phoneboy's got a good FAQ on this. The sync time refers to how long a
firewall will wait to begin the process of synchronization, which goes
something like this (please correct if I misordered or forgot a step):
1) authenticate with the other firewall
2) determine delta between last session table synchronization and this
one
3) transmit that delta and close the session. The receiving firewall then
needs to apply the changes.

Reducing the wait interval for this process introduces the possibility
that the process won't be complete before the systems attempt to start
another instance of it, which would cause CPU usage to spiral upward.

HTH
Jack Coates, Rainfinity SE
t: 650-962-5301 m: 650-280-4376


On Fri, 23 Jun 2000, Chuck Melanson wrote:

> 
> Is there any benefit to reducing the state sync times? I remember
> reading that there is a lower limit, something about a 30ms delay, no
> matter what the sync timeout is - any more info on these numbers?
> 
> Chuck.
> 
> -----Original Message-----
> From: Carric Dooley [mailto:[EMAIL PROTECTED]]
> Sent: Friday, June 23, 2000 1:20 PM
> To: [EMAIL PROTECTED]; [EMAIL PROTECTED]
> Subject: Re: [FW1] FW Sync and Management
> 
> 
> 
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
> 
> ???  
> Not sure I follow the question, but I can tell you there are no
> issues with sync unless you are firewalling some really high
> bandwidth links.  The sync feature pushes the state table to the
> stand-by FW every 100ms or so.  Most any connection (except perhaps
> VPN connections) should keep right on going in the event of a failure
> on your primary FW.  You see a 1 or 2 second "hick" and then it picks
> right back up again.. even mid transfer FTP sessions.
> 
> Carric Dooley
> Network Security Consultant
> 
> "I have often regretted my speech, never my silence." 
> - - Xenocrates (396-314 B.C.) 
> 
> 
> 
> - ----- Original Message ----- 
> From: <[EMAIL PROTECTED]>
> To: <[EMAIL PROTECTED]>
> Sent: Friday, June 23, 2000 12:10 PM
> Subject: [FW1] FW Sync and Management
> 
> 
> > 
> > I have two Nokia boxes that are configured to do connection table
> > sync. Are there any issues for management of the two firewalls
> > regarding the sync? Should there be any certain procedures for
> > applying changes to (one of the) firewalls in order to maintain
> > "established connections"?
> > 
> > JK.
> > 
> > 
> > ================================================================================
> >      To unsubscribe from this mailing list, please see the instructions at
> >                http://www.checkpoint.com/services/mailing.html
> > ================================================================================
> 
> -----BEGIN PGP SIGNATURE-----
> Version: PGPfreeware 6.5.3 for non-commercial use <http://www.pgp.com>
> 
> iQA/AwUBOVOOSVUqWOkDpMZ2EQK1WACg9xLnI+bZlpSlXiAapU0Wi4PPPdYAoNCY
> ngnLE+gGjRGC3bhOwtXIxUzx
> =hEKJ
> -----END PGP SIGNATURE-----
> 
> 
> 
> 


