Checkpoint FW1 High Availability mode and Cisco switches.

Discussion in 'Cisco' started by PJML, Jan 20, 2004.

  1. Anyone out there using Checkpoint Firewall-1 in "High
    Availability New Mode" connected to a Cisco 2948G-L3?

    This involves multicast MAC-addresses and is something
    that I'm not too sure about. Plan is to define 2 ports
    on the 2948G-L3 to connect to the redundant pair of
    firewalls, with a dedicated Ethernet crossover-cable
    between the 2 firewalls so they can communicate between
    each other, then define the 2 ports on the 2948 as
    members of a VLAN. The idea is that the 2948 fires
    packets at the multicast MAC-address defined for the
    two interfaces on the two firewalls, and whichever
    one is the active member at the time handles it, the
    standby member ignores the packet....

    PJML, Jan 20, 2004
  2. We use Stonebeat which is a multicast-based failover
    (probably the same as Checkpoint) with multiple switches
    for HA. You need to set up the destination MAC addresses
    on the switch like so (Cisco 3500 example):

    mac-address-table static 0808.0808.0808 FastEthernet 0/4 FastEthernet 0/1 FastEthernet 0/2

    These docs below explain better (watch the wrap).
    And just VLAN each 'net (DMZ, service rails, choke net, etc).
    Do not allow routing between VLANs, force traffic thru firewall.

    3500/2900 switches

    2948G switches

    Alan Strassberg, Jan 20, 2004
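    As an added example (not Alan's, and not from the thread), a small Python helper around the entry above: it builds the 3500-style `mac-address-table static` line and audits a saved switch config so that the cluster MAC is forwarded only to the two firewall ports and nowhere else in the VLAN. The port names, the sample config and the cluster-port set are assumed for illustration.

```python
import re

# Constructed sample config (not from the thread); the entry is the one Alan quoted.
SAMPLE_CONFIG = "mac-address-table static 0808.0808.0808 FastEthernet 0/4 FastEthernet 0/1 FastEthernet 0/2\n"
CLUSTER_MAC = "0808.0808.0808"
CLUSTER_PORTS = {"FastEthernet0/1", "FastEthernet0/2"}  # assumed firewall ports


def parse_mac(mac: str) -> bytes:
    """Accept Cisco dotted (0808.0808.0808) or colon form; return the 6 bytes."""
    digits = re.sub(r"[.:-]", "", mac.lower())
    if not re.fullmatch(r"[0-9a-f]{12}", digits):
        raise ValueError(f"not a MAC address: {mac!r}")
    return bytes.fromhex(digits)


def is_group_address(mac: str) -> bool:
    """IEEE I/G bit (low bit of the first octet) set means a group/multicast MAC.
    The thread's 0808.0808.0808 has it clear; the static entry alone fans it out."""
    return bool(parse_mac(mac)[0] & 0x01)


def static_entry(mac: str, in_port: str, out_ports: list[str]) -> str:
    """2900XL/3500XL form quoted in the thread: MAC, the port frames arrive on,
    then every port that should receive frames for that MAC."""
    if not out_ports:
        raise ValueError("a static entry needs at least one output port")
    return f"mac-address-table static {mac.lower()} {in_port} {' '.join(out_ports)}"


def audit_entries(config: str, cluster_mac: str, cluster_ports: set[str]) -> list[str]:
    """Report a missing entry, a cluster port left out, or forwarding to a port
    that is not a cluster member (which would leak the cluster traffic there)."""
    problems, want, found = [], parse_mac(cluster_mac), False
    for line in config.splitlines():
        m = re.match(r"\s*mac-address-table static (\S+) (.+)$", line)
        if not m or parse_mac(m.group(1)) != want:
            continue
        found = True
        # "FastEthernet 0/4" -> "FastEthernet0/4" so each port is one token
        ports = re.sub(r"([A-Za-z]+)\s+(\d)", r"\1\2", m.group(2)).split()
        out_ports = set(ports[1:])  # ports[0] is the input port
        for p in sorted(out_ports - cluster_ports):
            problems.append(f"{cluster_mac}: also forwarded to non-cluster port {p}")
        for p in sorted(cluster_ports - out_ports):
            problems.append(f"{cluster_mac}: cluster port {p} missing from entry")
    if not found:
        problems.append(f"{cluster_mac}: no static entry, frames will flood the VLAN")
    return problems
```

    Run `audit_entries` over the output of `show running-config` after a change to confirm the cluster MAC is still pinned to exactly the firewall ports.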
  3. I have two 'external' switches (one VLAN), but connected via a
    port-channel, presumably I could take a similar approach to constrain the
    L2 multicast traffic between two Nokia IP530s?


    Matthew Melbourne, Jan 20, 2004
  4. Yep. Looking at a switch attached to a pair of active-active Nokias,
    the switch config has the same "mac-address" stuff per the URLs
    I posted.

    This should help keep the multicast down. Actually I'm surprised
    it's worked without it. This only makes sense for an active-active

    Alan Strassberg, Jan 20, 2004
  5. Off topic, however I am using Stonebeat FullCluster 3.0, upgrading to 3.5, on
    a pair of Sun boxes with Checkpoint NG.

    I was looking at whether Checkpoint's ClusterXL is any better, worse or the same
    compared to Stonebeat's FullCluster product as in reliability and

    I am using Nortel switches on the LAN connections and had a time getting the
    multicast to work correctly but so far everything works great without any

    Now I am also thinking of maybe using Cisco switches instead of Nortel
    since we are using Cisco routers and thought since upgrading I would look at
    the cluster part.

    Are you satisfied with the Stonebeat product, any thoughts?

    How are Cisco switches working with the multicasting?

    One other issue I am looking at is trying to figure out if I can run
    VRRP/HSRP between two Cisco routers for LAN interface redundancy with the
    firewalls also using multicasting. Anyone done this with Checkpoint, either
    clustering product?

    MC, Jan 23, 2004
