Firewall Wizards mailing list archives
Re: High availability firewalls
From: chuck <Chuck () yerkes com>
Date: Tue, 20 Jan 1998 19:09:31 -0500 (EST)
Well, having done a lot of HA work on Suns (and eventually Openvision, when they bought us), I must bring up the Pepsi test: if I pour a Pepsi on the HUB, you're down. How HA do you want to be? Should all machines have two NICs (and run a reasonable routing protocol)? I must assume that the firewalls run smart protocols so that when FW1 dies, all packets go to FW2. How do you update rules between Firewalls? What if one is down when you make a change? Lose the hub, let the firewalls do the failover (I know there's a SL/IP link between the firewalls too, right?). Perhaps each side of the HA pair talks to both routers... (which I can't draw in ascii).

It is claimed, but unverified, that Jyri Kaljundi wrote:
Does anyone have any suggestions on how to build high availability networks which have a firewall as their one part? Where I am having problems is we want to have one place where we have 2 Cisco routers used for their HA and 2 FireWall-1 boxes used for firewall HA. It would be most easy to do this like this:

    LAN 1 ------ router 1 ----- Ethernet HUB ----- firewall 1 ------ LAN 2
      |                              |    |                            |
      |                              |    |                            |
      ------ router 2 ----------------    ----------- firewall 2 -------

Routers could have a dedicated Ethernet between them (talking HSRP for example) and firewalls could do the same (using Stonebeat HA software for FireWall-1). But what I do not like is the 1 HUB between them. You might say HUBs are pretty stable devices, but in this environment it probably would break anyway (if you leave one weak link in a system, it does break). So this seems more reliable:

    LAN 1 ------ router 1 -------- firewall 1 ------ LAN 2
      |                                                |
      |                                                |
      ------ router 2 -------- firewall 2 --------------

But is it better than the 1st diagram? When router 1 and firewall 2 go down, the system will not work anymore, although in diagram 1 it would still work. The question is, how to actually technically do it? On the firewalls side, when firewall 1 goes down, the HA software assigns the IP address and MAC address of firewall 1 to firewall 2. Now how shall I let the routers know that 1 must go down and 2 must go up? What should be used, OSPF, RIP, and how?
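[Editor's note: the comparison the quoted question makes between the two diagrams (hub in the middle versus routers wired straight to their firewalls) is easy to check exhaustively. The script below is an added example, not code from either poster; it models both topologies as graphs, treats a failed device as carrying no traffic, and lists every combination of up to two device failures that cuts LAN 1 off from LAN 2. The node names are constructed from the diagrams above.]

```python
# Added example (not from the original thread): compare the two HA
# topologies in the quoted question by enumerating device failures.
from itertools import combinations

# Topology 1: both routers and both firewalls meet at a shared hub.
TOPO_HUB = {
    ("LAN1", "router1"), ("LAN1", "router2"),
    ("router1", "hub"), ("router2", "hub"),
    ("hub", "firewall1"), ("hub", "firewall2"),
    ("firewall1", "LAN2"), ("firewall2", "LAN2"),
}

# Topology 2: each router is wired straight to "its" firewall; no hub.
TOPO_DIRECT = {
    ("LAN1", "router1"), ("LAN1", "router2"),
    ("router1", "firewall1"), ("router2", "firewall2"),
    ("firewall1", "LAN2"), ("firewall2", "LAN2"),
}

# Devices that can fail (the LANs themselves are the endpoints we test).
DEVICES = ("router1", "router2", "firewall1", "firewall2", "hub")


def reachable(edges, failed, src="LAN1", dst="LAN2"):
    """Depth-first search over undirected links, skipping failed nodes.
    A failed device forwards nothing, so every link touching it is gone."""
    adj = {}
    for a, b in edges:
        if a in failed or b in failed:
            continue
        adj.setdefault(a, set()).add(b)
        adj.setdefault(b, set()).add(a)
    seen, frontier = {src}, [src]
    while frontier:
        node = frontier.pop()
        for nxt in adj.get(node, ()):
            if nxt not in seen:
                seen.add(nxt)
                frontier.append(nxt)
    return dst in seen


def fatal_failures(edges, max_failed=2):
    """Return every set of up to max_failed device failures that breaks
    the LAN1 <-> LAN2 path. Only devices present in the topology count."""
    present = [d for d in DEVICES if any(d in link for link in edges)]
    fatal = []
    for k in range(1, max_failed + 1):
        for combo in combinations(present, k):
            if not reachable(edges, set(combo)):
                fatal.append(frozenset(combo))
    return fatal


if __name__ == "__main__":
    for name, topo in (("hub", TOPO_HUB), ("direct", TOPO_DIRECT)):
        print(name, sorted(sorted(f) for f in fatal_failures(topo)))
```

Running it shows both halves of the trade-off the poster describes: the hub topology has a single point of failure (the hub itself) and seven fatal combinations in total, while the direct topology survives every single failure but dies on four double failures, including the router 1 plus firewall 2 case from the question, which the hub topology survives.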
Current thread:
- High availability firewalls Jyri Kaljundi (Jan 19)
- Re: High availability firewalls Randy.Witlicki. (Jan 19)
- Re: High availability firewalls Roger Nebel (Jan 20)
- Re: High availability firewalls Billy Smith (Jan 20)
- Re: High availability firewalls Adam Shostack (Jan 20)
- Re: High availability firewalls Peter J. Cherny (Jan 21)
- Re: High availability firewalls chuck (Jan 20)
- Re: High availability firewalls Allen Todd (Jan 21)
- Re: High availability firewalls Jyri Kaljundi (Jan 22)
- Re: High availability firewalls Allen Todd (Jan 21)
- <Possible follow-ups>
- RE: High availability firewalls Gary Crumrine (Jan 20)
- RE: High availability firewalls Stefan Jon Silverman (Jan 21)
- RE: High availability firewalls Stout, William (Jan 21)
- Re: High availability firewalls Allen Todd (Jan 22)
- Re: High availability firewalls Randy.Witlicki. (Jan 19)