Re: High availability firewalls

["Randy.Witlicki."<randy.witlicki () valley net>]

> Does anyone have any suggestions on how to build high availability
> networks which have a firewall as their one part?

.... much snipped ...

> The question is, how to actually technically to it? On the firewalls side,
> when firewall 1 goes down, the HA software assigns IP-address and
> MAC-address of firewall 1 to firewall 2. Now how shall I let routers know
> that 1 must go down and 2 must go up? What should be used, OSPF, RIP, and
> how?
  Two things come to mind:
  1.) The cisco PIX firewall has a Failover option - you purchase a
second PIX and connect the two with a failover cable:

LAN 1 ------ router 1 -------- firewall 1 ------ LAN 2
                           |      X          |
                           |---firewall 2 ---|
 Where "X" is the failover cable and firewall # 2 is idle
until firewall # 1 fails.  Probably other vendors besides cisco
have this kind of technology available.

  2.) On one of the lists a while back somebody suggested having
a second firewall with a higher cost (cost not price in money,
but cost in routing metrics).  The second router would only route
packets if the primary firewall went down.  I haven't heard if
anybody has actually implemented this.

  - Randy
 -