Re: FW-1 Failover

[Lance Spitzner <spitzner () dimension net>]

On Tue, 22 Jun 1999, Kelvin Garrahan wrote:

> I am thinking of using FW-1 for a internal Firewall which will segregate
> four networks of different security levels. The configuration is to be on
> NT, with four Ethernet cards. The choice of platform is customer driven, my
> original plans where to use Cisco's PIX. The main problem I have is
> providing failover for the FW-1. With PIX this is not a problem. I know FW-1
> supports failover/load sharing, but will this work with four interfaces?

FW1 supports failover, however you need 3rd party software to actually implement
it.  What FW1 provides is "stateful synching" between two FWs.  This means that
your primary and failover FW share stateful tables.  Whatever connections are
going through the primary FW, the secondary knows about, so no connections are
dropped during the failover.

Now, to answer your question - yes.  However, it depends on what 3rd party
support you are using.  The two most commonly used solutions are Stonebeat
and Nokia.  Nokia requires you buy their proprietary BSDI based systems that
have FW1 installed. These boxes come with their own failover solution. I have 
never personally tried these, but have heard excellent things on the FW1 listserv.

The other solution is Stonebeat, which I have installed at various sites.  I
like Stonebeat because it is BRAIN DEAD simple.  I have used it with up to
3 interfaces, but Stonbeat claims they have clients with up to 17 interfaces
per system.  Both Stonebeat and FW1 claim both systems can support unlimited
number of interfaces.

Hope this long winded explanation helps :)


Lance Spitzner
http://www.enteract.com/~lspitz/papers.html
Internetworking & Security Engineer
Dimension Enterprises Inc