Arkwright Community Legend ✭✭✭✭✭
Comments
-
Definitely X0, yes: X0 is used as a backup HA link so the advice is to connect it so the firewalls can see each other.
-
Only other option I can think of is asking the provider to see if they can give us two LAG ports from each Juniper. You just want a bunch of ports [two - one for each Sonicwall? or three - 2xSonicwalls + a port for the peer Juniper?] bridged together on each Juniper router. That would eliminate the switches. If one of the…
-
Configure Failover and Load Balancing with logical probing on the WAN(s). It will log the state of connectivity to the probe target and keep some [limited] statistics.
-
OK, given that information, it sounds to me like your real issue is losing contact with the firewall from the LAN, rather than some issue with F&LB. If you can't reach the firewall from the LAN then what your WANs are doing is irrelevant.
-
Where are you in relation to the firewall? If you are managing it from the LAN then you should not lose management access if any WAN is down. If you are managing it from the WAN, then you will lose management access via any WAN that is down. You will only be able to manage it via the WAN which is up. F&LB cannot fix that!
-
But more and more sites do a cross-check, where the remote site 'asks' the browser what certificate information it has received. I had a suspicion that something like this might be happening, performed by some WAF. Two customers reported an issue with two different sites that randomly return 404 on different page elements [we…
-
I suggest you test this whilst watching the state of the LB status/Target columns for each interface.
-
Can you use both WANs simultaneously in normal operation [ratio mode]? Do you have logical probing configured?
-
I just think this is a very misunderstood setting with SW's. Evidently :) So it's my understanding unless you install the certificates on all the workstations and/or servers DPI is doing absolutely nothing and eating up your ISP speed and firewall CPU. If you enable DPI-SSL on traffic for clients that don't trust your cert,…
-
My question is this: Why not just connect each different WiFi network (Guest vs Business) to a different physical interface? If you need the capacity, or don't have managed switches [and separate APs for guest and business…..we're getting a bit implausible here], then use separate physical interfaces. If you have managed…
-
I think that port scan detection detects port scans whether your firewall would have allowed the traffic or not, so having a rule makes no difference. Additionally, I have a suspicion that some innocuous patterns of traffic will trigger the detection; imagine a scenario where clients open multiple connections to a web…
-
You need to raise a customer service request. You cannot transfer it yourself.
-
I know nothing about Checkpoint. The only sensible default is to use the local and remote address as each IKE ID.
-
Is this connection subject to DPI-SSL?
-
You cannot not have an IKE ID. So I assume that means they're not setting them manually, and that's why it doesn't work.