Solved

Redundant stateful firewalls with BGP routing

Posted on 2014-03-19
6
379 Views
Last Modified: 2014-03-20
We're looking to improve our availability by using mulitple service providers and using BGP to provide routing.  Ideally, we'd like to have both firewalls active.

Our first thought was to simply use BGP for hot failover, so that only one firewall is active at a time.  We configured our BGP session so that one route would always be preferred. However, some providers prefer to route a different way for their own reasons.  When that happens, traffic may enter on the standby firewall, which we would then route back out through the primary, however this fails due to the stateful firewalls not having the right states.

Should we change our firewalls to be stateless, would that fix our situation, but would it also affect performance?
0
Comment
Question by:nj_glenn
6 Comments
 
LVL 17

Accepted Solution

by:
pergr earned 500 total points
Comment Utility
It will depend on what firewalls you have.

Perhaps the two firewalls can be clustered instead, and then you put both ISP interfaces in the same zone, so that the asymmetric routing does not cause issues with the flow rules.

Another alternative is to have two routers do the BGP, and then connect these via a switch to the firewalls - with the preferred route always hitting the main firewall.
0
 
LVL 57

Expert Comment

by:giltjr
Comment Utility
Unless you have a reason not to do it I vote for pergr suggestion of clustered firewall.  That is what we do.
0
 
LVL 17

Expert Comment

by:pergr
Comment Utility
That's about it, but you can also do some tuning for load balancing.
0
 
LVL 28

Expert Comment

by:mikebernhardt
Comment Utility
Can you put an exception in your firewalls for BGP traffic to/from your known neighbors to be stateless? That's what I did in ours and it works very well. You definitely do not want to make your firewalls entirely stateless, you may as well dump them and use a router with an access list.
0
 
LVL 1

Author Closing Comment

by:nj_glenn
Comment Utility
Thanks for the fast response!
0

Featured Post

What Is Threat Intelligence?

Threat intelligence is often discussed, but rarely understood. Starting with a precise definition, along with clear business goals, is essential.

Join & Write a Comment

Suggested Solutions

Title # Comments Views Activity
Low Cost Managed Switch 19 85
SSL RA VPN 7 70
Palo Alto Networks Global Protect 2 49
Sophos EC migration to Cloud. 1 41
Cybersecurity has become the buzzword of recent years and years to come. The inventions of cloud infrastructure and the Internet of Things has made us question our online safety. Let us explore how cloud- enabled cybersecurity can help us with our b…
Transferring data across the virtual world became simpler but protecting it is becoming a real security challenge.  How to approach cyber security  in today's business world!
This video gives you a great overview about bandwidth monitoring with SNMP and WMI with our network monitoring solution PRTG Network Monitor (https://www.paessler.com/prtg). If you're looking for how to monitor bandwidth using netflow or packet s…
In this tutorial you'll learn about bandwidth monitoring with flows and packet sniffing with our network monitoring solution PRTG Network Monitor (https://www.paessler.com/prtg). If you're interested in additional methods for monitoring bandwidt…

763 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

8 Experts available now in Live!

Get 1:1 Help Now