topic Re: firewall failove in Network Security

firewall failove

mirehteshamali — Mon, 11 Mar 2019 20:01:13 GMT

hi all,

i two 5550 firewall set up for redundance purpose . in failover we define two different ip add one for primary and one for secondary .

example

interface Ethernet0/0
nameif outside
security-level 0
ip address xxxx.0.0.0.1 255.255.255.0 standby xxxx.0.0.2
!
interface Ethernet1/0
nameif inside
security-level 100
ip address 10.0.0.12 255.255.255.0 standby 10.0.0.11

question :

default gateway for host will be 10.0.0.12 (primary fw address) however in case of failover , the secondary fw will be up with ip address that was assigned for primary .

in this case the secondary ip add 10.0.0.11 is actually nerver used ?

similarly do i need to have two public ip address for outside (one for primary and one for secondary ) ? or in case if primary fails the secondary comes onlie and take the ip of primary fw . hence i only need to purchase just one ip address.

is my logic correct ?

thanks

Re: firewall failove

Maykol Rojas — Sat, 05 Mar 2011 06:48:11 GMT

Hello and Thanks for posting.

In a matter of speaking yes, the secondary IP's are never used. But they are used at the same time. You see, the only way that the firewall can know that an interface is down is doing the hello packets. This packets are sent to the standby IP and from the standby to the primary. In the moment that one of the IP´s stop responding, the failover will occurr, that is mostlikely the use of the secondary IP.

If you like, you wouldnt need to have sencondary IP's, you can use just the no monitor interface command and that way you wouldnt need to use them. However, it is not a best practice because you wont be able to determine if there is an interface problem.

I hope this is helpful, Any questions let me know.

Mike Rojas

Re: firewall failove

mirehteshamali — Sat, 05 Mar 2011 06:58:10 GMT

thanks for prompt reply

can i say no monitor outside

use any dummy ip for secondary (may be this ip is allocated to another costomer by the isp but i dont care as i m using it internally but as for as "global presence / reach is concerned i have one ip for me " ) and still continue with one ip for outside as secondary is never used for connectivity or rechability .

thanks

Re: firewall failove

Maykol Rojas — Sat, 05 Mar 2011 07:00:55 GMT

Hi,

If you dont have an available IP, first option would be better, never thought of the second one, but I guess you can do something like that

Cheers

Mike

Re: firewall failove

mirehteshamali — Sat, 05 Mar 2011 09:35:47 GMT

Any one can confirm that to me ,

Re: firewall failove

Maykol Rojas — Sat, 05 Mar 2011 17:43:14 GMT

Hi,

The problem is that the IP has to be on same broadcast domain, so you may to make your mask on the outside bigger, it will not match with the one with your ISP but other than that you wont have any issues.

Mike

Re: firewall failove

mirehteshamali — Sun, 06 Mar 2011 08:18:39 GMT

Thanks for reply