Firewall-1

Re: [FW-1] Managing two firewalls from one station - any gotchas?

Subject: Re: [FW-1] Managing two firewalls from one station - any gotchas?
From: "O'Flynn, Derek" <DOFlyn AT LSUHSC DOT EDU>
To: FW-1-MAILINGLIST AT AMADEUS.US.CHECKPOINT DOT COM
Date: Mon, 26 Jan 2004 12:37:19 -0600

I have a very similar situation.  I have my main firewalls (crossbeam x40)
and a departmental firewall (IP120).

I manage them from the same SmartCenter.  In SmartCenter you can specify the
install targets of the policy.

I have two policies.  One for the mains, and one for the IP120.  Only thing
that aggravates me is that you have to define the objects all in SmartCenter
regardless of the policy loaded, so these are going to get replicated to
both firewalls.  The policy install time on the IP120 takes a bit.

It works well enough.  We did run into one problem, where the IP120 is
inside the encryption domain of the mains, and when VPN was configured on the
IP120 it messed up SecuRemote (overlapping encryption domain).  Two
solutions to this (that I know about): remove the subnet for the IP120 from
the mains encryption domain, or remove VPN on the SmartCenter IP120 object.
We chose the latter.

I'm running FP3 HFA317, Floodgate FP3 on the mains, and FP3 on IP120.

Hope this helps,
Derek


-----Original Message-----
From: Ray Pesek [mailto:sixsigma44 AT HOTMAIL DOT COM]
Sent: Saturday, January 24, 2004 6:54 AM
To: FW-1-MAILINGLIST AT AMADEUS.US.CHECKPOINT DOT COM
Subject: [FW-1] Managing two firewalls from one station - any gotchas?

Hi,

We currently have our main firewall and a little IP120, both being managed
by separate management servers. We want to free up the server that's
controlling the IP120 and manage it as well from the one used by the main
firewall. I was hoping anyone who experienced a problem with this
arrangement could chime in so we can be aware of any issues before we make
the change (such as installing the wrong policy on the wrong enforcement
module, unexpected interactions, etc.)

The main management station is already on NG AI R55 so there shouldn't be
any version issues. The IP120 is on NG FP3 and we'll be upgrading it after
we make the move.

Thanks,

Ray Pesek, CISSP


=================================================
To set vacation, Out-Of-Office, or away messages,
send an email to LISTSERV AT amadeus.us.checkpoint DOT com
in the BODY of the email add:
set fw-1-mailinglist nomail
=================================================
To unsubscribe from this mailing list,
please see the instructions at
http://www.checkpoint.com/services/mailing.html
=================================================
If you have any questions on how to change your
subscription options, email
fw-1-owner AT ts.checkpoint DOT com
=================================================
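
The overlapping encryption domain problem described in the reply above can be caught before a policy install by comparing the address ranges each VPN-enabled gateway claims. The sketch below is an added example, not part of the original thread and not Check Point tooling; the gateway names, the inventory layout and all address ranges are constructed for illustration. It also models the two remedies mentioned in the reply.

```python
import ipaddress
from itertools import combinations

# Constructed inventory: names and address ranges are illustrative only.
GATEWAYS = [
    {"name": "mains", "vpn": True, "domain": ["10.0.0.0/16", "192.168.50.0/24"]},
    {"name": "ip120", "vpn": True, "domain": ["10.0.20.0/24"]},
]

def find_overlaps(gateways):
    """List (gw_a, gw_b, net_a, net_b) where two VPN-enabled gateways
    claim overlapping address space in their encryption domains."""
    hits = []
    for a, b in combinations([g for g in gateways if g["vpn"]], 2):
        for na in a["domain"]:
            for nb in b["domain"]:
                n1, n2 = ipaddress.ip_network(na), ipaddress.ip_network(nb)
                if n1.version == n2.version and n1.overlaps(n2):
                    hits.append((a["name"], b["name"], na, nb))
    return hits

def carve_out(domain, subnet):
    """Remove `subnet` from a domain, splitting any larger network around it."""
    sub = ipaddress.ip_network(subnet)
    kept = []
    for net in map(ipaddress.ip_network, domain):
        if net.version != sub.version or not net.overlaps(sub):
            kept.append(net)                       # unrelated range, keep as is
        elif sub.subnet_of(net) and sub != net:
            kept.extend(net.address_exclude(sub))  # split the supernet
        # otherwise net lies inside `subnet` (or equals it) and is dropped
    return [str(n) for n in sorted(kept, key=lambda n: (n.version, n))]

def without_vpn(gateways, name):
    """Copy of the inventory with VPN switched off on one gateway object."""
    return [dict(g, vpn=False) if g["name"] == name else g for g in gateways]

if __name__ == "__main__":
    print("as configured:", find_overlaps(GATEWAYS))
    # Remedy 1: take the IP120 subnet out of the mains encryption domain.
    fixed = [dict(GATEWAYS[0], domain=carve_out(GATEWAYS[0]["domain"],
                                                "10.0.20.0/24")), GATEWAYS[1]]
    print("after carve-out:", find_overlaps(fixed))
    # Remedy 2: remove VPN from the IP120 object.
    print("VPN off on ip120:", find_overlaps(without_vpn(GATEWAYS, "ip120")))
```
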