Contributor

firewall failover

Dears
 
Please find the attached topology.
 
I have a problem understanding the failover. Whenever the port-channel interface of DC-1 fails, it shifts over to the DC-2 FW, but the perimeter firewalls don't shift and the traffic gets dropped. Hence, if I am not wrong, by default the failover should happen on the perimeter as well. Please confirm.

 

thanks

2 ACCEPTED SOLUTIONS

Accepted Solutions
Enthusiast

Re: firewall failover

Hi,

As per your topology, you need a switch between DC-FW and INT-FW, because whenever your A or B interface goes down, DC-FW switches over, and that will not affect the INT-FW because your C, D, E, F interfaces are up.

INT-FW switchover occurs only when the C, D, E, F interfaces go down.

 

HTH

Abheesh 

VIP Advisor

Re: firewall failover

There is always more than one solution ... But in this scenario, the switch between the two firewall systems is the most common one and proven to work as expected.

5 REPLIES
Collaborator

Re: firewall failover

Can you please clarify which port-channel we are referring to?

As long as monitoring is configured with the right interfaces and the failover condition meets the requirements, it automatically fails over to the standby.

To confirm, we also need to understand your configuration along with your diagram.

 

BB
*** Rate All Helpful Responses ***
VIP Advisor

Re: firewall failover

For me it looks like "works as designed" ...

The INT-FW are probably the perimeter firewalls in your description. These have no clue that there is a change in upstream reachability. Because these are independent systems, you should make sure that both INT-FW can equally reach both DC1 and DC2 firewalls. Typically you achieve this with an additional (redundant) switch between these firewall systems.

Contributor

Re: firewall failover

Dear

So you are confirming that we need a switch between the DC firewall and the perimeter firewall to address this issue, and there is no other solution that can help to solve this problem?

Please advise.
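
The behaviour described in the replies above, as an added example that is not part of any post in this thread: a small Python model of two independent active/standby pairs, each failing over only on its own monitored interfaces. The unit names (`INT-FW-1`, `DC-FW-1`, and so on) and both cabling layouts are assumptions, because the attached topology is not reproduced on the page.

```python
from itertools import product

INT_UNITS = ("INT-FW-1", "INT-FW-2")   # hypothetical unit names
DC_UNITS = ("DC-FW-1", "DC-FW-2")

# Assumed cabling (the attached topology is not shown on the page).
DIRECT = set(zip(INT_UNITS, DC_UNITS))          # each INT unit wired to one DC unit
SWITCHED = set(product(INT_UNITS, DC_UNITS))    # switch between pairs: any-to-any


class Pair:
    """Active/standby pair; fails over only when its own monitored interface drops."""

    def __init__(self, units):
        self.units = units
        self.active = units[0]
        self.unhealthy = set()

    def monitored_interface_down(self, unit):
        self.unhealthy.add(unit)
        healthy = [u for u in self.units if u not in self.unhealthy]
        if self.active in self.unhealthy and healthy:
            self.active = healthy[0]


def run(links, failed_units):
    """Return (active INT unit, active DC unit, traffic passes?) after the failures."""
    int_pair, dc_pair = Pair(INT_UNITS), Pair(DC_UNITS)
    for unit in failed_units:
        pair = int_pair if unit in INT_UNITS else dc_pair
        pair.monitored_interface_down(unit)
    return int_pair.active, dc_pair.active, (int_pair.active, dc_pair.active) in links


SCENARIOS = {
    "no failure": [],
    "DC-FW-1 port-channel (A or B) down": ["DC-FW-1"],
    "INT-FW-1 monitored interface down": ["INT-FW-1"],
    "both primaries lose an interface": ["DC-FW-1", "INT-FW-1"],
}


def compare():
    """Map each scenario to traffic outcome under direct and switched cabling."""
    return {name: (run(DIRECT, f)[2], run(SWITCHED, f)[2]) for name, f in SCENARIOS.items()}


if __name__ == "__main__":
    for name, (direct_ok, switched_ok) in compare().items():
        print(f"{name:40} direct={direct_ok!s:5} switched={switched_ok}")
```

With direct cabling, traffic passes only while both pairs happen to be active on the same side; with a switch between the pairs, every single-pair failover still leaves a path.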
