© Copyright IBM Corp. 2000 149
Chapter 3. High availability for VPN-1/FireWall-1
This chapter contains step-by-step instructions on how to make the
VPN-1/FireWall-1 implementation that is demonstrated in Chapter 2,
Implementation of VPN-1/FireWall-1 on AIX on page 25 highly available by
utilizing the IBM HACMP product and a second RS/6000 workstation as a
standby firewall. Readers who are not familiar with the basic concepts of
HACMP are advised to first read Appendix A, Introduction to HACMP on
page 333.
3.1 Design considerations for highly available VPN-1/FireWall-1
This section is intended to give an in-depth technical background on the
reasoning behind our High Availability (HA) solution design. A reader who is
not very familiar with the VPN-1/FireWall-1 and HACMP products is not
required to understand this section in detail before going through the steps of
how to implement this solution later in this chapter.
3.1.1 Test environment
Our test environment consists of two RS/6000 systems (called fw3 and fw4).
The four networks attached to the firewalls are:
• The Internet
• A demilitarized zone for publicly accessible Web and FTP servers
• A dedicated administration network
• An internal network (intranet)
150 Check Point FireWall-1 on AIX - A Cookbook for Stand-Alone and High Availability Solutions
Figure 76. Abstract network plan for high availability
3.1.2 Our HA design goals
These were the design goals for our highly available firewall environment:
• The solution requires only two workstations to run VPN-1/FireWall-1.
• The two workstations should be as identical as possible.
• Load balancing is not a goal: availability of service would be in danger if
one system alone were not strong enough to carry the whole traffic load
after the other firewall goes down.
• Even when one firewall workstation completely fails, full VPN-1/FireWall-1
functionality should still be available:
- VPN-1/FireWall-1 traffic filtering should continue after takeover.
Active connections (for example, long FTP downloads) should not be
lost.
- VPN-1/FireWall-1 management (for example, changing of rules, adding
of users, and so forth) should also still be possible after takeover.
- The loss of VPN-1/FireWall-1 logs (audit trail) is to be avoided.
3.1.3 Classical VPN-1/FireWall-1 HA design
The VPN-1/FireWall-1 product provides several HA features. It supports state
synchronization of the firewall modules, which allows active connections to
continue after failover. However, there is no built-in mechanism in
VPN-1/FireWall-1 to synchronize the security policy (filter rules and users)
across two VPN-1/FireWall-1 management stations.
[Figure 76 labels: Public Servers, fw3, INTERNET, Intranet, Administration, fw4]
The classical way of building a highly available VPN-1/FireWall-1
environment is to use two separate firewall modules and one dedicated
VPN-1/FireWall-1 management module on a third separate workstation.
Advantages of having one dedicated VPN-1/FireWall-1 management
workstation:
• This is the simplest HA configuration. There is no need to worry about how
to synchronize the security policy across multiple management stations
because there is only one.
Disadvantages of having only one VPN-1/FireWall-1 management
workstation:
• The VPN-1/FireWall-1 management workstation is a single point of failure.
As soon as it fails, the VPN-1/FireWall-1 functionality is reduced to filtering
only, and changing the security policy (for example, changing rules, adding
users, and so forth) is impossible until the management workstation is
fixed or replaced, which usually takes hours. All VPN-1/FireWall-1 logs and
configurations are potentially lost.
• There are additional hardware costs because of the extra hardware unit for
the VPN-1/FireWall-1 management workstation.
3.1.4 Our HA design
Because the classical setup did not meet our design goals, we decided to use
a slightly more complex but much more powerful approach. We use only two
workstations to provide one highly available firewall.
3.1.4.1 HACMP setup
In our HACMP setup:
• HACMP is used for service IP address takeover only. Service IP
addresses are the highly available IP addresses that are considered to be
the highly available firewall. The firewall workstation that has the service
IP addresses is the active node from a HACMP perspective. It will get all
the IP traffic.
• Filesystems are not shared. It is recommended to set up local mirrors of all
filesystems in case of a hard drive failure, but this is not discussed in this
redbook.
• We chose the HACMP rotating mode. When an error is detected on a
firewall, it will shut itself down and the other firewall will take over the
service IP addresses. HACMP cascading mode would provide minimal
benefit but require redundant network adapters, thereby halving the
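The following is an added example, not code from the redbook or from HACMP, that models what the rotating-mode choice above means for service IP ownership over time. It assumes the classic HACMP semantics: in rotating mode the service IP addresses stay with whichever node currently holds them and a repaired node rejoins as the standby, while in cascading mode the resource group falls back to the highest-priority node as soon as that node rejoins. The page's stated reason for choosing rotating mode is the adapter requirement; the model shows a second consequence of the choice, the number of disruptive address moves each mode causes for the same failure and repair sequence. The node names fw3 and fw4 are the page's; the service IP values are constructed documentation-range addresses.

```python
"""Toy model of service IP address takeover under two HACMP resource-group policies.

Added example (assumption-based model, not HACMP code). Every move of the
service IP addresses between nodes is counted as a takeover, because each
move interrupts the traffic flowing through the firewall that loses them.
"""
from dataclasses import dataclass, field
from typing import List, Optional, Set, Tuple

# Constructed sample values (TEST-NET documentation ranges), not the redbook's addresses.
SERVICE_IPS: Tuple[str, ...] = ("192.0.2.1", "198.51.100.1")


@dataclass
class Cluster:
    """Two-node cluster holding one resource group (the service IP addresses)."""
    mode: str                                   # "rotating" or "cascading"
    priority: List[str]                         # node names, highest priority first
    holder: Optional[str] = None                # node currently owning SERVICE_IPS
    up: Set[str] = field(default_factory=set)   # nodes currently in the cluster
    takeovers: int = 0                          # every move disrupts open connections
    history: List[Tuple[str, str]] = field(default_factory=list)

    def __post_init__(self) -> None:
        if self.mode not in ("rotating", "cascading"):
            raise ValueError("mode must be 'rotating' or 'cascading'")
        self.up = set(self.priority)
        self.holder = self.priority[0]          # highest-priority node starts active

    def _move(self, node: str) -> None:
        """Give the service IPs to `node`; counts as a takeover if another node held them."""
        if self.holder is not None and node != self.holder:
            self.history.append((self.holder, node))
            self.takeovers += 1
        self.holder = node

    def fail(self, node: str) -> None:
        """A firewall detects an error and shuts itself down; the survivor takes over."""
        self.up.discard(node)
        if node == self.holder:
            survivors = [n for n in self.priority if n in self.up]
            if survivors:
                self._move(survivors[0])
            else:
                self.holder = None              # no node left: service is down

    def rejoin(self, node: str) -> None:
        """A repaired firewall reintegrates into the cluster."""
        self.up.add(node)
        if self.holder is None:
            self._move(node)                    # service was down: restart, not a takeover
        elif self.mode == "cascading":
            best = next(n for n in self.priority if n in self.up)
            self._move(best)                    # falls back to the higher-priority node
        # rotating mode: the rejoining node simply becomes the new standby


def simulate(mode: str, events: List[Tuple[str, str]]) -> Cluster:
    """Replay (action, node) events against an fw3/fw4 cluster and return its final state."""
    cluster = Cluster(mode=mode, priority=["fw3", "fw4"])
    for action, node in events:
        getattr(cluster, action)(node)          # action is "fail" or "rejoin"
    return cluster


if __name__ == "__main__":
    # fw3 fails and is later repaired; compare how often the service IPs move.
    sequence = [("fail", "fw3"), ("rejoin", "fw3")]
    for policy in ("rotating", "cascading"):
        state = simulate(policy, sequence)
        print(f"{policy:9}: holder={state.holder} takeovers={state.takeovers} "
              f"moves={state.history}")
```

For the single fail-and-repair sequence in the usage block, rotating mode leaves the service IPs on fw4 after one takeover, whereas cascading mode moves them back to fw3 on reintegration, disrupting connections a second time. The model also covers the double-failure case: when both nodes are down the service is simply unavailable, and the first node to rejoin restarts it without that restart being counted as a takeover.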