05-05-2007 11:03 AM - edited 03-11-2019 03:09 AM
Hi,
I am reviewing the PIX config of my client, who is configuring a deny ip any any ACL on the failover interface between the 2 failover units!!
I was confused by this configuration and just would like to check if this will deny the stateful information flow between the 2 firewalls?
Please advise!
Regards,
Haitham
05-12-2007 06:38 PM
There should be NO ACL. Don't use a crossover Ethernet cable or fiber to connect the two failover LAN interfaces. Instead, each interface should connect to a switch port so that the link status is always up on one firewall interface if the other firewall interface fails. Otherwise, both units sense a link-down condition and assume that their interfaces have a failover.
Yes, a crossover will work, but it isn't a best practice.
Please rate if you are satisfied.
Cheers!
05-12-2007 07:37 PM
Even if there is an ACL that has a deny any any on the failover link interfaces, the failover communication still works.
But personally I prefer to remove it!
Sincerely,
Patrick