Configuring Firewall Monitoring - Nokia Voyager Reference Manual

default hash. Use the NAT_INT hash for internal interfaces and the
NAT_EXT hash for external interfaces on the node. (The cluster protocol uses
the hash values for load balancing purposes.)
Note
If you are choosing the hash method for an interface that uses NAT, and
the destination interface also uses NAT, use the default hash method
(for the interfaces at both ends of the link). This configuration prevents
packet loss that could be caused by an asymmetric routing scenario.
Note
When you use IP pools, the hash selection has no effect. See
"Configuring IP Pools" for more information about using IP pools.

If You Use NAT and Have a DMZ

If you have a demilitarized zone (DMZ) connected to a cluster that uses
NAT, observe the following guidelines when configuring the hash method on
the cluster interfaces connected to the DMZ. (Web, mail, and authentication
servers are often located in DMZs.)

• If you want to use NAT on the addresses in the DMZ, set the hash method
  to NAT_INT.
• If you do not want to use NAT on the addresses in the DMZ—that is, if
  you want to expose the real IP addresses used in the DMZ—set the hash
  method to NAT_EXT.

Configuring Firewall Monitoring

Use the option ENABLE VPN-1/FW-1 MONITORING? in the firewall table to
specify whether IPSO should wait for VPN-1/FireWall-1 to start before the
system becomes a node of a cluster—even if it is the only node of the cluster.
(This is particularly relevant if a cluster node is rebooted while it is in
service.) This option also specifies whether IPSO should monitor
VPN-1/FireWall-1 and remove the node from the cluster if the firewall stops
functioning.

Voyager Reference Guide