> -----Original Message-----
> From: hermit1 [SMTP:[EMAIL PROTECTED]]
> Sent: Monday, May 22, 2000 9:29 PM
> To: [EMAIL PROTECTED]
> Subject: [FW1] Nokia failover
>
>I was looking at the system failure notification section of the Nokia to
>set up the email alert when failover happens. What happens if the
>interface that fails is the one that connects to the smtp server? I assume

Yeah I see what you're saying. Your internal interface fails - well
if you're running VRRP monitored circuits then there should be a problem
since if a monitored interface fails, all traffic for that firewall should
be failed over to the other firewall. The backup firewall would send an
email/smtp trap depending on your config, on to the place you configured it
to do so. If you are running just normal VRRP however, the firewall will
have no other choice but to search its routing tables for an alternative
route to the smtp server. If your network config is such that there's no
alternate route then you're stuffed.

>no alert arrives anywhere, but can someone confirm this? That implies I
>would need an external monitoring point to check that the firewall is healthy.

Out of band monitoring is an option, sure, but it's not required in
this case. OBM is more secure, if more expensive due to the extra network
links required, plus if someone is filling your bandwidth with DoS traffic
and it's saturating your in-band management links, an out of band
monitoring/management channel is a godsend.

>The second question appears: what do people do to monitor their
>Nokias? Do most people use the failover Nokia to ping the interfaces on
>the first one and send an alert if an interface fails to respond? Or is
>there a built-in alert function that gets activated when the failover system
>assumes the virtual IP? Or do most people use an unrelated (non-firewall)
>monitoring system?

Primary system, backup system. SNMP traps or emails can be sent
automatically if an interface fails with the newer IPSOs (3.2.x) - you can
build user-defined events in fw-1 that, with a little bit of thought, you can
have automatically gathering info as to where the problem lies and emailing
it (if possible) to your first, second or third line support channel. The
Nokia IPSO system is evolving nicely at an appreciable rate too - in its
current state at 3.2.x it's all you need - there's no further requirement
for third party failover products like rainwall or stonebeat. It's one of
the really nice things about the Nokia boxes. A minor gripe tho is the no
ping response from the virtual address for an interface. We can ping HSRP
addresses, why can't the firewall currently holding control of the VIP spoof
a reply on behalf of the VRRP address?

regards,
Scott.