Hiya,
I have assumed that these are not built into a chassis and
are separate firewall units.
I am also assuming that the setup is an active/active
configuration rather than an active/passive but the principles
for failover tracking are the same.
The key issue here is the transition of the state data base
between the firewalls and how quickly they can pick up on an
interface failure.
The old school solution is that the devices run HSRP or VRRP
and have the ability of the LAN side interfaces to track the
state of the WAN interfaces. Then if the interface fails then it
"automatically" shifts traffic to the second firewall and away
you go. The setup also requires a heartbeat link between the
firewalls, so that is 3 interfaces minimum per box. However,
here is the problem. If the routing or switching protocol fails,
this setup won't pick it up, so the firewall needs to know what
is going on with the device further upstream both physically and
logically.
Most Tier-2 installs inside a university may use layer 2
connection, however to facilitate proper failover you should run
a layer 3 protocol such as OSPF or BGP. RIP would cut it just
but the best solution I have built used weighted BGP routes into
the firewalls so that you don't end up in the scenario where the
primary firewall internal link fails and the internal system
switches over to the backup solution and the main link, which
hasn't failed in the campus, still tries to send traffic down a
dead link. This happens more often than people would think.
Therefore, you have to configure interface tracking on the
internal and external interfaces of the firewall, make sure that
it can track the routing protocol used and this is also used on
the routers or Layer 3 switches that the firewall is connected
to. Then configure VRRP or HSRP on the internal network; if you
want to be belts, braces and a super-glued waistband grade of
resilience, go for multi-group HSRP or VRRP, but this means that
you will have effectively two gates, which could split the
cluster's externally facing devices, as one recommendation is to
have them on separate networks. That is a site design choice.
The WAN design involves weighted routes and directly
connected interface tracking. Also, the devices you are
connected to in the WAN have to "know" about one another at
Layer 3 to do what is briefly described above.
Then configure the heartbeat timeout between firewalls to be
ultra low, and you have to be sure of the link between the
devices as this is the core of the setup. The active/passive or
active/active setup is a winner but it is complex to do
properly.
Layer 2 failover is complex to do as you are limited in terms
of protocol choice: STP isn't quick enough and RSTP isn't that
quick either, and it doesn't get round the issue described above
with the interface failures.
Some places to look are:
This gives an overview of how the failover protocols work,
but it is Cisco centric.
Also,
Hope this helps. My main experience is Cisco and Checkpoint
and Cisco and PIX but I have also built out solutions on
Extreme and Foundry systems using Checkpoint as the firewall.
My main question is how resilient do you want it to be?
Regards,
mark
On 30 Jan 2012, at 17:53, Santanu Das wrote:
Dear all,
It's a bit off-topic but I thought I'd ask here: If I want to
add a second firewall for redundancy purposes only, so that
nothing gets locked out in case there is a failure, what are the
requirements to provide this service? Any suggestion(s) greatly
appreciated.
Cheers,
Santanu
--------------------------------------------
Mark Mitchell,
ScotGrid Technical Co-ordinator,
Rm 481,
Kelvin Building,
School of Physics and Astronomy,
University of Glasgow,
G12 8QQ, UK
Telephone: +44-141-330 6439
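As an added illustration of the interface and route tracking described in the reply above (constructed for this page, not configuration from the thread or from either poster), this is a Cisco IOS HSRP configuration for the LAN side of one firewall-facing router; the interface names, addresses, priorities and the BGP-learned default route are assumptions:

```cisco
! Constructed example: LAN-side HSRP that is demoted when either the
! WAN interface drops or the upstream default route disappears.
!
! Track object 1: line-protocol state of the WAN-facing interface.
! Catches a physical failure of the external link.
track 1 interface GigabitEthernet0/1 line-protocol
!
! Track object 2: presence of a default route in the routing table.
! Catches the "link is up but the routing protocol is dead" case,
! which interface tracking alone cannot see.
track 2 ip route 0.0.0.0/0 reachability
!
interface GigabitEthernet0/0
 description LAN side - HSRP group 1 with the partner unit
 ip address 10.10.0.2 255.255.255.0
 standby version 2
 standby 1 ip 10.10.0.1
 ! Primary sits at 110; the partner is left at the default of 100.
 ! Each decrement (20) is larger than the 10-point gap, so any single
 ! tracked failure is enough to hand the virtual IP to the partner.
 standby 1 priority 110
 standby 1 preempt delay minimum 30
 ! Hello 200 ms / hold 750 ms: sub-second detection of a dead peer.
 standby 1 timers msec 200 msec 750
 standby 1 track 1 decrement 20
 standby 1 track 2 decrement 20
 ! Authenticate hellos so a rogue host cannot claim the gateway.
 standby 1 authentication md5 key-string EXAMPLE_KEY_PLACEHOLDER
```

The partner device carries the same group with the default priority and its own tracked objects, so whichever unit still has both a live WAN link and a usable default route holds the gateway address.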