has the two firewalls on it; I am using a
> non-internet routable "test" range to address that segment. The
> firewalls each have an entry in the /etc/fw/conf/sync.conf file
> pointing to their counterpart.
>
> Here is the problem:
>
> I am continuously seeing a "Got Connection from firewall-1"
> then immediately seeing a "End Connection from firewall-1"
>
> These messages appear simultaneously on both firewall consoles. Logs
> appear to be shared, but state tables only seem to be shared part of the
> time.
>
> Check Point suggested that if the two machines' system clocks were more
> than 5 seconds out of synchronization, it could cause this problem.
> We set the clocks to the same time, and tested, still no luck. We even
> installed ntp between them and it did not change the results.
>
> Anyone have any ideas?
>
> - - -/ W. Ian Schlueter ian . schlueter @ avnet . com
> - - / Project Manager, Global Internet/intranet support
> - -/ Avnet, Inc. Chandler, AZ
> - / (602) 940-5977