Frequently Asked Questions
The following Frequently Asked Questions, answered by the authors of this book, are designed to both measure your understanding of the concepts presented in this chapter and to assist you with real-life implementation of these concepts. To have your questions about this chapter answered by the author, browse to www.syngress.com/solutions and click on the Ask the Author form. You will also gain access to thousands of other FAQs at ITFAQnet.com.
| 1. | I ve been told that state synchronization uses authentication between cluster members . My machines are connected via crossover cable. Is there a way to disable authentication? | |
| 2. | In prior methods , I had to edit the sync.conf file and run the putkeys command in order to establish synchronization peers; is this no longer the case? | |
| 3. | I have a Nokia appliance but I am confused about the capabilities of ClusterXL on IPSO and the need for VRRP. How is this configuration special? | |
| 4. | I can t seem to find the configuration information I m looking for in SecureKnowledge or on Check Point s website. Is there somewhere else I should be looking? | |
Answers
| 1. | Indeed there is. You simply need to edit the $FWDIR/lib/control.map file and add the sync directive to the line that currently reads: * : getkey,gettopo,gettopossl,certreq/none. Contact Check Point Technical Support or at a minimum view SecureKnowledge Solution ID: 55.0.5956173.2652048 before making changes to the control.map file as it can cause you endless headaches and expose you to security risks if you make incorrect changes. |
| 2. | You are referring to what is called the Old Sync Method. VPN-1/FW-1 NG AI uses what is known as the New Sync Method, and this configuration is all GUI-based. No need to meddle with the sync.conf file anymore (note that you still can use the old method, but then you must use the putkeys command). |
| 3. | ClusterXL when referring to IPSO-based appliances simply means state synchronization. VRRP and Nokia s clustering technology handles sending traffic to one gateway or another. In this case, VPN-1/FW-1 simply processes any and all packets it sees and then updates other members via state synchronization. Make sure you do NOT check ClusterXL in the Products Installed part of the Cluster object s configuration. The 3 rd Party Configuration page will allow you to specify if you are using Nokia VRRP or clustering and set the appropriate parameters. |
| 4. | Yes, Check Point s online help is pretty good in NG AI. When you re looking at a screen just click the Help button to find configuration examples as well as discussions of what each option does. Check Point has examples of how to migrate from a legacy HA installation to new mode HA or Load Sharing with Minimal Effort or Minimal Downtime , as well as many others common configurations. There are other resources on the Internet as well, but check out the online Help; it may save you a lot of time. |
![Check Point NG[s]AI](/icons/blank_book.jpg "Check Point NG[s]AI"){kind=icon}