tunnels do not fail over correctly. If the encryption/authentication algorithm is supported in the master and not supported by the backup and you do not use NAT, tunnels fail over correctly, but they are not accelerated after failover.

If you use sequence validation in VPN-1 NGX, you should be aware that in the event of a failover, sequence validation is disabled for connections that are transferred to another node. Sequence validation is enabled for connections that are created after the failover.

You might want to enable sequence validation in the Check Point management application and IPSO, as described in the following procedure.

To enable sequence validation in the Check Point management application and IPSO

1. Click Advanced System Tuning under Configuration > System Configuration in the tree view.

Note

This option is available only when SecureXL is enabled.

2. On the Advanced System Tuning page, click the button to enable sequence validation.

3. Enable sequence validation in the Check Point management application.

4. Push the new policy to the IPSO appliance.

Configuring VRRP Rules for Check Point NGX

When you are using Check Point NGX FP1, or FP2 or later, you must define an explicit VRRP rule in the rulebase so that VRRP multicast packets are accepted by the gateway. You can also block VRRP traffic with an explicitly defined rule.

Caution

The VRRP rule constructions used in Check Point FireWall-1 4.1 and earlier do not work with Check Point NGX. Using these constructions could result in VRRP packets being dropped by the cleanup rule.

For information about how to configure VRRP rules for Check Point FireWall-1 4.1, contact the Nokia Technical Assistance Center (TAC).
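As an added illustration that is not part of this guide, the following Python models a first-match rulebase to show why a VRRP advertisement that is not matched by an explicit accept rule falls through to the cleanup rule and is dropped. The Stealth and Cleanup rule shapes and all addresses are assumptions; the VRRP multicast group 224.0.0.18 and IP protocol 112 are the standard values.

```python
# Added example, not code from the Nokia/Check Point documentation.
# A minimal first-match rulebase evaluator; rule shapes follow common
# Check Point practice (assumption), addresses are constructed.
from dataclasses import dataclass

VRRP_GROUP = "224.0.0.18"   # VRRP advertisement multicast group (RFC 3768)
VRRP_PROTO = 112            # IP protocol number assigned to VRRP
ANY = "*"

@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: int

@dataclass(frozen=True)
class Rule:
    name: str
    src: str        # single host address or ANY
    dst: str        # single host address or ANY
    proto: object   # IP protocol number or ANY
    action: str     # "accept" or "drop"

    def matches(self, pkt: Packet) -> bool:
        return (self.src in (ANY, pkt.src)
                and self.dst in (ANY, pkt.dst)
                and self.proto in (ANY, pkt.proto))

def evaluate(rulebase, pkt):
    """Return (rule name, action) of the first rule that matches pkt."""
    for rule in rulebase:
        if rule.matches(pkt):
            return rule.name, rule.action
    raise ValueError("rulebase has no cleanup rule")

GATEWAY = "192.0.2.1"                  # constructed: this gateway's address
MEMBERS = ["192.0.2.1", "192.0.2.2"]   # constructed: VRRP cluster members

def vrrp_rules():
    # One accept rule per member: only cluster members may send VRRP.
    return [Rule("VRRP", m, VRRP_GROUP, VRRP_PROTO, "accept") for m in MEMBERS]

STEALTH = Rule("Stealth", ANY, GATEWAY, ANY, "drop")   # protect the gateway itself
CLEANUP = Rule("Cleanup", ANY, ANY, ANY, "drop")       # implicit final drop

def vrrp_verdict(explicit_rule: bool):
    """Verdict for a peer's VRRP advertisement with or without the VRRP rule."""
    rulebase = (vrrp_rules() if explicit_rule else []) + [STEALTH, CLEANUP]
    advert = Packet(src="192.0.2.2", dst=VRRP_GROUP, proto=VRRP_PROTO)
    return evaluate(rulebase, advert)
```

Without the explicit rule the advertisement never matches the Stealth Rule (its destination is the multicast group, not the gateway address) and so reaches the cleanup rule, which drops it.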

Configuration Rule for Check Point NGX FP1

Locate the following rule above the Stealth Rule:

Nokia Network Voyager for IPSO 4.0 Reference Guide

199
