On 04/02/2015 17:07, Eugeniu Patrascu wrote:
> On Tue, Feb 3, 2015 at 5:41 PM, Michael Hallgren <m.hallg...@free.fr> wrote:
>
>> On 03/02/2015 16:21, Eugeniu Patrascu wrote:
>>> On Mon, Feb 2, 2015 at 2:53 PM, Michael Hallgren
>>> <m.hallg...@free.fr> wrote:
>>>
>>>> Hi,
>>>>
>>>> Does anyone have positive or negative experience running a
>>>> Checkpoint IPS cluster over a ``long distance'' synch.
>>>> network? Real life limitations? Alternatives? Timers?
>>>
>>> You can do "stretched" with Check Point as long as the network
>>> delay is less than around 70-100 msec RTT or so. If you do this,
>>> run your firewalls in Active/Standby modes.
>>
>> Thanks Eugeniu, I see what you mean. The specific case I'm looking
>> at is about asymmetric routing, though.
>
> Firewalls/IPS and asymmetric routing don't play nice. Try to change
> your setup/design so that traffic enters/leaves your network segments
> through the same security device.

I know. However, I fail to see symmetric traffic flow as ``natural'',
apart from maybe at the extreme edge of a network. So, need another
inspection strategy I think.

Thanks,
mh