Firewall Wizards mailing list archives
Re: Managing multiple Cisco Pix's
From: Timothy Shea <tim () tshea net>
Date: Wed, 5 Sep 2007 20:11:49 -0500
Incorrect. Pix 7.x and above support "active-active" which allows both firewalls to handle traffic versus the traditional active-passive in which all connections are sent through one firewall until something triggers a failover event. Think of this as Pix's version of load balancing but this can also be used in situations where asynchronous routing conditions exist in which case the pix would sync its config and state information over the network. I was looking at this at my last full time position before I left.

What I don't understand from the original e-mail is why he chose not to use the multiple context support? This is required for active-active. Otherwise he would need some other device to handle load balancing between the two firewalls (CSS or BigIP). So in essence - he has two different firewall configs to deal with.

For only two pix firewalls I just handle it by command line. For new changes I create a text file with the change and apply it to both firewalls and the change is archived.

t.s

On Sep 5, 2007, at 4:12 PM, Paul Melson wrote:
>> In effect we are going to end up with two separate devices, but that we
>> will want to have matching rulesets on. My question, therefore, is - what
>> software is available for managing multiple Pix units, and (if you've
>> any experience of it) is it any good?
>
> Just to be clear, you are going to have 2 firewalls. One through which all traffic will pass, and another through which no traffic will pass. Until the former breaks, in which case all traffic will manually be switched over to the latter. Correct so far?
>
> If you're comfortable with the command interface and manually editing configs (as opposed to using PDM from a web browser), then I would recommend Kiwi CatTools* for managing configurations.
>
> PaulM
>
> * http://www.kiwisyslog.com/kiwi-cattools-overview/
>
> _______________________________________________
> firewall-wizards mailing list
> firewall-wizards () listserv icsalabs com
> https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards
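An added example, not part of the original messages or any tool named in the thread: a check that two separately managed units still carry the same ruleset after changes have been applied to each by hand. The choice of command families to compare, the function names and both sample configurations are assumptions made for illustration.

```python
import difflib

# Assumption: these command families make up the shared ruleset. Hostname,
# interface and address lines differ per unit and are ignored.
POLICY_PREFIXES = ("access-list ", "access-group ", "object-group ")

def policy_lines(config_text):
    """Return the ordered ruleset lines of one saved configuration."""
    kept, in_group = [], False
    for raw in config_text.splitlines():
        line = " ".join(raw.split())          # normalise whitespace
        if not line or line.startswith((":", "!")):
            continue
        if raw.startswith(" "):               # indented sub-command
            if in_group:                      # keep object-group members only
                kept.append("  " + line)
            continue
        in_group = line.startswith("object-group ")
        if line.startswith(POLICY_PREFIXES):
            kept.append(line)
    return kept

def ruleset_drift(config_a, config_b):
    """Return (only_on_a, only_on_b); ACL order counts, two empty lists mean no drift."""
    a, b = policy_lines(config_a), policy_lines(config_b)
    only_a, only_b = [], []
    matcher = difflib.SequenceMatcher(None, a, b, autojunk=False)
    for tag, i1, i2, j1, j2 in matcher.get_opcodes():
        if tag != "equal":
            only_a += a[i1:i2]
            only_b += b[j1:j2]
    return only_a, only_b

# Constructed samples (not from the thread); unit B differs in one rule only.
SMTP_RULE = "access-list outside_in extended permit tcp any host 192.0.2.25 eq smtp"
SSH_RULE = "access-list outside_in extended permit tcp any host 192.0.2.10 eq ssh"
PIX_A = f"""hostname pix-a
interface Ethernet0
 nameif outside
 ip address 192.0.2.1 255.255.255.0
object-group service web_ports tcp
 port-object eq www
access-list outside_in extended permit tcp any host 192.0.2.10 object-group web_ports
{SMTP_RULE}
access-list outside_in extended deny ip any any
access-group outside_in in interface outside
"""
PIX_B = (PIX_A.replace("pix-a", "pix-b").replace("ip address 192.0.2.1 ", "ip address 192.0.2.2 ")
         .replace(SMTP_RULE, SSH_RULE))
```

Calling `ruleset_drift(PIX_A, PIX_B)` on saved copies of each unit's configuration returns the rules present on only one side, which is the drift a change applied to one firewall and forgotten on the other would leave behind.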