cisco4ng wrote:
| can someone with Provider-1 NGx R65 explain this to me?
|
| scenario:
|
| Provider-1 NGx R65 (Manager & Container) with HFA_02 on SPLAT.
| Backup SmartCenter (SMC) NGx R65 with HFA_02 on SPLAT.
|
| Provider-1 has an IP address of 10.250.97.1/24
| Backup SmartCenter (SMC) has an IP address of 10.250.97.10/24
|
| Here is what I did:
|
| a- clean install of P-1 NGx R65,
| b- apply hfa-02 on P-1 box,
| c- clean install SmartCenter NGx R65,
| d- apply hfa-02 on the SmartCenter,
| e- create global policies in P-1,
| f- create a new CMA with ip address of 10.250.97.23,
| g- apply global policy to that CMA,
| h- add backup SMC into the CMA and perform SIC,
| i- add Nokia Enforcement Modules into the CMA and perform SIC,
| j- on the gateway cluster, select both the CMA and SmartCenter
|    to manage the gateway cluster.  Furthermore, both the CMA and
|    the SmartCenter are selected as log servers as well,
| k- under global properties, select "synchronization" every time
|    the policy is saved,
| l- create a few rules in the security policy,
| m- install the database,
| n- install the policy,
|
| At this point, the CMA is listed as "Active" and the SmartCenter
| is listed as "standby".  So far so good.
|
| Next, I simulated a meltdown by shutting down the P-1 server
| completely with "shutdown".  Now, I log into the SmartCenter
| and switch it over to "active".  I then created a few more rules,
| push the policy to the nokia gateway cluster.  Again everything
| is good.  Remember at this point, the P-1 is DOWN.
|
| Next, I bring the P-1 back online.  When the P-1 is completely
| back online, I see both the CMA and the SmartCenter are shown
| as "active".  When I do a 'High Availability detailed status',
| I see it is listed as "collision".  Basically, whatever changes
| I made in the SmartCenter are not replicated over to the CMA.
|
| Has anyone actually deployed this configuration in a production
| environment and it actually works?  This seems to me like another
| "broken" product from Check Point in terms of High Availability.
| This configuration is clearly supported as listed in the
| Provider-1 NGx training courseware.

The problem sits behind the keyboard. You have deliberately created a
collision condition. I would in fact be very cross with Check Point if
they had tried to do this automagically.

Who is to say which of the out of sync smartcenters is right? Who has
the best rulebase? (Perhaps even: who has the least worse one?) The
humans make the decision and not the systems.

This was clearly explained by Check Point to us when they explained the
concept of SmartCenter HA. Whether or not the SmartCenter is standalone
or resides on P1 is immaterial in this.

Hugo.

--
[EMAIL PROTECTED]               http://hugo.vanderkooij.org/
PGP/GPG? Use: http://hugo.vanderkooij.org/0x58F19981.asc

        A: Yes.
        >Q: Are you sure?
        >>A: Because it reverses the logical flow of conversation.
        >>>Q: Why is top posting frowned upon?

Bored? Click on http://spamornot.org/ and rate those images.

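To make the "collision" argument concrete, here is a small Python model added by the editor; it is not Check Point code and not part of either message above. It models an active/standby pair of management servers with "sync on save", reproduces the sequence cisco4ng describes (standby promoted by hand while the primary is down, primary later returns and still thinks it is active), and shows why the pair reports a collision and leaves the choice of survivor to an operator instead of merging on its own. The server names, rule names and the version-vector bookkeeping are assumptions made for the illustration.

```python
"""Constructed model of active/standby management replication and the
"collision" that appears after a split-brain.  Editor's illustration only;
not Check Point's implementation.  Names and the version-vector scheme are
assumptions for the example."""
from dataclasses import dataclass, field


@dataclass
class MgmtServer:
    name: str
    active: bool = False
    up: bool = True
    # Version vector: for each server, how many saves from it this replica holds.
    vv: dict = field(default_factory=dict)
    rules: list = field(default_factory=list)

    def save_rule(self, rule):
        """Only a running, active server may edit the rulebase."""
        if not (self.up and self.active):
            raise RuntimeError(f"{self.name} is not active; edit refused")
        self.rules.append(rule)
        self.vv[self.name] = self.vv.get(self.name, 0) + 1


def dominates(a, b):
    """True when vector a has absorbed every change recorded in vector b."""
    return all(a.get(k, 0) >= n for k, n in b.items())


def sync_on_save(src, dst):
    """Replicate src -> dst after a save; silently does nothing if a side is down."""
    if not (src.up and dst.up):
        return False
    dst.rules, dst.vv = list(src.rules), dict(src.vv)
    return True


def ha_status(a, b):
    """What a 'High Availability detailed status' check would report."""
    if a.active and b.active:
        return "collision"
    if a.active or b.active:
        return "ok"
    return "no-active"


def lost_if_overwritten(survivor, loser):
    """Changes that exist only on `loser`: what a human throws away by keeping `survivor`."""
    if dominates(survivor.vv, loser.vv):
        return []          # survivor already holds everything loser has: nothing lost
    return [r for r in loser.rules if r not in survivor.rules]


def resolve(survivor, loser):
    """Operator decision, never taken automatically: demote loser and overwrite it.
    Returns the loser-only changes the operator has chosen to discard."""
    discarded = lost_if_overwritten(survivor, loser)
    loser.active = False
    sync_on_save(survivor, loser)
    return discarded


def run_scenario():
    """The sequence from the original post, with constructed rule names."""
    cma = MgmtServer("CMA", active=True)
    smc = MgmtServer("SMC")
    # Normal operation: every save on the active CMA is pushed to the standby SMC.
    for r in ("rule-1", "rule-2"):
        cma.save_rule(r)
        sync_on_save(cma, smc)
    # "Meltdown": the Provider-1 box is shut down; SMC is promoted by hand.
    cma.up = False
    smc.active = True
    for r in ("rule-3", "rule-4"):
        smc.save_rule(r)
        sync_on_save(smc, cma)   # no-op: CMA is down, so these changes stay on SMC
    # CMA comes back and still believes it is active: two actives, one pair.
    cma.up = True
    return cma, smc


if __name__ == "__main__":
    cma, smc = run_scenario()
    print(ha_status(cma, smc))                 # collision
    print(lost_if_overwritten(smc, cma))       # [] : keeping SMC loses nothing
    print(lost_if_overwritten(cma, smc))       # ['rule-3', 'rule-4'] : keeping CMA loses these
    print(resolve(smc, cma), ha_status(cma, smc))
```

Note what the model does not do: it never picks a survivor by itself. Both replicas claim to be active, so the status is a collision and the only safe outputs are the two "what would be lost" lists; the operator uses those to decide which side to demote. Had the returning CMA also accepted a save before the operator stepped in, both lists would be non-empty and no automatic rule could be right.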

=================================================
To set vacation, Out-Of-Office, or away messages,
send an email to [EMAIL PROTECTED]
in the BODY of the email add:
set fw-1-mailinglist nomail
=================================================
To unsubscribe from this mailing list,
please see the instructions at
http://www.checkpoint.com/services/mailing.html
=================================================
If you have any questions on how to change your
subscription options, email
[EMAIL PROTECTED]
=================================================