| CPUG | |
| The Check Point User Group | |
| A Resource For The Check Point Community. Fast. Useful. Independent. | |
All-

We are a rather large organization with over 80 Nokia (and a few Windows-based) FWs in a fully meshed VPN Community based on R60 HFA05. All of our external firewalls' primary communication channel is to our home site based in the US, at which the core is a singular Nokia IP390.

I've been tasked to get this core IP390 FW into an Active-Standby HA mode using Nokia VRRP. From what I can gather so far I will need to do the following:

1) Set up an interface on both to be used solely for VRRP.
2) Run cpconfig on both FWs and state that each is a member of a cluster.
3) Create a new FW definition inside the Console in order to state that this is indeed a Cluster.

The 3rd item is where I have the biggest concerns. I would think that in creating a completely new FW definition for our core that I would be creating an entirely new certificate. This new certificate for our core would need to be pushed to every FW, and all SecureClient users when connecting would immediately be prompted to accept the new certificate. Is this a correct assumption?

I assume I'm not the only person here who has had to go through this; anyone have any pointers?

Thanks,
eyunghans
| |||
Step 1: Build a new IP390 as a VRRP member. You will need an additional interface to use for State Synchronisation. VRRP is run on all of the traffic-bearing interfaces. You will also need to allocate two new IP addresses for each interface on the box, as the VRRP address will be the original IP390 interface address, requiring the use of new IP addresses as the interface IP on the new IP390 and the existing IP390 that will be redone. This will require that you define a new gateway object to represent the new Check Point.

Step 2: Create a Check Point Cluster Object and add the new object as a member. Configure the topology, etc., in the cluster object.

Step 3: Insert into the network and push policy to all of the gateways. You will indeed get a new cert, as a new cluster object will have its own new certificate. Once done, rebuild the existing IP390 as a cluster member and add it, then push policy again.