Hi!
The PIX Admin. guide says: "The PIX Firewall checks TCP sequence number and
ensures that it fits within an acceptable range".
The questions are:
- does the PIX really do this?
- does "acceptable range" mean "within the window, but out-of-order TCP
segments are allowed"?
- does this checking mean that a dedicated *Gig* Ethernet interface is required
for stateful failover, provided that we use a 535 with Gig interfaces for data
traffic? (If SEQs are really tracked by the (active) PIX, it must send SEQ changes
to the standby for every data packet, mustn't it? So, what about performance issues?)
Thank you,
Oleg Tipisov,
REDCENTER,
Moscow