ASF stands for Alteon (now owned by Nortel) Switched Firewall.
Hardware set-up consists of one or two 'accelerators' with between 1 and 6
'directors'. There are various different hardware models, of which some are
integrated, i.e. one appliance can consist of both a director and an
accelerator (and can then be doubled up, a bit like using Nokia HA solution),
and of which others consist of separate Accelerator(s) and separate director(s).
View this setup a bit like how one might see an IBM server running a Check
Point NG enforcement module (the director) but with a separate network card
with its own ports and power supply (the accelerator).
Although one can install the CP NG Smart Centre server on to a director, the
above is the best way I can think of to describe the architecture.
The last time I checked (I think since version 3x of the code), NAT was indeed
being successfully negotiated by the ASF clusters, as indeed were all normal
Check Point features _including Smart Defence_. Alteon use the Secure XL API to
produce their own 'mirrored' state table (a mirror of the table found on the
directors) on the accelerator ASIC, effectively meaning that after the initial
connection is accepted, all subsequent packets are forwarded 'in hardware', at
least until they enter the FIN sequence (for TCP). This is not the case for
application level inspection however, so all Smart Defence, indeed anything
that uses Check Point's Security servers, is always going to be passed to the
directors and therefore not forwarded in hardware.
The most powerful set-up is 6 directors, each passing 500,000 concurrent
connections (cc). I've no idea what the new connections per second is, but
obviously for true failover, each could only contain 250,000 cc. Whereas the
IP740 (smaller model than the IP12xx and IP2250) can handle 907406 TCP
connections on its own. These nodes (not the hardware based IP2250) can be
clustered (up to 4 is it?) so you can do the maths.
Speaking from experience, I have found Alteons to be flaky but getting better
with each new iteration of code. The ASM (manager) is still rubbish though,
i.e. it is high maintenance and often breaks. Nokias are good, have world class
support and are more reliable.
Boston