Gordon,
Here are my views on this subject....
<..snip..>
As I understand it (and I am more than happy to be corrected on this one!)
this means I can only use one IP address for both boxes.
This in turn means I really need to set them up as a "gateway cluster" and
that would require a separate box to run the management module ....... am I
right so far?
<..snap..>
I think it depends on your setup. If the license is built on your external
IP address then you can build a second firewall with the same IP address
and use that one as a failover system. The only problem is that you can't
use it as a "real time" failover because then you get an IP conflict. You
must do the failover manually.
Separating the management module is handy if you have a firewall cluster
or have a lot of firewalls with the same rulebase. In your setup with only 2
firewalls it can work without it... Unless you wanna use some clustering
idea... normally it's then handy to use a management station to have
a central location where you manage the rulebase and the logging.
<..snip..>
1. Buy another box/(management) licence and use the full "gateway Cluster"
technique
<..snap..>
this is an option...
<..snip..>
2. Use the older Nokia "tunnel" to give (I guess) a non-stateful failover
(I presume this means I would also need another certificate key in order to
config the second Nokia with a different IP address)
<..snap..>
Dunno what you mean by this
<..snip..>
3. Buy a third product (eg "Stonebeat")..............(I presume this also
means I would also need another certificate key in order to config the
second Nokia with a different IP address)
<..snap..>
The problem is, as far as I know, that stonebeat doesn't run on Nokia
stuff, only on Solaris and NT. And stonebeat wants a separate management
station and firewall modules. Stonebeat can work in an active-active and
active-passive solution. Checkpoint can do that on its own too I think...
Anyway... maybe more people can shed some light on this,
but these were my thoughts.
Regards,
Brenno
> -----Original Message-----
> From: [EMAIL PROTECTED] [SMTP:[EMAIL PROTECTED]]
> Sent: dinsdag 18 september 2001 19:11
> To: [EMAIL PROTECTED]
> Subject: FW-1 failover options
>
> Hi All,
> Here I am; still suffering with my Nokias .................. I have one
> FW-1 (Nokia IP440) on-line so far, and one that I wish to install as
> backup.
> Ordering was done by another dept. (my excuse!) so I have only now
> discovered that we have only one certificate key!.....
>
> I saw the details about the Nokia Tunnel (mutually exclusive to the CP
> clusters) on the "knowledge base", but that was about it for alternatives?
> I can see that this is going to get very complicated, so all I want to ask
> at this moment is what my options are to provide partial or full failover
> capability. If my comments above are correct, I can see only the following
> as alternatives :-
>
> I would love to be told that I am wrong !
> Your comments and alternatives would be most appreciated,
> Thanks in advance,
> Gordon
>
>
> _______________________________________________
> Firewalls mailing list
> [EMAIL PROTECTED]
> http://lists.gnac.net/mailman/listinfo/firewalls