Re: [FW-1] Cold stand-by management server

Subject: Re: [FW-1] Cold stand-by management server
From: fwguru <fwguru AT GMAIL DOT COM>
To: FW-1-MAILINGLIST AT AMADEUS.US.CHECKPOINT DOT COM
Date: Fri, 24 Dec 2004 13:33:37 -0500
Most budgets prohibit purchasing a management HA license and another
management server, so what else can you do?  You can definitely do
this.  I have practiced this on Nokia, Splatform, and Windows.

For planning you should consider:
* the lics
* module connectivity
* NAT
* SIC
* backup procedures
* restore procedures
* fw module policy unloads

Ideally, you'd want to have the same name and IP as the primary, but
this box is in another subnet.  You can pre-generate the lics for the
cold backup server and have them already at hand before a disaster.

You will have to re-SIC the modules with the backup mgmt server. Plan
for how you are going to connect to the modules from the new backup
server carefully. NAT can be tricky in this situation. I recommend
that you use manual NAT rules. Then have two policy packages -- a
primary and a disaster policy.  The only difference between these
policy packages is the granular differences in the NAT rules of each
policy.  I could explain this in more detail later if you want me to.

You may also have to unload the policy on the modules that you want to
take over, either locally or remotely if the loaded policy allows.

Last but not least, have regular backups restored onto the backup
server regularly :)
I like the upgrade_export and upgrade_import utilities for this task.

Also, why not have a local cold backup at your main facility, too?

best,
fwguru
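
The last point above (keep the cold standby fed with regular backups) is only useful if the copy that arrived there is current and intact. The script below is an added example, not code from this thread or from Check Point: it assumes the upgrade_export archives are copied to a directory on the standby server under the constructed name mgmt-YYYYMMDD.tgz, each with a sidecar <archive>.sha256 in sha256sum format written by the copy job. It never runs upgrade_export itself; it picks the newest archive by the date in its name, verifies the digest, and reports ok, stale, corrupt or missing so the standby is not discovered to be useless on the day it is needed. The sample directories are constructed inside the script.

```python
"""Freshness and integrity check for cold-standby management backups.

Added example, not code from the original thread or from Check Point.
Assumptions of this example: upgrade_export archives are copied to a
directory on the standby server named mgmt-YYYYMMDD.tgz, each with a
sidecar file <archive>.sha256 written by the copy job in 'sha256sum'
format ("<hex digest>  <filename>"). Nothing here runs upgrade_export
itself; the script only decides whether what arrived can be trusted.
"""
import hashlib
import re
import tempfile
from datetime import datetime
from pathlib import Path

ARCHIVE_RE = re.compile(r"^mgmt-(\d{8})\.tgz$")


def archive_date(path):
    """Return the export date encoded in the file name, or None."""
    m = ARCHIVE_RE.match(path.name)
    return datetime.strptime(m.group(1), "%Y%m%d") if m else None


def newest_archive(backup_dir):
    """Pick the most recent archive by the date in its name (not mtime,
    which a copy job can reset)."""
    candidates = [p for p in Path(backup_dir).iterdir() if archive_date(p)]
    return max(candidates, key=archive_date, default=None)


def verify_checksum(archive):
    """Compare the archive's SHA-256 with the sidecar written at export time."""
    sidecar = archive.parent / (archive.name + ".sha256")
    if not sidecar.exists():
        return False
    expected = sidecar.read_text().split()[0].lower()
    actual = hashlib.sha256(archive.read_bytes()).hexdigest()
    return actual == expected


def check_backup(backup_dir, today, max_age_days=7):
    """Classify the standby's newest archive as ok / stale / corrupt / missing.

    today is an ISO date string (YYYY-MM-DD) so the check is reproducible.
    """
    now = datetime.strptime(today, "%Y-%m-%d")
    newest = newest_archive(backup_dir)
    if newest is None:
        return {"status": "missing", "archive": None, "age_days": None}
    if not verify_checksum(newest):
        return {"status": "corrupt", "archive": newest.name, "age_days": None}
    age = (now - archive_date(newest)).days
    status = "stale" if age > max_age_days else "ok"
    return {"status": status, "archive": newest.name, "age_days": age}


def write_archive(backup_dir, name, payload, bad_sidecar=False):
    """Write a constructed archive plus its sidecar (optionally a wrong one)."""
    path = Path(backup_dir) / name
    path.write_bytes(payload)
    digest = "0" * 64 if bad_sidecar else hashlib.sha256(payload).hexdigest()
    (Path(backup_dir) / (name + ".sha256")).write_text(f"{digest}  {name}\n")
    return path


def build_sample_dir(scenario="ok"):
    """Constructed sample directories covering the failure modes."""
    d = Path(tempfile.mkdtemp(prefix="fw1-standby-"))
    if scenario == "empty":
        return d
    write_archive(d, "mgmt-20041201.tgz", b"constructed: older export")
    write_archive(d, "mgmt-20041220.tgz", b"constructed: latest export",
                  bad_sidecar=(scenario == "corrupt"))
    return d


if __name__ == "__main__":
    for scenario in ("ok", "corrupt", "empty"):
        print(scenario, check_backup(build_sample_dir(scenario), "2004-12-24"))
    # The same directory counts as stale once a week passes with no new copy.
    print("stale", check_backup(build_sample_dir("ok"), "2005-01-15"))
```

Run it from a scheduled job on the standby and page someone on anything other than "ok"; a stale or corrupt result is the signal that the copy job, not the disaster policy, needs attention first.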




On Thu, 23 Dec 2004 19:34:11 +0100, Patrick Marquetecken
<patrick.marquetecken AT pandora DOT be> wrote:
> On Wed, 22 Dec 2004 09:10:45 -0700
> Hal Dorsman <hdorsman AT RMEF DOT ORG> wrote:
>
> > Well, your license is tied to an IP, and awhile back they made it
> > so you can use the internal IP.  Since this can be anything you want
> > it makes it easier to implement the cold standby backup.  I guess I
> > don't understand why you would want your backup server in another
> > location,
> The idea is if our ISP is down or another network problem, we activate the
> Management server in the other location if we need to make some changes; if
> you know that your rules are "static" then about 13,000 EUR is a lot of
> money.
>
> > however.  But, yes, to answer your question, you can do
> > this, but AFAIK your internal IP's would need to be the same to
> > avoid any licensing issues.
> >
> > Hal
> >
> Patrick
>
> --
> "Please Captain, not in front of the Klingons."
> -- Spock, to Kirk, refusing a hug (Star Trek V)
>
> Fingerprint = 2792 057F C445 9486 F932 3AEA D3A3 1B0C 1059 273B
> ICQ# 316932703
> Registered Linux User #44550
> http://counter.li.org
>
> =================================================
> To set vacation, Out-Of-Office, or away messages,
> send an email to LISTSERV AT amadeus.us.checkpoint DOT com
> in the BODY of the email add:
> set fw-1-mailinglist nomail
> =================================================
> To unsubscribe from this mailing list,
> please see the instructions at
> http://www.checkpoint.com/services/mailing.html
> =================================================
> If you have any questions on how to change your
> subscription options, email
> fw-1-owner AT ts.checkpoint DOT com
> =================================================
>
