Firewall Wizards mailing list archives
Experience with Gateway Clusters/High Availability FW1 4.1 SP2
From: Greg Polanski <greg_polanski () adc com>
Date: Tue, 22 Aug 2000 17:46:57 -0500
I am successfully using Rainwall 1.3, build 38 on Solaris 2.7
and Checkpoint FW1 4.1, SP2. A few problems have shown
up, but I think that they are mainly Checkpoint problems.
I am seeing the problems in the Rainwall environment because
I need to use Gateway Clusters to support VPN.
The gateways are two Enterprise 420R, dual CPU, 450 MHz boxes.
SunOS diamond 5.7 Generic_106541-11 sun4u sparc SUNW,Ultra-80
Here are the Checkpoint problems.
1. FWZ does not work for SecuRemote clients.
IKE Hybrid (SecurID authentication) does work.
Log entries will contain the phrase,
Failed to generate reply to client request
SecuRemote users will see
No answer received from a Firewall at site ....
WORKAROUND: Use IKE Hybrid for SecurID authentication.
IKE also supports NAT'd SecuRemote users.
2a. SecureClient policy servers do not work.
Checkpoint tech support confirms this oversight.
The userc.C file on the SecuRemote client has the
following line
:policy_servers ()
WORKAROUND:
Define the policy servers by hand via edit or by
distributing a 'fixed' userc.C
2b. Policy Server Management. Checkpoint sells licenses
for SecureClient, but provides NO tools to report
on how many SecureClient licenses are used and who
has them. This problem exists whether you cluster
or not.
3. X-windows does not work for IP Pools.
My policy is "Outgoing and Encrypted"
Checkpoint tech support confirms this oversight.
When IP pools are used, SecureClient rejects the
X displays. You can see the lock on the envelope
change color to red when the X window is blocked.
This is supposed to work when IP pools are not used.
4. HUBs on at least one interface.
The Checkpoint 4.1 SP2 notes (in a footnote) say that
the interfaces should use hubs and not depend on router
connections. I agree, especially on the interface that
is used to exchange the state information.
With the hub, the heartbeat messages appeared
more often on the console.
++++++ Received Heartbeat from 155.226.0.1, add to nodeMap ++++++
RAINWALL SPECIFIC TUNING
1. Increased Table Sizes. Since each table has the state
of both gateways, I had to modify the table size values
in /etc/fw/lib/table.def.
# diff -b /etc/fw/lib/table.def.orig /etc/fw/lib/table.def
214c214
< hashsize 32768 limit 25000;
---
> hashsize 65536 limit 100000;
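Review bot: the limit is raised fourfold (25000 to 100000) while hashsize only doubles (32768 to 65536), so the connections table goes from having more buckets than entries to fewer, and at capacity every bucket averages more than one entry; if the stock bucket-to-entry ratio is wanted, raise hashsize to 131072 (keeping it a power of two) on the same line.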
See http://www.phoneboy.com/fw1/faq/0289.html
See Checkpoint article (3.0.698764.2304823)
You have to REBOOT to change the table sizes.
fwstop; fwstart was insufficient for resizing tables.
Since the change affects ALL gateways, fwhmem may
need to be increased on all gateways.
2. Increased fwhmem. With the larger tables, I had to
increase fwhmem
# egrep fwhmem /etc/system
set fw:fwhmem = 0x1000000
3. The Rainwall manual is overzealous about fw putkey ....
The manual is fine if the only gateways that you have
are rainwalled. If you have a running gateway environment,
the fw putkey commands are just needed between the two or more
gateways that are clustered.
greg
_______________________________________________________________
Greg Polanski mailto:greg_polanski () adc com
ADC Telecommunications, Inc. 952-946-2270
MS 85 952-946-2465 FAX
PO Box 1101 612-538-1833 pager
Minneapolis, MN 55440-1101 6125381833 () minncommpaging com
_______________________________________________________________
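A pre-reboot sanity check for the two settings the tuning section above changes (the connections table sizes in /etc/fw/lib/table.def and fw:fwhmem in /etc/system), added here as an example; it is not code from Greg's post, from Rainwall or from Check Point. It assumes the table entry has the form "connections = ... hashsize N limit M;" (possibly split across lines, as the diff shows), that /etc/system carries "set fw:fwhmem = 0x...", and it uses the post's own value 0x1000000 as the floor for fwhmem, which is an assumption rather than a documented minimum. The sample files it builds are constructed for the example.

```shell
#!/bin/sh
# Added example, not code from the original post: a pre-reboot sanity check
# for the connections table sizes in table.def and fw:fwhmem in /etc/system.
# Assumptions: "connections = ... hashsize N limit M;" (possibly across
# lines), "set fw:fwhmem = 0x..." in /etc/system, and 0x1000000 (the post's
# own value) as the fwhmem floor.

MIN_FWHMEM=$(( 0x1000000 ))   # assumption: the post's setting, 16 MB

# Print "hashsize limit" for table $2 in table.def $1 (nothing if not found).
table_sizes() {
    awk -v t="$2" '
        $1 == t && $2 == "=" { intab = 1 }
        intab {
            for (i = 1; i <= NF; i++) {
                tok = $i; sub(/;$/, "", tok)
                if (prev == "hashsize") h = tok
                if (prev == "limit")    l = tok
                prev = tok
                if ($i ~ /;$/) { print h, l; exit }   # ";" ends the entry
            }
        }' "$1"
}

# Print fw:fwhmem from an /etc/system file as a decimal byte count (0 if unset).
fwhmem_bytes() {
    v=$(awk '$1 == "set" && $2 == "fw:fwhmem" { v = $4 } END { print v }' "$1")
    [ -n "$v" ] || v=0
    echo $(( v ))
}

# Check table.def $1 and /etc/system $2. Returns 0 when the settings look sane.
check_cluster_tables() {
    sizes=$(table_sizes "$1" connections)
    [ -n "$sizes" ] || { echo "no connections table found in $1"; return 1; }
    h=${sizes%% *}; l=${sizes##* }
    mem=$(fwhmem_bytes "$2")
    # hashsize is a bucket count; keep it a power of two.
    if [ $(( h & (h - 1) )) -ne 0 ]; then
        echo "hashsize $h is not a power of two"; return 2
    fi
    # Bigger tables on every clustered gateway need more kernel memory.
    if [ "$mem" -lt "$MIN_FWHMEM" ]; then
        echo "fw:fwhmem=$mem is below $MIN_FWHMEM"; return 3
    fi
    # Advisory only: more entries than buckets means hash chains longer than one.
    [ "$l" -le "$h" ] || echo "warning: limit $l exceeds hashsize $h"
    echo "ok: connections hashsize=$h limit=$l fwhmem=$mem bytes"
    return 0
}

# Constructed sample files mirroring the post's settings; prints their directory.
make_samples() {
    d=$(mktemp -d)
    cat > "$d/table.def" <<'EOF'
// constructed excerpt, not the real table.def
connections = dynamic refresh expires CONN_EXPIRE kbuf 1
              hashsize 65536 limit 100000;
EOF
    cat > "$d/system" <<'EOF'
* constructed excerpt of /etc/system
set fw:fwhmem = 0x1000000
EOF
    echo "$d"
}

# Usage: run against the samples; on a gateway use the real files, e.g.
#   check_cluster_tables /etc/fw/lib/table.def /etc/system
sampledir=$(make_samples)
check_cluster_tables "$sampledir/table.def" "$sampledir/system"
```

The power-of-two and fwhmem checks are hard failures; the bucket-to-entry ratio is only a warning, since the post's own values (65536 buckets for 100000 entries) trip it and still ran in production.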
_______________________________________________
Firewall-wizards mailing list
Firewall-wizards () nfr net
http://www.nfr.net/mailman/listinfo/firewall-wizards
