Firewall Wizards mailing list archives

Re: PIX Firewall Resilience Question


From: Mike Barkett <mbarkett () digex net>
Date: Fri, 3 Mar 2000 01:18:35 -0500 (EST)

On Thu, 2 Mar 2000, Garrahan, Kelvin wrote:

GK>Date: Thu, 2 Mar 2000 16:28:31 -0000 
GK>From: "Garrahan, Kelvin" <Kelvin.Garrahan () compaq com>
GK>To: "'firewall-wizards () nfr net'" <firewall-wizards () nfr net>
GK>Subject: PIX Firewall Resilience Question
GK>
GK>Failover between the Firewalls is handled by the PIX failover cable.
GK>
GK>My questions are;
GK>
GK>1) Can you have two interfaces connected to the same network even if each
GK>interface resides on a separate switch?

Yes, at a very simple level, just connect the switches via 
crossover(s).  You'll want something with a good STP that can handle
two crossovers, i.e. Catalyst switches.  Although redundant crossovers are
not as necessary with the PIX HA, since that is handled via the failover
cable.

GK>2) If the above can be done how is routing handled? from memory you assign
GK>routes to interfaces
GK>
GK>I think even if the above works the rules base would become very
GK>complicated.
GK>Thanks in advance
GK>

Not necessarily.  If I remember correctly, under PIX version 4.23 and up,
you just configure the primary like normal, tell it about the secondary,  
and it updates the secondary when you 'wr mem'.  There is another command
like 'wr system' or 'wr failover' that escapes me right now, which will
just write to the secondary.

GK>
GK>Kelvin Garrahan
GK>Security Consultant
GK>Compaq Professional Services,
GK>Park House,
GK>N.C.R.,
GK>Dublin 7.
GK>Tel:  353-1-8385433
GK>Fax: 353-1-8384239 
GK>Email: Kelvin.garrahan () compaq com
GK> <<Garrahan, Kelvin.vcf>> 

Dublin, eh?  I'll be there for St. Patty's day.  Where's the place to
be/avoid?

-MAB
