...yes, I did it using an HA product, Stonebeat by Stonesoft. The actual version implements load sharing (not load balancing) capability.
You can use static routes (it's the suggested solution) instead of implementing a routing algorithm (less safe). In addition, since the MAC address is moved from one system to the other one, you do not have to take care of the ARP timeout of the routers' ARP table.
The switch is really fast and the TCP sessions (if the firewalls are synchronized) are not dropped.
The product has a built-in test subsystem that helps you to discover HW and SW faults.
The next version of Stonebeat software (it will be named Stonebeat cluster) will implement full load sharing.
You can find information and download a trial version from www.stonebeat.com
IMHO it is a really good product (I'm not from Stonesoft); the only problem is that (as with all the HA products) it's quite expensive.

Regards,
Luigi

Neil Lehrer wrote:
> hi,
>
> has anyone load balanced [with fail-over] a pair of firewalls on three
> sides? consider an implementation where there is an inside, outside, and
> dmz. traffic originates:
>
> inside to outside
> inside to dmz
>
> dmz to outside
> dmz to inside
>
> outside to dmz
>
> with this config i would think i need load balancing devices on all 3
> sides to assure correct functioning.
>
> would there be any issues based on the type of firewall?
>
> comments?
>
> thanks.
>
> --
>
> regards
>
> +++++++++++++++++++++++++++++++++++++++++++++++
> + Neil Lehrer
> +
> + International Broadcasting Bureau
> + System Development Division
> +
> + voice 202 619-2524
> + fax 202 619-3576
> + [EMAIL PROTECTED]
> +
> + " is this crisis an opportunity or just
> + another grab the fire extinguisher moment?"
> +
> ++++++++++++++++++++++++++++++++++++++++++++++++
> -
> [To unsubscribe, send mail to [EMAIL PROTECTED] with
> "unsubscribe firewalls" in the body of the message.]