All,

Bret's routing solution is an excellent option; I've personally done this as well, although instead of extra routers we used a combination of floating statics and default route advertisement, mostly implemented with GateD on the firewall boxes. (Yes, I know it's less than ideal to be running dynamic routing protocols on a firewall, but it's the price you pay for redundancy :-)

Another option you may want to consider is a load-balancing product with failover capabilities, e.g. RAD's FireProof line of products. Not only do you get a failover solution, but better throughput (an especially important consideration for AG firewalls).

Be aware that, with AGs like Gauntlet, you will most likely lose some connections in the event of a firewall failure. If your application(s) attempt to re-establish connections, you should be fine. OTOH, if your applications depend on persistent, unbroken connections, you're screwed. One advantage (one of the few IMHO :-) of SPFs is that they can share state information, so the failover impact on established connections is minimal.

A failover time of one second is probably unrealistic; even the best failover solutions I've seen take at least a few seconds, and sometimes much longer. Failover mechanisms depend on the exchange of information (pings, heartbeat messages, multicast, routing updates, sync messages, etc.) from one device to others. A brief absence of such exchanges *might* indicate a failure. If your time threshold is too low, you might get a lot of accidental failovers caused by sluggish servers, network delay, munched packets, etc.

In any event, do your best, and then plan for failure anyway. There's no such thing as 100% uptime, and if any failover solutions vendor tells you otherwise, they're lying. You might want to review your expectations, and a little contingency planning never hurt anyone.

Regards,
Christopher Zarcone
Network Security Consultant
RPM Consulting, Inc.
#include <std.disclaimer.h>
My opinions are completely my own and based on no useful knowledge whatsoever, and in fact should not be considered by anyone.

>Date: Fri, 27 Aug 1999 09:17:54
>From: Technical Incursion Countermeasures <[EMAIL PROTECTED]>
>Subject: Re: Redundant of Guantlet FW
>
>You can use a couple of routers to put the second Gauntlet "off to one
>side". Then it works as two independent firewalls with the second one being
>slightly less likely to get packets (more expensive route). The sites I've
>seen it set up on it works without a glitch - better than the problems you
>get trying to keep state tables synched :}...
>
>>Currently, I'm using Gauntlet FW running on Solaris 2.6 to protect the on-line payment server.
>>Since transactions to the server are extremely critical, the server and the firewall cannot afford to be down even
>>for a second (down time = money lost).
>>Are there any solutions to avoid Single Points of Failure (SPOFs)? Such as a mirror or redundant firewall.
>>As I know, StoneBeat can make Check Point Firewall-1 redundant. Unfortunately, it does not support Gauntlet FW?
>>Any suggestions will be appreciated.
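The point about failover thresholds in the reply above (a heartbeat gap "might" mean failure, and a threshold that is too low causes accidental failovers) is easy to see in a small simulation. The following is an added example and not code from anyone in the thread: it models a standby firewall that declares failover after a number of consecutive expected heartbeats from its peer have not arrived, then runs a constructed heartbeat timeline (a one-second heartbeat, one heartbeat delayed by a sluggish peer, then a real outage) against an aggressive one-miss policy and a more conservative three-miss policy. The policy names, the `FailoverPolicy` class and the timeline values are all assumptions made for the illustration.

```python
"""Heartbeat failure detector with a tunable miss threshold.

Added example, not part of the original mailing-list post. The heartbeat
timeline below is constructed for the illustration, not captured from a
real system.
"""
from dataclasses import dataclass
from typing import Dict, List, Sequence, Tuple

Event = Tuple[float, str]  # (time in seconds, "failover" or "recover")


@dataclass(frozen=True)
class FailoverPolicy:
    """How long the standby waits before it decides the peer is dead."""
    interval: float  # expected seconds between peer heartbeats
    misses: int      # consecutive missed heartbeats tolerated before failover

    @property
    def dead_after(self) -> float:
        # The peer is declared dead once this much time passes with no heartbeat.
        return self.interval * self.misses


def failover_events(heartbeats: Sequence[float], policy: FailoverPolicy,
                    end_time: float, start: float = 0.0) -> List[Event]:
    """Replay heartbeat arrival times and return the failover/recover events.

    A heartbeat is assumed to have been seen at `start`. A "failover" is
    emitted at the instant the silence exceeds policy.dead_after; a
    "recover" is emitted if a heartbeat from the peer shows up afterwards
    (i.e. the failover was spurious: the peer was only slow, not down).
    """
    events: List[Event] = []
    last_seen = start
    failed = False
    for t in sorted(heartbeats):
        if not failed and t - last_seen > policy.dead_after:
            events.append((last_seen + policy.dead_after, "failover"))
            failed = True
        if failed:
            events.append((t, "recover"))
            failed = False
        last_seen = t
    # Silence at the end of the timeline: a genuine outage with no recovery.
    if not failed and end_time - last_seen > policy.dead_after:
        events.append((last_seen + policy.dead_after, "failover"))
    return events


def spurious_failovers(events: Sequence[Event]) -> int:
    """Count failovers that were followed by a recovery (the peer was alive)."""
    count = 0
    for (_, kind), (_, next_kind) in zip(events, events[1:]):
        if kind == "failover" and next_kind == "recover":
            count += 1
    return count


# Constructed timeline (assumption): peer heartbeats once per second.
# The 11th heartbeat is delayed to t=12.4 by a sluggish peer; heartbeats
# resume at t=13 and stop for good after t=20 (a real failure). We watch
# until t=30.
HEARTBEATS = [float(t) for t in range(1, 11)] + [12.4] + [float(t) for t in range(13, 21)]
END_TIME = 30.0

POLICIES: Dict[str, FailoverPolicy] = {
    "aggressive_1s": FailoverPolicy(interval=1.0, misses=1),   # the "one second" wish
    "conservative_3s": FailoverPolicy(interval=1.0, misses=3),
}


def run_demo() -> Dict[str, List[Event]]:
    """Run every policy over the constructed timeline."""
    return {name: failover_events(HEARTBEATS, pol, END_TIME)
            for name, pol in POLICIES.items()}


if __name__ == "__main__":
    for name, events in run_demo().items():
        print(f"{name}: {events}  spurious={spurious_failovers(events)}")
```

With the one-miss policy the 1.4-second hiccup at t=12.4 triggers a failover at t=11 and a recovery at t=12.4 before the real outage is caught at t=21; the three-miss policy ignores the hiccup and still catches the real outage, just two seconds later (t=23). That two seconds is the price of not flapping, which is the trade-off the reply is describing.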
