topic Edge Firewall Design in General Topics

Edge Firewall Design

s.williams1 — Wed, 27 Dec 2017 15:56:47 GMT

I am trying to design the edge firewall and core network currently and I have a core Layer not in a "stack" or "VSS" so they are independent Core switches. They are doing the routing to the private WAN, and will be doing the routing to the Edge Firewalls. ECMP requires a dynamic routing protocol which usually you wouldn't run on an edge firewall, you would just have the core set to default static route to the firewall. That being said not having a Stacked Core to operate as one, I would need each core switch connected to each firewall, so the paths are crossed. If I connect one core switch to one firewall and the other switch to the other firewall then a failure of the primary's firewall connected Core will fail the whole firewall pair over when they really didn't need to be. So I am interested in how others are designing their edge firewalls to the Internet?

Thoughts? Ideas? Caveats?

Re: Edge Firewall Design

9t89m8fu — Thu, 28 Dec 2017 14:46:30 GMT

First off, ECMP does not require a dynamic routing protocol. You can do ECMP with static routes if you want (not that I'm recommending this, but it's an option).

Second, there is absolutely no reason you couldn't run an IGP between your firewall cluster and L3 switches. This is perfectly fine, and common in larger networks. If your switches are not stacked, this is your best option (if anything, I would personally avoid stacking core switches).

Third, depending on your firewall model, ECMP may not get you any benefit. If your firewall can only process 1Gb/s for example, there's little benefit in having two ECMP 1Gb/s downlinks. All you really care about in that scenario is redundancy.

Re: Edge Firewall Design

s.williams1 — Thu, 28 Dec 2017 14:50:25 GMT

Yes I am not stacking core switches. Not even VSS. I rather let routing handle the failover. We have 3050s.

The 3650s would be running HSRP.

Re: Edge Firewall Design

OtakarKlier — Thu, 28 Dec 2017 22:38:47 GMT

Hello,

I take it that the PAN's would be Active/Active? Also is there a reason for the external switches and additional firewalls upstream? I try to follow the KISS principle and I try to make my PAN's the edge with the ISP upstream. I found that additional complexity upstream didnt help things, just made them worse.

Just my two cents.

Re: Edge Firewall Design

s.williams1 — Fri, 29 Dec 2017 16:18:20 GMT

PAs would be active/standby. I would never make my firewalls my edge, it limits my ability to traffic engineer my BGP traffic. I would never want my firewalls taking on public BGP route tables.

Re: Edge Firewall Design

OtakarKlier — Fri, 29 Dec 2017 16:33:03 GMT

Hello,

In light of that informtaion, I think your desgin looks OK. I always like to add device priority ina ddition to link and path monitoring.

Regards,

Re: Edge Firewall Design

DamianCleveland — Wed, 03 Jan 2018 19:23:06 GMT

Hello.

Great conversation.

I'm curious why you're going A/P over A/A, since there does appear to be a chance for asyncronous routing(if that makes sense).

Where I am, there are two Palos in AA, even though there's a singular internet connection(I didn't design it). However, I am responsible for rebuiliding things in a way similar to yours(except, it's been decided that VSS will run on the cores)

Thank you

Re: Edge Firewall Design

s.williams1 — Wed, 03 Jan 2018 19:52:30 GMT

I would never run VSS on the core. I keep them separate and let routing take care of the fail-over as well as leveraging ECMP where I can. VSS is a pain to upgrade and have had more outages doing upgrades on a VSS pair then separate units.

The asyncronous routing should be fine because the switches between the edge firewalls and the edge routers will be running HSRP so only one will be actively forwarding traffic.

Re: Edge Firewall Design

OtakarKlier — Wed, 03 Jan 2018 20:06:08 GMT

Hello,

As for the A/P vs A/A discussion, I see quite a lot of 'fixes' for A/A then A/P. Also in the past I have had many people ask me, why do you want that extra headache. I undertstand the need for A/A but I have worked in fairly large environments and a failover was never noticed. Granted we were not running voice or video over the PAN's :).

Regards,

Re: Edge Firewall Design

s.williams1 — Wed, 03 Jan 2018 20:07:44 GMT

I agree, the extra headache is not worth it. Just like my ASA days I tried to avoid multi-context Active/Active firewalls like the plague.

Re: Edge Firewall Design

OtakarKlier — Wed, 03 Jan 2018 20:11:59 GMT

I do the same with ASA's ;), aovoid them if I can. As for another A/P good thing. I used to upgrade a pair of 2050's years ago and I would VPN in with GP, upgrade the passive, reboot it, fail over, then upgrade and reboot the new passive without getting dropped from GP VPN.

Re: Edge Firewall Design

s.williams1 — Wed, 03 Jan 2018 20:14:00 GMT

Yes! Remote access for administration is criticial. I have a back door though on a cable modem connected to a PA500 for my "OOPS" moments.