Hi @ll,
I'm not quite sure if it makes sense to use the CP ISP redundancy mechanism
if there is no connectivity from each Gateway to each ISP. I assume this
because the customer wants to break up the GW cluster...
The alternatives from my point of view are:
- Use BGP with one provider independent address space for ISP redundancy and
let BGP handle HA of your site (for from outside initiated conns); you would
probably need additional routing facilities (further router between GW and
router of ISP); consider internal HA mechanisms (OSPF, Loadbalancing, ...)
or
- Use a device like Radware LinkProof or F5 LinkController in front of your
firewalls. You'll need layer-2 connectivity between your 2 sites in front of
your firewalls. (In that case you can use the CP feature alternatively...)
Cheers,
André
> It is also important to note that ISP redundancy is limited by the OS.
> Currently, only Solaris and Linux are capable of ISP redundancy - IPSO is NOT
> capable at this time.
>
> - john
>
> -----Original Message-----
> From: dhananjoy [mailto:dhananjoyc AT GMAIL DOT COM]
> Sent: Wednesday, April 27, 2005 3:20 PM
> To: FW-1-MAILINGLIST AT AMADEUS.US.CHECKPOINT DOT COM
> Subject: Re: [FW-1] Dual ISP Firewall Design Question
>
>
> Hi,
> If you are running NGAI R55 or above, you can use the ISP Redundancy feature
> in Load Sharing mode.
> This feature doesn't cost extra and comes along with R55.
> You can use the existing Cluster but you need to do some tweaking in the
> existing SBFC configs, NAT configs for servers in DMZ and also VPN
> configurations.
>
>
> On 4/27/05, Ruiyuan Jiang <Ruiyuan_Jiang AT liz DOT com> wrote:
> >
> > Hi, all
> >
> > My client currently has two firewall modules with StoneBeat fullcluster
> > with one ISP which has BGP configuration. Now my client wants to change
> > the setup to utilize two ISPs (i.e. one in NY, one in CT with different
> > network number) instead of one ISP and BGP setup. What is the best way
> > to accomplish this?
> >
> > The client is thinking of dismantling the firewall cluster and putting one
> > in CT and another one in NY as individual firewalls to save firewall
> > cost. For high availability of DMZ, it might need to set up two DMZs (one
> > in CT and one NY) in case of the site failure. Do we need to have load
> > balancer for ISP in front of firewalls to monitor the availability of
> > ISPs? Internally the client is trying to use router to control users'
> > internet access with proxy server (i.e. NY users accessing internet
> > using NY's ISP link, CT users accessing internet using CT's ISP link).
> > Any recommendations? Thanks.
> >
> > Ryan
> >
> > =================================================
> > To set vacation, Out-Of-Office, or away messages,
> > send an email to LISTSERV AT amadeus.us.checkpoint DOT com
> > in the BODY of the email add:
> > set fw-1-mailinglist nomail
> > =================================================
> > To unsubscribe from this mailing list,
> > please see the instructions at
> > http://www.checkpoint.com/services/mailing.html
> > =================================================
> > If you have any questions on how to change your
> > subscription options, email
> > fw-1-owner AT ts.checkpoint DOT com
> > =================================================
> >
>
>
>
> --
> Regards,
> dhananjoy
> India.
> Phone : 091-9899602123
> ---------------------------------------------------------------
> Registered Linux user # 375503
> http://counter.li.org
> ---------------------------------------------------------------
> Some men see things as they are and say why?
> I dream things that never were and say "Why Not?"
> -Robert F. Kennedy
>