Firewall Wizards mailing list archives

RE: Nokia/Checkpoint firewall


From: dwelch () uswestmail net
Date: 26 Jan 2000 00:45:13 -0800

On Mon, 24 January 2000, "Burden, James" wrote:

> * High-availability - I will caveat this by saying, as long as you are only
> using it for 10BaseT or slower speeds, then you should be fine.  Otherwise,
> the keeping of stateful connections does not work so well on high speed
> lines (ATM, FE) where the 10BaseT connection between the two firewalls is
> slower than the communication on the other interfaces.  The issues are when
> the packet has already arrived at the FE/ATM interface but the Ethernet
> interface has not learned about it yet.

This is more of a function of the fact that FireWall-1 doesn't sync quickly enough to handle asymmetric conditions
(i.e. SYN goes through A, SYN-ACK comes through B). Other vendors do various things to allow this to work, but it does
impact performance. You're always going to get the *maximum* performance if you spend the money on hardware around the
firewalls to load balance and, more importantly, ensure connections always flow through the same firewall (i.e. a
firewall sandwich).

> * Be wary of the licensing issues.  I have had countless issues with my lab
> firewalls and production.

This is normal FireWall-1 stuff (i.e. the Nokias don't add any more to this process).

> * Too many rules?  This one is odd, and I am still trying to get a good
> answer.  We have made some changes in the rules, and then made another
> change later in the rules to basically allow the same thing.  When reading
> the logs, you would see it hit the high rule a couple of times, and then go
> back to the lower rule (where it should have been allowed in the first
> place).  This started happening around the 60th rule or so.

What version of FireWall-1/IPSO are we talking about here?

--
Dameon D. Welch, a.k.a. PhoneBoy (dwelch () phoneboy com)
Check Point FireWall-1 FAQs at http://www.phoneboy.com/fw1/
The views expressed herein are not necessarily those of anyone else.
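The sync-lag point above, as an added simulation that is not from the mailing list or from Check Point: a two-firewall cluster with a constructed sync delay drops a SYN-ACK that returns through the other member before the state has synced, while a sandwich load balancer that hashes a direction-independent flow key pins both halves of the exchange to one firewall. Addresses, timings and the CRC32 hash choice are assumptions.

```python
"""Toy model of a stateful firewall pair whose state sync lags behind the traffic.
Added example, not from the mailing list or Check Point; times are milliseconds and
the sync delay / round-trip values are constructed, not measured."""
import zlib


def flow_key(pkt):
    """Direction-independent tuple so a SYN and its SYN-ACK share one key."""
    return tuple(sorted([(pkt["src"], pkt["sport"]), (pkt["dst"], pkt["dport"])]))


class Cluster:
    """Two stateful firewalls A and B; state made on one reaches the other after sync_delay."""

    def __init__(self, sync_delay):
        self.tables = {"A": {}, "B": {}}  # firewall -> {flow_key: time learned}
        self.sync_delay = sync_delay
        self.pending = []                 # (deliver_at, peer, key) sync updates in flight

    def send(self, pkt, via, now):
        """Pass pkt through firewall `via` at time `now`; return its verdict."""
        for item in list(self.pending):   # apply sync updates that have arrived by now
            if item[0] <= now:
                self.tables[item[1]].setdefault(item[2], item[0])
                self.pending.remove(item)
        key, table = flow_key(pkt), self.tables[via]
        if pkt["flags"] == "SYN":         # new connection: create state, queue sync to peer
            table[key] = now
            self.pending.append((now + self.sync_delay, "B" if via == "A" else "A", key))
            return "accept"
        return "accept" if key in table else "drop"  # anything else needs existing state


# Constructed sample exchange: client 10.0.0.5 opening a TLS connection to 192.0.2.10.
SYN = dict(src="10.0.0.5", sport=40000, dst="192.0.2.10", dport=443, flags="SYN")
SYNACK = dict(src="192.0.2.10", sport=443, dst="10.0.0.5", dport=40000, flags="SYN-ACK")


def asymmetric_path(pkt):
    """Routing that sends the SYN out via A and brings the SYN-ACK back via B."""
    return "A" if pkt["flags"] == "SYN" else "B"


def sandwich_path(pkt, members=("A", "B")):
    """Sandwich load balancer: hash the direction-independent key so both halves
    of the exchange are pinned to the same firewall."""
    return members[zlib.crc32(repr(flow_key(pkt)).encode()) % len(members)]


def exchange(path, sync_delay, rtt):
    """Send the SYN at t=0 and the SYN-ACK at t=rtt; return the SYN-ACK's verdict."""
    c = Cluster(sync_delay)
    c.send(SYN, path(SYN), 0)
    return c.send(SYNACK, path(SYNACK), rtt)
```

With a 50 ms sync delay, `exchange(asymmetric_path, 50, 5)` drops the reply and `exchange(asymmetric_path, 50, 100)` accepts it; `exchange(sandwich_path, 50, 5)` accepts regardless of the delay because both packets hit the same member.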