Gary,

Appreciate your advice.

OK, last question. The topo is:

eth2c0     147.x.x.1   vip 147.x.x.2   147.x.x.3
eth3c0     11.x.x.1    vip 11.x.x.2    11.x.x.3
1st synch  192.x.x.1   192.x.x.2

All the above, apart from the synch, have a failover address.

The other interface is eth1c0, which has different IP addresses assigned; these are the IPs the firewalls will be managed on (ssh, ssl).

So given the above, which IP address would you assign the cluster members? The external IP of the cluster will obviously be the 147.x.x.x vip.

The firewalls were built with the different IP, so that is why I am thinking the cluster members need to be the same; if so I can change these to be the 11.x.x.x and simply have eth1c0 as purely management.

Appreciate this, and hopefully I will be sorted.

--- On Mon, 18/10/10, Gary Scott <accesslimi...@yahoo.com> wrote:

From: Gary Scott <accesslimi...@yahoo.com>
Subject: Re: [FW-1] IP addressing of firewalls and cluster topology
To: FW-1-MAILINGLIST@AMADEUS.US.CHECKPOINT.COM
Date: Monday, 18 October, 2010, 20:24

There is no need for the interfaces to be in VRRP for you to be able to ssh or ssl to the device. On your topo for your cluster object, define these as non-monitored private interfaces.

________________________________
From: Peter Addy <wavema...@yahoo.com>
To: FW-1-MAILINGLIST@AMADEUS.US.CHECKPOINT.COM
Sent: Mon, October 18, 2010 2:46:12 PM
Subject: Re: [FW-1] IP addressing of firewalls and cluster topology

Thanks Gary,

I think I may have not explained myself correctly. The cluster members are on separate networks and will have no VRRP on this address; these are the managed IP addresses. However, I think I will simply use the other internal addressing for the cluster members, which is on the same network and does have a VRRP address, and have the other two networks for management only for the firewalls, as I think you're saying it is right to have the cluster members defined with a VRRP and must be on the same network. So my SIC will be made to these internal addresses of the cluster, and simply have the two

Do you see any issues with this? Does the management of both firewalls, over ssh and https, have to have a VRRP? The firewalls are located in different locations on different networks.

--- On Mon, 18/10/10, Gary Scott <accesslimi...@yahoo.com> wrote:

From: Gary Scott <accesslimi...@yahoo.com>
Subject: Re: [FW-1] IP addressing of firewalls and cluster topology
To: FW-1-MAILINGLIST@AMADEUS.US.CHECKPOINT.COM
Date: Monday, 18 October, 2010, 18:09

Sets of interfaces participating in VRRP must be on the same network; VRRP can have no hops between these interfaces.

________________________________
From: Peter Addy <wavema...@yahoo.com>
To: FW-1-MAILINGLIST@AMADEUS.US.CHECKPOINT.COM
Sent: Mon, October 18, 2010 12:49:21 PM
Subject: Re: [FW-1] IP addressing of firewalls and cluster topology

Hi,

Does anyone have any thoughts on this? Any help is appreciated.

Thanks

On Sun Oct 17th, 2010 8:25 PM BST Peter Addy wrote:

>I was thinking would it be easier to assign the cluster members the same
>network and this will have a VRRP address, so change the hostname IP to the
>new address, keeping the hostname as it is.
>The IP I mentioned will still be the management IPs, therefore can simply
>manage the firewalls on those IPs (ssh, https etc.), so in DNS have the
>hostnames resolve to the 172.22.28.29 and 172.21.28.29
>
>Hope this makes sense
>
>--- On Sun, 17/10/10, Peter Addy <wavema...@yahoo.com> wrote:
>
>From: Peter Addy <wavema...@yahoo.com>
>Subject: [FW-1] IP addressing of firewalls and cluster topology
>To: FW-1-MAILINGLIST@AMADEUS.US.CHECKPOINT.COM
>Date: Sunday, 17 October, 2010, 20:05
>
>Hi,
>
>Does anyone know of any issues where two firewall modules (cluster members)
>which have different IPs that are in a Check Point Nokia VRRP cluster?
>
>Scenario: one module is assigned for example 172.22.28.29, the other module is
>172.21.28.29. These modules are also managed IPs, that is, we will connect to
>these modules on ssh and https etc., and the hostnames are those IPs. The
>cluster IP is a 147.x.x.x
>
>There is no cluster for the modules as they are not on the same network.
>The topology looks strange in the fact that it does not run contiguous, so
>looking at the topo of the Check Point cluster we have one interface on each
>module, no VRRP, same interface though, eth1c0
>
>I know there will be no VRRP for this and cpha status should be fine as long as
>we have the synch, so active/active should be seen, or will this cause an issue?
>
>Can anyone see an issue with this config, or should the cluster members have
>to be on the same network?
>
>Thanks
>
>=================================================
>To set vacation, Out-Of-Office, or away messages,
>send an email to lists...@amadeus.us.checkpoint.com
>in the BODY of the email add:
>set fw-1-mailinglist nomail
>=================================================
>To unsubscribe from this mailing list,
>please see the instructions at
>http://www.checkpoint.com/services/mailing.html
>=================================================
>If you have any questions on how to change your
>subscription options, email
>fw-1-ow...@ts.checkpoint.com
>=================================================

Scanned by Check Point Total Security Gateway.
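
Added example (not part of the original thread): a small Python check of the rule Gary states, that interface pairs running VRRP must sit on the same network, while pairs on different networks (such as the eth1c0 management addresses) can only be non-monitored private interfaces. The /24 prefix length, the dictionary layout and every address other than 172.22.28.29 and 172.21.28.29 are assumptions made for illustration.

```python
import ipaddress

# Constructed sample topology. The 172.x management addresses are the ones
# quoted in the thread; the /24 prefix and all other addresses (RFC 5737 and
# RFC 1918 ranges standing in for the masked ones) are assumptions.
TOPOLOGY = {
    "eth1c0": {"members": ["172.22.28.29", "172.21.28.29"], "prefix": 24, "vip": None},
    "eth2c0": {"members": ["192.0.2.1", "192.0.2.3"], "prefix": 24, "vip": "192.0.2.2"},
    "eth3c0": {"members": ["198.51.100.1", "198.51.100.3"], "prefix": 24, "vip": "198.51.100.2"},
    "sync": {"members": ["10.0.0.1", "10.0.0.2"], "prefix": 24, "vip": None},
}


def classify_interface(members, prefix, vip=None):
    """Classify one interface pair of a two-member cluster."""
    networks = {ipaddress.ip_interface(f"{ip}/{prefix}").network for ip in members}
    if len(networks) > 1:
        # Members are on different networks, so VRRP cannot run between them.
        if vip is not None:
            return "invalid: VIP configured but members are on different networks"
        return "non-monitored private"
    network = next(iter(networks))
    if vip is None:
        # Same network, no failover address (the sync link in the thread).
        return "same network, no VIP"
    if ipaddress.ip_address(vip) not in network:
        return f"invalid: VIP outside {network}"
    return "vrrp"


def audit_topology(topology):
    """Return {interface name: verdict} for every interface in the topology."""
    return {
        name: classify_interface(iface["members"], iface["prefix"], iface["vip"])
        for name, iface in topology.items()
    }


if __name__ == "__main__":
    for name, verdict in audit_topology(TOPOLOGY).items():
        print(f"{name:8} {verdict}")
```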