On Mon, 24 January 2000, "Burden, James" wrote:

> * High-availability - I will caveat this by saying, as long as you are only
> using it for 10BaseT or slower speeds, then you should be fine. Otherwise,
> the keeping of stateful connections does not work so well on high speed
> lines (ATM, FE) where the 10BaseT connection between the two firewalls is
> slower than the communication on the other interfaces. The issues are when
> the packet has already arrived at the FE/ATM interface but the Ethernet
> interface has not learned about it yet.

This is more of a function of the fact that FireWall-1 doesn't sync quickly
enough to handle asymmetric conditions (i.e. SYN goes through A, SYN-ACK
comes through B). Other vendors do various things to allow this to work, but
it does impact performance. You're always going to get the *maximum*
performance if you spend the money on hardware around the firewalls to load
balance and, more importantly, ensure connections always flow through the
same firewall (i.e. a firewall sandwich).

> * Be wary of the licensing issues. I have had countless issues with my lab
> firewalls and production.

This is normal FireWall-1 stuff (i.e. the Nokias don't add any more to this
process).

> * Too many rules? This one is odd, and I am still trying to get a good
> answer. We have made some changes in the rules, and then made another
> change later in the rules to basically allow the same thing. When reading
> the logs, you would see it hit the high rule a couple of times, and then go
> back to the lower rule (where it should have been allowed in the first
> place). This started happening around the 60th rule or so.

What version of FireWall-1/IPSO are we talking about here?

--
Dameon D. Welch, a.k.a. PhoneBoy (dwelchat_private)
Check Point FireWall-1 FAQs at http://www.phoneboy.com/fw1/
The views expressed herein are not necessarily those of anyone else.

--
Signup for your free USWEST.mail Email account
http://www.uswestmail.net
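The asymmetric-path failure described in the reply above (SYN through firewall A, SYN-ACK back through firewall B, state sync too slow to catch up) can be shown with a small discrete-event model. The following is an added example written for this archive page; it is not code from the original message, from Check Point, or from Nokia. The two firewalls, the "every SYN is permitted" policy, the sync link with a fixed delay, the addresses and the timings are all constructed to illustrate the race, and do not model FireWall-1's real sync protocol. It compares three constructed scenarios: asymmetric return path with slow sync, asymmetric return path with fast sync, and a "sandwich" where a load balancer pins both directions to the same firewall.

```python
"""Toy model of an HA firewall pair with delayed state sync.

Constructed example: a packet is accepted if it opens a new connection (the
hypothetical policy permits every SYN) or if the firewall already holds
state for the flow. State created on one firewall reaches its peer only
after `sync_delay` time units, so a reply arriving at the peer before that
is dropped as having no state.
"""
import heapq


def flow_key(conn):
    """Direction-independent key so the SYN-ACK matches the SYN's state."""
    src, sport, dst, dport, proto = conn
    return (proto, frozenset({(src, sport), (dst, dport)}))


class Firewall:
    """One member of the HA pair, holding only its local connection table."""

    def __init__(self, name):
        self.name = name
        self.state = set()

    def handle(self, conn, flags):
        key = flow_key(conn)
        if "SYN" in flags and "ACK" not in flags:
            # New connection: policy lookup would happen here; the constructed
            # policy allows everything, so only state handling is exercised.
            self.state.add(key)
            return "ACCEPT", key          # key returned so a sync is scheduled
        if key in self.state:
            return "ACCEPT", None
        return "DROP", None               # no state for a non-SYN packet


def simulate(packets, sync_delay):
    """packets: list of (time, firewall, conn, flags) as seen on that
    firewall. Returns a list of (time, firewall, flags, verdict)."""
    fws = {"A": Firewall("A"), "B": Firewall("B")}
    peer = {"A": "B", "B": "A"}
    queue, seq = [], 0
    for t, fw, conn, flags in packets:
        heapq.heappush(queue, (t, seq, "pkt", fw, (conn, flags)))
        seq += 1
    verdicts = []
    while queue:
        t, _, kind, fw, payload = heapq.heappop(queue)
        if kind == "sync":
            fws[fw].state.add(payload)    # peer finally learns the connection
            continue
        conn, flags = payload
        verdict, new_key = fws[fw].handle(conn, flags)
        verdicts.append((t, fw, flags, verdict))
        if new_key is not None:
            # Sync record travels to the peer over the (slow) sync link.
            heapq.heappush(queue, (t + sync_delay, seq, "sync", peer[fw], new_key))
            seq += 1
    return verdicts


# Constructed sample flow: client 10.0.0.5 -> web server 192.0.2.10.
CLIENT_SYN = ("10.0.0.5", 40000, "192.0.2.10", 80, "tcp")
SERVER_REPLY = ("192.0.2.10", 80, "10.0.0.5", 40000, "tcp")

# SYN enters via A; the server's SYN-ACK comes back via B one time unit later.
ASYMMETRIC = [(0.0, "A", CLIENT_SYN, "SYN"), (1.0, "B", SERVER_REPLY, "SYN,ACK")]
# Firewall sandwich: load balancers pin both directions to A.
SANDWICH = [(0.0, "A", CLIENT_SYN, "SYN"), (1.0, "A", SERVER_REPLY, "SYN,ACK")]


def run_all():
    """Three scenarios; sync delays are constructed values, not measurements."""
    return {
        "asymmetric, slow sync": simulate(ASYMMETRIC, sync_delay=5.0),
        "asymmetric, fast sync": simulate(ASYMMETRIC, sync_delay=0.5),
        "sandwich, slow sync": simulate(SANDWICH, sync_delay=5.0),
    }


if __name__ == "__main__":
    for name, verdicts in run_all().items():
        print(name)
        for t, fw, flags, v in verdicts:
            print(f"  t={t:<4} fw={fw} {flags:<8} {v}")
```

Only the slow-sync asymmetric case drops the SYN-ACK: the reply reaches B before A's state record does. Speeding up the sync link or forcing both directions through the same firewall both make the second packet match existing state, which is the trade-off the reply describes.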
This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 13:59:22 PDT