> [ ... ] add a second firewall for redundancy purposes only, so
> that nothing gets locked out in case there is a failure, what
> are the requirements to provide this service? [ ... ]

That's not entirely trivial, if one wants totally transparent failover in particular.

If existing connections don't need to be preserved it can be as simple as advertising by OSPF (for example) two entry points into the network, them being the two firewalls.

If totally transparent is required, and existing connections do need preserving, something like 'conntrackd' (if the firewalls are running Linux or similar) is required, as well as a floating IP address. There should be some HOWTOs involving 'conntrackd' that give an idea of how to get that going.
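
The stateful failover described in the reply, as an added example that is not part of the original message: a state-transition handler that the daemon owning the floating IP would call, so the firewall taking over commits the connection state replicated by conntrackd. It assumes a VRRP daemon such as keepalived (the post names none) that passes "primary", "backup" or "fault"; `plan_for`, `apply_state` and `DRY_RUN` are names made up for this sketch.

```shell
#!/bin/sh
# Added example: state-transition handler for an active/backup firewall pair.
# Assumption: a VRRP daemon (keepalived, for instance) owns the floating IP
# and runs this script with "primary", "backup" or "fault" on each transition.
# Set DRY_RUN=1 to print the commands instead of running them.

CONNTRACKD="${CONNTRACKD:-conntrackd}"

# Print, one per line, the conntrackd options to run for the new state.
plan_for() {
    case "$1" in
        primary)
            # -c commit the external cache (the peer's flows) to the kernel table
            # -f flush the internal and external caches
            # -R resynchronise the internal cache with the kernel table
            # -B send a bulk update to the peer
            printf '%s\n' -c -f -R -B
            ;;
        backup)
            # -t shorten kernel conntrack timers so stale entries expire
            # -n request a resync from the firewall that is now primary
            printf '%s\n' -t -n
            ;;
        fault)
            printf '%s\n' -t
            ;;
        *)
            return 2
            ;;
    esac
}

# Run (or, with DRY_RUN=1, print) the steps; stop at the first failure so a
# half-applied transition is visible to the caller.
apply_state() {
    steps=$(plan_for "$1") || { echo "usage: {primary|backup|fault}" >&2; return 2; }
    for flag in $steps; do
        if [ "${DRY_RUN:-0}" = "1" ]; then
            echo "$CONNTRACKD $flag"
        else
            "$CONNTRACKD" "$flag" || { echo "conntrackd $flag failed" >&2; return 1; }
        fi
    done
}

# Act only when called with an argument, so the file can also be sourced.
if [ $# -gt 0 ]; then apply_state "$1"; fi
```

Both firewalls need the same script, and conntrackd must already be running in sync mode over a dedicated link between them for the commit step to have anything to restore.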