Re: RE: firewalls & multi-homing

["Stephane Nasdrovisky" <stephane.nasdrovisky () uniway be>]

There are 2 ways I can think of.
-The first one is to synchronise the 2 firewalls. In the case of checkpoint, you
configure the sync.conf as if the 2 distant firewalls were part of a single
cluster. If the wan between the 2 firewall is 'slow' (<10 Mbs), forget it.
-The other one is to use address translation: the idea is that you should make
sure that any packet leaving your LA firewall have valid LA addresses. You
achieve this by translating/masquerading NY addresses into LA addresses on the
LA firewall. You'll have to do similar thing on the NY firewall.


Irwin Lazar wrote:

> Got a question on multihoming and the use of stateful firewalls:
>
> Suppose customer "X" has two internet gateways, one in NY and one in LA.
> Traffic goes out the NY gateway, but for some reason, asymmetrical routing
> sends the return traffic to LA.  Assuming the customer is using stateful
> firewalls, will the return traffic in LA be blocked?  Is there any mechanism
> for the LA & NY firewalls to exchange stateful information?
>
> So far, the only solution I see to this issue is to tinker with route
> advertisements to prevent or minimize asymmetrical routing.
>
> Thanks in advance.
>
> irwin
>
> -----
> Irwin Lazar
> Senior Consultant, The Burton Group
> e-mail: ilazar () tbg com
> Office: 703-742-9659
> Cell: 703-402-4119
> http://www.tbg.com/
> _______________________________________________
> firewall-wizards mailing list
> firewall-wizards () nfr com
> http://list.nfr.com/mailman/listinfo/firewall-wizards

_______________________________________________
firewall-wizards mailing list
firewall-wizards () nfr com
http://list.nfr.com/mailman/listinfo/firewall-wizards