Chapter 3. High availability for VPN-1/FireWall-1 229
3.9 High availability issues with VPN-1/FireWall-1
This section describes high availability issues with VPN-1/FireWall-1.
3.9.1 Synchronizing VPN-1/FireWall-1 management
You may have realized that, although the VPN-1/FireWall-1 firewall modules are
synchronized, the VPN-1/FireWall-1 management modules, and therefore the
security policies held on them, are not. To cure this, we created the script
/usr/local/bin/diff_fw1 (see Section 3.5.4.4, diff_fw1 on page 190), which
copies all relevant files under the /usr/lpp/CPfw1-41 directory from the primary
management station (fw3) to the secondary management station (fw4). Because
diff_fw1 kills the VPN-1/FireWall-1 Management Daemon (fwm) on fw4 before the
files are copied, fwm has to be restarted on fw4 after the synchronization. The
files and directories that must not be copied are listed in
/usr/local/bin/diff_fw1.not.
Note
The following steps from 3.9 on have not been replicated and tested in this
updated version. The original text from the -00 version of this redbook has
been kept.
As for the inability of firewalls to maintain connections (VPN, authentication
or otherwise) across failover, Check Point has made many advances in this
area. User Authentication worked fine across failover: the browser
transparently reauthenticated the session. Check Point claims that the
persistence of these connections is now handled and maintained in a much
better manner. This is covered in Section 1.4, What's new in
VPN-1/FireWall-1 V4.1 and SP1 on page 12, and Section 1.5, What's new in
VPN-1/FireWall-1 V4.1 SP2 on page 20.
You can try out /usr/local/bin/diff_fw1 now. This is what it looks like:
fw4:/# diff_fw1
This script is going to try to copy the VPN-1/FireWall-1 configuration of fw3 to fw4
Generating checksums on fw3
Generating checksums on fw4
Generating diff of checksums
These files are different:
/usr/lpp/CPfw1-41/conf/objects.C
/usr/lpp/CPfw1-41/conf/rulebases.fws
/usr/lpp/CPfw1-41/database/fwauth.NDB
/usr/lpp/CPfw1-41/database/objects.C
/usr/lpp/CPfw1-41/conf/fw.license
/usr/lpp/CPfw1-41/conf/objects.C.bak
/usr/lpp/CPfw1-41/database/opsec_authkeys.C
/usr/lpp/CPfw1-41/conf/vpn.W
Do you want to continue and copy them to fw4 ? [y]/n y
Generating tar of different files on fw3
a /usr/lpp/CPfw1-41/conf/objects.C 69 blocks.
a /usr/lpp/CPfw1-41/conf/rulebases.fws 55 blocks.
a /usr/lpp/CPfw1-41/database/fwauth.NDB 41 blocks.
a /usr/lpp/CPfw1-41/database/objects.C 70 blocks.
a /usr/lpp/CPfw1-41/conf/fw.license 5 blocks.
a /usr/lpp/CPfw1-41/conf/objects.C.bak 69 blocks.
a /usr/lpp/CPfw1-41/database/opsec_authkeys.C 1 blocks.
a /usr/lpp/CPfw1-41/conf/vpn.W 10 blocks.
Killing FireWall-1 Management Daemon (fwm) on fw4
kill: 6486: 0403-003 The specified process does not exist.
kill: 6486: 0403-003 The specified process does not exist.
kill: 6486: 0403-003 The specified process does not exist.
Extracting tar of different files on fw4
x /usr/lpp/CPfw1-41/conf/objects.C, 35291 bytes, 69 media blocks.
x /usr/lpp/CPfw1-41/conf/rulebases.fws, 27838 bytes, 55 media blocks.
x /usr/lpp/CPfw1-41/database/fwauth.NDB, 20481 bytes, 41 media blocks.
x /usr/lpp/CPfw1-41/database/objects.C, 35443 bytes, 70 media blocks.
x /usr/lpp/CPfw1-41/conf/fw.license, 2060 bytes, 5 media blocks.
x /usr/lpp/CPfw1-41/conf/objects.C.bak, 35291 bytes, 69 media blocks.
x /usr/lpp/CPfw1-41/database/opsec_authkeys.C, 239 bytes, 1 media blocks.
x /usr/lpp/CPfw1-41/conf/vpn.W, 4637 bytes, 10 media blocks.
Comparing checksums of transferred files between nodes
The files that were found different are now identical.
You still need to restart fwm on fw4 !!!
Do you want me to delete all /tmp/diff_fw1*.11120 files [y]/n? y
fw4:/usr/local/bin#
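The procedure the listing above walks through (checksum both nodes, diff, kill fwm, copy the differing files, verify) as an added example that is not the redbook's diff_fw1 script: it models the same steps locally in POSIX sh on two constructed directories standing in for /usr/lpp/CPfw1-41 on fw3 and fw4, so no second node, rsh or tar pipeline is needed. The exclusion list (the role of diff_fw1.not) is an assumption, because the page does not show its real contents, and every file content below is invented for the demonstration.

```shell
#!/bin/sh
# Added example (not the redbook's own diff_fw1 script): a local model of its
# checksum-diff-copy-verify procedure. Two constructed directories stand in
# for $FWDIR (/usr/lpp/CPfw1-41) on fw3 and fw4; the rsh/tar transfer of the
# real script becomes a plain copy so this runs on any POSIX shell without
# a second node. Exclusion paths are relative to the product directory.

# One "crc size ./relative/path" line per regular file, sorted so that the
# lists from both nodes can be compared line by line.
checksum_tree() {
    (cd "$1" && find . -type f -print | LC_ALL=C sort |
        while IFS= read -r f; do cksum "$f"; done)
}

# Relative paths that differ between the primary ($1) and the secondary ($2):
# a different checksum or size, or missing on the secondary. Paths listed in
# the exclusion file ($3, the role of diff_fw1.not) are dropped.
changed_files() {
    primary_sums=$(checksum_tree "$1")
    secondary_sums=$(checksum_tree "$2")
    printf '%s\n' "$primary_sums" | while read -r crc size path; do
        if ! printf '%s\n' "$secondary_sums" | grep -qxF -- "$crc $size $path"; then
            printf '%s\n' "${path#./}"
        fi
    done | grep -vxF -f "$3" || true
}

# Copy every changed file from the primary to the secondary. In the real
# procedure fwm is killed on the secondary before this step and has to be
# restarted afterwards: the management daemon must not be running while its
# configuration and database files are replaced underneath it.
sync_files() {
    changed_files "$1" "$2" "$3" | while IFS= read -r rel; do
        mkdir -p "$2/$(dirname "$rel")"
        cp -p "$1/$rel" "$2/$rel"
    done
}

# Succeeds only when nothing outside the exclusion list still differs
# (the "files that were found different are now identical" check).
verify_sync() {
    [ -z "$(changed_files "$1" "$2" "$3")" ]
}

# Constructed sample trees; file contents are invented for the demonstration.
demo_setup() {
    DEMO_ROOT=$(mktemp -d)
    DEMO_FW3=$DEMO_ROOT/fw3
    DEMO_FW4=$DEMO_ROOT/fw4
    DEMO_NOT=$DEMO_ROOT/diff_fw1.not
    mkdir -p "$DEMO_FW3/conf" "$DEMO_FW3/database" "$DEMO_FW4/conf" "$DEMO_FW4/database"
    printf 'rule 1: accept http\n' > "$DEMO_FW3/conf/rulebases.fws"
    cp "$DEMO_FW3/conf/rulebases.fws" "$DEMO_FW4/conf/rulebases.fws"   # already identical
    printf 'host fw3 10.3.3.3\nhost fw4 10.3.3.4\n' > "$DEMO_FW3/conf/objects.C"
    printf 'host fw3 10.3.3.3\n' > "$DEMO_FW4/conf/objects.C"           # stale on fw4
    printf 'userdb v2\n' > "$DEMO_FW3/database/fwauth.NDB"                 # missing on fw4
    printf 'fw4\n' > "$DEMO_FW3/conf/clients"                              # node-specific, must stay
    printf 'fw3\n' > "$DEMO_FW4/conf/masters"                              # node-specific, must stay
    # Assumed exclusion list: the masters/clients files differ by design
    # (fw4 is a client of fw3, never a master of it); the page does not show
    # the real contents of diff_fw1.not.
    printf 'conf/clients\nconf/masters\n' > "$DEMO_NOT"
}

# Stand-alone run: report the differences, copy them, verify.
demo_setup
echo "These files are different:"
changed_files "$DEMO_FW3" "$DEMO_FW4" "$DEMO_NOT"
sync_files "$DEMO_FW3" "$DEMO_FW4" "$DEMO_NOT"
verify_sync "$DEMO_FW3" "$DEMO_FW4" "$DEMO_NOT" &&
    echo "The files that were found different are now identical."
rm -rf "$DEMO_ROOT"
```

In the real script the copy runs over rsh with tar, and fwm on the secondary is killed before the extract and restarted afterwards. The verification step is the one worth keeping whatever the transport, because a partially extracted objects.C or fwauth.NDB would leave the secondary management station with a database that matches neither node.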
The other problem is that the security policy cannot be installed from fw3 onto
fw4 once fw4 has gone active, because the cluster then replaces fw4's boot IP
addresses with the service IP addresses, while the primary address of the fw4
object on fw3 is still fw4_out_boot and the VPN-1/FireWall-1 management daemon
on fw3 wants to talk to that address. Therefore, we added an IP alias for the
boot address to the external network interface in /usr/local/bin/active-start,
which is executed after the service IP addresses have been configured on all
network interfaces.
Another limitation you may encounter is that you cannot install a security
policy from the secondary management station (fw4) onto the secondary filter
(fw3).
For fw4 to be able to send its log files to fw3, fw4 has to be defined in the
clients file on fw3, and the masters file on fw3 must be empty. Since fw4
cannot be in the masters file on fw3, fw4 is not allowed to install a security
policy on fw3; fw3 stopped logging fw4's messages as soon as we put fw4 into
the masters file on fw3. This is a somewhat unexpected and undocumented
behavior of VPN-1/FireWall-1. We found it out in our tests and changed our
design accordingly (see Section 3.1.4, Our HA design on page 151) from totally
equal rotating gateways to an asymmetric primary management/secondary filter
and secondary management/primary filter arrangement.
3.9.2 NAT
Before NAT can work again, you need to put the NAT routes back into effect.
Comparing the current rc.local with the saved copy shows which entries were
lost; the route is then added on both nodes, appended to rc.local on fw4 and
cloned to fw3_adm with clonediff:
fw4:/# cd /etc
fw4:/etc# diff rc.local rc.local.old
3,5c3,5
< # start ntp daemon as client
< startsrc -s xntpd
< /usr/es/sbin/cluster/etc/rc.cluster -boot '-N' '-b' '-i'
---
> arp -s 802.5 10.2.2.3 00:06:29:B9:FE:FC pub
> route add 10.2.2.3 10.3.3.3
> arp -s 802.5 10.2.2.9 00:06:29:B9:FE:FC pub
fw4:/etc# route add 10.2.2.3 10.3.3.3
10.3.3.3 host 10.2.2.3: gateway 10.3.3.3
fw4:/etc# rsh fw3_adm route add 10.2.2.3 10.3.3.3
10.3.3.3 host 10.2.2.3: gateway 10.3.3.3
fw4:/etc#
fw4:/etc# echo "route add 10.2.2.3 10.3.3.3" >> rc.local
fw4:/etc# clonediff rc.local
5a6
> route add 10.2.2.3 10.3.3.3
-rwxr-xr-x 1 root system 193 Sep 01 17:56 fw4:/etc/rc.local
-rwxr-xr-x 1 root system 165 Sep 01 16:41 fw3_adm:/etc/rc.local
fw4:/etc/rc.local -> fw3_adm:/etc/rc.local ? y
fw4:/etc#
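The route and ARP entries that the listing above re-adds, as an added example that is not part of the redbook: it makes the rc.local edit idempotent (the echo >> rc.local above appends a duplicate on every re-run) and checks that both nodes carry the same entries before the file is cloned. The route and the published ARP entries are the values shown in the listing; whether the ARP entries from rc.local.old are still required is not stated on the page, so they are handled here only as a second entry type. The file names are temporary stand-ins, constructed so the example runs without root and without touching /etc.

```shell
#!/bin/sh
# Added example, not from the redbook: keep the entries NAT depends on in
# rc.local idempotently and check that both nodes carry the same file before
# it is cloned. The route and ARP values are the ones from the listing; the
# rc files are temporary stand-ins (constructed) so the script runs anywhere.

# Append a line to an rc file unless it is already present verbatim.
# Returns 0 when the line was added, 1 when it was already there, so a
# re-run (or a second operator) never duplicates entries the way a plain
# "echo ... >> rc.local" does.
ensure_line() {
    rc_file=$1
    wanted=$2
    [ -f "$rc_file" ] || : > "$rc_file"
    if grep -qxF -- "$wanted" "$rc_file"; then
        return 1
    fi
    printf '%s\n' "$wanted" >> "$rc_file"
}

# A host route for the translated address via the real host behind the
# firewall (AIX answers "<gw> host <dest>: gateway <gw>" when applied live).
ensure_nat_route() {      # rc_file translated_addr real_addr
    ensure_line "$1" "route add $2 $3"
}

# A published (proxy) ARP entry: the firewall answers ARP for the translated
# address with its own MAC on the given interface type (802.5 = token ring),
# which is what rc.local.old carried for the two NAT addresses.
ensure_proxy_arp() {      # rc_file if_type translated_addr firewall_mac
    ensure_line "$1" "arp -s $2 $3 $4 pub"
}

# Lines present in one node's rc file but not in the other's. Prints the
# mismatches and succeeds only when the two files agree, which is the check
# worth making before clonediff copies one node's file over the other's.
rc_mismatch() {           # node_a_rc node_b_rc
    a_only=$(grep -vxF -f "$2" "$1" || true)
    b_only=$(grep -vxF -f "$1" "$2" || true)
    [ -n "$a_only" ] && printf '%s\n' "$a_only" | sed 's/^/only on first:  /'
    [ -n "$b_only" ] && printf '%s\n' "$b_only" | sed 's/^/only on second: /'
    [ -z "$a_only" ] && [ -z "$b_only" ]
}

# Constructed stand-ins for /etc/rc.local on fw4 and fw3_adm, starting from
# the two lines the listing shows in the current file.
demo_nat_rc() {
    DEMO_DIR=$(mktemp -d)
    FW4_RC=$DEMO_DIR/fw4.rc.local
    FW3_RC=$DEMO_DIR/fw3_adm.rc.local
    printf '# start ntp daemon as client\nstartsrc -s xntpd\n' > "$FW4_RC"
    cp "$FW4_RC" "$FW3_RC"
    for rc in "$FW4_RC" "$FW3_RC"; do
        ensure_nat_route "$rc" 10.2.2.3 10.3.3.3 || :
        ensure_proxy_arp "$rc" 802.5 10.2.2.3 00:06:29:B9:FE:FC || :
    done
}

# Stand-alone run: populate both files, then confirm they agree.
demo_nat_rc
if rc_mismatch "$FW4_RC" "$FW3_RC"; then
    echo "fw4 and fw3_adm rc.local agree:"
    cat "$FW4_RC"
fi
rm -rf "$DEMO_DIR"
```

Writing the entry to rc.local only makes it survive a reboot; as in the listing, the same route still has to be applied live on both nodes (locally and via rsh to fw3_adm) for NAT to work before the next boot.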

Check Point VPN-1 / FireWall-1 on AIX: A Cookbook for Stand-Alone and High Availability Solutions