Computer and IT knowledge - things to know
 
############################################################
High Availability VPN 4.1 SP2
-----------------------------
FW1	MM2	Master for Sleepy & Sneezy
	MM1	offline
	FWSTOP !(both MM!)
	MM2	+ Remote Module 204.32.38.1	(Check Point Configuration!)
	
	Security Policy
		Network object	VRRP_Multicast
				IP 224.0.0.18/32
		Service Object	VRRP_Protocol
				match: ip_p = 112
		Group		HA_Firewall contains
				sleepy + sneezy
		-> in the policy, replace Sneezy with group HA_Firewall
		Insert rules:
			- HA_Firewall	VRRP_Multicast	VRRP_Protocol	accept
			- allow NTP service (net_local to HA_Firewall)
			- turn off MASQ / NAT Hide
FW1	Voyager / interface
FWM
	sleepy:	eth-s4p1	10.10.10.1/24
		sleepy-sync	(enter hostname)
	sneezy: eth-s4p1	10.10.10.2/24
		sneezy-sync	(enter hostname)
	Voyager / NTP
	sneezy:	NTP on
		Local Clock as Master
		Peer Sleepy
		(-> NTP Server)
	sleepy:	NTP on
		server sneezy
	Voyager / Checkpoint Configuration
		-> ! disable IFWD !
	-> save
FW1	FWSTOP	(both FWM)
FWM	echo "204.32.38.121" >$FWDIR/conf/masters
	sneezy	
		echo "10.10.10.1" >$FWDIR/conf/sync.conf
		FW PUTKEY -p abc123 10.10.10.1
	sleepy
		echo "10.10.10.2" >$FWDIR/conf/sync.conf
		FW PUTKEY -p abc123 10.10.10.2
	1. sneezy FWSTART
	2. sleepy FWSTART
	netstat
		-> 2 connections established between "sneezy-sync" ..
	tcpdump -i eth-s4p1
		-> see data transfers of synchronisation
	$FWDIR/log/fwd.elg	#logging messages for synchronisation
Setting up "Monitored Circuit" using voyager
----------------------------------------
	Voyager->Router Services->VRRP
	Interface eth-s3p1c0:
	- Monitored Circuit on
	- Create Virtual Router: 204	(must be the same on the two fw!)
	- Priority: 
		- sleepy: 95
		- sneezy: 100
	- Priority Delta:
		- sleepy: 10		
		- sneezy: 10
	- Monitored Interface:
		- eth-s5p1c0
	- Backup Address:
		- sneezy: 204.32.38.254
	- authentication: simple -> pw abc123
	
	Interface eth-s5p1c0:
	- Monitored Circuit on
	- Create Virtual Router: 192	(must be the same on the two fw!)
	- Priority:
		- sleepy: 95
		- sneezy: 100
	- Priority Delta:
		- sleepy: 10		
		- sneezy: 10
	- Monitored Interface:
		- eth-s3p1c0
	- Backup Address:
		- sneezy: 192.168.10.254
	- authentication: simple -> pw abc123
	-> master saves first!!
	-> default routes on workstations to 204.32.38.254
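
Added example (not part of the original notes): a small Python model of the Monitored Circuit settings above, showing which firewall is VRRP master for virtual routers 204 and 192 when an interface fails, and checking that the priority delta is larger than the priority gap. It assumes the effective priority is the configured priority minus the delta for each monitored interface that is down; the function names are made up for this example.

```python
# Constructed from the Voyager values in the notes above.
# Assumption: effective priority = priority - delta per monitored interface down.
CONFIG = {
    204: {"iface": "eth-s3p1c0", "monitors": ["eth-s5p1c0"],
          "nodes": {"sleepy": (95, 10), "sneezy": (100, 10)}},
    192: {"iface": "eth-s5p1c0", "monitors": ["eth-s3p1c0"],
          "nodes": {"sleepy": (95, 10), "sneezy": (100, 10)}},
}


def effective_priority(priority, delta, monitors, down):
    """Priority a node advertises, given its set of failed interfaces."""
    return priority - delta * sum(1 for i in monitors if i in down)


def elect(config, down_by_node):
    """Return {vrid: master or None} for {node: set of down interfaces}."""
    masters = {}
    for vrid, vr in config.items():
        candidates = {}
        for node, (prio, delta) in vr["nodes"].items():
            down = down_by_node.get(node, set())
            if vr["iface"] in down:
                continue  # no advertisements leave a dead interface
            candidates[node] = effective_priority(prio, delta, vr["monitors"], down)
        masters[vrid] = max(candidates, key=candidates.get) if candidates else None
    return masters


def delta_too_small(config):
    """VRIDs where one failed monitored interface would not move the master."""
    bad = []
    for vrid, vr in config.items():
        (top, delta), (runner_up, _) = sorted(vr["nodes"].values(), reverse=True)[:2]
        if top - delta >= runner_up:  # a tie is flagged too
            bad.append(vrid)
    return bad


if __name__ == "__main__":
    print("all up:           ", elect(CONFIG, {}))
    print("sneezy loses s5p1:", elect(CONFIG, {"sneezy": {"eth-s5p1c0"}}))
    print("delta too small:  ", delta_too_small(CONFIG))
```

With the values from the notes, losing either interface on sneezy moves both virtual routers to sleepy together, so the firewall pair does not end up with one side on each box.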