Yham wrote on 10/08/2020 19:53:
> Hello Gentlemen,
> We are redesigning the core network where we have
> - Edge routers peering BGP with internet providers and partners
> - Perimeter firewalls to secure north-south traffic
Unless there's a specific policy objective which overrides any technical
consideration, you may want to consider not putting firewalls inline
like this, as they often introduce serious failure modes which are
difficult to work around. Best case in a service provider environment,
they should service only the addresses which need to be firewalled and
should not be used as the default configuration for all traffic.
> I wanted to ask if there are best practices when deploying the
> perimeter firewalls?
> Is Active/Active better than an Active/Standby HA model?
No, active/active is troublesome - you end up sharing state between
multiple systems, which introduces complexity and potential for failure.
Active/standby also keeps you honest by ensuring that you end up with
resiliency.
> Does a pair of firewalls in Routed mode perform better than in
> Transparent/Layer 2 mode?
You lose features in transparent mode, e.g. routing and a bunch of
others. There's no compelling reason to use it for most situations.
> Regarding firewall mode, I know you can't use some firewall features (such
> as VPN, NAT etc.) when in Layer 2 mode; however, in some next-gen firewalls
> you can make a certain pair of interfaces transparent to your upstream and
> downstream and another pair of interfaces Layer 3 for VPN, NAT etc.
> Any comments, please?
Keep as much traffic away from firewalls as possible. Keep your
configuration as simple as possible (this takes time and effort). If
you're using Juniper firewalls, keep each customer in an apply-group.
Nick
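As an added illustration of the "one customer per apply-group" advice above (this is not configuration from the thread or from Juniper; the customer name, zone name, interface unit and the 203.0.113.0/24 prefix are hypothetical, and the `untrust` zone is assumed to exist outside the group), this is the shape a per-customer group takes on an SRX:

```junos
/* Added example, not from the thread: everything belonging to one customer
   lives in a single group, so it can be audited, applied or removed as a unit.
   Names and the 203.0.113.0/24 prefix are hypothetical (RFC 5737 space). */
groups {
    cust-acme {
        security {
            address-book {
                global {
                    address acme-servers 203.0.113.0/24;
                }
            }
            zones {
                security-zone acme {
                    interfaces {
                        ge-0/0/1.100;
                    }
                }
            }
            policies {
                /* Only the addresses that need firewalling get a policy;
                   nothing here pulls unrelated traffic through the box. */
                from-zone untrust to-zone acme {
                    policy acme-inbound-https {
                        match {
                            source-address any;
                            destination-address acme-servers;
                            application junos-https;
                        }
                        then {
                            permit;
                        }
                    }
                }
                from-zone acme to-zone untrust {
                    policy acme-outbound {
                        match {
                            source-address acme-servers;
                            destination-address any;
                            application any;
                        }
                        then {
                            permit;
                        }
                    }
                }
            }
        }
    }
}
/* Applying the group at the top level is the only coupling to the rest of the
   configuration; removing this entry (and the group) decommissions the customer. */
apply-groups [ cust-acme ];
```

Because group contents are inherited rather than copied, `show configuration | display inheritance` is the view to use when checking what the firewall actually enforces for that customer; the plain `show configuration` output only shows the group and the `apply-groups` line.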
_______________________________________________
cisco-nsp mailing list [email protected]
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/