Firewall Wizards mailing list archives

Re: High availability firewalls


From: chuck <Chuck () yerkes com>
Date: Tue, 20 Jan 1998 19:09:31 -0500 (EST)

Well, having done a lot of HA work on Suns (and eventually
Openvision, when they bought us), I must bring up the
Pepsi test:

If I pour a Pepsi on the HUB, you're down.

How HA do you want to be?  Should all machines have two
NICs (and run a reasonable routing protocol)?

I must assume that the firewalls run smart protocols
so that when FW1 dies, all packets go to FW2.

How do you update rules between Firewalls?  What if
one is down when you make a change?

Lose the hub, let the firewalls do the failover (I know there's
a SL/IP link between the firewalls too, right?)

Perhaps each side of the HA pair talks to both routers...
(which I can't draw in ascii).
 

It is claimed, but unverified, that Jyri Kaljundi wrote:


Does anyone have any suggestions on how to build high availability
networks which have a firewall as one part? Where I am having
problems is we want to have one place where we have 2 Cisco routers used
for their HA and 2 FireWall-1 boxes used for firewall HA. It would be
easiest to do it like this:

LAN 1 ------ router 1 ----- Ethernet HUB ----- firewall 1 ------ LAN 2
        |       |       |                  |       |         |
        ---- router 2 ---                  --- firewall 2 ----

Routers could have a dedicated Ethernet between them (talking HSRP for
example) and firewalls could do the same (using Stonebeat HA software for
FireWall-1). 

But what I do not like is the 1 HUB between them. You might say HUBs are
pretty stable devices, but in this environment it probably would break
anyway (if you leave one weak link in the system, it does break).

So this seems more reliable:

LAN 1 ------ router 1 -------- firewall 1 ------ LAN 2
        |       |                  |         |
        ---- router 2 -------- firewall 2 ----

But is it better than the 1st diagram? When router 1 and firewall 2 go
down, the system will not work anymore, although in diagram 1 it would
still work. 

The question is, how to actually do it technically? On the firewalls' side,
when firewall 1 goes down, the HA software assigns the IP address and
MAC address of firewall 1 to firewall 2. Now how shall I let the routers know
that 1 must go down and 2 must go up? What should be used, OSPF, RIP, and
how?
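Added example by the editor, not code from the thread, from Stonebeat or from Cisco: the takeover Jyri describes (the standby assumes the active node's IP address and MAC address) is announced on the wire with a gratuitous ARP, and the consequence for the "how do the routers know" question is that nothing in the routers' ARP caches needs to change at all, because the IP-to-MAC binding is the same before and after; only the hub or switch has to relearn which port the MAC now lives on, which the broadcast does for it. HSRP works the same way with its virtual MAC (the 00:00:0c:07:ac:xx range). The script below builds and parses such frames and runs a small ARP watcher over a constructed sequence: a virtual-MAC pair (binding unchanged, so the watcher sees only a refresh), a pair that moves the IP between two real MACs (a binding change that is on the watcher's allow-list), and finally a claim from a foreign MAC, which is exactly what ARP spoofing looks like. All addresses, MACs and frames here are constructed for the example; there is no real capture. The operational point is that an HA takeover and an ARP-spoofing attack are the same frame, so a monitor on these segments has to know the pair's addresses to tell them apart.

```python
import struct

ETH_P_ARP = 0x0806
ARP_REQUEST, ARP_REPLY = 1, 2
BROADCAST = "ff:ff:ff:ff:ff:ff"


def mac_bytes(mac):
    return bytes.fromhex(mac.replace(":", ""))


def ip_bytes(ip):
    return bytes(int(o) for o in ip.split("."))


def mac_str(b):
    return ":".join(f"{x:02x}" for x in b)


def ip_str(b):
    return ".".join(str(x) for x in b)


def build_gratuitous_arp(sender_mac, sender_ip, reply=False):
    """Ethernet II + ARP frame announcing 'sender_ip is at sender_mac'.
    Gratuitous means target IP == sender IP and destination = broadcast,
    so every host on the segment refreshes its cache and every switch
    relearns which port the MAC lives on."""
    op = ARP_REPLY if reply else ARP_REQUEST
    eth = mac_bytes(BROADCAST) + mac_bytes(sender_mac) + struct.pack("!H", ETH_P_ARP)
    arp = struct.pack("!HHBBH", 1, 0x0800, 6, 4, op)      # Ethernet, IPv4, hlen, plen, opcode
    arp += mac_bytes(sender_mac) + ip_bytes(sender_ip)     # sender hardware / protocol address
    arp += (mac_bytes(sender_mac) if reply else bytes(6))  # target hardware address
    arp += ip_bytes(sender_ip)                             # target protocol address == sender's
    return eth + arp


def parse_arp(frame):
    """Return the ARP fields of an Ethernet frame, or None if it is not IPv4-over-Ethernet ARP."""
    if len(frame) < 42 or struct.unpack("!H", frame[12:14])[0] != ETH_P_ARP:
        return None
    htype, ptype, hlen, plen, op = struct.unpack("!HHBBH", frame[14:22])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return None
    return {
        "op": op,
        "sender_mac": mac_str(frame[22:28]),
        "sender_ip": ip_str(frame[28:32]),
        "target_mac": mac_str(frame[32:38]),
        "target_ip": ip_str(frame[38:42]),
        "gratuitous": frame[28:32] == frame[38:42],
    }


class ArpWatcher:
    """Keeps an IP -> MAC table from observed ARP and classifies each binding change.
    allowed_macs maps an IP to the set of MACs that may legitimately claim it
    (the two members of an HA pair that move the address without a shared MAC)."""

    def __init__(self, allowed_macs):
        self.allowed = {ip: {m.lower() for m in macs} for ip, macs in allowed_macs.items()}
        self.table = {}

    def observe(self, frame):
        a = parse_arp(frame)
        if a is None:
            return "not-arp"
        ip, mac = a["sender_ip"], a["sender_mac"]
        prev = self.table.get(ip)
        self.table[ip] = mac
        if prev is None:
            return "learned"
        if prev == mac:
            return "refresh"          # shared/virtual MAC takeover: binding unchanged, only the port moves
        if mac in self.allowed.get(ip, set()):
            return "ha-takeover"      # IP moved to the partner's own MAC: expected failover
        return "unexpected"           # IP claimed by a MAC outside the pair: treat as ARP spoofing


def run_demo():
    """Constructed frames (not a real capture): a virtual-MAC router pair, an
    IP-only firewall takeover, then an address claim from a foreign MAC."""
    watcher = ArpWatcher({
        "192.168.1.1": ["00:00:0c:07:ac:01"],                     # router pair, HSRP-style virtual MAC
        "10.0.0.1": ["00:a0:c9:11:22:33", "00:a0:c9:44:55:66"],   # firewall pair, each with its own MAC
    })
    frames = [
        build_gratuitous_arp("00:00:0c:07:ac:01", "192.168.1.1"),             # router 1 active
        build_gratuitous_arp("00:00:0c:07:ac:01", "192.168.1.1"),             # router 2 takes over, same MAC
        build_gratuitous_arp("00:a0:c9:11:22:33", "10.0.0.1"),                # firewall 1 active
        build_gratuitous_arp("00:a0:c9:44:55:66", "10.0.0.1", reply=True),    # firewall 2 takes over the IP
        build_gratuitous_arp("de:ad:be:ef:00:01", "10.0.0.1"),                # third party claims the address
    ]
    return [watcher.observe(f) for f in frames]


if __name__ == "__main__":
    for event in run_demo():
        print(event)
```

Running it prints learned, refresh, learned, ha-takeover, unexpected. The second router frame is classified as a refresh precisely because the shared MAC keeps the binding constant, which is why the routers in the second diagram never need a routing protocol to learn about a firewall takeover when the MAC moves with the IP; the last frame shows why the allow-list matters, since without it the legitimate firewall failover and the spoof are indistinguishable.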


