Automatic fail-over with redundant firewalls

Hi

The company I work for is operating a data center with redundant internet connections. To give you an idea what our network looks like:

                  Internet
                 /        \
          Router 1 --HSRP-- Router 2
             |    \      /    |
             |     \    /     |
             |      \  /      |
             |       \/       |
             |       /\       |
             |      /  \      |
             |     /    \     |
             |    /      \    |
            FW1 ---- ??? --- FW2
             |                |
          Switch --- DMZ --- Switch
             |                |
            FW3 ---- ??? --- FW4
             |                |
          Switch --- LAN --- Switch

Recently our ISP set up HSRP on the outbound routers to implement automatic fail-over, so if one of them fails, the other automatically takes over its IP and MAC address. For inbound connections, they've also configured BGP at their routers.

Now we'd like to do something similar with our firewalls, so that when e.g. FW1 breaks, all traffic will be redirected transparently to FW2, if possible without interruption. The firewalls are all NetScreen 5GTs, and I've noticed that they support a "dual untrust" mode. Is this what we're looking for? Unfortunately, to activate this mode you have to reset the configuration. Has anybody experimented with tweaking a backed-up configuration and just setting dual untrust at the beginning?

If not, are there any other, simpler options? We're also open to using other firewalls, if necessary.

Cheers, Markus Koller

Reply to
toupeira23

A few additions:

- above FW1/FW2 there's actually a switch on each side with 2 connections to each router and 1 to the firewall

- FW1 and FW2 are in bridge/"transparent" mode

- FW3 and FW4 do NAT

- the servers in LAN have FW3 set as default gateway, with no other GWs defined

What we basically want is to be able to shut off any of the firewalls or switches, and have the network automatically adjust to that.

Are there any solutions that

- do this immediately, without loss of connections?

- do this in a matter of seconds/minutes, without needing to change anything manually?

Cheers, Markus

Reply to
toupeira23

Contact any of the major firewall vendors and ask for their solution - you'll get a better answer than posting here.

CISCO, WatchGuard, etc...

Reply to
Leythos

snipped-for-privacy@gmail.com wrote on 17 Aug 2006 02:48:19 -0700:

No idea about the NetScreens, have you tried contacting Juniper support?

I'm using CISCO PIX 515 boxes here with failover, so far zero downtime in 8 years of running (including upgrades, updates, and taking a unit out for over a week for parts replacement). Failover configuration was simple (a couple of extra config settings and a cable), and with a spare ethernet interface on each they'll even failover connection state data too (the serial cable on its own doesn't do this).

Dan

Reply to
Spack

A prototype of a HA setup.

What about looking at the product specification?


5GTs offer HA-Lite ...

What you want is something like active/passive and that starts with the Netscreen 50:

You want real high-availability. You want devices that can be clustered (automatic failover active/passive or even active/active). What you want is at least active/passive and that starts with the Netscreen 50 (if you like to stick to Netscreen).

High-availability can be done with quite some products, both commercial and free, among these are:

- OpenBSD

- Linux

- various boxes from nearly all major vendors (usually the SOHO types do NOT offer HA).

Currently I'm installing 4 HA-clustered firewalls at three different locations. There is no Netscreen among them. Details about those installations upon request.

Forget about the 5GT for HA. Serious failover solutions from most commercial vendors I know start in the range of a Netscreen 50. If you want a cheap solution hire someone who has a lot of experience with OpenBSD and HA.

Well, see above ...

Best wishes, Wolfgang

Reply to
Wolfgang Kueter
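As an added illustration (not from any poster in this thread), this is what the OpenBSD route Wolfgang mentions looks like when applied to the NAT pair FW3/FW4: a shared CARP address on each side moves between the two boxes much like HSRP does on the routers, and pfsync replicates the state table over a dedicated link so established connections survive the switch-over, which is the "without loss of connections" case Dan describes for the PIX. Interface names, addresses and the passphrase are assumed placeholders, and the pf.conf syntax is that of a current OpenBSD release, not the 2006-era form.

```conf
# --- /etc/sysctl.conf (both nodes) ---
net.inet.ip.forwarding=1
net.inet.carp.preempt=1        # the preferred node reclaims all vhids once it is back

# --- /etc/hostname.em0  (outside, physical; master 203.0.113.11, backup .12) ---
inet 203.0.113.11 255.255.255.0
# --- /etc/hostname.em1  (inside, physical; master 192.168.10.11, backup .12) ---
inet 192.168.10.11 255.255.255.0
# --- /etc/hostname.em2  (dedicated crossover link used only for pfsync) ---
inet 10.255.0.1 255.255.255.252

# --- /etc/hostname.carp0 (shared outside address; backup node uses advskew 100) ---
inet 203.0.113.1 255.255.255.0 203.0.113.255 vhid 1 carpdev em0 pass CHANGE_ME advskew 0
# --- /etc/hostname.carp1 (shared inside address = default gateway of the LAN servers) ---
inet 192.168.10.1 255.255.255.0 192.168.10.255 vhid 2 carpdev em1 pass CHANGE_ME advskew 0

# --- /etc/hostname.pfsync0 (state-table replication to the peer over em2) ---
up syncdev em2

# --- /etc/pf.conf ---
ext_if  = "em0"
int_if  = "em1"
sync_if = "em2"
lan_net = "192.168.10.0/24"

set skip on lo

# NAT to the shared CARP address, never to the physical one: translated sessions
# keep the same source address after the backup node takes over.
match out on $ext_if inet from $lan_net to any nat-to (carp0)

block all
pass quick on $sync_if proto pfsync              # state sync between the pair
pass quick on { $ext_if $int_if } proto carp     # CARP advertisements (224.0.0.18)
pass in  on $int_if inet from $lan_net to any
pass out on $ext_if inet
```

The backup node uses the same files with its own physical addresses, `advskew 100` on both carp interfaces and `10.255.0.2` on em2; pfsync traffic is unauthenticated, so the sync link must be a point-to-point cable, not a shared switch.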

Thanks for all the replies, and sorry if my post was a little naive ;) Anyway, I think I know now what to look for...

Cheers, Markus

Reply to
toupeira23

Normally taking a closer look at the datasheet should be enough to find out. Netscreen boxes can well be considered as professional equipment but a 5GT is not the right box to be used in a datacenter. Like a PIX 501 it is a SOHO box.

What you describe for your PIX 515 is quite normal in that range. The devices above the SOHO range from most major vendors offer failover possibilities. Some offer active/passive mode only, others even active/active mode as an option.

Wolfgang

Reply to
Wolfgang Kueter
