We have a single firewall, currently NG AI running on Solaris 8. It's
distributed, one management console, one enforcement point.
We are looking to change our enforcement point to a cluster. We'll be using
ClusterXL, no third party products. Currently I'm thinking Load Sharing,
probably unicast mode to solve some switch problems. The new cluster will be on
new hardware (E250s), so we can keep our existing firewall up as long as needed
to aid in transition. The two new cluster firewalls will be built from scratch.
The old one won't be touched.
Our firewall (oldfw) obviously has multiple interfaces, but for the sake of
simplicity let's just say it has inside (10.10.10.1) and internet
(192.168.1.1). Let's call the new firewalls clusterfw1 and clusterfw2.
In the final state of the cluster, I want the new cluster addresses to use
those old firewall addresses, so we don't have to adjust any routers.
My question is how to stage all of this. Ideally I'd like to have the current
firewall (oldfw) up and running while I configure the cluster in the
production environment. Then when the cluster is ready and tested, I'll down
oldfw, and configure clusterfw to use its addresses.
So is it possible to bring up clusterfw1 with 10.10.10.2 & 192.168.1.2 and
clusterfw2 with 10.10.10.3 & 192.168.1.3, and a cluster address of 10.10.10.4 &
192.168.1.4? That would allow me to install NG AI, set up ClusterXL, test
clustering and failover, etc. Then during the cut-over window I can down oldfw,
and reconfigure the cluster object to use the 10.10.10.1 & 192.168.1.1 instead
of the .4 addresses.
Does this sound like the right approach? Will changing the Cluster IPs be a
problem? I assume SIC and licensing will be tied to the real IPs (physical) so
changing the cluster addresses isn't a problem?
Thanks,
TL
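As an added example, not from the original post: a small Python check of the two-stage plan described above, using only the addresses given in the message (assumed to be the only ones on those segments). It flags an address claimed by two live devices in the same stage, member addresses that drift between stages, and a final cluster VIP that differs from what the routers already point at.

```python
from collections import defaultdict

# Constructed plan (not from the post): devices live on the wire per stage.
# Stage 1: oldfw in production, cluster built on spare addresses; stage 2: oldfw down, VIP moved.
PLAN = {
    "stage1_build_and_test": {
        "oldfw":       {"inside": "10.10.10.1", "internet": "192.168.1.1"},
        "clusterfw1":  {"inside": "10.10.10.2", "internet": "192.168.1.2"},
        "clusterfw2":  {"inside": "10.10.10.3", "internet": "192.168.1.3"},
        "cluster_vip": {"inside": "10.10.10.4", "internet": "192.168.1.4"},
    },
    "stage2_cutover": {
        "clusterfw1":  {"inside": "10.10.10.2", "internet": "192.168.1.2"},
        "clusterfw2":  {"inside": "10.10.10.3", "internet": "192.168.1.3"},
        "cluster_vip": {"inside": "10.10.10.1", "internet": "192.168.1.1"},
    },
}
# Next hops the routers already use; the final VIP must equal these.
ROUTER_NEXT_HOPS = {"inside": "10.10.10.1", "internet": "192.168.1.1"}
MEMBERS = ("clusterfw1", "clusterfw2")


def duplicate_addresses(stage):
    """Map (network, ip) -> devices for every IP claimed by more than one live device."""
    owners = defaultdict(list)
    for device, nets in stage.items():
        for net, ip in nets.items():
            owners[(net, ip)].append(device)
    return {k: v for k, v in owners.items() if len(v) > 1}

def member_ips_stable(stage_a, stage_b):
    """True if each member's physical addresses are unchanged between the two stages."""
    return all(stage_a.get(m) == stage_b.get(m) for m in MEMBERS)

def vip_matches_routers(stage, next_hops=ROUTER_NEXT_HOPS):
    """True if the stage's cluster VIP equals what the routers already point at."""
    return stage.get("cluster_vip") == next_hops

def validate_plan(plan=PLAN, next_hops=ROUTER_NEXT_HOPS):
    """Return a list of problems across all stages; an empty list means the plan is clean."""
    problems = []
    for name, stage in plan.items():
        for (net, ip), devs in sorted(duplicate_addresses(stage).items()):
            problems.append(f"{name}: {ip} on {net} claimed by {', '.join(devs)}")
    first, last = list(plan.values())[0], list(plan.values())[-1]
    if not member_ips_stable(first, last):
        problems.append("cluster member addresses change between stages")
    if not vip_matches_routers(last, next_hops):
        problems.append("final cluster VIP does not match router next hops")
    return problems
```

Running `validate_plan()` on the plan as posted returns an empty list; adding oldfw back into the cutover stage makes it report both addresses as claimed twice, which is the conflict to avoid when the VIP is moved.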
=================================================
To set vacation, Out-Of-Office, or away messages,
send an email to LISTSERV AT amadeus.us.checkpoint DOT com
in the BODY of the email add:
set fw-1-mailinglist nomail
=================================================
To unsubscribe from this mailing list,
please see the instructions at
http://www.checkpoint.com/services/mailing.html
=================================================
If you have any questions on how to change your
subscription options, email
fw-1-owner AT ts.checkpoint DOT com
=================================================