Chapter 10: High Availability > Summary - Pg. 380

Summary

In this chapter, we discussed the different high-availability options available with a Nokia. Although Nokia offers IP Clustering technology, the most popular high-availability mode when implementing a Nokia is active/passive.

The Nokia IPSO operating system supports VRRPv2 and VRRP Monitored Circuits. Although VRRPv2 has its advantages, it is recommended that Monitored Circuits be used. With VRRPv2, if an interface on the firewall were to go down, there would be no way of sending the backup Nokia device a message stating the current status of the interface. This would cause the backup device to assume the master role for the fallen interface only. You can definitely see the limitations. Monitored Circuits offer the feature of not only monitoring whether the firewall itself has crashed, but also whether a network card has gone down.

When implementing a high-availability solution, it is vital that the system clocks of both enforcement points are synchronized. The Check Point firewall is extremely sensitive in this regard. It is recommended that the enforcement points be within three seconds of each other. The best way to synchronize the time is to use NTP. This will ensure that the time is always consistent.

The final step in implementing a highly available firewall solution is to configure the Check Point Gateway Cluster Object. Not only must you add the individual enforcement points to the object, but you must configure the Topology with your VIP addresses and synchronization network. Do not forget to deselect the ClusterXL option on the Gateway Cluster Object, as well as enable Nokia VRRP as the high-availability method.

Solutions Fast Track

Understanding Check Point High Availability

Nokia offers a couple of different methods when implementing highly available firewalls: active/passive and active/active.

The use of VRRP in an active/passive configuration is one of the most commonly implemented methods for Nokia Check Point firewalls.

State synchronization ensures that an organization does not have asymmetric routing problems with their highly available firewall implementation.

Configuring the Nokia VRRP Implementation

VRRP implementations have one master and a minimum of one backup router.

VRRP is outlined in RFC 2338, a proposed standard.
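
The Summary's point about plain VRRPv2 versus Monitored Circuits can be seen in a small model. This is an added example, not code from the book or from IPSO: the node names, priorities, and the per-interface priority decrement are constructed assumptions, and the election is simplified to "highest effective priority among nodes whose interface is up".

```python
# Added illustration: toy model of VRRP master election on a two-node pair.
# All names and numbers are constructed; this is not IPSO's implementation.

BASE_PRIORITY = {"fw-a": 100, "fw-b": 95}       # constructed priorities
INTERFACES = ["external", "internal", "dmz"]    # constructed interface names
PRIORITY_DELTA = 10                             # assumed decrement per failed interface


def elect(link_up, monitored):
    """Return {interface: master node or None} for the given link states.

    link_up:   {(node, interface): bool}
    monitored: False = plain VRRPv2, each interface judged in isolation
               True  = monitored circuit, a failed interface lowers the
                       node's priority on every interface
    """
    masters = {}
    for iface in INTERFACES:
        candidates = {}
        for node, base in BASE_PRIORITY.items():
            if not link_up[(node, iface)]:
                continue  # a node cannot advertise on a dead interface
            prio = base
            if monitored:
                down = sum(1 for i in INTERFACES if not link_up[(node, i)])
                prio -= PRIORITY_DELTA * down
            candidates[node] = prio
        masters[iface] = max(candidates, key=candidates.get) if candidates else None
    return masters


def is_split(masters):
    """True when different nodes hold the master role on different interfaces."""
    return len({m for m in masters.values() if m is not None}) > 1


def scenario(failed):
    """Fail the listed (node, interface) pairs and run both election modes."""
    link_up = {(n, i): (n, i) not in failed
               for n in BASE_PRIORITY for i in INTERFACES}
    return elect(link_up, monitored=False), elect(link_up, monitored=True)


if __name__ == "__main__":
    plain, mc = scenario({("fw-a", "external")})
    print("VRRPv2:           ", plain, "split =", is_split(plain))
    print("Monitored circuit:", mc, "split =", is_split(mc))
```

With one interface failed on the master, the plain VRRPv2 run leaves the two nodes each holding the master role on different interfaces, while the monitored-circuit run moves every interface to the backup.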