342 Check Point VPN-1/FireWall-1 on AIX: A Cookbook for Stand-Alone and High Availability Solutions
Figure 136. Pre and post-event script flow
A.2 Design consideration
There are many different approaches to designing for high availability. Please
regard this section as a reference point rather than the only possible design.
Choosing a platform
The primary objective of our design was to devise a highly available
solution while keeping hardware costs as low as possible.
One of the major factors affecting hardware cost is the number of I/O slots
provided with a machine. From this viewpoint, the RS/6000 43P offers good
price/performance for many highly available implementation scenarios.
However, all the concepts described in this redbook apply to other RS/6000
models as well. For a comparison of the available 43P and F50 machines,
refer to Table 12.
Table 12. H/W specification comparison between IBM RS/6000 43P and F50

Machine Type                 43P Model 140       43P Model 150       F50
Number of processors         1                   1                   1 ~ 4
[Figure 136 flowchart labels: Event Notify Script, Pre-Event Script, Event Script, exit = 0 (YES / NO), count > 0, Recovery Script, count = Recovery Count, Post-Event Script, Event Notify Script]
Appendix A. Introduction to HACMP 343
Shared disk
In an HA firewall setup, it is necessary to have a method to synchronize the
filter rules between two or more clustered firewall machines. A shared
disk, which was discussed in Shared disks and shared volume groups on
page 337, can be used in order to provide continuous access to the filter
rules. If a firewall machine fails, HACMP moves the shared disk over to
another machine.
There are two disadvantages to having a shared disk. The first is that the
filter rule files are usually so small that most of the disk space is wasted.
The second is that HACMP usually takes more time to take over a hard disk
than to take over an IP address: most of that time is spent running fsck
before the file systems can be mounted. The longer the takeover time, the
bigger the security exposure becomes.
We decided not to use a shared disk; instead, we devised a way to
synchronize the filter rules whenever they change.
Since a firewall configuration is not static and changes from time to time, it
is necessary to synchronize the firewall configuration in a high availability
scenario.
The firewall configuration is made up of several files that can be viewed
and easily copied. When the firewall starts or is updated, it reads its
configuration from these files. In order to synchronize the firewall
configuration, all changed files need to be copied, and the firewalls need
to be updated for the configuration changes to be activated.
When copying files to synchronize systems, there are two problems. The
first is that the files could have changed on multiple systems at the same
time, in which case a decision has to be made about which files to keep and
which to discard. The second is that, when copying files, it must be ensured
that all the files are transferred correctly, without alteration or loss of
information.
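To make the two problems above concrete, here is an added example of a synchronization script in POSIX shell. It is not from the redbook and is not Check Point's or IBM's own tooling. It assumes the firewall configuration is a flat directory of files (for example $FWDIR/conf) and uses two local directories as stand-ins for the primary and secondary cluster members so that it runs offline; in a real cluster the copy would travel over the private network on an authenticated transport, and the policy would be reloaded on the secondary after a successful run. The script records the checksum of each file as last synchronized, refuses to overwrite a file that was edited on the secondary since then (the first problem), and verifies every copy with cksum before renaming it into place (the second problem). The file names fwrules.W and objects.C in demo() are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the redbook): synchronize a firewall's
# configuration directory from the primary to the secondary cluster member.
# ASSUMPTIONS: the configuration is a flat directory of files (for example
# $FWDIR/conf); the secondary's copy is reachable as a local directory
# (a mounted path or a stand-in for a remote copy); file names in demo()
# are constructed for illustration.

# sum_of FILE -> "crc:size" as reported by cksum
sum_of() {
    cksum "$1" | awk '{print $1 ":" $2}'
}

# record NAME SUM STATE -> replace NAME's entry in STATE with "NAME SUM"
record() {
    { awk -v n="$1" '$1 != n' "$3"; echo "$1 $2"; } > "$3.new" && mv "$3.new" "$3"
}

# fw_sync SRC_DIR DST_DIR STATE_FILE
#   Copies each regular file in SRC_DIR whose checksum differs from the
#   copy in DST_DIR. STATE_FILE holds "name crc:size" for every file as it
#   was last synchronized. If the DST copy no longer matches that record,
#   the file was changed on the secondary since the last sync, so it is
#   reported as a CONFLICT and left alone instead of being overwritten.
#   Each copy is verified by checksum before being renamed into place.
#   Output: one line per file (SYNCED, UNCHANGED or CONFLICT name).
#   Exit status: 0 = no conflicts, 2 = conflicts found, 1 = transfer error.
fw_sync() {
    src=$1; dst=$2; state=$3
    rc=0
    mkdir -p "$dst"
    [ -f "$state" ] || : > "$state"
    for path in "$src"/*; do
        [ -f "$path" ] || continue
        name=$(basename "$path")
        want=$(sum_of "$path")
        have=""
        [ -f "$dst/$name" ] && have=$(sum_of "$dst/$name")
        last=$(awk -v n="$name" '$1 == n {print $2}' "$state")
        if [ "$want" = "$have" ]; then
            [ "$last" = "$want" ] || record "$name" "$want" "$state"
            echo "UNCHANGED $name"
            continue
        fi
        if [ -n "$have" ] && [ -n "$last" ] && [ "$have" != "$last" ]; then
            echo "CONFLICT $name"      # changed on both members: needs a decision
            rc=2
            continue
        fi
        # Copy to a temporary name, verify, then rename atomically so the
        # firewall never reads a partially written file.
        cp "$path" "$dst/.$name.tmp" || return 1
        if [ "$(sum_of "$dst/.$name.tmp")" != "$want" ]; then
            rm -f "$dst/.$name.tmp"
            echo "TRANSFER ERROR $name" >&2
            return 1
        fi
        mv "$dst/.$name.tmp" "$dst/$name"
        record "$name" "$want" "$state"
        echo "SYNCED $name"
    done
    return $rc
}

# demo: constructed run showing a first sync, a no-op second pass, and a
# conflict after both members edited the same file.
demo() {
    t=$(mktemp -d) || return 1
    mkdir "$t/primary"
    printf 'accept http from any to webserver\n' > "$t/primary/fwrules.W"
    printf 'network_objects\n' > "$t/primary/objects.C"
    echo "--- first sync";  fw_sync "$t/primary" "$t/secondary" "$t/sync.state"
    echo "--- second sync"; fw_sync "$t/primary" "$t/secondary" "$t/sync.state"
    printf 'drop all\n'   > "$t/primary/fwrules.W"
    printf 'local edit\n' > "$t/secondary/fwrules.W"
    echo "--- after edits on both members"
    fw_sync "$t/primary" "$t/secondary" "$t/sync.state"
    rm -rf "$t"
}

demo
```

The state file is what turns a plain copy into a conflict check: the secondary is only overwritten when its copy still matches what the last synchronization delivered, so an edit made directly on the secondary is reported rather than silently lost, and the decision about which version to keep is left to the administrator. The temporary-file-then-rename step, combined with the checksum comparison, covers the integrity problem for both interrupted transfers and corrupted copies.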
Table 12 (continued). H/W specification comparison between IBM RS/6000 43P and F50

Machine Type                 43P Model 140       43P Model 150       F50
Processor type               PowerPC 604e        PowerPC 604e        PowerPC 604e
Clock rates                  332 MHz             375 MHz             332 MHz
Slots                        3 PCI + 2 PCI/ISA   5 PCI               7 PCI + 2 PCI/ISA
Relative OLTP performance    5.3                 6.0                 10.0 ~ 32.8
