Budget No-Single-Point-Of-Failure Firewall Configuration

We sought a budget ($5,000) firewall solution that would provide all the performance we needed with no single point of failure. Because we host a SaaS web application in our datacenter, it was critical that we find a way to keep connectivity up and inbound traffic flowing.

We settled on the SonicWall UTM 2400 firewall. Aside from all the normal security appliance bells and whistles (IPS, AV, content filtering, etc.), the 2400 series offered some features specifically for high availability.

The 2400 UTM can be quickly and easily clustered into an active/passive arrangement. Failover is fast (1-2 seconds), though not real-time; for web applications, it gets the job done.

With six physical Ethernet ports available, two can be dedicated to different ISP connections. We combined a cheap ($40/mo) DSL line with our 15 Mb metro fiber pipe to provide backup.

We placed two simple switches between our ISP routers and the firewalls, so each router is connected to each firewall. In this manner, a failure of the ISP, router, switch, or firewall would all be caught and initiate failover.

The SonicWall supports multiple methods for keeping links alive. We set each firewall to ping Google's DNS server (8.8.8.8). After five failed attempts one second apart, the path that failed is considered "down" and failover is initiated. However, the firewall is smart enough NOT to fail over if BOTH paths are down (i.e., if the ping target itself is offline), since switching links would gain nothing.
Inside the firewall, we have a clustered core switch for primary LAN connectivity. We also use VMware clustering with multiple web servers on the VMware cluster. The SonicWall has a basic inbound load balancing feature that distributes port 80 requests across the web servers. If one of them stops responding for more than 5 attempts, it is considered down, and all inbound web traffic is routed to the alternate web server.
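The two probe rules above (five consecutive failures mark a WAN path or web server "down", and no WAN failover when both paths fail) are easy to get subtly wrong when reasoning about them, so here is an added example that models the decision logic. This is constructed illustration code, not SonicWall's implementation; the path names "fiber" and "dsl" and the simulated probe results are assumptions.

```python
"""Probe-driven failover decision logic (constructed example, not SonicWall code)."""
from dataclasses import dataclass

FAIL_THRESHOLD = 5  # five consecutive failed probes, one second apart, mark a path down


@dataclass
class PathMonitor:
    """Tracks consecutive probe failures for one path (WAN link or web server)."""
    name: str
    failures: int = 0

    def record(self, probe_ok: bool) -> None:
        # Failures must be consecutive: a single success resets the counter.
        self.failures = 0 if probe_ok else self.failures + 1

    @property
    def is_down(self) -> bool:
        return self.failures >= FAIL_THRESHOLD


def select_active(primary: PathMonitor, backup: PathMonitor, current: str) -> str:
    """Return the path that should carry traffic after this probe tick.

    Fail over only when the primary is down AND the backup is still reachable.
    If both probes fail (e.g. the probe target itself is offline) keep the
    current path instead of flapping to an equally unreachable link.
    Fall back to the primary as soon as it recovers.
    """
    if not primary.is_down:
        return primary.name
    if backup.is_down:
        return current  # both down: do not fail over
    return backup.name


def run_probes(results):
    """Feed (primary_ok, backup_ok) probe results, one per second, and return
    the active path after each tick. Primary is fiber, backup is DSL (assumed)."""
    fiber, dsl = PathMonitor("fiber"), PathMonitor("dsl")
    active, history = fiber.name, []
    for primary_ok, backup_ok in results:
        fiber.record(primary_ok)
        dsl.record(backup_ok)
        active = select_active(fiber, dsl, active)
        history.append(active)
    return history


if __name__ == "__main__":
    # Constructed trace: fiber fails for six seconds while DSL stays up, then recovers.
    print(run_probes([(True, True)] * 2 + [(False, True)] * 6 + [(True, True)]))
```

The third scenario in the test (four failures, one success, four more failures) shows why the counter must reset on success: intermittent loss never trips the threshold, so traffic stays on the primary.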
We also use EasyDNS to provide DNS hosting for $20/mo. In the event of an ISP outage, DNS is required to provide an alternate inbound route for web traffic. In the "beta" features at EasyDNS, you'll find a little feature that constantly probes a web service and, should it fail, updates your DNS to point traffic in on your backup link. In our case, if our 15 Mb metro fiber link goes down, our domain name gets redirected to our DSL ISP's IP range, and traffic is sent in that way. It's a lot slower, but at least it works. EasyDNS smartly provides real-time email alerts when this happens.

With this combination, including some poorly-documented features, we were able to spend very little money while providing near enterprise levels of reliability. In fact, we replaced a larger "enterprise" firewall and load balancer with this SonicWall 2400 UTM cluster. Performance is better, management is simpler, and it cost less than renewing support for our old systems for one year.