Re: FW-1 Failover
Aaron D. Turner (aturner vicinity.com)
Wed, 23 Jun 1999 10:16:16 -0700 (PDT)
- Next message: Choi, Byoung: "RE: Firewall performance"
- Previous message: Chris Brenton: "Re: Firewall performance"
- In reply to: Sandy Green: "Re: Firewall performance"
- Next in thread: John McDonald: "RE: FW-1 Failover"
I've got Veritas FirstWatch for FW-1 on my pair of E250's (each with 9
interfaces). Works just fine. You need 1 interface for the admin
network, plus 2 more for heart-beat. That leaves the rest for DMZ's,
etc.
--
Aaron Turner, CNE  aturnervicinity.com  650.237.0300 x252
Network Security Engineer  Vicinity Corp.
Cell: 408-314-9874  Pager: 650-317-1821
http://www.vicinity.com
On Wed, 23 Jun 1999, Lance Spitzner wrote:
> On Tue, 22 Jun 1999, Kelvin Garrahan wrote:
>
> > I am thinking of using FW-1 for an internal Firewall which will segregate
> > four networks of different security levels. The configuration is to be on
> > NT, with four Ethernet cards. The choice of platform is customer driven, my
> > original plans were to use Cisco's PIX. The main problem I have is
> > providing failover for the FW-1. With PIX this is not a problem. I know FW-1
> > supports failover/load sharing, but will this work with four interfaces?
>
> FW1 supports failover, however you need 3rd party software to actually implement
> it. What FW1 provides is "stateful synching" between two FWs. This means that
> your primary and failover FW share stateful tables. Whatever connections are
> going through the primary FW, the secondary knows about, so no connections are
> dropped during the failover.
>
> Now, to answer your question - yes. However, it depends on what 3rd party
> support you are using. The two most commonly used solutions are Stonebeat
> and Nokia. Nokia requires you buy their proprietary BSDI based systems that
> have FW1 installed. These boxes come with their own failover solution. I have
> never personally tried these, but have heard excellent things on the FW1 listserv.
>
> The other solution is Stonebeat, which I have installed at various sites. I
> like Stonebeat because it is BRAIN DEAD simple. I have used it with up to
> 3 interfaces, but Stonebeat claims they have clients with up to 17 interfaces
> per system. Both Stonebeat and FW1 claim both systems can support an unlimited
> number of interfaces.
>
> Hope this long-winded explanation helps :)
>
>
> Lance Spitzner
> http://www.enteract.com/~lspitz/papers.html
> Internetworking & Security Engineer
> Dimension Enterprises Inc
>
This archive was generated by hypermail 2.0b3 on Sat Jul 17 1999 - 07:19:01 CDT