CPUG

The Check Point User Group

A Resource For The Check Point Community.  Fast.  Useful.  Independent.

#1, 2007-12-13, eyunghans
How to convert an existing FW to an A-S Cluster using Nokia VRRP?

All-

We are a rather large organization with over 80 Nokia (and a few Windows-based) FWs in a fully meshed VPN Community based on R60 HFA05. All of our external firewalls' primary communication channel is to our home site based in the US, at which the core is a singular Nokia IP390. I've been tasked to get this core IP390 FW into an Active-Standby HA mode using Nokia VRRP.

From what I can gather so far I will need to do the following:
1) Set up an interface on both to be used solely for VRRP.
2) Run cpconfig on both FWs and state that each is a member of a cluster.
3) Create a new FW definition inside the Console in order to state that this is indeed a Cluster.

The 3rd item is where I have the biggest concerns. I would think that in creating a completely new FW definition for our core that I would be creating an entirely new certificate. This new certificate for our core would need to be pushed to every FW, and all SecureClient users when connecting would immediately be prompted to accept the new certificate. Is this a correct assumption?

I assume I'm not the only person here who has had to go through this; anyone have any pointers?

Thanks,
eyunghans
#2, 2007-12-13, mcnallym
Re: How to convert an existing FW to an A-S Cluster using Nokia VRRP?

Step 1: Build a new IP390 as a VRRP member. You will need an additional interface to use for State Synchronisation. VRRP is run on all of the traffic bearing interfaces.

You will also need to allocate two new IP addresses for each interface on the box as the VRRP address will be the original IP390 interface address, requiring the use of new IP addresses as the interface IP on the new IP390 and the existing IP390 that will be redone.

This will require that you define a new gateway object to represent the new Check Point.

Step 2: Create a Check Point Cluster Object and add the new object as a member. Configure the topology, etc., in the cluster object.

Step 3: Insert into network and push policy to all of the gateways.

You will indeed get a new cert as a new cluster object that will have its own new certificate.

Once done, rebuild existing IP390 as a cluster member and add, then push policy again.