Firewall Wizards mailing list archives

Re: FW-1 Failover


From: "Aaron D. Turner" <aturner () vicinity com>
Date: Wed, 23 Jun 1999 10:16:16 -0700 (PDT)


I've got Veritas FirstWatch for FW-1 on my pair of E250's (each with 9
interfaces).  Works just fine.  You need 1 interface for the admin
network, plus 2 more for heart-beat.  That leaves the rest for DMZ's,
etc.


-- 
Aaron Turner, CNE   aturner () vicinity com  650.237.0300 x252
Network Security Engineer                 Vicinity Corp.        
Cell: 408-314-9874  Pager: 650-317-1821   http://www.vicinity.com

On Wed, 23 Jun 1999, Lance Spitzner wrote:

On Tue, 22 Jun 1999, Kelvin Garrahan wrote:

I am thinking of using FW-1 for an internal firewall which will segregate
four networks of different security levels. The configuration is to be on
NT, with four Ethernet cards. The choice of platform is customer driven; my
original plans were to use Cisco's PIX. The main problem I have is
providing failover for the FW-1. With PIX this is not a problem. I know FW-1
supports failover/load sharing, but will this work with four interfaces?

FW1 supports failover, however you need 3rd party software to actually implement
it.  What FW1 provides is "stateful synching" between two FWs.  This means that
your primary and failover FW share stateful tables.  Whatever connections are
going through the primary FW, the secondary knows about, so no connections are
dropped during the failover.

Now, to answer your question - yes.  However, it depends on what 3rd party
support you are using.  The two most commonly used solutions are Stonebeat
and Nokia.  Nokia requires you buy their proprietary BSDI based systems that
have FW1 installed. These boxes come with their own failover solution. I have
never personally tried these, but have heard excellent things on the FW1 listserv.

The other solution is Stonebeat, which I have installed at various sites.  I
like Stonebeat because it is BRAIN DEAD simple.  I have used it with up to
3 interfaces, but Stonebeat claims they have clients with up to 17 interfaces
per system.  Both Stonebeat and FW1 claim both systems can support an unlimited
number of interfaces.

Hope this long-winded explanation helps :)


Lance Spitzner
http://www.enteract.com/~lspitz/papers.html
Internetworking & Security Engineer
Dimension Enterprises Inc



