[177754] in North American Network Operators' Group


Re: Checkpoint IPS

daemon@ATHENA.MIT.EDU (Michael Hallgren)
Thu Feb 5 01:52:10 2015

X-Original-To: nanog@nanog.org
Date: Thu, 05 Feb 2015 07:51:56 +0100
From: Michael Hallgren <m.hallgren@free.fr>
To: Eugeniu Patrascu <eugen@imacandi.net>
In-Reply-To: <CALgc3C6iG_WW8_qJ2Sqomp7hheo_aXYO1A1YtDW4DbUS-z7BiQ@mail.gmail.com>
Cc: "nanog@nanog.org" <nanog@nanog.org>
Reply-To: mh@xalto.net
Errors-To: nanog-bounces@nanog.org

On 04/02/2015 17:07, Eugeniu Patrascu wrote:
> On Tue, Feb 3, 2015 at 5:41 PM, Michael Hallgren <m.hallgren@free.fr
> <mailto:m.hallgren@free.fr>> wrote:
>
>     On 03/02/2015 16:21, Eugeniu Patrascu wrote:
>>     On Mon, Feb 2, 2015 at 2:53 PM, Michael Hallgren
>>     <m.hallgren@free.fr <mailto:m.hallgren@free.fr>> wrote:
>>
>>         Hi,
>>
>>         Does anyone have positive or negative experience running a
>>         Checkpoint IPS cluster over a "long distance" sync
>>         network? Real-life limitations? Alternatives? Timers?
>>
>>
>>     You can do "stretched" with Check Point as long as the network
>>     delay is less than around 70-100 msec RTT or so. If you do this,
>>     run your firewalls in Active/Standby modes.
>>
>
>     Thanks Eugeniu, I see what you mean. The specific case I'm looking
>     at is about asymmetric routing, though.
>
>
> Firewalls/IPS and asymmetric routing don't play nice. Try to change
> your setup/design so that traffic enters/leaves your network segments
> through the same security device.

I know. However, I fail to see symmetric traffic flow as "natural",
apart from maybe at the extreme edge of a network. So, I need another
inspection strategy, I think.

Thanks,

mh
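The thread's two points (stateful inspection breaks under asymmetric routing, and a stretched cluster only works when state sync is faster than the traffic it protects) as an added toy model, not code from the thread or from Check Point. The firewall, packet format, addresses and sync delay are all constructed assumptions; the model tracks only a TCP 5-tuple and a "visible at" time per state entry.

```python
# Added illustration (not from the thread): two stateful firewalls, one on
# each path of an asymmetrically routed flow. A reply is accepted only if
# the inspecting node already holds state for the forward direction.
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple

Key = Tuple[str, int, str, int]  # (src, sport, dst, dport)


@dataclass
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    flags: str      # TCP flags as letters, e.g. "S" or "SA"
    t_ms: float     # arrival time at the firewall, in milliseconds


@dataclass
class StatefulFirewall:
    name: str
    # state entry -> time (ms) from which it is usable on this node
    table: Dict[Key, float] = field(default_factory=dict)

    def inspect(self, pkt: Packet) -> str:
        key: Key = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
        rev: Key = (pkt.dst, pkt.dport, pkt.src, pkt.sport)
        if "S" in pkt.flags and "A" not in pkt.flags:
            self.table[key] = pkt.t_ms          # new flow: record state
            return "accept"
        # Non-SYN traffic must match state that is already visible here
        if rev in self.table and self.table[rev] <= pkt.t_ms:
            return "accept"
        return "drop"


def sync_state(src: StatefulFirewall, dst: StatefulFirewall, sync_rtt_ms: float) -> None:
    """Replicate src's state to dst; entries become usable after sync_rtt_ms."""
    for key, t in src.table.items():
        dst.table.setdefault(key, t + sync_rtt_ms)


def simulate(sync_rtt_ms: Optional[float] = None, path_rtt_ms: float = 20.0,
             symmetric: bool = False) -> Tuple[str, str]:
    """Return (verdict on SYN, verdict on SYN-ACK) for one flow (constructed addresses)."""
    fw_a, fw_b = StatefulFirewall("A"), StatefulFirewall("B")
    syn = Packet("10.0.0.5", 40000, "198.51.100.7", 443, "S", 0.0)
    synack = Packet("198.51.100.7", 443, "10.0.0.5", 40000, "SA", path_rtt_ms)
    out = fw_a.inspect(syn)
    if sync_rtt_ms is not None:
        sync_state(fw_a, fw_b, sync_rtt_ms)
    back = (fw_a if symmetric else fw_b).inspect(synack)   # asymmetric: reply hits B
    return out, back
```

With no sync the reply is dropped; with sync faster than the path RTT it passes; with sync slower than the path RTT (the long-distance case) the reply still arrives before the state does and is dropped.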
