Hello Nick,

Thanks for your comments. I kinda agree with you on avoiding transparent mode; however, it's not clear why you wouldn't want your north-south traffic to pass through perimeter security devices (FWs). How would you protect your network from the outside if you don't have firewalls in the traffic path? I have seen some enterprises use bypass switches to go around the firewalls in case of an unexpected failure from which the firewalls can't recover.

Thanks

On Mon, Aug 10, 2020 at 3:41 PM Nick Hilliard <n...@foobar.org> wrote:

> Yham wrote on 10/08/2020 19:53:
> > Hello Gentlemen,
> >
> > We are redesigning the core network where we have
> > - Edge routers peering BGP with internet providers and partners
> > - Perimeter firewalls to secure north-south traffic
>
> Unless there's a specific policy objective which overrides any technical consideration, you may want to consider not putting firewalls inline like this, as they often introduce serious failure modes which are difficult to work around. Best case in a service provider environment, they should service only the addresses which need to be firewalled and should not be used as the default configuration for all traffic.
>
> > I wanted to ask if there are best practices when deploying the perimeter firewalls?
> >
> > Is Active/Active better than the Active/Standby HA model?
>
> No, active/active is troublesome - you end up sharing state between multiple systems, which introduces complexity and potential for failure. Active/standby also keeps you honest by ensuring that you end up with resiliency.
>
> > Does a pair of firewalls in Routed mode perform better than in Transparent/Layer2 mode?
>
> You lose features in transparent mode, e.g. routing and a bunch of others. There's no compelling reason to use it for most situations.
>
> > Regarding firewall modes, I know you can't use some firewall features (such as VPN, NAT etc.) when in layer2 mode; however, in some Next-Gen firewalls you can make a certain pair of interfaces transparent to your upstream and downstream and another pair of interfaces in layer3 mode for VPN, NAT etc.
> >
> > Any comments, please?
>
> Keep as much traffic away from firewalls as possible. Keep your configuration as simple as possible (this takes time and effort). If you're using Juniper firewalls, keep each customer in an apply-group.
>
> Nick
> _______________________________________________
> cisco-nsp mailing list cisco-nsp@puck.nether.net
> https://puck.nether.net/mailman/listinfo/cisco-nsp
> archive at http://puck.nether.net/pipermail/cisco-nsp/
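To illustrate Nick's "keep each customer in an apply-group" advice, here is an added Junos SRX configuration sketch that is not part of the thread or of any poster's setup. The customer name, interface unit, zone names and the pre-existing `untrust` zone are all assumptions; the point is that everything belonging to one customer lives under a single group, so it can be reviewed, added or removed as a unit rather than hunted down across the configuration.

```junos
/* Added example, not from the thread. All names are hypothetical.
   Everything for customer "acme" lives in one group. */
groups {
    cust-acme {
        security {
            zones {
                security-zone acme {
                    interfaces {
                        ge-0/0/2.10;    /* assumed customer-facing unit */
                    }
                }
            }
            policies {
                /* "untrust" is assumed to be defined outside the group */
                from-zone acme to-zone untrust {
                    policy acme-outbound {
                        match {
                            source-address any;
                            destination-address any;
                            application [ junos-http junos-https junos-dns-udp ];
                        }
                        then {
                            permit;
                            log {
                                session-close;
                            }
                        }
                    }
                }
            }
        }
    }
}
/* Activating the group merges its contents into the running hierarchy.
   Removing the customer is then a single "delete groups cust-acme"
   (or "deactivate groups cust-acme" to keep the text for later). */
apply-groups [ cust-acme ];
```

`show configuration | display inheritance` shows the merged result, which is the quickest way to confirm that nothing for that customer exists outside its group.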