Want to win a PS4? Go Premium and enter to win our High-Tech Treats giveaway. Enter to Win

x
?
Solved

Redundant stateful firewalls with BGP routing

Posted on 2014-03-19
6
Medium Priority
?
427 Views
Last Modified: 2014-03-20
We're looking to improve our availability by using mulitple service providers and using BGP to provide routing.  Ideally, we'd like to have both firewalls active.

Our first thought was to simply use BGP for hot failover, so that only one firewall is active at a time.  We configured our BGP session so that one route would always be preferred. However, some providers prefer to route a different way for their own reasons.  When that happens, traffic may enter on the standby firewall, which we would then route back out through the primary, however this fails due to the stateful firewalls not having the right states.

Should we change our firewalls to be stateless, would that fix our situation, but would it also affect performance?
0
Comment
Question by:nj_glenn
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
6 Comments
 
LVL 17

Accepted Solution

by:
pergr earned 2000 total points
ID: 39941891
It will depend on what firewalls you have.

Perhaps the two firewalls can be clustered instead, and then you put both ISP interfaces in the same zone, so that the asymmetric routing does not cause issues with the flow rules.

Another alternative is to have two routers do the BGP, and then connect these via a switch to the firewalls - with the preferred route always hitting the main firewall.
0
 
LVL 57

Expert Comment

by:giltjr
ID: 39942081
Unless you have a reason not to do it I vote for pergr suggestion of clustered firewall.  That is what we do.
0
 
LVL 17

Expert Comment

by:pergr
ID: 39943332
That's about it, but you can also do some tuning for load balancing.
0
 
LVL 28

Expert Comment

by:mikebernhardt
ID: 39943339
Can you put an exception in your firewalls for BGP traffic to/from your known neighbors to be stateless? That's what I did in ours and it works very well. You definitely do not want to make your firewalls entirely stateless, you may as well dump them and use a router with an access list.
0
 
LVL 1

Author Closing Comment

by:nj_glenn
ID: 39943349
Thanks for the fast response!
0

Featured Post

What does it mean to be "Always On"?

Is your cloud always on? With an Always On cloud you won't have to worry about downtime for maintenance or software application code updates, ensuring that your bottom line isn't affected.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Most of the applications these days are on Cloud. Cloud is ubiquitous with many service providers in the market. Since it has many benefits such as cost reduction, software updates, remote access, disaster recovery and much more.
In this blog we highlight approaches to managed security as a service.  We also look into ConnectWise’s value in aiding MSPs’ security management and indicate why critical alerting is a necessary integration.
NetCrunch network monitor is a highly extensive platform for network monitoring and alert generation. In this video you'll see a live demo of NetCrunch with most notable features explained in a walk-through manner. You'll also get to know the philos…
Monitoring a network: why having a policy is the best policy? Michael Kulchisky, MCSE, MCSA, MCP, VTSP, VSP, CCSP outlines the enormous benefits of having a policy-based approach when monitoring medium and large networks. Software utilized in this v…
Suggested Courses

636 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question