Firewall Wizards mailing list archives
Experience with Gateway Clusters/High Availability FW1 4.1 SP2
From: Greg Polanski <greg_polanski () adc com>
Date: Tue, 22 Aug 2000 17:46:57 -0500
I am successfully using Rainwall 1.3, build 38 on Solaris 2.7 and Checkpoint FW1 4.1, SP2. A few problems have shown up, but I think that they are mainly Checkpoint problems. I am seeing the problems in the Rainwall environment because I need to use Gateway Clusters to support VPN.

The gateways are two Enterprise 420R, dual CPU, 450 MHz boxes.

SunOS diamond 5.7 Generic_106541-11 sun4u sparc SUNW,Ultra-80

Here are the Checkpoint problems.

1. FWZ does not work for SecuRemote clients. IKE Hybrid (SecurID authentication) does work. Log entries will contain the phrase:

   Failed to generate reply to client request

   SecuRemote users will see:

   No answer received from a Firewall at site ....

   WORKAROUND: Use IKE Hybrid for SecurID authentication. IKE also supports NAT'd SecuRemote users.

2a. SecureClient policy servers do not work. Checkpoint tech support confirms this oversight. The userc.C file on the SecuRemote client has the following line:

   :policy_servers ()

   WORKAROUND: Define the policy servers by hand via edit or by distributing a 'fixed' userc.C.

2b. Policy Server Management. Checkpoint sells licenses for SecureClient, but provides NO tools to report on how many SecureClient licenses are used and who has them. This problem exists whether you cluster or not.

3. X-windows does not work for IP Pools. My policy is "Outgoing and Encrypted". Checkpoint tech support confirms this oversight. When IP pools are used, SecureClient rejects the X displays. You can see the lock on the envelope change color to red when the X window is blocked. This is supposed to work when IP pools are not used.

4. HUBs on at least one interface. The Checkpoint 4.1 SP2 notes (in a footnote) say that the interfaces should use hubs and not depend on router connections. I agree, especially on the interface that is used to exchange the state information. With the hub, the heartbeat messages appeared more often on the console:

   ++++++ Received Heartbeat from 155.226.0.1, add to nodeMap ++++++

RAINWALL SPECIFIC TUNING

1. Increased Table Sizes. Since each table has the state of both gateways, I had to modify the table size values in /etc/fw/lib/table.def.

   # diff -b /etc/fw/lib/table.def.orig /etc/fw/lib/table.def
   214c214
   < hashsize 32768 limit 25000;
   ---
   > hashsize 65536 limit 100000;

   See http://www.phoneboy.com/fw1/faq/0289.html
   See Checkpoint article (3.0.698764.2304823)

   You have to REBOOT to change the table sizes. fwstop; fwstart was insufficient for resizing tables. Since the changes affect ALL gateways, fwhmem may need to be increased on all gateways.

2. Increased fwhmem. With the larger tables, I had to increase fwhmem.

   # egrep fwhmem /etc/system
   set fw:fwhmem = 0x1000000

3. The Rainwall manual is overzealous about fw putkey .... The manual is fine if the only gateways that you have are rainwalled. If you have a running gateway environment, the fw putkey commands are just needed between the two or more gateways that are clustered.

greg

_______________________________________________________________
Greg Polanski                    mailto:greg_polanski () adc com
ADC Telecommunications, Inc.     952-946-2270
MS 85                            952-946-2465 FAX
PO Box 1101                      612-538-1833 pager
Minneapolis, MN 55440-1101       6125381833 () minncommpaging com
_______________________________________________________________

_______________________________________________
Firewall-wizards mailing list
Firewall-wizards () nfr net
http://www.nfr.net/mailman/listinfo/firewall-wizards
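The table.def and /etc/system tuning described in the post, as an added example that is not part of the original message: a small sh script that reads hashsize and limit from a copy of table.def and fwhmem from a copy of /etc/system, then checks them against a target connection count for a cluster whose tables carry both members' state. The file excerpts it writes are constructed; the argument convention, the 100000-connection target and the power-of-two check on hashsize are assumptions of this example, not FW-1 documentation.

```shell
#!/bin/sh
# Added example, not code from the original post. Reads the FW-1 connections
# table parameters (hashsize/limit) and the fwhmem kernel setting and checks
# them against a cluster target. With no arguments it writes and reads
# constructed sample files; pass the real paths as arguments to check a
# gateway (samples are then not written). The 100000 target and the
# power-of-two rule for hashsize are assumptions of this example.

# Constructed excerpts standing in for /etc/fw/lib/table.def and /etc/system.
write_samples() {
    cat > "$TABLE_DEF" <<'EOF'
// constructed table.def excerpt: only the attributes quoted in the post
connections = dynamic hashsize 65536 limit 100000;
EOF
    cat > "$SYSTEM_FILE" <<'EOF'
* constructed /etc/system excerpt
set fw:fwhmem = 0x1000000
EOF
}

# hashsize value from the connections table definition
table_hashsize() {
    sed -n 's/.*hashsize[[:space:]]*\([0-9][0-9]*\).*/\1/p' "$TABLE_DEF" | head -n 1
}

# limit value from the connections table definition
table_limit() {
    sed -n 's/.*limit[[:space:]]*\([0-9][0-9]*\).*/\1/p' "$TABLE_DEF" | head -n 1
}

# fwhmem in bytes (/etc/system stores it as a hex constant)
fwhmem_bytes() {
    hex=$(sed -n 's/^set[[:space:]]*fw:fwhmem[[:space:]]*=[[:space:]]*\(0x[0-9A-Fa-f]*\).*/\1/p' "$SYSTEM_FILE" | head -n 1)
    [ -n "$hex" ] || return 1
    echo $(( $hex ))
}

# check_tuning TARGET_LIMIT: prints a report; returns 0 when the table limit
# reaches TARGET_LIMIT and hashsize is a power of two, 1 otherwise.
check_tuning() {
    target=$1
    hs=$(table_hashsize)
    lim=$(table_limit)
    mem=$(fwhmem_bytes) || mem=0
    rc=0
    echo "connections: hashsize=$hs limit=$lim fwhmem=$((mem / 1048576))MB"
    if [ "$lim" -lt "$target" ]; then
        echo "FAIL: limit $lim below cluster target $target (reboot required after raising it)"
        rc=1
    fi
    if [ $((hs & (hs - 1))) -ne 0 ]; then
        echo "FAIL: hashsize $hs is not a power of two"
        rc=1
    fi
    return $rc
}

TABLE_DEF=${1:-}
SYSTEM_FILE=${2:-}
if [ -z "$TABLE_DEF" ]; then
    TABLE_DEF=$(mktemp)
    SYSTEM_FILE=$(mktemp)
    write_samples
fi
check_tuning 100000
```

Run it as `sh check_tables.sh /etc/fw/lib/table.def /etc/system` on a gateway; it reports the current values and fails when the limit is below the target, which is the case the post hit when each table had to hold both gateways' state.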