Nokia Network Voyager for IPSO 4.0 Reference Guide 199
tunnels do not fail over correctly. If the encryption/authentication algorithm is supported in
the master and not supported by the backup and you do not use NAT, tunnels fail over
correctly, but they are not accelerated after failover.
If you use sequence validation in VPN-1 NGX, you should be aware that in the event of a
failover, sequence validation is disabled for connections that are transferred to another node.
Sequence validation is enabled for connections that are created after the failover.
You might want to enable sequence validation in the Check Point management application and
IPSO, as described in the following procedure.
To enable sequence validation in the Check Point management application and IPSO
1. Click Advanced System Tuning under Configuration > System Configuration in the tree view.
Note
This option is available only when SecureXL is enabled.
2. On the Advanced System Tuning page, click the button to enable sequence validation.
3. Enable sequence validation in the Check Point management application.
4. Push the new policy to the IPSO appliance.
Configuring VRRP Rules for Check Point NGX
When you are using Check Point NGX FP1 and FP2 or later, you must define an explicit VRRP
rule in the rulebase to allow VRRP Multicast packets to be accepted by the gateway. You can
also block the VRRP traffic with an explicitly defined rule.
Caution
VRRP rule constructions used in Check Point FireWall-1 4.1 and earlier do not work
with Check Point NGX. Using these constructions could result in VRRP packets being
dropped by the cleanup rule.
For information about how to configure VRRP rules for Check Point FireWall-1 4.1, contact the
Nokia Technical Assistance Center (TAC).
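The following added example (not from this guide and not Check Point or Nokia code) models first-match rule evaluation to show which rule decides a VRRP advertisement when the explicit VRRP rule is missing, misplaced, or placed at the top. The Rule model, the rule names, and the sample addresses are assumptions constructed for illustration; VRRP itself uses IP protocol 112 and multicast address 224.0.0.18.

```python
import ipaddress
from dataclasses import dataclass

VRRP_PROTO = 112                                  # IP protocol number assigned to VRRP
VRRP_GROUP = ipaddress.ip_address("224.0.0.18")   # VRRP advertisement multicast address

@dataclass
class Rule:                 # hypothetical rule model, not a Check Point export format
    name: str
    protos: frozenset       # IP protocol numbers; empty set means "any"
    dsts: tuple             # destination networks; empty tuple means "any"
    action: str             # "accept" or "drop"

    def matches(self, proto, dst):
        proto_ok = not self.protos or proto in self.protos
        dst_ok = not self.dsts or any(dst in net for net in self.dsts)
        return proto_ok and dst_ok

def net(cidr):
    return ipaddress.ip_network(cidr)

def audit_vrrp(rulebase):
    """Return (rule name, action, explicit) for the first rule matching a VRRP advertisement."""
    for rule in rulebase:
        if rule.matches(VRRP_PROTO, VRRP_GROUP):
            explicit = VRRP_PROTO in rule.protos   # rule names VRRP rather than "any"
            return rule.name, rule.action, explicit
    return "implicit", "drop", False

# Constructed sample rules (addresses are documentation ranges).
VRRP_RULE = Rule("VRRP", frozenset({VRRP_PROTO}), (net("224.0.0.18/32"),), "accept")
STEALTH = Rule("Stealth", frozenset(), (net("192.0.2.1/32"),), "drop")
WEB = Rule("Web", frozenset({6}), (net("198.51.100.0/24"),), "accept")
CLEANUP = Rule("Cleanup", frozenset(), (), "drop")

NO_VRRP_RULE = [STEALTH, WEB, CLEANUP]
VRRP_BELOW_CLEANUP = [STEALTH, WEB, CLEANUP, VRRP_RULE]   # rule exists but is never reached
VRRP_ABOVE_STEALTH = [VRRP_RULE, STEALTH, WEB, CLEANUP]

if __name__ == "__main__":
    for label, rb in [("no VRRP rule", NO_VRRP_RULE),
                      ("VRRP rule below cleanup", VRRP_BELOW_CLEANUP),
                      ("VRRP rule above stealth", VRRP_ABOVE_STEALTH)]:
        print(label, "->", audit_vrrp(rb))
```

A result whose third field is False means the advertisement was decided by a catch-all rule rather than by an explicitly defined VRRP rule.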
Configuration Rule for Check Point NGX FP1
Locate the following rule above the Stealth Rule: