We have Client in Cork want to know about the FW HA across Different Location.
We have some ideas of spreading current firewall cluster between new Data Cente in Dublin and DR site different location.
Is it not good idea because of possible split brain scenarios due to periodical link latency.
Basically to take passive current FW appliance and rack it to different location so that active/passive cluster is spread .
You can overcome any latency situation by adjusting the HA settings themselves, but I kind of have to ask why you would want to setup like this. Usually if you build out a different data center in a completely different location you utilize load-balancing or DNS changes to kick the traffic over when you need it. I've never seen anyone have such geographically diversified firewalls running in an active/passive pair; not because you can't do so, but why would you want to?
Yes it's possible, the recommendation would be to set the HA timers with the time consideration that it will take to travel whatever distance you are putting them across. This will depend on the link and how long it actually is. You'll need to set the HA Timers to 'Advanced' and actually manually set these in accordance with the latency on this link.
This type of setup would not be recommended. You're essentially asking to seperate an HA Active/Passive pair over 260km and expecting it to perform well.
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!
The LIVEcommunity thanks you for your participation!