We run redundant solutions for a number of our customers and have always
decoupled the routing and firewalling.
I can think of one situation where the customer manages the BGP and
firewall failover on their firewalls; it doesn't work too well.
The issue, as I see it, is that in the event of a device failure, if you
only have firewalls, you need to keep the firewall session states when
failing over to the second device; the BGP sessions will not be kept in an
active/passive HA setup, whereas user traffic states will. If you run in
an active/active setup, BGP states will remain up; however, user traffic
states will not always be transferred.
If you're only using one firewall then this is not going to be an issue
but it depends if the solution you're deploying has only redundant
connectivity or redundant equipment as well.
My experience is mainly using Juniper routers and firewalls, so I am not able
to comment on the Palo Alto platform.
Decoupling the two functions gives a much better model from an NSP sales
perspective as it means you're able to sell failover with no managed
equipment / just managed routers / full solution with routers and firewalls.
--
---
Patrick Sumby
Network Architect
Sohonet
On 07/12/2011 17:31, Gregory Croft wrote:
Hi All,
Does anyone have any experience with using firewalls as edge devices
when BGP is concerned?
Specifically the Palo Alto series of devices.
If so please contact me off list.
Thank you.
Thank you,
Gregory S. Croft