CPUG
The Check Point User Group
A Resource For The Check Point Community. Fast. Useful. Independent.
We're looking at setting up a cluster of checkpoints in one of our international offices. Currently either thinking of a couple of Edge devices or, if we can get the money, a couple of Crossbeam C2s with Express. If we were to use our existing SmartCenter server in another country, will pushing policy and receiving logs work successfully over the internet? We're talking UK to Australia here so the latency could be quite high. Any other things we would have to look out for in this sort of situation? Is it really best practice to manage firewall modules over the internet or should we be looking at another SmartCenter server at the other location?

mogwai, in the past I have used SmartCenter server in the UK to manage Nokia devices in Italy, Spain, Israel and Sweden and all worked very well with no noticeable latency problems when pushing policies / pulling logs. Obviously you're talking UK - Australia so there will be more latency, but assuming you have a big enough internet connection at each end I don't think you will have any major issues. Checkpoint encourage you to have a distributed environment with one central SmartCenter server as it takes the load off the enforcement modules (i.e. the devices at the other offices don't have any management functions to perform so they can concentrate on purely blocking / passing traffic). You could install SmartCenter server at each location but it will cost you for each licence (even a secondary 'redundant' server will need a licence). I suggest you:-
1. Setup management server in UK.
2. Make sure you have adequate bandwidth at each location.
3. Install CHKP as enforcement modules at other locations.
4. Ensure you have a backdoor into the remote sites because if you lose UK internet connection / remote site VPN you will not be able to manage these devices.
Personally, I would enable the modem on each device for callback and simply unplug the line at the remote site. If you need to use it, it is a lot easier to ask someone to plug the line in for you than talk someone through fw unloadlocal etc (especially if they don't speak your language - trust me I've been there :(! Hope the above helps.

Hi, I have the same question from the customer. He wanted to join 5 standalone CheckPoint FW (not Safe@Edge, but full ones) to one Management server all over Europe. After long discussions we decided to leave the system as is. Can you please explain which bandwidth is adequate? Do you have any rules with logging enabled?

Sergei, this is the configuration I had:-
London (250 users): 4 Mb, SPLAT Management Station, Nokia IP350 Enforcement Module
Madrid (10 users): 2 Mb ADSL, Nokia IP130 Enforcement Module
Milan (10 users): 2 Mb ADSL, Nokia IP130 Enforcement Module
Munich (50 users): 2 Mb SDSL, Nokia IP330 Enforcement Module
Tel Aviv (50 users): 2 Mb ADSL, SPLAT Enforcement Module
All policies pushed from London. All traffic between sites encrypted as site to site VPNs. All logs sent to Management station in London. All traffic logged except 'noise rule' (NBT etc). Never had any problems with bandwidth when communicating with the remote modules. Hope this helps, Joncon

One of our remote firewalls in South America (distributed setup with management in the US) has a 256k wireless internet connection (a company on a farm in the mountains). This has worked very well for us. I have even copied install files across the line (over the weekend of course) and remote controlled the box to clean and install new releases. It is a VPN Pro on Windows 2003 server. We do remote management to a lot of different boxes from Edge to Pro and it works very well. John

Quote:
Thanks, Jon