Checkpoint IPS

Eugeniu Patrascu eugen at imacandi.net
Wed Feb 4 16:07:33 UTC 2015


On Tue, Feb 3, 2015 at 5:41 PM, Michael Hallgren <m.hallgren at free.fr> wrote:

>  On 03/02/2015 16:21, Eugeniu Patrascu wrote:
>
> On Mon, Feb 2, 2015 at 2:53 PM, Michael Hallgren <m.hallgren at free.fr>
> wrote:
>
>> Hi,
>>
>> Does anyone have positive or negative experience running
>> Checkpoint IPS cluster over ``long distance'' synch.
>> network? Real life limitations? Alternatives? Timers?
>>
>>
>  You can do "stretched" with Check Point as long as the network delay is
> less than around 70-100 msec RTT or so. If you do this, run your firewalls
> in Active/Standby modes.
>
>
> Thanks Eugeniu, I see what you mean. The specific case I'm looking at is
> about asymmetric routing, though.
>

Firewalls/IPS and asymmetric routing don't play nice. Try to change your
setup/design so that traffic enters/leaves your network segments through
the same security device.


