Clarify what you want. Cold spare or hot spare with fail over (HA) or load
balancing?  VPN or just FW?

For the latter 2 you need another license but I would only get a module
license. Put a module license on each Nokia and the management license on
some internal (secure) box (NT or Linux or other Unix).

For HA, VRRP, which is built into the Nokia, works well (2-5 second failover,
hardly noticeable by users). You license to the real IP but create a
virtual IP for the application routing. (You can't ping that address, so don't
use it for testing.) You also turn on state sharing on Check Point so the
connections don't get dropped during a failover. Really works.

You can also put the management on one Nokia and only a module on the other.
I don't know if HA will work with this, though it might. MEP for VPN will not
work well with this - you really need a separate manager. I don't see why
you could not run them as two firewalls protecting the same network with the
same policy, with one being a module and one being a module/manager.

Also, look at NG.

Adam

----- Original Message -----
From: <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Tuesday, September 18, 2001 1:11 PM
Subject: FW-1 failover options


> Hi All,
> Here I am; still suffering with my Nokias .................. I have one
> FW-1 (Nokia IP440) on-line so far, and one that I wish to install as
> backup.
> Ordering was done by another dept. (my excuse !) so I have only now
> discovered that we have only one certificate key. !.....
>
> As I understand it (and I am more than happy to be corrected on this one!)
> this means I can only use one IP address for both boxes.
> This in turn means I really need to set them up as a "gateway cluster" and
> that would require a separate box to run the management module ....... am I
> right so far?
> I saw the details about the Nokia Tunnel (mutually exclusive to the CP
> clusters) on the "knowledge base", but that was about it for alternatives?
> I can see that this is going to get very complicated, so all I want to ask
> at this moment is what my options are to provide partial or full failover
> capability. If my comments above are correct, I can see only the following
> as alternatives :-
>
> 1. Buy another box/(management) licence and use the full "gateway Cluster"
> technique
> 2. Use the older Nokia "tunnel" to give (I guess) a non-stateful failover
> (I presume this means I would also need another certificate key in order to
> config the second Nokia with a different IP address)
> 3. Buy a third product (eg "Stonebeat")..............(I presume this also
> means I would also need another certificate key in order to config the
> second Nokia with a different IP address)
>
> I would love to be told that I am wrong !
> Your comments and alternatives would be most appreciated,
> Thanks in advance,
> Gordon
>
>
> _______________________________________________
> Firewalls mailing list
> [EMAIL PROTECTED]
> http://lists.gnac.net/mailman/listinfo/firewalls
>