Checkpoint FW1 High Availability mode and Cisco switches.

Discussion in 'Cisco' started by PJML, Jan 20, 2004.

  1. PJML

    PJML Guest

    Anyone out there using Checkpoint Firewall-1 in "High
    Availability New Mode" connected to a Cisco 2948G-L3
    switch?

    This involves multicast MAC-addresses and is something
    that I'm not too sure about. Plan is to define 2 ports
    on the 2948G-L3 to connect to the redundant pair of
    firewalls, with a dedicated Ethernet crossover-cable
    between the 2 firewalls so they can communicate between
    each other, then define the 2 ports on the 2948 as
    members of a VLAN. The idea is that the 2948 fires
    packets at the multicast MAC-address defined for the
    two interfaces on the two firewalls, and whichever
    one is the active member at the time handles it, the
    standby member ignores the packet....

    -PeteL.
     
    PJML, Jan 20, 2004
    #1

  2. We use StoneBeat, which is a multicast-based failover
    (probably the same as Checkpoint), with multiple switches
    for HA. You need to set up the destination MAC addresses
    on the switch like so (Cisco 3500 example):

    mac-address-table static 0808.0808.0808 FastEthernet 0/4 FastEthernet 0/1 FastEthernet 0/2

    These docs below explain better (watch the wrap).
    And just VLAN each 'net (DMZ, service rails, choke net, etc).
    Do not allow routing between VLANs, force traffic thru firewall.

    3500/2900 switches
    ftp://download.stonesoft.com/web/Support/StoneBeat/Technical%20Notes/SGSB-TECNSwitches3.pdf

    2948G switches
    ftp://download.stonesoft.com/web/Support/StoneBeat/Technical%20Notes/SGSB-TECNSwitches2.pdf

    alan
     
    Alan Strassberg, Jan 20, 2004
    #2
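
The switch side of what Alan describes, written out as an added example (it is not from the thread and not from the linked StoneSoft notes) for a later Catalyst IOS release rather than the 2900XL/3500XL syntax in his post: the cluster's multicast MAC is pinned to the two firewall ports in the firewall VLAN, each network gets its own VLAN, and routing on the switch is turned off so every cross-zone packet has to traverse the firewall. The VLAN numbers, port numbers and the multicast address 0100.5e7f.0a01 are assumptions for illustration; use the multicast MAC your cluster actually reports, and check the exact form of `mac address-table static` against your platform's command reference, because it differs between the XL family (input port followed by output ports, as in the post above) and later IOS (VLAN keyword plus an interface list).

```cisco
! Added example, not from the thread. Catalyst IOS (e.g. 3560/3750 style).
! Assumed layout: firewall outside ports Gi1/0/1-2 in VLAN 10, DMZ in
! VLAN 20, inside in VLAN 30. Cluster multicast MAC assumed: 0100.5e7f.0a01.
!
! No routing on the switch and no SVIs for the zones: the only path between
! VLAN 10, 20 and 30 is through the firewall cluster. Management reaches the
! switch via its management VLAN and ip default-gateway instead.
no ip routing
!
vlan 10
 name FW-OUTSIDE
vlan 20
 name DMZ
vlan 30
 name INSIDE
!
! The two ports facing the redundant pair, both access ports in the same VLAN.
interface GigabitEthernet1/0/1
 description FW-A outside
 switchport mode access
 switchport access vlan 10
 spanning-tree portfast
!
interface GigabitEthernet1/0/2
 description FW-B outside
 switchport mode access
 switchport access vlan 10
 spanning-tree portfast
!
! Static entry for the cluster's multicast MAC. A multicast destination is
! never learned in the CAM table, so without this line every frame sent to
! the cluster address is flooded to all ports in VLAN 10. With it, the frame
! is delivered only to the two firewall ports; both members receive it and
! only the active one acts on it.
mac address-table static 0100.5e7f.0a01 vlan 10 interface GigabitEthernet1/0/1 GigabitEthernet1/0/2
!
! Repeat the static entry per zone VLAN for the cluster MAC used on that
! side (DMZ ports in VLAN 20, inside ports in VLAN 30).
!
! Verify:
!   show mac address-table static vlan 10
!   show mac address-table address 0100.5e7f.0a01
```

After applying it, confirm the entry lists both firewall ports and that failing over the cluster (pulling the active member's cable is the honest test) does not interrupt a ping through the firewall; if the switch runs IGMP snooping, check at the same time that frames to the 01:00:5e address still reach both ports, since that address range looks like IP multicast to the snooping code.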

  3. I have two 'external' switches (one VLAN) connected via a
    port-channel; presumably I could take a similar approach to constrain the
    L2 multicast traffic between two Nokia IP530s?

    Cheers,

    Matt
     
    Matthew Melbourne, Jan 20, 2004
    #3
  4. Yep. Looking at a switch attached to a pair of active-active Nokias,
    the switch config has the same "mac-address" stuff per the URLs
    I posted.

    This should help keep the multicast down. Actually I'm surprised
    it's worked without it. This only makes sense for an active-active
    setup.

    alan
     
    Alan Strassberg, Jan 20, 2004
    #4
  5. MC

    MC Guest

    Off topic, however I am using StoneBeat FullCluster 3.0, upgrading to 3.5, on
    a pair of Sun boxes with Checkpoint NG.

    I was looking at whether Checkpoint's ClusterXL is any better, worse or the same
    compared to StoneBeat's FullCluster product in reliability and
    performance.

    I am using Nortel switches on the LAN connections and had a time getting the
    multicast to work correctly, but so far everything works great without any
    problems.

    Now I am also thinking of maybe using Cisco switches instead of Nortel,
    since we are using Cisco routers, and thought that since I am upgrading I would look at
    the cluster part.

    Are you satisfied with stonebeat product, any thoughts?

    How are Cisco switches working with the multicasting?

    One other issue I am looking at is trying to figure out if I can run
    VRRP/HSRP between two Cisco routers for LAN interface redundancy with the
    firewalls also using multicasting. Has anyone done this with Checkpoint, with either
    clustering product?

    Thanks,
    MC
     
    MC, Jan 23, 2004
    #5
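
MC's last question (HSRP between two Cisco routers next to a multicast-MAC firewall cluster) is not answered in the thread, so here is the router side as an added example, not from any poster. The point a practitioner needs: HSRP on the router pair and the multicast-MAC cluster are independent of each other, but a Cisco IOS router will not install an ARP entry that maps a unicast IP address to a multicast MAC, so each router needs a static ARP entry for the cluster's virtual IP or it never resolves the firewall and black-holes the traffic. The addresses 192.0.2.x, the inside prefix 10.0.0.0/8, the HSRP group number and the MAC 0100.5e7f.0a01 are assumptions for illustration.

```cisco
! Added example, not from the thread. Cisco IOS router R1; R2 is identical
! except for its own interface address and a lower HSRP priority.
! Assumed: firewall cluster VIP 192.0.2.1 with multicast MAC 0100.5e7f.0a01
! on the shared LAN; routers present HSRP VIP 192.0.2.254 to the firewalls.
!
! IOS drops ARP replies that carry a multicast MAC for a unicast IP, so the
! cluster VIP must be mapped statically. Needed on BOTH routers, since either
! one may be the HSRP active router.
arp 192.0.2.1 0100.5e7f.0a01 arpa
!
interface GigabitEthernet0/0
 description LAN shared with the firewall cluster
 ip address 192.0.2.252 255.255.255.0
 ! HSRP gives the firewalls one gateway IP/MAC regardless of which router
 ! is alive; the firewalls learn the HSRP virtual MAC by normal ARP.
 standby 1 ip 192.0.2.254
 standby 1 priority 110
 standby 1 preempt
 standby 1 timers 1 3
!
! Traffic for the inside networks is sent to the cluster VIP, which the
! static ARP entry resolves to the multicast MAC shared by both members.
ip route 10.0.0.0 255.0.0.0 192.0.2.1
!
! Verify:
!   show arp | include 0100.5e7f      (entry must be present and static)
!   show standby brief                 (one active, one standby router)
```

The firewall cluster's default route points at 192.0.2.254, the HSRP address, not at either router's real address. On the switch between them, the static multicast MAC entry from the earlier post is what keeps the router-to-cluster frames off every other port in that VLAN; the static ARP above only addresses the router's refusal to learn the mapping dynamically.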
