
Re: [FW1] Multiple WAN Links.
If this will be a cluster configuration -- that is, allowing session
failover, and if necessary, vpn-failover, then the two boxes will be
defined as a cluster, therefore each internal subnet must be hidden
behind one ip.  If you decide to break the state synchronization by
configuring the two boxes as totally separate entities, and allowing
yourself to enforce different hide addresses for the same subnet on two
boxes, you will run into problems with dynamically generated web pages
when failover occurs, because the source address for a session will
change and the remote server will be unable to swap the remote
association.

Don't get me wrong, Rainfinity is a great product, but to do this
solution flawlessly, you should still listen to the first response.

"Mark L. Decker" wrote:
      Actually, there is a way to do this (at least for outbound
      access and mail) without BGP, but it requires two firewalls
      in a RainWall cluster.  You connect one firewall to ISP A and
      the other firewall to ISP B, and both to the same internal
      subnet.  The firewall A does NAT using range from ISP A, and
      firewall B does NAT using range from ISP B.  Then you set up
      the RainWall Ping Monitor to watch the ISP links.  If link to
      ISP A goes down, RainWall can automatically disable firewall
      A, and move its internal IP address to firewall B, thereby
      redirecting users out to ISP B.  This also allows load
      sharing of outbound traffic between the two links.  It does
      not help in the case of inbound access to an internally
      hosted webserver, but mail will still work if you use
      multiple MX records.  Failover is automatic, but not
      transparent (because src/dest pair changes).  Not a perfect
      solution, but then neither is BGP.

      Mark L. Decker
      Rainfinity
      mdecker@rainfinity.com
      (408) 382-4870

            -----Original Message-----
            From: owner-fw-1-mailinglist@lists.us.checkpoint.com
            [mailto:owner-fw-1-mailinglist@lists.us.checkpoint.com]
            On Behalf Of CryptoTech
            Sent: Thursday, November 02, 2000 6:12 AM
            To: Gunjan Mathur at 9netave
            Cc: fw-1-mailinglist@lists.us.checkpoint.com
            Subject: Re: [FW1] Multiple WAN Links.

This can only be handled by BGP and cooperation between the
ISPs.  FireWall-1 will not change its security policy/NAT
policy when a WAN link drops.

Gunjan Mathur at 9netave wrote:
      I have two WAN links using PPP with static routes
      from different ISPs.
      Now I want that if one of my links goes down, the
      second link automatically handles everything,
      and if both are up then load balancing
      will happen.

      And I'm using NATting of my LAN traffic on the
      firewall with one ISP's IP range.
      If the link of this ISP goes down then all my LAN
      users are unable to access
      the net because of this NATting.
      How do I configure my structure in such a way that if
      the link of the NATting ISP
      is down, the second link handles the traffic?

      GM
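As an added illustration that is not from any of the posters, the Python model below reproduces the NAT-state point made in the top reply and in Mark Decker's description: a state-synchronised cluster hides the subnet behind one IP, so an established flow keeps its translated source through failover, whereas two independent boxes with different hide addresses change the source the remote server sees. All addresses and the monitor logic are constructed assumptions, not Check Point or RainWall behaviour.

```python
# Toy model of hide NAT on two firewalls (constructed example, not vendor code).
# Compares a synchronised cluster (same hide IP on both boxes) with two
# independent boxes that hide the same subnet behind different IPs.
from dataclasses import dataclass, field

@dataclass
class Firewall:
    name: str
    hide_ip: str            # public address the LAN is hidden behind
    link_up: bool = True    # state of this box's ISP link
    table: dict = field(default_factory=dict)  # flow 4-tuple -> hide port
    next_port: int = 10000

    def translate(self, flow):
        # Return the (hide_ip, hide_port) pair the remote server sees for this flow,
        # allocating a new hide port only for flows not already in the table.
        if flow not in self.table:
            self.table[flow] = self.next_port
            self.next_port += 1
        return (self.hide_ip, self.table[flow])

def sync_state(src, dst):
    # Cluster state synchronisation: copy the NAT table to the peer box.
    dst.table = dict(src.table)
    dst.next_port = src.next_port

def active_firewall(fw_a, fw_b):
    # Ping-monitor decision: the first box whose ISP link is up carries traffic.
    return fw_a if fw_a.link_up else fw_b

def session_survives_failover(clustered):
    # Constructed LAN client -> remote web server flow (src, sport, dst, dport).
    flow = ("10.1.1.5", 40000, "203.0.113.10", 80)
    # Clustered: one hide IP on both boxes (the range must then be reachable via
    # both ISPs, which is the BGP requirement raised earlier in the thread).
    # Independent: each box hides the subnet behind its own ISP's range.
    hide_b = "198.51.100.1" if clustered else "192.0.2.1"
    a = Firewall("fw-A", "198.51.100.1")
    b = Firewall("fw-B", hide_b)
    before = active_firewall(a, b).translate(flow)
    if clustered:
        sync_state(a, b)
    a.link_up = False                      # ISP A link drops, monitor fails over
    after = active_firewall(a, b).translate(flow)
    # The remote server keeps the session only if the translated source is unchanged.
    return before == after
```

With `clustered=True` the flow keeps its hide address and port across failover; with `clustered=False` the server sees a new source and the existing session is lost, as the thread's "not transparent" caveat describes.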