My mistake, you are right. It used to be like that up until NG FP3.
On 6/30/05, Brian Anderson <brian.anderson AT teradyne DOT com> wrote:
>
> Charalambos,
>
> I would like to respectfully disagree with your statement below:
> do you use VRRP on your cluster? If so, you must not fill any information on
> the topology tab of the cluster object (only in the cluster member objects).
>
> I believe Check Point recommends for NG AI R55 exactly opposite of what
> you mention. I've run NG AI R55 (with Nokia VRRP) clusters at two
> different companies and have always had the topology information filled in
> on the topology section of the cluster object, not the cluster members. In
> addition to that, on the 3rd Party Configuration, you would choose High
> Availability and then select Nokia VRRP.
>
> Thanks,
> Brian
>
> Charalambos Klitiropoulos <klitiro AT GMAIL DOT COM>
> Sent by: Mailing list for discussion of Firewall-1 <FW-1-MAILINGLIST AT amadeus.us.checkpoint DOT com>
> 06/28/2005 01:58 PM
> Please respond to: Mailing list for discussion of Firewall-1 <FW-1-MAILINGLIST AT amadeus.us.checkpoint DOT com>
> To: FW-1-MAILINGLIST AT amadeus.us.checkpoint DOT com
> cc:
> Subject: Re: [FW-1] NATing and network related issues
>
> Hello,
>
> do you use VRRP on your cluster? If so, you must not fill any information on
> the topology tab of the cluster object (only in the cluster member objects).
> Another possible cause according to CP's knowledge base is when you enter
> the NATed IP as the object's IP address and the real address of the server
> in the NAT tab (if you use automatic NAT). The last one however does not
> seem to be the cause, as you would have noticed these problems right from
> the start, but you never know. By the way, do you have another object with
> the NATed IP and if so, do you use it anywhere in your policy?
>
> On 6/28/05, Lenny Sanchez <lennys AT healthgate DOT com> wrote:
> >
> > Hello,
> >
> > For the last couple of weeks, I've had a problem(s) surface that had never
> > come up before. I'm running a cluster configuration of 2 Nokia IP440's with
> > Checkpoint NG AI R55. The usual route downstream is from the IDC's router,
> > through the primary firewall, down to an F5 load balance appliance. As you
> > all know, the load balancer will then make the decision as to which of the 2
> > web servers (Windows 2003 Standard Servers, multi-homed NICs) to send
> > traffic. What we started to see happening was, the traffic destined for the
> > external interface on the firewall, was instead routing through the internal
> > interface. Firewall was saying, "no way, address spoof", and then dropping
> > the outbound packets. This started happening out of nowhere. Checked every
> > route on every device under the sun. Started to add new ones in hoping I
> > could catch a break. You guys have to understand, no other sites/services
> > were having this problem. Only these 2003 servers, which had been routing
> > correctly for a bit of time.
> >
> > So as a test, I bypassed the whole DMZ route. Come in through the
> > firewalls, go through an internal router, and then to only one of the 2003
> > servers. Made the necessary static route change within the firewall. Worked
> > for a few days, then start seeing Connection contains real IP of Nated
> > address. So, changed over to the other server. Same thing. Traffic is fine
> > for a while, and then Connection contains IP of NATed address.
> >
> > I know I'm missing something. Any help you guys/girls could provide would
> > be great.
> >
> > Thanks
> > Lenny
> >
> > =================================================
> > To set vacation, Out-Of-Office, or away messages,
> > send an email to LISTSERV AT amadeus.us.checkpoint DOT com
> > in the BODY of the email add:
> > set fw-1-mailinglist nomail
> > =================================================
> > To unsubscribe from this mailing list,
> > please see the instructions at
> > http://www.checkpoint.com/services/mailing.html
> > =================================================
> > If you have any questions on how to change your
> > subscription options, email
> > fw-1-owner AT ts.checkpoint DOT com
> > =================================================
> >
>