Hi all, I'm hoping I can get some help from real users on the list to
answer some questions.  Everything sounds great from sales and the VAR I've
been talking to, but you know how that goes.  It's been a long time since
I've used Check Point, but I do have some old experience with version 4.1 on
Solaris, running in high availability mode behind Foundry load balancers;
so obviously that's quite a long time ago, but I was happy to see the
interface still looks friendly like I remember in demos.  It would be a
nice change from Cisco's CLI, zones, policies and class maps.

Background info is we're a web host and are outgrowing our current
firewalls.  We have multiple 10 Gig uplinks across two border routers but
only push about 2 Gbps outbound under normal circumstances.  Inbound is of
course a small fraction of that due to our business being web serving;
perhaps a few hundred megs peak.  We have been the victim of DDoS from time
to time, so we would like to be able to cope with 10 to 20 Gbit of inbound
should it occur; it doesn't have to be mitigated, it can be passed in until we
deal with it, but we can't have the firewall(s) falling down.  We use OSPF
between the border and core routers, with some tuning to facilitate load
sharing; there is a full mesh between both pairs of routers.  Our NetFlow
data indicates about 20,000 active sessions are typical during the busy
times of the day; I don't have a correlation from that to connections per
second.  The network is about 30,000 IPv4 and 30,000 IPv6 addresses as
we're dual stacked on our hosted sites; they're of course public IPs and
there is no NATing.  The initial proposal was two 21400 appliances.

Here's some questions that I think are better answered from people who have
done similar things, or attempted them:

1)  Of primary importance is that we retain the redundancy we have in both
directions that results from the border and core having a full mesh OSPF
setup.  One device on each side can die and it won't matter.  After
scouring the website and mailing list archives, whenever I see talk of a
multi-device deployment, it involves ClusterXL and then, from what I've
read, load sharing using multicast MAC or VRRP-type configurations with
switches on each side and the firewalls acting as one device.  I don't
think that would work for us since we're using true routers on the border
and core (Cisco ASRs); i.e. not layer 3 switches and VLANs, just 10 Gig
interfaces with IPs and routing protocols.  We'd sacrifice redundancy and
load sharing to even achieve a config like that, since it would involve
adding a switch in between the routers and firewalls that everything
connects to.

I guess my vision of how the appliances would fit into our environment
would be having them act as layer 2 devices, with high availability
session sync since our multiple paths and multiple upstreams mean lots of
asymmetric routing, and then the routers can just keep talking to each
other across all their links like nothing happened.  Is that possible?  If
not, I suppose I have to use the ClusterXL routing support with OSPF, but
the docs on that are pretty vague.  Does each firewall interface on both
appliances allow me to define interface IP addresses on all of them so the
routers can maintain several paths to one another, so I don't lose my
redundancy and don't lose my load sharing?  I'm not sure if that would work
since both appliances seem to get the same router ID, so my real routers
would think all paths lead to the same neighbor and I'd lose my load sharing,
which also effectively limits my overall throughput in a DDoS situation.

How do others integrate into that type of environment?

2) Any idea how much bandwidth goes across the sync interface in a cluster
setup?  What I'm really getting at is whether a 1 Gig connection is
sufficient for multiple 10 Gig ports that are saturated.  Can you have a
primary and backup sync defined?

3) There are specs for firewall throughput, IPS throughput, IPS with
recommended signatures, and then firewall and IPS throughput.  I am curious
what happens if you hit the limit?  For example, normally the 21400 can
handle our traffic with firewall and IPS, but if we get attacked, it would
not handle that amount.  Does it just discard traffic?  Can it turn off IPS
at that point to keep up with the overall load?

4) Should I be looking at alternative hardware options to the 21400s
that can achieve similar or better performance for the price?

5) In a system with multiple interfaces, can you apply different policies
to different interfaces?  I.e., if we use all the 10 Gig ports for our
critical internet traffic, can we use some of the Gig ports for internal
things that need firewalling from one network to another?

Thanks all!

Dave

=================================================
To set vacation, Out-Of-Office, or away messages,
send an email to lists...@amadeus.us.checkpoint.com
in the BODY of the email add:
set fw-1-mailinglist nomail
=================================================
To unsubscribe from this mailing list,
please see the instructions at
http://www.checkpoint.com/services/mailing.html
=================================================
If you have any questions on how to change your
subscription options, email
fw-1-ow...@ts.checkpoint.com
=================================================
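An added illustration of the asymmetric-routing point in question 1 above.  This is
not code from the post and is not a model of Check Point's ClusterXL internals; the
minimal TCP state machine, the hosted prefix 203.0.113.0/24, the client/server
endpoints and ports, and the idea of cluster state sync as a fixed delay in abstract
"ticks" are all my assumptions.  Which firewall sees the return packet is given as a
scenario input (the full-mesh OSPF topology decides that in practice) rather than
derived from any ECMP hash.

```python
"""Toy model: two stateful firewalls on asymmetric (full-mesh OSPF) paths.

Added example, not from the original post and not vendor code.  Assumed:
a minimal TCP state machine, a policy allowing new inbound flows only to
the constructed hosted prefix on 80/443, and state sync with a fixed delay.
"""
from dataclasses import dataclass, replace
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional, Tuple

HOSTED = ip_network("203.0.113.0/24")   # constructed hosted prefix (RFC 5737 range)
ALLOWED_INBOUND_PORTS = {80, 443}

@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    sport: int
    dport: int
    flags: str   # "SYN", "SYN-ACK", "ACK", "FIN"

@dataclass
class Entry:
    initiator: Tuple[str, int]
    state: str   # "SYN_SENT" -> "SYN_RECV" -> "ESTABLISHED"

FlowKey = Tuple[Tuple[str, int], Tuple[str, int]]

def flow_key(p: Packet) -> FlowKey:
    """Direction-independent key so both halves of a flow share one entry."""
    a, b = (p.src, p.sport), (p.dst, p.dport)
    return (a, b) if a <= b else (b, a)

class StatefulFirewall:
    def __init__(self, name: str) -> None:
        self.name = name
        self.table: Dict[FlowKey, Entry] = {}

    def policy_allows_new(self, p: Packet) -> bool:
        inbound = ip_address(p.dst) in HOSTED and p.dport in ALLOWED_INBOUND_PORTS
        outbound = ip_address(p.src) in HOSTED
        return inbound or outbound

    def handle(self, p: Packet) -> Tuple[bool, Optional[Tuple[FlowKey, Entry]]]:
        """Return (accepted, state change to replicate to peers or None)."""
        k = flow_key(p)
        e = self.table.get(k)
        if e is None:
            # Only a SYN creates state.  A mid-flow packet with no entry is
            # exactly what the other member sees on an asymmetric return path.
            if p.flags == "SYN" and self.policy_allows_new(p):
                e = Entry((p.src, p.sport), "SYN_SENT")
                self.table[k] = e
                return True, (k, e)
            return False, None
        from_initiator = (p.src, p.sport) == e.initiator
        if e.state == "SYN_SENT" and p.flags == "SYN-ACK" and not from_initiator:
            e.state = "SYN_RECV"
            return True, (k, e)
        if e.state == "SYN_RECV" and p.flags == "ACK" and from_initiator:
            e.state = "ESTABLISHED"
            return True, (k, e)
        if e.state == "ESTABLISHED" and p.flags in ("ACK", "FIN"):
            return True, None            # nothing new to replicate
        return False, None               # out-of-state packet

    def apply_sync(self, k: FlowKey, e: Entry) -> None:
        self.table[k] = replace(e)       # copy; never share objects across members

class Cluster:
    """Members plus a sync channel: delay None = no sync, 0 = instantaneous."""
    def __init__(self, names: List[str], sync_delay: Optional[int]) -> None:
        self.members = {n: StatefulFirewall(n) for n in names}
        self.sync_delay = sync_delay
        self.pending: List[Tuple[int, str, FlowKey, Entry]] = []  # (deliver_at, origin, key, entry)

    def _deliver_sync(self, now: int) -> None:
        due = [x for x in self.pending if x[0] <= now]
        self.pending = [x for x in self.pending if x[0] > now]
        for _, origin, k, e in due:
            for n, fw in self.members.items():
                if n != origin:
                    fw.apply_sync(k, e)

    def run(self, events: List[Tuple[int, str, Packet]]) -> List[bool]:
        """events: (tick, member that sees the packet, packet); returns verdicts in time order."""
        verdicts = []
        for tick, name, p in sorted(events, key=lambda ev: ev[0]):
            self._deliver_sync(tick)     # sync records that have arrived by now
            accepted, change = self.members[name].handle(p)
            verdicts.append(accepted)
            if change is not None and self.sync_delay is not None:
                k, e = change
                self.pending.append((tick + self.sync_delay, name, k, replace(e)))
        return verdicts

# Constructed endpoints: an Internet client and a hosted web server.
CLIENT = ("198.51.100.7", 40000)
SERVER = ("203.0.113.10", 443)

def handshake_events(fwd_fw: str, ret_fw: str, rtt: int) -> List[Tuple[int, str, Packet]]:
    """Client->server packets cross fwd_fw; server->client packets cross ret_fw."""
    syn = Packet(CLIENT[0], SERVER[0], CLIENT[1], SERVER[1], "SYN")
    synack = Packet(SERVER[0], CLIENT[0], SERVER[1], CLIENT[1], "SYN-ACK")
    ack = Packet(CLIENT[0], SERVER[0], CLIENT[1], SERVER[1], "ACK")
    return [(0, fwd_fw, syn), (rtt, ret_fw, synack), (2 * rtt, fwd_fw, ack)]

def run_scenario(sync_delay: Optional[int], rtt: int = 5, asymmetric: bool = True) -> List[bool]:
    """Verdicts for [SYN, SYN-ACK, ACK] of one handshake through a two-member cluster."""
    cluster = Cluster(["fw-a", "fw-b"], sync_delay)
    ret_fw = "fw-b" if asymmetric else "fw-a"
    return cluster.run(handshake_events("fw-a", ret_fw, rtt))
```

Running run_scenario(None) gives [True, False, False]: with no sync the SYN-ACK that
comes back through the other member is dropped for lack of state, and the handshake
never completes.  run_scenario(2, rtt=5) gives [True, True, True], but
run_scenario(8, rtt=5) is back to [True, False, False]: sync that arrives later than
the return packet is no better than no sync.  For a web host that is the case to test
in the lab, because the hosted server answers an inbound SYN in microseconds while
the sync channel has its own latency, so the question is not just whether sync is on
but whether a new-connection record reaches the peer inside the server's response
time.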