Scaling FW-1 platforms (was RE: Nokia/Check Point)

From: Jerald Josephs (jerald.josephsat_private)
Date: Sun Feb 06 2000 - 17:53:39 PST

Yin To Chu wrote:

> Is it possible to scale the FW by using load balancing switches, say, from
> Alteon, Foundry, ArrowPoint, F5, Extreme, RADWare, Cisco, etc., with multiple
> FWs?

I have been involved with three types of load balancing scenarios for FW-1
platforms: one type using Cisco's Local Director, another using RADWare, and a
third type using F5.

In the case of Local Director, we were distributing incoming HTTP to a WWW farm.
The Local Director had a different static route for each WWW server. Each static
route was a different VRRP IP address. Each WWW server had a default route that
also was a unique VRRP IP address. Each Nokia firewall was the master of one
VRRP IP address (on the external and internal LAN) and a backup for the other 3
(4 WWW servers).

During normal operations, Local Director would be forwarding HTTP to each of the
four IP addresses in order to reach the physical WWW server on the server
network. Since each WWW server had a default route back through the very same
physical firewall, symmetric routes were maintained.

Should any firewall fail, the VRRP IP addresses on the external and server LANs
would be taken by the primary backup, which would double its load.

This particular solution, Local Director, could only be used when trying to load
balance connections to a finite number of destination IP addresses.  Systems
like RADWare and F5 are designed to also distribute network connections that are
outbound to unknown destination IP addresses.

All of these solutions can and should be configured to maintain any given
connection through the same physical firewall in order to avoid asymmetric
routes.  The Synchronization feature in FireWall-1 is designed to deal with
failovers, not load distributions.

Jerald.Josephsat_private
Manager Proactive Services
Nokia IP Routing Group   http://www.iprg.nokia.com
    
    
>
>
> Is it possible to provide N+1 redundancy in this case?
> Is it still possible to maintain transparency to end point systems and how?
>
> YT
>
> -----Original Message-----
> From: owner-firewall-wizardsat_private
> [mailto:owner-firewall-wizardsat_private]On Behalf Of Jeff Thomas
> Sent: Friday, 4 February 2000 12:00
> To: firewall-wizardsat_private
> Subject: Nokia/Checkpoint
>
> The Nokia platforms are FreeBSD.  The OS is heavily modified.  It is not a
> standard FreeBSD install.  The benefit of this product is the low admin
> needed to maintain it.  You don't need to be a unix guru to manage it.  The
> use of packages allows you to upgrade and revert to a previous version of
> firewall-1 or the OS itself.  In other words, you can run several versions
> on the same box.  You simply activate the one you need.  Good for managed
> services in my opinion.  A web interface is provided to do all the admin.
> It is responsive and works well.  SSH is available for the commandline
> commandos.  Supports OSPF, BGP (extra cost), IGRP which is implemented in
> the routing daemon.   Has ACL capabilities as well.
>
> One thing I disagree with is the fact you have to get NICs from Nokia.  Probably
> a result of the modified kernel and drivers used.  Things tend to get
> pricey this way.  Models available are the IP330/VPN220 - remote office,
> IP440 - enterprise, and IP600 - carrier.  The IP440 used to offer the most
> configurations.  The IP600 is catching up.  IP600 does not offer mirrored
> drives as the IP440 does.  Yet the IP440 doesn't offer redundant power or
> hot-swap as the IP600 does.  IP330/VPN are pretty much fixed configs.
>
> Support was always good.  I understand Checkpoint is to take this over
> though (not knocking checkpoint).
> Parts were received in a day or two.
>
> One question I have is regarding the post that Nokia is behind in HA.  What
> does Stonebeat have that puts it ahead in regard to HA?  I find VRRP to
> work well.  Plus, I don't need an extra $10000 for HA.  VRRP is able to
> backup multiple systems.  It is also a standard.  Now if you're talking
> clustering or load balancing then I agree.  Although you can load balance
> using OSPF and VRRP I believe.
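An added example (not part of the original post or of any Nokia or Check Point tooling): a small Python model of the Local Director design described above, used to check that every WWW server's inbound path (Local Director static route to an external-LAN VRRP address) and outbound path (server default route to a server-LAN VRRP address) land on the same physical firewall, both in normal operation and after a firewall failure. Firewall and server names, the VRRP priority orders and the deliberately mismatched group are all constructed values.

```python
from collections import Counter

# Constructed sample topology: 4 WWW servers behind 4 Nokia firewalls.
# VRRP pair i (one external-LAN address, one server-LAN address) has the
# priority order below; the first live firewall in the list is master, so
# fw_i is master for pair i and a backup for the other three.
FIREWALLS = ["fw1", "fw2", "fw3", "fw4"]
SERVERS = ["www1", "www2", "www3", "www4"]

def rotated_priority(i):
    """Priority list for VRRP pair i: fw_i first, then the others in turn."""
    return FIREWALLS[i:] + FIREWALLS[:i]

# External-LAN VRRP groups (what the Local Director's static routes point at)
# and server-LAN VRRP groups (what each WWW server's default route points at).
EXT_PRIO = {s: rotated_priority(i) for i, s in enumerate(SERVERS)}
INT_PRIO = {s: rotated_priority(i) for i, s in enumerate(SERVERS)}

# Constructed misconfiguration: the server-LAN group for www1 has a different
# backup order than its external-LAN twin, so a failover splits the path.
BAD_INT_PRIO = dict(INT_PRIO)
BAD_INT_PRIO["www1"] = ["fw1", "fw3", "fw2", "fw4"]

def vrrp_master(priority, failed):
    """Return the live firewall with the highest VRRP priority, or None."""
    for fw in priority:
        if fw not in failed:
            return fw
    return None

def path_firewalls(ext_prio, int_prio, failed):
    """Map each server to (inbound firewall, outbound firewall)."""
    return {s: (vrrp_master(ext_prio[s], failed),
                vrrp_master(int_prio[s], failed)) for s in ext_prio}

def asymmetric_servers(paths):
    """Servers whose inbound and outbound packets cross different firewalls."""
    return sorted(s for s, (inb, outb) in paths.items() if inb != outb)

def load(paths):
    """Number of WWW servers whose traffic each firewall currently carries."""
    return Counter(inb for inb, _ in paths.values())

if __name__ == "__main__":
    for failed in (set(), {"fw1"}):
        good = path_firewalls(EXT_PRIO, INT_PRIO, failed)
        bad = path_firewalls(EXT_PRIO, BAD_INT_PRIO, failed)
        print("failed=%s load=%s" % (sorted(failed), dict(load(good))))
        print("  consistent config asymmetric:", asymmetric_servers(good))
        print("  mismatched config asymmetric:", asymmetric_servers(bad))
```

With a consistent configuration the loss of fw1 keeps every path symmetric and puts two servers' worth of traffic on fw2, the doubling described in the post; with the mismatched group, www1's return traffic leaves through fw3 while its inbound traffic arrives via fw2.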



This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 14:02:15 PDT