Bill,
The answer is yes and no.
We have tried to not use the phrase "High Availability" on purpose.
Qualix provides high availability in their solution and it is a valuable
supplement to what FW-1 does.
What "State Sharing" does is solve the asymmetrical routing problem when
you have multiple, valid, routed paths that the packets within a logical
session can take. If this ability to handle multiple paths is combined
with a routing topology mechanism that is extremely responsive to
topology changes, then you approach the functionality level of a "High
Availability" system.
So, in short, yes the "after" diagram you have shown will work, in terms
of solving the asymmetrical routing problem. However, to make that
system "Highly Available" you also have to include the surrounding
routers into the picture and make sure they are playing the game
also.
David
Bill Husler wrote:
>
> David,
> Let me see if I understand this.
>
> Currently, if we want HA we must use Qualix software which required two
> dedicated lan ports and external shared DASD between two firewalls - one
> of which is simply a hot standby. With this configuration on a Sparc-5,
> we only get to have two usable interfaces. If I understand what we will
> get with Checkpoint's flavor is the ability to actually use these other
> interfaces for the sort of things we wanted to in the first place like
> providing employee dial-up or private connections to other companies
> while providing load balancing and fail-over. Is this true?
>
> BEFORE AFTER
>
> -------------------- --------------
> Int | | Ext Int | | Ext
> -----| Primary Firewall |----- -----| Firewall A |-----
> | | | | | | | |
> | -------------------- | | -------------- |
> | ......|.|........|........ | | | | |
> | . req | | ---------- . | | -------- -------- |
> -----| . for | | |Ext Disk| . |----- -----| | DIAL | | OTHR | |-----
> | . HA | | ---------- . | | -------- -------- |
> | ......|.|........|........ | | | | |
> | -------------------- | | -------------- |
> | | | | | | | |
> -----| Backup Firewall |----- -----| Firewall B |-----
> | | | |
> -------------------- --------------
> Bill
>
> >Subject: Re: Redundant FW-1s in Parallel!?
> >Sent: 11/27/96 9:04 AM
> >Received: 11/27/96 8:01 PM
> >From: David Helms, david . helms @ checkpoint . com
> >To: Dave Roberts, djr @ saa-cons . co . uk
> >CC: Firewalls @ GreatCircle . COM
> >
> >Dave,
> >
> >See my comments below....
> >
> >Dave Roberts wrote:
> >>
> >> On Tue, 26 Nov 1996, David Helms wrote:
> >>
> >> > That "State-Sharing" protocol was announced as a feature of the V3.0
> >> > release of FireWall-1.
> >>
> >> How does the software share the state information? ie what kind of
> >> protocol over what kind of medium.
> >
> >The state sharing protocol is a TCP-protocol that falls within the group
> >of what are considered FW-1 control protocols.
> >
> >> Is it encrypted and/or authenticated?
> >
> >Yes and yes, based on the same mechanism as other FW-1 control
> >protocols.
> >
> >David
> >>
> >> --
> >> Dave Roberts For PGP Key - send mail with subject of 'get pgp':-
> >> Senior Unix Admin < 51 4B 6A 35 3F C4 B6 3D 13 88 0C B2 48 61 51 1C >
> >> SAA Consultants Ltd Std disclaimer applies, it's nothing to do with them
> >> Plymouth, UK. Tel: +44 1752 606000 Fax: +44 1752 606838
> >
> >--
> >__________________________________
> > David Helms
> > Senior Technical Consultant
> > CheckPoint Software Technologies
> > ph 703.684.4824
> > fx 703.684.4847
> > davidh @ checkpoint . com
> >__________________________________
--
__________________________________
David Helms
Senior Technical Consultant
CheckPoint Software Technologies
ph 703.684.4824
fx 703.684.4847
davidh @ checkpoint . com
__________________________________
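
The asymmetrical routing problem discussed in the message above, as an added illustration that is not part of the original thread and is not FireWall-1 code: a toy stateful filter in which a session leaves through gateway A and its reply returns through gateway B. The addresses, the "inside hosts may open sessions" policy, and the in-memory peer update standing in for the state-sharing protocol are all assumptions.

```python
# Toy model only: each gateway keeps a connection table; with sharing
# enabled, new entries are also pushed to the peer gateway.

class Gateway:
    def __init__(self, name, inside_prefix="10."):
        self.name = name
        self.inside_prefix = inside_prefix   # assumed internal address range
        self.table = set()                   # sessions this gateway knows about
        self.peers = []                      # gateways that receive our updates

    @staticmethod
    def key(src, sport, dst, dport):
        # Direction-independent key so a reply matches the original entry.
        return frozenset([(src, sport), (dst, dport)])

    def learn(self, k):
        self.table.add(k)

    def handle(self, src, sport, dst, dport):
        k = self.key(src, sport, dst, dport)
        if k in self.table:
            return "accept"                  # packet belongs to a known session
        if src.startswith(self.inside_prefix):
            self.learn(k)                    # inside host opens a new session
            for peer in self.peers:
                peer.learn(k)                # state sharing: inform the peer
            return "accept"
        return "drop"                        # unsolicited packet from outside


def run(shared):
    a, b = Gateway("A"), Gateway("B")
    if shared:
        a.peers, b.peers = [b], [a]
    # Constructed flow: the request leaves via A, the reply comes back via B.
    out = a.handle("10.0.0.5", 40000, "192.0.2.80", 80)
    back = b.handle("192.0.2.80", 80, "10.0.0.5", 40000)
    # Constructed stray packet that no inside host asked for.
    stray = b.handle("192.0.2.99", 80, "10.0.0.7", 40001)
    return out, back, stray


if __name__ == "__main__":
    print("independent tables:", run(shared=False))
    print("shared state:      ", run(shared=True))
```

Without sharing, B has no entry for the session and drops the legitimate reply; with sharing, the reply is accepted while the unsolicited packet is still dropped.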