Firewall redundancy - how?

[ss2chef]

a high availability service from home = terms that contradict

Look into a reverse proxy where conditional rules can be applied

[CybertecOne]

For all others, that you can't see what he's trying to do is a shame. Its a simple concept, redundant firewalls help alleviate firewalls as the single path failure in house.

I'm glad that other people understand the concept - I am still unsure of what is meant to be happening...... would a failsafe firewall only be protecting a failsafe WAN ?

Or am I of the understanding that you have a single WAN configured with 2 firewalls (FW1 & FW2 for instance) and the configuration would resemble something like:

WAN -> FW1 -> Working OK, But if FW1 fail, pass traffic to FW2

This means that if the first firewall has failed/stop responding, all traffic will be passed to the second firewall. This prevents a network failure if the first firewall stops responding? is this correct?

My next question is then "what is passing the traffic to the first firewall, then determining if the traffic flow is OK, and if it is not, then deciding to pass traffic to the second firewall?".

[shakeshuck]

CTO,

Yes, that's the general idea; however you are correct, TG2's solution had a switch at the front which does create yet another SPF.

I have noticed that some of the h/w firewalls can be set to pass all traffic if a failure occurs. In this case, two firewalls in series (as you initally mentioned) would do the job. I don't know what sort of effect it would have on traffic, though, if everything was being filtered twice.

[CybertecOne]

I don't know what sort of effect it would have on traffic, though, if everything was being filtered twice.

You are always limited by the bottleneck. Check the traffic throughput of the firewall device on the manufacturer website and if it is equal to or greater than your WAN/LAN infrastructure, then you will be fine.


CTO