Monday, December 12, 2005

Q: How do I get the Checkpoint cluster to redistribute certain interface routes into OSPF?

A:
I was surprised to note that in Voyager for IPSO 3.8.1 there is no option to redistribute cluster interface routes into OSPF. That means I cannot get the firewalls to tell OSPF that it has a route to the DMZ segments. There is an option to redistribute static routes into OSPF, but Voyager will not even let me enter a route to one of the interface networks as a static route, because it already has it as an interface route. So there is no possibility of a workaround this way.

I ended up entering a static route to each of the DMZ networks via the firewall on the router just inside the firewall, and injecting those routes into OSPF there.

Last year, someone noted that originally routers tried to be firewalls. They didn't do this very well, so separate firewalls became the norm. Now, firewalls are trying to be routers, and it seems in this case not doing a very good job of it at all.

UPDATE: according to Nokia, this and other cluster-related features are not working in IPSO 3.8.1. An upgrade to IPSO 4.0 is warranted before any further troubleshooting.
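The workaround described above, sketched as an added example that is not part of the original post. It assumes the inside router runs Cisco IOS, which the post does not state. The DMZ prefixes, the cluster's inside address, the OSPF process ID and the list names are all constructed placeholders. The prefix-list keeps any other static route on the router from leaking into OSPF.

```cisco
! Assumed: Cisco IOS on the router just inside the firewall.
! 192.0.2.0/24 and 198.51.100.0/24 are placeholder DMZ networks.
! 10.1.1.1 is a placeholder for the firewall cluster's inside address.

! Static routes to each DMZ network via the firewall cluster
ip route 192.0.2.0 255.255.255.0 10.1.1.1
ip route 198.51.100.0 255.255.255.0 10.1.1.1

! Match only the DMZ prefixes, so no other static route is redistributed
ip prefix-list DMZ-NETS seq 10 permit 192.0.2.0/24
ip prefix-list DMZ-NETS seq 20 permit 198.51.100.0/24

route-map STATIC-TO-OSPF permit 10
 match ip address prefix-list DMZ-NETS

! Inject the filtered static routes into OSPF (process ID 1 is assumed)
router ospf 1
 redistribute static subnets route-map STATIC-TO-OSPF
```

Because these are static routes, OSPF keeps advertising the DMZ networks even if the firewall cluster stops forwarding, unless the next hop itself becomes unreachable from the router.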
