[177751] in North American Network Operators' Group
Re: Checkpoint IPS
daemon@ATHENA.MIT.EDU (Eugeniu Patrascu)
Wed Feb 4 11:07:48 2015
X-Original-To: nanog@nanog.org
In-Reply-To: <54D0EC39.40209@free.fr>
Date: Wed, 4 Feb 2015 18:07:33 +0200
From: Eugeniu Patrascu <eugen@imacandi.net>
To: mh@xalto.net
Cc: "nanog@nanog.org" <nanog@nanog.org>
Errors-To: nanog-bounces@nanog.org
On Tue, Feb 3, 2015 at 5:41 PM, Michael Hallgren <m.hallgren@free.fr> wrote:
> On 03/02/2015 16:21, Eugeniu Patrascu wrote:
>
> On Mon, Feb 2, 2015 at 2:53 PM, Michael Hallgren <m.hallgren@free.fr>
> wrote:
>
>> Hi,
>>
>> Does anyone have positive or negative experience running
>> a Checkpoint IPS cluster over a ``long distance'' synch.
>> network? Real life limitations? Alternatives? Timers?
>>
>>
> You can do "stretched" with Check Point as long as the network delay is
> less than around 70-100 msec RTT or so. If you do this, run your firewalls
> in Active/Standby modes.
>
>
> Thanks Eugeniu, I see what you mean. The specific case I'm looking at is
> about asymmetric routing, though.
>
Firewalls/IPS and asymmetric routing don't play nice. Try to change your
setup/design so that traffic enters/leaves your network segments through
the same security device.
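
One way to check whether traffic really enters and leaves through the same security device, as an added example that is not part of the original message: it groups flow records from two devices by session and reports sessions whose two directions crossed different devices. The device names `fw-a`/`fw-b`, the record layout and the sample records are assumptions constructed for illustration.

```python
from collections import defaultdict

# Constructed sample flow records (not from the thread):
# (device, src_ip, src_port, dst_ip, dst_port, proto)
SAMPLE_FLOWS = [
    ("fw-a", "10.1.1.10", 40001, "192.0.2.20", 443, "tcp"),
    ("fw-a", "192.0.2.20", 443, "10.1.1.10", 40001, "tcp"),  # both ways via fw-a
    ("fw-a", "10.1.1.11", 40002, "192.0.2.30", 443, "tcp"),
    ("fw-b", "192.0.2.30", 443, "10.1.1.11", 40002, "tcp"),  # return via fw-b
    ("fw-b", "10.1.1.12", 40003, "192.0.2.40", 53, "udp"),   # no return seen
]


def session_key(src_ip, src_port, dst_ip, dst_port, proto):
    """Direction-independent session key: the two endpoints in sorted order."""
    low, high = sorted([(src_ip, src_port), (dst_ip, dst_port)])
    return (proto, low, high)


def find_asymmetric(flows):
    """Map each problem session to 'split' or 'one-way'.

    'split'   : the two directions were not seen on one and the same device.
    'one-way' : only one direction was logged anywhere (the reply took a path
                with no logging device, or there was no reply at all).
    """
    devices = defaultdict(lambda: {True: set(), False: set()})
    for device, sip, sport, dip, dport, proto in flows:
        key = session_key(sip, sport, dip, dport, proto)
        from_low = (sip, sport) == key[1]  # which endpoint sent this record
        devices[key][from_low].add(device)

    findings = {}
    for key, by_dir in devices.items():
        one, other = by_dir[True], by_dir[False]
        if not one or not other:
            findings[key] = "one-way"
        elif one != other or len(one) > 1:
            findings[key] = "split"
    return findings


if __name__ == "__main__":
    for (proto, low, high), status in find_asymmetric(SAMPLE_FLOWS).items():
        print(f"{status:8} {proto} {low[0]}:{low[1]} <-> {high[0]}:{high[1]}")
```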