#For a routing firewall (i.e. from NAT to public space, or a gateway
#machine acting as a firewall), have your failover machine inside the
#trusted network pinging the private (gateway) interface of the normal
#firewall. On a failure, have the failover machine change its IP
#address on its private interface to that of the gateway, and have it
#bring up the public interface (which should be on the same network
#segment as the public interface for the production firewall).
This would probably work 80% of the time, but there are some instances
where it would not work. If the primary firewall has a bad internal
network card or there is a network problem (i.e. a bad cable or something)
that prevents the ping from reaching the primary firewall, then when the
secondary firewall assumes the IP address of the primary you will see an
ARP battle. Both of the external interfaces will answer to the same IP
address. Also, if you do implement this you will want each firewall to
have its own IP address and then use a shared IP address that is
advertised as the gateway to your network and is assumed by whoever is the
primary. I have seen this idea implemented and it ended up being more
trouble than it was worth. A hot standby configured exactly the same, where
you just plug in the cables, would be less hassle and almost as good. You
would also have to work out a way for the primary to come back up as a
secondary, or for the secondary that has promoted itself to primary to go
back to being a secondary when the primary comes back up.
Regards,
Jeffery Gieser
-
[To unsubscribe, send mail to [EMAIL PROTECTED] with
"unsubscribe firewalls" in the body of the message.]
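The two failure modes Jeffery describes (a false failover when only the internal ping path is broken, and a duplicate-address conflict when the primary reboots) can be shown with a small model. This is an added illustration, not code from the list or from any firewall product: `Firewall`, `naive_decide` and `cautious_decide` are hypothetical names, and "reachability" is modelled as flags rather than real ICMP.

```python
"""Model of ping-triggered firewall failover and its split-brain pitfalls."""
from dataclasses import dataclass


@dataclass
class Firewall:
    name: str
    internal_nic_ok: bool = True   # private-side NIC/cable healthy?
    box_alive: bool = True         # machine actually up?
    holds_vip: bool = False        # currently answering for the shared gateway IP?


def reachable_internally(fw: Firewall) -> bool:
    # The standby's ping crosses the trusted LAN to the private interface,
    # so a bad internal NIC or cable looks exactly like a dead box.
    return fw.box_alive and fw.internal_nic_ok


def reachable_externally(fw: Firewall) -> bool:
    # A second vantage point (a probe on the public segment) only needs the box up.
    return fw.box_alive


def naive_decide(primary: Firewall, standby: Firewall) -> None:
    """Quoted scheme: promote the standby whenever the internal ping fails."""
    if not reachable_internally(primary):
        standby.holds_vip = True


def cautious_decide(primary: Firewall, standby: Firewall) -> None:
    """Promote only when the primary is dead on both paths; release the shared
    IP again as soon as the primary is back, so only one box ever holds it."""
    primary_down = not reachable_internally(primary) and not reachable_externally(primary)
    standby.holds_vip = primary_down


def vip_owners(*fws: Firewall) -> list:
    """Names of every box answering for the shared IP; >1 means an ARP battle."""
    return [fw.name for fw in fws if fw.holds_vip]


def run(decide, internal_nic_ok: bool, box_alive: bool) -> list:
    # Constructed scenario: the primary keeps answering for the VIP while it is alive.
    primary = Firewall("fw1", internal_nic_ok, box_alive, holds_vip=box_alive)
    standby = Firewall("fw2")
    decide(primary, standby)
    return vip_owners(primary, standby)


def failover_then_recover(decide) -> list:
    # Constructed scenario: primary dies, standby promotes, primary reboots
    # with its normal config and claims the gateway address again.
    primary, standby = Firewall("fw1", box_alive=False), Firewall("fw2")
    decide(primary, standby)
    primary.box_alive, primary.holds_vip = True, True
    decide(primary, standby)
    return vip_owners(primary, standby)
```

Note that the cautious policy avoids the duplicate-address conflict but does not restore service when only the primary's internal NIC has failed; that is the case the post says needs a proper shared-gateway design rather than a single ping.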