Does a device like this one exist? checkpoint help

[Czar]

Basicly just a rj45 connector with two inputs and one output. The device watches input1 and sees if it is active or not, if it senses no activity for a certain time it would automaticly switch over to input2.

What I need this or something like this for is for a checkpoint firewall I have at work, lacks a failover feature so when it fails I have to manualy remove the cables from it and switch over to the backup firewall. Our outsorced checkpoint guy says this is the best way but I think its pretty low tech and lacks any automation

 

[Atheus]

I never saw a device like this, but i'd like to know if one exists myself.

So what's your setup? both firewalls plugged into the internet connection and doing their thing, but only one output connected to your router at any one time? If so, couldn't you plug both firewalls into the router and build the failover system into that? Like the router monitors the firewalls, but blocks anything coming from the secondary one, unless nothing is coming from the primary... or you could have the two firewalls monitor eachother and only begin allowing traffic if there is no response from the other.

 

[Czar]

One firewall with 4 nics connected to 4 subnets, when it goes down I either reboot it and it works again or I just plug the backup firewall in, both have the same ip addresses so I cant connect them at the same time.

Has to do with everything here being on static ip's so their gateway settings is the ip on the checkpoint firewall.

But I found this
http://www.rainfinity.com/products/ds_rainwall_check_point.html

Which does everything I need.. but at a whooping $3000 per node, needing two nodes its $6000.

 

[n0cmonkey]

Upgrade. VRRP is nice. :evil:

 

[piasabird]

Well there are routers with 2 WAN Ports. Many ISP's have multiple backbone connections.

 

[nweaver]

what you need to do is setup a load balancing/failover machine that takes the IP of the firewall (the one they share) and the clients connect to it. It then either load balances and/or provides the failover (it's smart enough to stop trying the dead one) and give the 2 firewalls unique IP's. I would think you could do this with some fancy work in any *nix distro on an older P2/P3 system.

 

[Czar]

n0cmonkey,
upgrade to what?

nweaver,
with a loadbalancing/failover machine, wouldnt that machine be the single point of failure?

 

[n0cmonkey]

Originally posted by: Czar
n0cmonkey,
upgrade to what?

nweaver,
with a loadbalancing/failover machine, wouldnt that machine be the single point of failure?

Checkpoint high availability. I've setup a couple of Nokias running Checkpoint with VRRP so they fail over nicely and automagically. It's beautiful.

 

[Czar]

ah I see

I talked to our checkpoint guy and he said thats only available for the nokia servers, we are running on linux or something. So he proposed a 3 computer setup. Two firewalls like we have now and then a monitor computer which watches and syncs the two. Sounds exactly like my first idea after this problem arose, must be some way to just script the damn thing

 

[n0cmonkey]

Originally posted by: Czar
ah I see

I talked to our checkpoint guy and he said thats only available for the nokia servers, we are running on linux or something. So he proposed a 3 computer setup. Two firewalls like we have now and then a monitor computer which watches and syncs the two. Sounds exactly like my first idea after this problem arose, must be some way to just script the damn thing

Wow, I figured there'd be something for the major platforms at least. Just another reason to always go Nokia.

:evil: Switch to OpenBSD. CARP gives you automatic failover, and pfsync makes sure you don't lose any connections if it happens. Plus you get Packet Filter, the best firewall around. /:evil:

 

[Czar]

hehe, read up on that too, carp and pfsync like vrrp is exactly what everyone should have, but noooo stupid checkpoint

but i love checkpoints management software

 

[n0cmonkey]

Originally posted by: Czar
hehe, read up on that too, carp and pfsync like vrrp is exactly what everyone should have, but noooo stupid checkpoint

but i love checkpoints management software

It's ok. I think there are checkpointish GUIs for PF too, but the rule syntax is easy enough I don't see a need for them. PF's logs are nicer too.

 

[winn0031]

Basicly just a rj45 connector with two inputs and one output. The device watches input1 and sees if it is active or not, if it senses no activity for a certain time it would automaticly switch over to input2.

I have no Idea of your budget, but there are definatley devices outhere that do precisely what you describe and would work in conjunction with your check point firewall (more in front of it in your netwrok, transparently)

www.astrocorp.com

they make a device that you hook 2 ethernet to it, it monitors traffic on both lines, if one goes down, it automatically switches all traffic, both inbound and outbound, to the line that is up. works best with 2 connections from 2 seperate isps. pm me if you want more details.