RE: [fw-wiz] Firewall Load balancing solution

From: Dawes, Rogan (ZA - Johannesburg) (rdawes@deloitte.co.za)
Date: 09/30/02


From: "Dawes, Rogan (ZA - Johannesburg)" <rdawes@deloitte.co.za>
To: firewall-wizards@nfr.net
Date: Mon Sep 30 08:26:00 2002

Typically you can only load balance between two firewalls of the same type,
if you want to be able to failover between them in a transparent fashion.
This is because the two firewalls need to share state information as to what
connections are being permitted through, and firewalls of different
manufacture require different state information.

If you don't care if a user's session gets dropped, and they have to restart
it, you should be able to mix your technologies. I wouldn't advise it
though, because it can be complicated to debug problems, especially those
caused by rule base mismatches. More so when you don't know WHICH rulebase
is causing the problem. Firewalls (from the same vendor) that are configured
in a hot standby or load balancing configuration typically both get the same
copy of the rulebase, and so synchronisation problems are not an issue.

However, if you are thinking of deploying a multi-tiered, multi-vendor
firewall solution (two Pix in front, two CheckPoint behind) this should be
achievable. Some would even say advisable, due to reduction in Single Point
of Failure.

I am quite interested to know if anyone has experience with firewalls using
VRRP to provide load balancing, and what the advantages and disadvantages
are.

Rogan

> -----Original Message-----
> From: Phu Quy [mailto:npquy@vnn.vn]
> Sent: 30 September 2002 01:11
> To: firewall-wizards@nfr.net
> Subject: [fw-wiz] Firewall Load balancing solution
>
>
>
> Dear all,
>
> I would like to deploy a firewall load balancing solution for
> our network, Now we have 2 Cisco PIX firewall and we will
> have 2 checkpoint servers in next some months, I don't know
> which solution is good for us. I have to choose between Cisco
> solution and other.
> - With Cisco solution, we need buy a Content switching
> module for our catalyst 6509 , but I don't know can It use
> for checkpoint firewall and Cisco Pix firewall load balancing
> ( mix together )
>
> - With other solution, We intend to buy 2 ServerIron400 from
> Foundry Network for content switching components, But I don't
> know can I use many vendor of firewall in this structure also
>
> Pls give me your advice
>
> Thanks so much
> Regards,
> Quy Nguyen


