Failover Communication

Unanswered Question
May 5th, 2007

Hi,


I am reviewing the PIX config of my client, who is configuring a deny ip any any ACL on the failover interface between the 2 failover units!


I was confused by this configuration and would just like to check whether this will deny the stateful information flow between the 2 firewalls.


Please advise!


Regards,

Haitham


There should be NO ACL. Don't use a crossover Ethernet cable or fiber to connect the two failover LAN interfaces. Instead, each interface should connect to a switch port so that the link status is always up on one firewall interface if the other firewall interface fails. Otherwise, both units sense a link-down condition and assume that their interfaces have failed.


Yes, a crossover will work; but it isn't a best practice.


Please rate if you are satisfied.


Cheers!
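For anyone doing the same kind of config review, here is an added Python check (written for this edit, not posted by either participant in the thread) that parses a PIX 7.x-style configuration and flags any access-group bound to an interface named by `failover lan interface` or `failover link`, noting whether that ACL contains a `deny ip any any` line. The sample configuration, the interface names FOLINK and STATELINK, and the ACL names are constructed for the example and are not from the original post.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample of a PIX 7.x-style configuration (not from the thread).
# The access-group bound to the failover LAN interface at the bottom is the
# pattern the original poster was asking about.
SAMPLE_CONFIG = """\
hostname pix-primary
interface Ethernet0
 nameif outside
 security-level 0
 ip address 203.0.113.2 255.255.255.0 standby 203.0.113.3
interface Ethernet1
 nameif inside
 security-level 100
 ip address 10.1.1.1 255.255.255.0 standby 10.1.1.2
interface Ethernet2
 description LAN Failover Interface
interface Ethernet3
 description STATE Failover Interface
failover
failover lan unit primary
failover lan interface FOLINK Ethernet2
failover link STATELINK Ethernet3
failover interface ip FOLINK 192.168.254.1 255.255.255.0 standby 192.168.254.2
failover interface ip STATELINK 192.168.253.1 255.255.255.0 standby 192.168.253.2
access-list DENYALL extended deny ip any any
access-list OUTSIDE_IN extended permit tcp any host 203.0.113.10 eq 443
access-list OUTSIDE_IN extended deny ip any any
access-group OUTSIDE_IN in interface outside
access-group DENYALL in interface FOLINK
"""


def failover_interfaces(config: str) -> Dict[str, str]:
    """Map each failover interface name to its physical interface.

    Covers both the LAN failover link ("failover lan interface NAME PHYS")
    and the stateful failover link ("failover link NAME [PHYS]"); the
    physical interface is optional on "failover link" when it shares the
    LAN failover interface, so an empty string is recorded in that case.
    """
    found: Dict[str, str] = {}
    pattern = r"^failover (?:lan interface|link) (\S+)(?: (\S+))?"
    for match in re.finditer(pattern, config, re.M):
        found[match.group(1)] = match.group(2) or ""
    return found


def access_group_bindings(config: str) -> List[Tuple[str, str, str]]:
    """Return (acl_name, direction, interface_name) for every access-group line."""
    return re.findall(r"^access-group (\S+) (in|out) interface (\S+)", config, re.M)


def acl_has_deny_any(config: str, acl_name: str) -> bool:
    """True if the named ACL contains an explicit 'deny ip any any' entry."""
    pattern = rf"^access-list {re.escape(acl_name)} (?:extended )?deny ip any any\b"
    return re.search(pattern, config, re.M) is not None


def audit_failover_acls(config: str) -> List[str]:
    """Flag every ACL bound to a failover interface, for the reviewer to act on."""
    findings: List[str] = []
    fo_ifaces = failover_interfaces(config)
    for acl, direction, ifname in access_group_bindings(config):
        if ifname not in fo_ifaces:
            continue
        note = f"ACL {acl} is bound {direction} on failover interface {ifname}"
        if acl_has_deny_any(config, acl):
            note += " and contains 'deny ip any any'"
        # Suggested remediation, matching the advice in the reply above.
        note += f"; remove with: no access-group {acl} {direction} interface {ifname}"
        findings.append(note)
    return findings


if __name__ == "__main__":
    for line in audit_failover_acls(SAMPLE_CONFIG):
        print(line)
```

Run it against a saved `show running-config` instead of SAMPLE_CONFIG to get the list of bindings to review; an empty result means no ACL is applied to any failover interface.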

Patrick Iseli Sat, 05/12/2007 - 19:37

Even if there is an ACL with a deny any any on the failover link interface, the failover communication still works.


But personally I prefer to remove it!


Sincerely,

Patrick
