[log in to unmask]" type="cite">Hiya,I have assumed that these are not built into a chassis and are separate firewall units.
I am also assuming that the setup is an active/active configuration rather than an active/passive but the principals for failover tracking are the same.
The key issue here is the transition of the state data base between the firewalls and how quickly they can pick up on an interface failure.The old school solution is that the devices run HSRP or VRRP and have the ability of the LAN side interfaces to track the state of the WAN interfaces. Then if the interface fails then it "automatically" shifts traffic to the second firewall and away you go. The setup also requires a heart beat link between the firewalls, so that is 3 interfaces minimum per box. However, here is the problem. If the routing or switching protocol fails, this setup won't pick it up so the firewall needs to know what is going with the device further upstream both physically and logically.
Most Tier-2 installs inside a university may use layer 2 connection, however to facilitate proper failover you should run a layer 3 protocol such as OSPF or BGP. RIP would cut it just but the best solution I have built used weighted BGP routes into the firewalls so that you don't end up in the scenario where the primary firewall internal link fails and the internal system switches over to the backup solution and the main link, which hasn't failed in the campus, still tries to send traffic down a dead link. This happens more often than people would think.
Therefore, you have to configure interface tracking on the internal and external interfaces of the firewall, make sure that it can track the routing protocol used and this is also used on the routers or Layer 3 switches that the firewall is connected to. Then configure VRRP or HSRP on the internal network, if you want to be belts, braces and a super glued waste band grade of resilience go for Multi group HSRP or VRRP but this means that you will have effectively two gates which could split the cluster's externally facing devices as one recommendation is to have them on separate networks. That is a site design choice.
The WAN design involves weighted routes and directly connected interface tracking. Also, the devices you are connected to in the WAN have to "know" about one another at Layer 3 to do what is briefly described above.
Then configure the heart beat timeout between firewalls to be ultra low and you have to be sure of the link between the devices as this is the core of the setup. The active/passive or active/active setup is a winner but it is complex to do properly.
Layer 2 failover is complex to do as you are limited in terms of protocol choice STP isn't quick enough and RSTP isn't that quick either and it doesn't get round the issue described above with the interface failures.
Some places to look are:
This gives an overview of how the failover protocols work, but it is Cisco centric.
Also,
Hope this helps. My main experience is Cisco and Checkpoint and Cisco and PIX but I have also built out solutions on Extreme and Foundry systems using Checkpoint as the firewall.
My main question is how resilient do you want it to be?
Regards,mark
On 30 Jan 2012, at 17:53, Santanu Das wrote:
Dear all,
It's a bit off-tpoic but I though I ask here: If I want to add a second
firewall for redundancy purpose only, so that nothing gets locked out in
case there is a failure, what are the requirements to provide this
service? Any suggestion(s) greatly appreciated.
Cheers,
Santanu
--------------------------------------------
Mark Mitchell,
ScotGrid Technical Co-ordinator,
Rm 481,
Kelvin Building,
School of Physics and Astronomy,
University of Glasgow,
G12 8QQ, UK
Telephone: +44-141-330 6439
E Mail: [log in to unmask]