Automatic fail-over with redundant firewalls - Connectivity


Thread: Automatic fail-over with redundant firewalls

  1. Automatic fail-over with redundant firewalls

    Hi

    The company I work for is operating a data center with redundant
    internet connections.
    To give you an idea what our network looks like:

                       ____________________
                      |                    |
                  ____|      Internet      |____
                  |   |____________________|   |
                  |                            |
                  |                            |
             _____|____                    ____|_____
            | Router 1 |------ HSRP ------| Router 2 |
            |__________|                  |__________|
                  | |________________________| |
                  | ||______________________   |
                  |  |                      |  |
             _____|__|_                    _|__|_____
            |   FW1    |------ ??? -------|   FW2    |
            |__________|                  |__________|
                  |                            |
                  |         ___________        |
             _____|____    |           |   ____|_____
            |  Switch  |___|    DMZ    |__|  Switch  |
            |__________|   |           |  |__________|
                  |        |___________|       |
             _____|____                    ____|_____
            |   FW3    |------ ??? -------|   FW4    |
            |__________|                  |__________|
                  |         ___________        |
             _____|____    |           |   ____|_____
            |  Switch  |___|    LAN    |__|  Switch  |
            |__________|   |           |  |__________|
                           |___________|


    Recently our ISP set up HSRP on the outbound routers to implement
    automatic fail-over, so if one of them fails, the other automatically
    takes over its IP and MAC address. For inbound connections, they've
    also configured BGP at their routers.

    Now we'd like to do something similar with our firewalls, so that
    when e.g. FW1 breaks, all traffic will be redirected transparently
    to FW2, if possible without interruption.
    The firewalls are all NetScreen 5GT's, and I've noticed that they
    support a "dual untrust" mode. Is this what we're looking for?
    Unfortunately, to activate this mode you have to reset the
    configuration. Has anybody experimented with tweaking a backed-up
    configuration and just setting dual untrust at the beginning?

    If not, are there any other, simpler options? We're also open to
    using other firewalls, if necessary.


    Cheers
    Markus Koller


  2. Re: Automatic fail-over with redundant firewalls

    A few additions:
    - above FW1/FW2 there's actually a switch on each side with
    2 connections to each router and 1 to the firewall
    - FW1 and FW2 are in bridge/"transparent" mode
    - FW3 and FW4 do NAT
    - the servers in LAN have FW3 set as default gateway,
    with no other GWs defined

    What we basically want is to be able to shut off any of the firewalls
    or switches, and have the network automatically adjust to that.

    Are there any solutions that
    - do this immediately, without loss of connections?
    - do this in a matter of seconds/minutes, without needing to change
    anything manually?


    Cheers,
    Markus


  3. Re: Automatic fail-over with redundant firewalls

    In article <1155815388.591999.215550@74g2000cwt.googlegroups.com>,
    toupeira23@gmail.com says...
    > A few additions:
    > - above FW1/FW2 there's actually a switch on each side with
    > 2 connections to each router and 1 to the firewall
    > - FW1 and FW2 are in bridge/"transparent" mode
    > - FW3 and FW4 do NAT
    > - the servers in LAN have FW3 set as default gateway,
    > with no other GWs defined
    >
    > What we basically want is to be able to shut off any of the firewalls
    > or switches, and have the network automatically adjust to that.
    >
    > Are there any solutions that
    > - do this immediately, without loss of connections?
    > - do this in a matter of seconds/minutes, without needing to change
    > anything manually?


    Contact any of the major firewall vendors and ask for their solution -
    you'll get a better answer than posting here.

    CISCO, WatchGuard, etc...

    --

    spam999free@rrohio.com
    remove 999 in order to email me

  4. Re: Automatic fail-over with redundant firewalls

    toupeira23@gmail.com wrote on 17 Aug 2006 02:48:19 -0700:

    > Hi
    >
    > The company I work for is operating a data center with redundant
    > internet connections.
    > To give you an idea what our network looks like:
    >
    >                        ____________________
    >                       |                    |
    >                   ____|      Internet      |____
    >                   |   |____________________|   |
    >                   |                            |
    >                   |                            |
    >              _____|____                    ____|_____
    >             | Router 1 |------ HSRP ------| Router 2 |
    >             |__________|                  |__________|
    >                   | |________________________| |
    >                   | ||______________________   |
    >                   |  |                      |  |
    >              _____|__|_                    _|__|_____
    >             |   FW1    |------ ??? -------|   FW2    |
    >             |__________|                  |__________|
    >                   |                            |
    >                   |         ___________        |
    >              _____|____    |           |   ____|_____
    >             |  Switch  |___|    DMZ    |__|  Switch  |
    >             |__________|   |           |  |__________|
    >                   |        |___________|       |
    >              _____|____                    ____|_____
    >             |   FW3    |------ ??? -------|   FW4    |
    >             |__________|                  |__________|
    >                   |         ___________        |
    >              _____|____    |           |   ____|_____
    >             |  Switch  |___|    LAN    |__|  Switch  |
    >             |__________|   |           |  |__________|
    >                            |___________|
    >
    > Recently our ISP set up HSRP on the outbound routers to implement
    > automatic fail-over, so if one of them fails, the other automatically
    > takes over its IP and MAC address. For inbound connections, they've
    > also configured BGP at their routers.
    >
    > Now we'd like to do something similar with our firewalls, so that
    > when e.g. FW1 breaks, all traffic will be redirected transparently
    > to FW2, if possible without interruption.
    > The firewalls are all NetScreen 5GT's, and I've noticed that they
    > support a "dual untrust" mode. Is this what we're looking for?
    > Unfortunately, to activate this mode you have to reset the
    > configuration. Has anybody experimented with tweaking a backed-up
    > configuration and just setting dual untrust at the beginning?
    >
    > If not, are there any other, simpler options? We're also open to
    > using other firewalls, if necessary.


    No idea about the NetScreens, have you tried contacting Juniper support?

    I'm using CISCO PIX 515 boxes here with failover, so far zero downtime in 8
    years of running (including upgrades, updates, and taking a unit out for
    over a week for parts replacement). Failover configuration was simple
    (a couple of extra config settings and a cable), and with a spare ethernet
    interface on each they'll even failover connection state data too (the
    serial cable on its own doesn't do this).

    Dan



  5. Re: Automatic fail-over with redundant firewalls

    On 17 Aug 2006 02:48:19 -0700, toupeira23@gmail.com wrote:

    >Now we'd like to do something similar with our firewalls, so that
    >when e.g. FW1 breaks, all traffic will be redirected transparently
    >to FW2, if possible without interruption.
    >The firewalls are all NetScreen 5GT's, and I've noticed that they
    >support a "dual untrust" mode. Is this what we're looking for?
    >Unfortunately, to activate this mode you have to reset the
    >configuration. Has anybody experimented with tweaking a backed-up
    >configuration and just setting dual untrust at the beginning?
    >
    >If not, are there any other, simpler options? We're also open to
    >using other firewalls, if necessary.



    No, the dual untrust mode is for supporting a pair of redundant circuits
    in case one of them has an outage. It is not the same as the requirement
    you mentioned, which is hardware-level auto-failover; it is just
    trunk-level redundancy handling.

    Please read the documents at the following links to understand more
    about Netscreen's high availability approaches and the models that
    support the different approaches:

    http://www.juniper.net/products/inte...ailability.pdf

    http://www.juniper.net/products/glan...n_products.pdf

    In your case, you need at least a pair of firewalls that support
    Active/Passive, which should be the Netscreen-50 (or more advanced) model.


    Michael

  7. Re: Automatic fail-over with redundant firewalls

    toupeira23@gmail.com wrote:

    > Now we'd like to do something similar with our firewalls, so that
    > when e.g. FW1 breaks, all traffic will be redirected transparently
    > to FW2, if possible without interruption.


    A prototype of an HA setup.

    > The firewalls are all NetScreen 5GT's, and I've noticed that they
    > support a "dual untrust" mode. Is this what we're looking for?


    What about looking at the product specification?

    http://www.juniper.net/products/inte...s_5series.html

    5GTs offer HA-Lite ...

    What you want is something like active/passive and that starts with the
    Netscreen 50:

    http://www.juniper.net/products/integrated/ns_2550.html

    You want real high-availability. You want devices that can be clustered
    (automatic failover active/passive or even active/active). What you want is
    at least active/passive and that starts with the Netscreen 50 (if you like
    to stick to Netscreen).

    http://www.juniper.net/products/integrated/ns_2550.html

    High-availability can be done with quite some products, both commercial and
    free, among these are:

    - OpenBSD
    - Linux
    - various boxes from nearly all major vendors (usually the SOHO types do
    NOT offer HA).

    Currently I'm installing 4 HA-clustered firewalls at three different
    locations. There is no Netscreen among them. Details about those
    installations upon request.

    > Unfortunately, to activate this mode you have to reset the
    > configuration. Has anybody experimented with tweaking a backed-up
    > configuration and just setting dual untrust at the beginning?


    Forget about the 5GT for HA. Serious failover solutions from most commercial
    vendors I know start in the range of a Netscreen 50. If you want a cheap
    solution hire someone who has a lot of experience with OpenBSD and HA.

    > If not, are there any other, simpler options? We're also open to
    > using other firewalls, if necessary.


    Well, see above ...

    best wishes
    Wolfgang
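
    An added illustration, not from any poster in this thread, of the
    active/passive pattern Dan describes on the PIX and Wolfgang suggests
    with OpenBSD, written as an OpenBSD CARP + pfsync configuration for the
    routed NAT pair FW3/FW4 (it does not cover the transparent FW1/FW2 pair):
    the LAN servers keep a single default gateway, the shared CARP address,
    the standby takes over that address and MAC when the master fails, and
    pfsync over a spare interface copies the state table so existing
    connections survive. Interface names (em0/em1/em2), the 192.168.10.x,
    10.0.0.x and 172.16.0.x addresses, vhids and the pass phrase are assumptions.

```conf
# --- FW3 (preferred master). FW4 is identical except advskew 100 and its own
# --- physical addresses (.3 instead of .2, 172.16.0.2 on the sync link).

# /etc/hostname.em0 : LAN-side physical interface (real address, assumed)
inet 192.168.10.2 255.255.255.0

# /etc/hostname.carp0 : shared LAN gateway. Servers keep 192.168.10.1 as their
# only default gateway; whichever box is master answers for it (IP and MAC).
inet 192.168.10.1 255.255.255.0 192.168.10.255 vhid 10 carpdev em0 advskew 0 pass ASSUMED_SECRET

# /etc/hostname.em1 : DMZ-side physical interface (assumed)
inet 10.0.0.2 255.255.255.0

# /etc/hostname.carp1 : shared DMZ-side address, used as the NAT source address
inet 10.0.0.1 255.255.255.0 10.0.0.255 vhid 11 carpdev em1 advskew 0 pass ASSUMED_SECRET

# /etc/hostname.em2 : dedicated crossover link for state-table replication
inet 172.16.0.1 255.255.255.0

# /etc/hostname.pfsync0 : push every state change to the peer over em2
up syncdev em2 syncpeer 172.16.0.2

# /etc/sysctl.conf : route between interfaces; with preempt, losing one link
# demotes every carp interface on the master so both sides move together
net.inet.ip.forwarding=1
net.inet.carp.preempt=1

# /etc/pf.conf (excerpt)
lan_if  = "em0"
dmz_if  = "em1"
sync_if = "em2"
set skip on lo
block drop log all
# CARP advertisements and pfsync updates must never be filtered
pass quick on $sync_if proto pfsync
pass quick on { $lan_if $dmz_if } proto carp
# NAT to the shared carp1 address, not the box's own em1 address, so states
# replicated to the standby remain valid after a takeover
match out on $dmz_if from 192.168.10.0/24 nat-to (carp1)
pass in  on $lan_if from 192.168.10.0/24
pass out on $dmz_if
```

    With advskew 0 on FW3 and 100 on FW4, FW3 is master whenever it is healthy and FW4 advertises less often; pulling FW3's power or a cable moves both shared addresses to FW4 within a few advertisement intervals and the replicated states keep established flows alive.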



  8. Re: Automatic fail-over with redundant firewalls

    Spack wrote:


    > No idea about the NetScreens, have you tried contacting Juniper support?


    Normally taking a closer look at the datasheet should be enough to find out.
    Netscreen boxes can well be considered as professional equipment but a 5GT
    is not the right box to be used in a datacenter. Like a PIX 501 it is a
    SOHO box.

    > I'm using CISCO PIX 515 boxes here with failover, so far zero downtime in
    > 8 years of running (including upgrades, updates, and taking a unit out for
    > over a week for parts replacement). Failover over configuration was simply
    > (a couple of extra config settings and a cable), and with a spare ethernet
    > interface on each they'll even failover connection state data too (the
    > serial cable on it's own doesn't do this).


    What you describe for your PIX 515 is quite normal in that range. The
    devices above the SOHO range from most major vendors offer failover
    possibilities. Some offer active/passive mode only, others even
    active/active mode as an option.

    Wolfgang

