RE: Firewall Load balancing solution

["Dawes, Rogan (ZA - Johannesburg)" <rdawes () deloitte co za>]

Typically you can only load balance between two firewalls of the same type,
if you want to be able to failover between them in a transparent fashion.
This is because the two firewalls need to share state information as to what
connections are being permitted through, and firewalls of different
manufacture require different state information. 

If you don't care if a user's session gets dropped, and they have to restart
it, you should be able to mix your technologies. I wouldn't advise it
though, bacause it can be complicated to debug problems, especially those
caused by rule base mismatches. More so when you don't know WHICH rulebase
is causing the problem. Firewalls (from the same vendor) that are configured
in a hot standby or load balancing configuration typically both get the same
copy of the rulebase, and so synchronisation problems are not an issue.

However, if you are thinking of deploying a multi-tiered, multi-vendor
firewall solution (two Pix in front, two CheckPoint behind) this should be
achievable. Some would even say advisable, due to reduction in Single Point
of Failure.

I am quite interested to know if anyone has experience with firewalls using
VRRP to provide load balancing, and what the advantages and disadvantages
are.

Rogan



> -----Original Message-----
> From: Phu Quy [mailto:npquy () vnn vn]
> Sent: 30 September 2002 01:11
> To: firewall-wizards () nfr net
> Subject: [fw-wiz] Firewall Load balancing solution
>
>
>
> Dear all,
>
> I would like to deploy a firewall load balacing solution for 
> our network, Now we have 2 Cisco PIX firewall and we will 
> have 2 checkpoint servers in next some months, I don't know 
> which solution is good for us. I have to choose between Cisco 
> solution and other.
>  - With Cisco solution, we need buy a Content switching 
> module for our catalyst 6509 , but I don't know can It use 
> for checkpoint firewall and Cisco Pix firewall load balancing 
> ( mix together )
>
> - With other solution, We intend to buy 2 ServerIron400  from 
> Foundry Network for content switching components, But I don't 
> know can I use many verdor of firewall in this structure also
>
> Pls give me your advise
>
> Thanks so much
> Regards,
> Quy Nguyen
>
> _______________________________________________
> firewall-wizards mailing list
> firewall-wizards () honor icsalabs com
> http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards