
RE: [FW1] Multiple WAN Links.





Another option is Radware's Linkproof appliance which handles multiple ISP 
connections without requiring BGP.

Pat Scopelliti

> ----------
> From:         Mark L. Decker[SMTP:mdecker@rainfinity.com]
> Reply To:     mdecker@rainfinity.com
> Sent:         Thursday, November 02, 2000 11:17 PM
> To:   'CryptoTech'
> Cc:   'Gunjan Mathur at 9netave'; fw-1-mailinglist@lists.us.checkpoint.com
> Subject:      RE: [FW1] Multiple WAN Links.
> 
> Agreed.  If transparent failover is your top priority, BGP is the better 
>solution.  If you host web servers internally that need to be reached from 
>the outside world, BGP also prevents you from having to play games with DNS 
>to provide access to those servers in the event of link failure.  BGP has 
>plenty of negatives (uneven load sharing, complex configuration, requires AS 
>number and cooperation from both ISPs, giant routing tables that eat gobs of 
>router CPU and RAM, etc.), but it is still the only solution that provides 
>transparent failover for both inbound and outbound sessions in the event of 
>link failure.
>  
> RainWall as a multi-homing solution is really most effective as cheap 
>protection and link load balancing for outbound Internet access and email 
>(with multiple MX records).  If you don't care so much that connections have 
>to be re-established after failover, it's a viable option.  Otherwise, BGP 
>is the way to go.
> 
>       -----Original Message-----
>       From: CryptoTech [mailto:cryptotech@gmx.de]
>       Sent: Thursday, November 02, 2000 7:40 PM
>       To: mdecker@rainfinity.com
>       Cc: 'Gunjan Mathur at 9netave'; 
>fw-1-mailinglist@lists.us.checkpoint.com
>       Subject: Re: [FW1] Multiple WAN Links.
> 
> 
>       If this will be a cluster configuration -- that is, allowing session 
>failover, and if necessary, vpn-failover, then the two boxes will be defined 
>as a cluster, therefore each internal subnet must be hidden behind one ip.  
>If you decide to break the state synchronization by configuring the two 
>boxes as totally separate entities, and allowing yourself to enforce 
>different hide addresses for the same subnet on two boxes, you will run into 
>problems with dynamically generated web pages when failover occurs, because 
>the source address for a session will change and the remote server will be 
>unable to swap the remote association. 
> 
>       Don't get me wrong, Rainfinity is a great product, but to do this 
>solution flawlessly, you should still listen to the first response 
> 
>       "Mark L. Decker" wrote: 
> 
>                Actually, there is a way to do this (at least for outbound 
>access and mail) without BGP, but it requires two firewalls in a RainWall 
>cluster.  You connect one firewall to ISP A and the other firewall to ISP B, 
>and both to the same internal subnet.  The firewall A does NAT using range 
>from ISP A, and firewall B does NAT using range from ISP B.  Then you set up 
>the RainWall Ping Monitor to watch the ISP links.  If link to ISP A goes 
>down, RainWall can automatically disable firewall A, and move its internal 
>IP address to firewall B, thereby redirecting users out to ISP B.  This also 
>allows load sharing of outbound traffic between the two links.  It does not 
>help in the case of inbound access to an internally hosted webserver, but 
>mail will still work if you use multiple MX records.  Failover is automatic, 
>but not transparent (because src/dest pair changes).  Not a perfect 
>solution, but then neither is BGP.
>
>Mark L. Decker
>Rainfinity
>mdecker@rainfinity.com
>(408) 382-4870 
> 
>                       -----Original Message----- 
>                       From: owner-fw-1-mailinglist@lists.us.checkpoint.com 
>[ mailto:owner-fw-1-mailinglist@lists.us.checkpoint.com]On Behalf Of 
>CryptoTech 
>                       Sent: Thursday, November 02, 2000 6:12 AM 
>                       To: Gunjan Mathur at 9netave 
>                       Cc: fw-1-mailinglist@lists.us.checkpoint.com 
>                       Subject: Re: [FW1] Multiple WAN Links. 
>                        
>                       This can only be handled by BGP and cooperation 
>between the ISPs.  FireWall-1 will not change its security policy/NAT 
>policy when a WAN link drops.
> 
>                               Gunjan Mathur at 9netave wrote:
> 
>                               I have two WAN links using PPP with static 
>routes from different ISPs.
>                               Now I want that if one of my links goes down, 
>the second link automatically handles all 
>                               the traffic, and if both are up then load 
>balancing will happen. 
> 
>                               And I'm using NATting of my LAN traffic on the 
>firewall with one ISP's IP range. 
>                               If the link of this ISP goes down then all my 
>LAN users are unable to access 
>                               the net, because of this NATting. 
>                               How do I configure my setup in such a way that 
>if the link of the NATting ISP 
>                               is down then the second link handles the traffic? 
> 
>                               GM 
> 
> 
> 

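The two-firewall scheme Mark Decker describes in the quoted reply (each firewall hides the LAN behind an address from its own ISP range, a ping monitor steers clients to a firewall whose link is still up, and existing sessions break on failover because the source address the remote server saw changes) as a small added model. This is constructed illustration code written for this page, not RainWall's or FireWall-1's; the firewall names, hide addresses and client addresses are made up.

```python
import ipaddress
from dataclasses import dataclass, field

@dataclass
class Firewall:
    name: str
    nat_addr: str          # hide address taken from this firewall's ISP range
    link_up: bool = True

@dataclass
class Session:
    client: str
    server: str
    via: str               # firewall that carried the session
    nat_addr: str          # source address the remote server saw

@dataclass
class Cluster:
    fws: list
    sessions: list = field(default_factory=list)

    def choose(self, client: str) -> Firewall:
        """Spread clients over firewalls with a live ISP link (outbound load sharing)."""
        live = [fw for fw in self.fws if fw.link_up]
        if not live:
            raise RuntimeError("all ISP links down")
        return live[int(ipaddress.ip_address(client)) % len(live)]

    def open_session(self, client: str, server: str) -> Session:
        fw = self.choose(client)
        s = Session(client, server, fw.name, fw.nat_addr)
        self.sessions.append(s)
        return s

    def ping_monitor(self, probe: dict) -> list:
        """Apply link probe results and return the sessions that are now broken:
        the client is steered to a firewall whose hide address differs from the
        one the remote server already associated with the session."""
        for fw in self.fws:
            if fw.name in probe:
                fw.link_up = probe[fw.name]
        return [s for s in self.sessions if self.choose(s.client).nat_addr != s.nat_addr]

def demo():
    # Constructed addresses: documentation ranges for the two ISP hide addresses.
    c = Cluster([Firewall("fwA", "198.51.100.1"), Firewall("fwB", "203.0.113.1")])
    s1 = c.open_session("10.0.0.2", "www.example")   # lands on fwA
    s2 = c.open_session("10.0.0.3", "www.example")   # lands on fwB
    broken = c.ping_monitor({"fwA": False})          # ISP A link fails
    s3 = c.open_session("10.0.0.2", "www.example")   # new session now leaves via B
    return [s.via for s in (s1, s2)], [s.client for s in broken], s3.via, s3.nat_addr
```

Failover is automatic but not transparent: the session that went out through firewall A must be re-established, while the one already on B survives.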
