dieselhead
Technical User
I am fairly new to firewalling. My background is OSPF / Integrated IS-IS routing.
In my current company they use Nokia firewalls running Checkpoint Firewall VPN.
I can't figure out how to get redundant routes through them if they are state aware.
I could enable OSPF on the firewalls, or run OSPF virtual adjacencies through them, but with OSPF going off to some edge router that connects to the internet then I can't guarantee that a TCP session will not go out through one site or ISP and then come back through the other. Therefore I get an assymetric traffic flow and the session aware rules dump the session.
I can't easily sync two firewalls that are on different sites in different parts of the country.
The only solution appears to be to funnel all the traffic through one sire and run them through a firewall pair with a VRRP address.
This isn't quite the level of redundancy that I'm looking for.
How do I solve this?
In my current company they use Nokia firewalls running Checkpoint Firewall VPN.
I can't figure out how to get redundant routes through them if they are state aware.
I could enable OSPF on the firewalls, or run OSPF virtual adjacencies through them, but with OSPF going off to some edge router that connects to the internet then I can't guarantee that a TCP session will not go out through one site or ISP and then come back through the other. Therefore I get an assymetric traffic flow and the session aware rules dump the session.
I can't easily sync two firewalls that are on different sites in different parts of the country.
The only solution appears to be to funnel all the traffic through one sire and run them through a firewall pair with a VRRP address.
This isn't quite the level of redundancy that I'm looking for.
How do I solve this?
