• Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 440
  • Last Modified:

Redundant stateful firewalls with BGP routing

We're looking to improve our availability by using mulitple service providers and using BGP to provide routing.  Ideally, we'd like to have both firewalls active.

Our first thought was to simply use BGP for hot failover, so that only one firewall is active at a time.  We configured our BGP session so that one route would always be preferred. However, some providers prefer to route a different way for their own reasons.  When that happens, traffic may enter on the standby firewall, which we would then route back out through the primary, however this fails due to the stateful firewalls not having the right states.

Should we change our firewalls to be stateless, would that fix our situation, but would it also affect performance?
1 Solution
It will depend on what firewalls you have.

Perhaps the two firewalls can be clustered instead, and then you put both ISP interfaces in the same zone, so that the asymmetric routing does not cause issues with the flow rules.

Another alternative is to have two routers do the BGP, and then connect these via a switch to the firewalls - with the preferred route always hitting the main firewall.
Unless you have a reason not to do it I vote for pergr suggestion of clustered firewall.  That is what we do.
That's about it, but you can also do some tuning for load balancing.
Can you put an exception in your firewalls for BGP traffic to/from your known neighbors to be stateless? That's what I did in ours and it works very well. You definitely do not want to make your firewalls entirely stateless, you may as well dump them and use a router with an access list.
nj_glennAuthor Commented:
Thanks for the fast response!
Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

Join & Write a Comment

Featured Post

Free Tool: Port Scanner

Check which ports are open to the outside world. Helps make sure that your firewall rules are working as intended.

One of a set of tools we are providing to everyone as a way of saying thank you for being a part of the community.

Tackle projects and never again get stuck behind a technical roadblock.
Join Now