Redundant stateful firewalls with BGP routing
Posted on 2014-03-19
We're looking to improve our availability by using multiple service providers and using BGP to provide routing. Ideally, we'd like to have both firewalls active.
Our first thought was to simply use BGP for hot failover, so that only one firewall is active at a time. We configured our BGP session so that one route would always be preferred. However, some providers prefer to route a different way for their own reasons. When that happens, traffic may enter on the standby firewall, which we would then route back out through the primary; however, this fails due to the stateful firewalls not having the right states.
If we changed our firewalls to be stateless, would that fix our situation, and would it also affect performance?
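The failure described in the post above, modelled as an added example that is not part of the original post: two firewalls with independent connection tables, an inbound SYN on one and the reply leaving through the other. The addresses, the `Firewall` class and the simplified state rule (only a SYN creates state) are assumptions made for illustration, and the stateless case assumes a static rule that permits the service in both directions.

```python
from dataclasses import dataclass, field

# Constructed sample flow: an Internet client connecting to a server
# that sits behind both firewalls (documentation address ranges).
CLIENT = ("198.51.100.7", 40000)
SERVER = ("203.0.113.10", 443)


@dataclass
class Firewall:
    """Toy packet filter; hypothetical model, not any vendor's behaviour."""
    name: str
    stateful: bool = True
    states: set = field(default_factory=set)

    def handle(self, src, dst, flags):
        """Return True if the packet is forwarded, False if it is dropped."""
        if not self.stateful:
            # Stateless: the static rule matches on addresses and ports only,
            # so the filter cannot tell whether a connection exists.
            return True
        key = frozenset((src, dst))  # direction-independent flow key
        if flags == "SYN":
            self.states.add(key)  # first packet of a flow creates state
            return True
        return key in self.states  # everything else must match existing state


def handshake(inbound_fw, outbound_fw):
    """Send the SYN in through one firewall and the SYN-ACK out through another.

    Returns (syn_forwarded, synack_forwarded).
    """
    syn = inbound_fw.handle(CLIENT, SERVER, "SYN")
    synack = outbound_fw.handle(SERVER, CLIENT, "SYN-ACK")
    return syn, synack


if __name__ == "__main__":
    primary, standby = Firewall("primary"), Firewall("standby")
    print("symmetric :", handshake(primary, primary))
    # The provider delivers the SYN to the standby; the reply leaves via primary.
    print("asymmetric:", handshake(standby, Firewall("primary")))
    stateless = Firewall("primary", stateful=False)
    print("stateless :", handshake(Firewall("standby", stateful=False), stateless))
    # What statelessness gives up: a SYN-ACK with no preceding SYN also passes.
    print("unsolicited SYN-ACK via stateless:", stateless.handle(SERVER, CLIENT, "SYN-ACK"))
```

The asymmetric case drops the SYN-ACK because the state lives only on the firewall that saw the SYN; the stateless filter forwards it, but it equally forwards a reply that belongs to no connection.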