Hi Dick,
> Has anyone set up a hot firewall backup for their system? We are
> wanting to provide as close to 24x7 access to the Web as we can,
> and would like to put in a hot backup for the firewall.
I have not installed one, but I've done a proof-of-concept on the
below, and it works well.
                 World
                   |
            Router_To_World
                   |
    ============================
         |                |
     Firewall_A       Firewall_B
         |                |
    ============================
         |                |
     Router_A         Router_B ......
         |                |
     Int_Net_A        Int_Net_B
Router_A and Router_B would be your departmental routers, or your
campus routers, depending on the size of your network.
Regardless, they're meant to be the "top" or the hierarchical
network one step below the common meet point or DMZ.
Router_A is configured to default to Firewall_A.
Router_A has a less preferable default route to Firewall_B.
Router_B is configured to default to Firewall_A (just like Router_A).
Router_B has a less preferable default route to Firewall_B.
In the situation where Firewall_A were to break, Router_A would
realize that that route wasn't available, and switch over to
Firewall_B. This can be done manually or automatically.
This sort of construction gives you some very very nifty possibilities,
like loadsharing between firewalls from your internal network with
fully meshed redundancy and such.... Router_A could default
primary to Firewall_A and secondary to Firewall_B, as well as
Router_B defaulting primary Firewall_B, and secondary to
Firewall_A.
> We have
> been unable to resolve IP addressing and routing questions, and
> have found no auto-sensing and -switching device to make this
> work.
Well, certainly the "broked-ness" of the firewall can vary. The
above situation can be constructed to fall over automatically when
a firewall's interface crashes (i.e. power problem or crash). If
this isn't a good enough "broked", then you could script some
checking from inside and trigger manual fall-over.
The issue of synchronizing the databases (not logs) is rather
straightforward, yet time consuming...
> Has anyone done this sort of thing? Any suggestions? Or
> people to contact for advice? Thanks.
If the above stuff is interesting, or if you've questions, mail
me.
See you,
Alan
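The following is an added example, not part of Alan's message, that models the routing scheme he describes: each internal router holds a preferred default route and a less preferable ("floating") default route to the other firewall, and falls back when the preferred next hop is unusable. It also shows the difference between the two failure detections he mentions: an interface going down (caught automatically) versus a firewall whose link is up but which no longer forwards (caught only by a scripted check from inside). The router/firewall names follow the diagram; the `Router`, `DefaultRoute`, `make_probe` and `failover_scenarios` names, the preference values, and the link/health states are constructed for this illustration.

```python
"""Model of the dual-firewall default-route scheme from the post above.

Each internal router carries two default routes with different
preferences. When the preferred next hop is unusable the router uses the
other firewall. All names and states here are constructed for the example.
"""
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional


@dataclass
class DefaultRoute:
    next_hop: str     # firewall name, e.g. "Firewall_A"
    preference: int   # lower wins (like an administrative distance / metric)


@dataclass
class Router:
    name: str
    routes: List[DefaultRoute]
    # Link state per next hop; True = the interface towards it is up.
    link_up: Dict[str, bool] = field(default_factory=dict)

    def active_default(self, probe: Optional[Callable[[str], bool]] = None) -> Optional[str]:
        """Return the most preferred next hop that is usable.

        Automatic mode (probe=None): a route is unusable only if its link is
        down. Scripted mode: additionally require probe(next_hop) to succeed,
        which catches a firewall whose interface is up but which has stopped
        forwarding traffic.
        """
        for route in sorted(self.routes, key=lambda r: r.preference):
            if not self.link_up.get(route.next_hop, False):
                continue
            if probe is not None and not probe(route.next_hop):
                continue
            return route.next_hop
        return None


def build_topology(load_share: bool = False):
    """Two internal routers behind Firewall_A and Firewall_B.

    Without load sharing both routers prefer Firewall_A, as in the post.
    With load sharing Router_B prefers Firewall_B, so traffic is split and a
    failure of either firewall still leaves both routers with a path.
    """
    a_first = [DefaultRoute("Firewall_A", 1), DefaultRoute("Firewall_B", 10)]
    b_first = [DefaultRoute("Firewall_B", 1), DefaultRoute("Firewall_A", 10)]
    links = {"Firewall_A": True, "Firewall_B": True}
    router_a = Router("Router_A", list(a_first), dict(links))
    router_b = Router("Router_B", list(b_first if load_share else a_first), dict(links))
    return router_a, router_b


def make_probe(healthy: Dict[str, bool]) -> Callable[[str], bool]:
    """Constructed stand-in for an end-to-end check from the inside (for
    example fetching a known external page through the given firewall)."""
    return lambda fw: healthy.get(fw, False)


def failover_scenarios() -> Dict[str, tuple]:
    """Walk through normal operation, a link failure, and a hung firewall."""
    results = {}
    ra, rb = build_topology(load_share=True)
    results["normal"] = (ra.active_default(), rb.active_default())

    # Firewall_A's interface goes down: both routers see the link drop and
    # fall over to Firewall_B automatically.
    ra.link_up["Firewall_A"] = False
    rb.link_up["Firewall_A"] = False
    results["fw_a_link_down"] = (ra.active_default(), rb.active_default())

    # Link is back up, but Firewall_A silently stops forwarding: the
    # link-based check still trusts it, only the scripted probe notices.
    ra.link_up["Firewall_A"] = True
    rb.link_up["Firewall_A"] = True
    probe = make_probe({"Firewall_A": False, "Firewall_B": True})
    results["fw_a_hung_link_only"] = (ra.active_default(), rb.active_default())
    results["fw_a_hung_probed"] = (ra.active_default(probe), rb.active_default(probe))

    # Neither firewall passes the probe: no usable default route remains.
    probe_none = make_probe({})
    results["all_down"] = (ra.active_default(probe_none), rb.active_default(probe_none))
    return results


if __name__ == "__main__":
    for scenario, (a, b) in failover_scenarios().items():
        print(f"{scenario:22s} Router_A -> {a}  Router_B -> {b}")
```

The "fw_a_hung_link_only" case is the one to notice: with only interface-state detection, Router_A keeps sending to a firewall that is up but not forwarding, which is why the post suggests scripting a check from inside when a link drop is not a good enough definition of "broken".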
References:
[no subject] - From: "Dick Mosher" <dick_mosher @ wstnres . com>