
Bridge/ Layer 2 Firewall connectivity and HA



andrewm
2013-11-12, 08:02
Hi all,

I am trying to find some detailed documentation on how the load balancing/ ClusterXL functionality works in combination with Check Point as an L2 bridging firewall.

I am currently looking at FW-1 running on Gaia - R75.40 and FW-1 on Splunk R71.40. STP is not enabled on the Check Point box.

Can the Firewall process actually disable bridging? I have seen an instance where, due to the cluster members not syncing correctly, BPDUs were no longer passed. However, in its default config, when both cluster members are talking, it seems to allow BPDUs through, even though it is supposed to be in active/ standby mode (ClusterXL). This seems a little strange because you can cause a complete outage if someone moves the root bridge...
So what actually causes the firewall to block bridging?

I was also wondering whether it would be possible to run the following configuration:



                /------FW-------\
server--- router1       |       router2----pc
                \-------FW-------/


where both links between the two routers are routed links, and the FW sits as a "bump" in the wire. The link directly between the firewalls is used to pass state information, and there are no layer 2 links between the firewalls. The two routers would use a dynamic routing protocol such as eigrp between each other.

Would this work with FW-1, and both FWs in Active mode...?

Is there any more detailed documentation on how FW-1 cluster/ HA exactly works with L2 configurations?

Thanks for any pointers

Regards

Andrew
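
The BPDU question in the post above can be made concrete with a small model. The code below is an added example for this thread, not Check Point code and not ClusterXL's actual behaviour: it classifies Ethernet frames as STP BPDUs (destination 01:80:C2:00:00:00, LLC DSAP/SSAP 0x42), builds a constructed Configuration BPDU as sample input, and then models a two-member bridge-mode cluster under two assumed policies: the standby member relays BPDUs regardless of cluster state (what the poster observed), or BPDUs follow cluster state like any other frame. The member names and the `bpdu_bypass_cluster_state` switch are assumptions for illustration.

```python
"""Toy model: STP BPDU classification and a two-member L2 firewall cluster.

Added example for this discussion. It is NOT Check Point / ClusterXL code;
the cluster states and forwarding policies are assumptions used to show why
relaying BPDUs through both members exposes two parallel L2 paths to STP.
"""
import struct

STP_MULTICAST_MAC = bytes.fromhex("0180c2000000")  # IEEE 802.1D "All Bridges" group MAC
LLC_STP_SAP = 0x42                                  # DSAP/SSAP carried by STP/RSTP BPDUs


def is_bpdu(frame: bytes) -> bool:
    """Classify an Ethernet frame as a spanning-tree BPDU.

    A BPDU is an 802.3 frame (length field <= 1500 rather than an EtherType)
    addressed to 01:80:C2:00:00:00 whose LLC header has DSAP == SSAP == 0x42.
    """
    if len(frame) < 17:
        return False
    dst = frame[0:6]
    type_or_len = struct.unpack("!H", frame[12:14])[0]
    dsap, ssap = frame[14], frame[15]
    return (dst == STP_MULTICAST_MAC and type_or_len <= 1500
            and dsap == LLC_STP_SAP and ssap == LLC_STP_SAP)


def build_config_bpdu(src_mac: bytes, bridge_priority: int, bridge_mac: bytes) -> bytes:
    """Construct a minimal 802.1D Configuration BPDU (constructed sample, not a capture)."""
    bridge_id = struct.pack("!H", bridge_priority) + bridge_mac
    bpdu = struct.pack("!HBBB", 0x0000, 0x00, 0x00, 0x00)   # protocol id, version, type, flags
    bpdu += bridge_id                                        # root identifier
    bpdu += struct.pack("!I", 0)                             # root path cost
    bpdu += bridge_id                                        # bridge identifier
    bpdu += struct.pack("!H", 0x8001)                        # port identifier
    bpdu += struct.pack("!HHHH", 0, 20 * 256, 2 * 256, 15 * 256)  # age/max age/hello/fwd delay, 1/256 s
    payload = bytes([LLC_STP_SAP, LLC_STP_SAP, 0x03]) + bpdu  # LLC header (UI frame) + BPDU
    frame = STP_MULTICAST_MAC + src_mac + struct.pack("!H", len(payload)) + payload
    return frame.ljust(60, b"\x00")                          # pad to minimum size (no FCS)


def build_ipv4_frame(src_mac: bytes, dst_mac: bytes) -> bytes:
    """Constructed non-BPDU data frame (EtherType 0x0800) for contrast."""
    return dst_mac + src_mac + struct.pack("!H", 0x0800) + b"\x45" + b"\x00" * 59


class BridgeMember:
    """One bridge-mode firewall in a two-member active/standby cluster (model only)."""

    def __init__(self, name: str, active: bool):
        self.name = name
        self.active = active

    def forwards(self, frame: bytes, bpdu_bypass_cluster_state: bool) -> bool:
        """Would this member pass the frame between its two bridged ports?

        Data traffic flows only through the active member. For BPDUs the
        assumed policy decides: with bpdu_bypass_cluster_state=True the standby
        relays them too; with False they are dropped like any other frame.
        """
        if is_bpdu(frame):
            return self.active or bpdu_bypass_cluster_state
        return self.active


def copies_delivered(frame: bytes, members, bpdu_bypass_cluster_state: bool) -> int:
    """Number of copies of the frame the far-side switch receives via the cluster.

    Two copies of every BPDU means STP on the adjacent switches sees both
    physical links as live paths, which is the condition the thread worries about.
    """
    return sum(m.forwards(frame, bpdu_bypass_cluster_state) for m in members)


if __name__ == "__main__":
    sw_mac = bytes.fromhex("001122334455")
    bpdu = build_config_bpdu(sw_mac, 32768, sw_mac)
    data = build_ipv4_frame(sw_mac, bytes.fromhex("66778899aabb"))
    cluster = [BridgeMember("FW-A", active=True), BridgeMember("FW-B", active=False)]
    for policy in (True, False):
        print(f"BPDU bypasses cluster state={policy}: "
              f"BPDU copies={copies_delivered(bpdu, cluster, policy)}, "
              f"data copies={copies_delivered(data, cluster, policy)}")
```

Run stand-alone it prints two BPDU copies under the bypass policy and one under the state-following policy, while data frames always traverse only the active member; the difference is exactly the question to put to the vendor documentation or TAC before trusting the design.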

PhoneBoy
2013-11-12, 15:05
Check Point provides a guide on configuring your systems in bridge mode, what is supported, etc.

http://downloads.checkpoint.com/dc/download.htm?ID=21482

R75.40 won't be supported for a Bridge Mode cluster, but there are several options if you go to R75.40VS, R76, or R77.

cciesec2006
2013-11-12, 16:16
> Check Point provides a guide on configuring your systems in bridge mode, what is supported, etc.
>
> http://downloads.checkpoint.com/dc/download.htm?ID=21482
>
> R75.40 won't be supported for a Bridge Mode cluster, but there are several options if you go to R75.40VS, R76, or R77.

DO NOT DO IT. Checkpoint is terrible at supporting this type of configuration. Their TAC engineer will not be able to support you.

I tried to do this back in 2010 and it went nowhere.

If you decide to take this path, be prepared to have another job ready :(

alienbaby
2013-11-12, 20:45
DO NOT DO IT. The stability of a Check Point L2 firewall is less than stellar. The last one I had the misfortune to deal with had to be rebooted daily.

cciesec2006
2013-11-12, 21:23
> DO NOT DO IT. The stability of a Check Point L2 firewall is less than stellar. The last one I had the misfortune to deal with had to be rebooted daily.

Alienbaby is absolutely correct. You don't have to take my word for it. Just search this forum for the Layer-2 firewall topic that I posted back in 2010 and you will see PhoneBoy's comments on it as well.

The more things change, the more they stay the same.

andrewm
2013-11-13, 08:18
Thanks for the comments everyone.

I had thought as much already. I am even less keen on running a routing protocol on my firewall, however.

Regards

Andrew