>To: [EMAIL PROTECTED]
>From: Inaki Agirre <[EMAIL PROTECTED]>
>Subject: SunScreen IP change
>
>Hi,
>
>I need help with a FW re-configuration operation. I would thank any advice.
>
>Problem:
>We have a HA (two hosts) SunScreen EFS 3.0b FW which makes NAT and is the
>GW of our LAN. We want to put an HA Level 7 switches between FW and LAN to
>protect a internal servers zone, so we want to give GW IP to our (double)
>L7 switch, and force this one to route outbound traffic through our FW.
>
>Ok, I think our procedure would be:
>create interface alias with new IP at the inner IF of FW

What exactly do you mean interface alias? virtual (aka logical) IP?
SunScreen can handle those (you do not need to modify your policy, the same
policy is applied to all logical interfaces as is applied to the physical
interface).

>duplicate FW policies for IF alias, don't enable
>now network downtime...
>disable all policies at FW
>get down inner IF and alias
>create virtual server for GW IP at L7 switch, pointing to FW new IP
>get up inner IF with new IP
>enable new policies
>...end of network downtime
>
>The question is: Do you think SunScreen would accept interface alias for
>this procedure? Admin Manual is laconic at add interface pages... There is

If you're referring to virtual interfaces, then you do not need to tell the
firewall about them at all, due to the way that Solaris networking works.

>a better approach to minimize network downtime?

If you do not explicitly use your firewall's IP addrs in your policy, and
instead use "localhost", then you do not need to modify your policy at all.
Simply reactivating the policy after the IP addr is changed will update the
definition of "localhost" used in the active policy.

hth

Valerie

--
[EMAIL PROTECTED]
[EMAIL PROTECTED]
_______________________________________________
Firewalls mailing list
[EMAIL PROTECTED]
http://lists.gnac.net/mailman/listinfo/firewalls
