Hi
The company I work for is operating a data center with redundant internet connections. To give you an idea what our network looks like:
                      __________________
                     |                  |
              _______|     Internet     |_______
             |       |__________________|       |
        _____|____                          ____|_____
       | Router 1 |-------- HSRP ----------| Router 2 |
       |__________|                        |__________|
             |                                  |
             |__________________________________|
             |                                  |
        _____|____                          ____|_____
       |   FW1    |-------- ???  ----------|   FW2    |
       |__________|                        |__________|
             |            _________             |
        _____|____       |         |        ____|_____
       |  Switch  |______|   DMZ   |_______|  Switch  |
       |__________|      |_________|       |__________|
             |                                  |
        _____|____                          ____|_____
       |   FW3    |-------- ???  ----------|   FW4    |
       |__________|                        |__________|
             |            _________             |
        _____|____       |         |        ____|_____
       |  Switch  |______|   LAN   |_______|  Switch  |
       |__________|      |_________|       |__________|
Recently our ISP set up HSRP on the outbound routers to implement automatic fail-over, so if one of them fails, the other automatically takes over its IP and MAC address. For inbound connections, they've also configured BGP at their routers.
Now we'd like to do something similar with our firewalls, so that when e.g. FW1 breaks, all traffic will be redirected transparently to FW2, if possible without interruption. The firewalls are all NetScreen 5GTs, and I've noticed that they support a "dual untrust" mode. Is this what we're looking for? Unfortunately, to activate this mode you have to reset the configuration. Has anybody experimented with tweaking a backed-up configuration and just setting dual untrust at the beginning?
If not, are there any other, simpler options? We're also open to using other firewalls, if necessary.
Cheers,
Markus Koller