Automatic fail-over with redundant firewalls
Hi
The company I work for is operating a data center with redundant
internet connections.
To give you an idea what our network looks like:
                      __________________
                     |                  |
                 ____|     Internet     |____
                |    |__________________|    |
                |                            |
           _____|____                    ____|_____
          | Router 1 |------ HSRP ------| Router 2 |
          |__________|                  |__________|
             |   _|________________________|    |
             |   ||__________________________   |
             |   |                          |   |
           __|___|___                    ___|___|__
          |   FW1    |------ ??? -------|   FW2    |
          |__________|                  |__________|
               |                              |
               |         ___________          |
           ____|_____   |           |    _____|____
          |  Switch  |__|    DMZ    |___|  Switch  |
          |__________|  |           |   |__________|
               |        |___________|         |
           ____|_____                    _____|____
          |   FW3    |------ ??? -------|   FW4    |
          |__________|                  |__________|
               |         ___________          |
           ____|_____   |           |    _____|____
          |  Switch  |__|    LAN    |___|  Switch  |
          |__________|  |           |   |__________|
                        |___________|
Recently our ISP set up HSRP on the outbound routers to implement
automatic fail-over, so if one of them fails, the other automatically
takes over its IP and MAC address. For inbound connections, they've
also configured BGP at their routers.
Now we'd like to do something similar with our firewalls, so that
when e.g. FW1 breaks, all traffic will be redirected transparently
to FW2, if possible without interruption.
The firewalls are all NetScreen 5GT's, and I've noticed that they
support a "dual untrust" mode. Is this what we're looking for?
Unfortunately, to activate this mode you have to reset the
configuration. Has anybody experimented with tweaking a backed-up
configuration and just setting dual untrust at the beginning?
If not, are there any other, simpler options? We're also open to
using other firewalls, if necessary.
Cheers
Markus Koller
Re: Automatic fail-over with redundant firewalls
A few additions:
- above FW1/FW2 there's actually a switch on each side with
2 connections to each router and 1 to the firewall
- FW1 and FW2 are in bridge/"transparent" mode
- FW3 and FW4 do NAT
- the servers in LAN have FW3 set as default gateway,
with no other GWs defined
What we basically want is to be able to shut off any of the firewalls
or switches, and have the network automatically adjust to that.
Are there any solutions that
- do this immediately, without loss of connections?
- do this in a matter of seconds/minutes, without needing to change
anything manually?
Cheers,
Markus
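The two acceptance criteria above (no lost connections versus a recovery measured in seconds) can be quantified during a planned failover test by pinging a host behind the firewall pair and measuring the gap. This added Python snippet is not from the thread; it assumes the usual `icmp_seq=N` reply format of ping(8), and the sample output and the 203.0.113.10 address are constructed.

```python
from __future__ import annotations
import re
from dataclasses import dataclass

# A ping(8) reply line carries "icmp_seq=N"; timeout lines do not match.
_REPLY_RE = re.compile(r"icmp_seq=(\d+)")

@dataclass
class Outage:
    first_missing_seq: int
    lost_probes: int
    seconds: float  # lost_probes * probe interval

def find_outages(ping_output: str, interval: float = 1.0) -> list[Outage]:
    """Turn gaps in the icmp_seq sequence of a ping run into outages.
    N missing probes at `interval` seconds each approximate an N*interval
    second outage; replies arriving after a higher seq are ignored.
    """
    outages: list[Outage] = []
    last_seq = None
    for line in ping_output.splitlines():
        m = _REPLY_RE.search(line)
        if not m:
            continue  # banner, summary or "Request timeout" lines
        seq = int(m.group(1))
        if last_seq is not None and seq > last_seq + 1:
            lost = seq - last_seq - 1
            outages.append(Outage(last_seq + 1, lost, lost * interval))
        if last_seq is None or seq > last_seq:
            last_seq = seq
    return outages

def longest_outage(outages: list[Outage]) -> float:
    """Worst single gap in seconds; 0.0 means no probe was lost."""
    return max((o.seconds for o in outages), default=0.0)

# Constructed sample: three replies, four probes lost while the firewall
# pair fails over, then replies resume at seq 8 (203.0.113.0/24 is a
# documentation range, not a real host).
SAMPLE = """\
64 bytes from 203.0.113.10: icmp_seq=1 ttl=64 time=0.412 ms
64 bytes from 203.0.113.10: icmp_seq=2 ttl=64 time=0.398 ms
64 bytes from 203.0.113.10: icmp_seq=3 ttl=64 time=0.401 ms
Request timeout for icmp_seq 4
Request timeout for icmp_seq 5
Request timeout for icmp_seq 6
Request timeout for icmp_seq 7
64 bytes from 203.0.113.10: icmp_seq=8 ttl=64 time=0.455 ms
64 bytes from 203.0.113.10: icmp_seq=9 ttl=64 time=0.407 ms
"""
```

Run `ping -i 0.2` against a DMZ or LAN host while pulling the cable on one firewall, then feed the captured output to `find_outages(..., interval=0.2)`; a long-lived TCP session through the pair is a separate check, since ICMP says nothing about state synchronisation.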
Re: Automatic fail-over with redundant firewalls
In article <1155815388.591999.215550@74g2000cwt.googlegroups.com>,
toupeira23@gmail.com says...
> A few additions:
> - above FW1/FW2 there's actually a switch on each side with
> 2 connections to each router and 1 to the firewall
> - FW1 and FW2 are in bridge/"transparent" mode
> - FW3 and FW4 do NAT
> - the servers in LAN have FW3 set as default gateway,
> with no other GWs defined
>
> What we basically want is to be able to shut off any of the firewalls
> or switches, and have the network automatically adjust to that.
>
> Are there any solutions that
> - do this immediately, without loss of connections?
> - do this in a matter of seconds/minutes, without needing to change
> anything manually?
Contact any of the major firewall vendors and ask for their solution -
you'll get a better answer than posting here.
CISCO, WatchGuard, etc...
--
spam999free@rrohio.com
remove 999 in order to email me
Re: Automatic fail-over with redundant firewalls
toupeira23@gmail.com wrote on 17 Aug 2006 02:48:19 -0700:
> Hi
>
> The company I work for is operating a data center with redundant
> internet connections.
> To give you an idea what our network looks like:
>
>                       __________________
>                      |                  |
>                  ____|     Internet     |____
>                 |    |__________________|    |
>                 |                            |
>            _____|____                    ____|_____
>           | Router 1 |------ HSRP ------| Router 2 |
>           |__________|                  |__________|
>              |   _|________________________|    |
>              |   ||__________________________   |
>              |   |                          |   |
>            __|___|___                    ___|___|__
>           |   FW1    |------ ??? -------|   FW2    |
>           |__________|                  |__________|
>                |                              |
>                |         ___________          |
>            ____|_____   |           |    _____|____
>           |  Switch  |__|    DMZ    |___|  Switch  |
>           |__________|  |           |   |__________|
>                |        |___________|         |
>            ____|_____                    _____|____
>           |   FW3    |------ ??? -------|   FW4    |
>           |__________|                  |__________|
>                |         ___________          |
>            ____|_____   |           |    _____|____
>           |  Switch  |__|    LAN    |___|  Switch  |
>           |__________|  |           |   |__________|
>                         |___________|
>
> Recently our ISP set up HSRP on the outbound routers to implement
> automatic fail-over, so if one of them fails, the other automatically
> takes over its IP and MAC address. For inbound connections, they've
> also configured BGP at their routers.
>
> Now we'd like to do something similar with our firewalls, so that
> when e.g. FW1 breaks, all traffic will be redirected transparently
> to FW2, if possible without interruption.
> The firewalls are all NetScreen 5GT's, and I've noticed that they
> support a "dual untrust" mode. Is this what we're looking for?
> Unfortunately, to activate this mode you have to reset the
> configuration. Has anybody experimented with tweaking a backed-up
> configuration and just setting dual untrust at the beginning?
>
> If not, are there any other, simpler options? We're also open to
> using other firewalls, if necessary.
No idea about the NetScreens, have you tried contacting Juniper support?
I'm using CISCO PIX 515 boxes here with failover, so far zero downtime in 8
years of running (including upgrades, updates, and taking a unit out for
over a week for parts replacement). Failover configuration was simple
(a couple of extra config settings and a cable), and with a spare ethernet
interface on each they'll even failover connection state data too (the
serial cable on its own doesn't do this).
Dan
Re: Automatic fail-over with redundant firewalls
On 17 Aug 2006 02:48:19 -0700, toupeira23@gmail.com wrote:
>Now we'd like to do something similar with our firewalls, so that
>when e.g. FW1 breaks, all traffic will be redirected transparently
>to FW2, if possible without interruption.
>The firewalls are all NetScreen 5GT's, and I've noticed that they
>support a "dual untrust" mode. Is this what we're looking for?
>Unfortunately, to activate this mode you have to reset the
>configuration. Has anybody experimented with tweaking a backed-up
>configuration and just setting dual untrust at the beginning?
>
>If not, are there any other, simpler options? We're also open to
>using other firewalls, if necessary.
No, the dual untrust mode is for supporting a pair of redundant circuits
in case one of them has an outage. It is not the same as your requirement,
which is hardware-level auto-failover, but just trunk-level redundancy
handling.
Please read the documents at the following links to better understand
Netscreen's high availability approaches and which models support each
approach:
http://www.juniper.net/products/integrated/high_availability.pdf
http://www.juniper.net/products/glance/all_nscn_products.pdf
In your case, you need at least a pair of firewalls that support
Active/Passive, which means a Netscreen-50 (or more advanced) model.
Michael
Re: Automatic fail-over with redundant firewalls
toupeira23@gmail.com wrote:
> Now we'd like to do something similar with our firewalls, so that
> when e.g. FW1 breaks, all traffic will be redirected transparently
> to FW2, if possible without interruption.
A prototype of a HA setup.
> The firewalls are all NetScreen 5GT's, and I've noticed that they
> support a "dual untrust" mode. Is this what we're looking for?
What about looking at the product specification?
http://www.juniper.net/products/integrated/ns_5series.html
5 GT's offer HA-Lite ...
What you want is something like active/passive and that starts with the
Netscreen 50:
http://www.juniper.net/products/integrated/ns_2550.html
You want real high-availability. You want devices that can be clustered
(automatic failover active/passive or even active/active). What you want is
at least active/passive and that starts with the Netscreen 50 (if you like
to stick to Netscreen).
http://www.juniper.net/products/integrated/ns_2550.html
High-availability can be done with quite some products, both commercial and
free, among these are:
- OpenBSD
- Linux
- various boxes from nearly all major vendors (usually the SOHO types do NOT
offer HA).
Currently I'm installing 4 HA-clustered firewalls at three different
locations. There is no Netscreen among them. Details about those
installations upon request.
> Unfortunately, to activate this mode you have to reset the
> configuration. Has anybody experimented with tweaking a backed-up
> configuration and just setting dual untrust at the beginning?
Forget about the 5GT for HA. Serious failover solutions from most commercial
vendors I know start in the range of a Netscreen 50. If you want a cheap
solution hire someone who has a lot of experience with OpenBSD and HA.
> If not, are there any other, simpler options? We're also open to
> using other firewalls, if necessary.
Well, see above ...
best wishes
Wolfgang
Re: Automatic fail-over with redundant firewalls
Spack wrote:
> No idea about the NetScreens, have you tried contacting Juniper support?
Normally taking a closer look at the datasheet should be enough to find out.
Netscreen boxes can well be considered as professional equipment but a 5GT
is not the right box to be used in a datacenter. Like a PIX 501 it is a
SOHO box.
> I'm using CISCO PIX 515 boxes here with failover, so far zero downtime in
> 8 years of running (including upgrades, updates, and taking a unit out for
> over a week for parts replacement). Failover configuration was simple
> (a couple of extra config settings and a cable), and with a spare ethernet
> interface on each they'll even failover connection state data too (the
> serial cable on its own doesn't do this).
What you describe for your PIX 515 is quite normal in that range. The
devices above the SOHO range from most major vendors offer failover
possibilities. Some offer active/passive mode only, others even
active/active mode as an option.
Wolfgang