The existing PIX Stateful Packet Inspection requires that all packets pass through the same PIX to build up the stateful information. If packets pass through multiple PIXes in parallel, no one PIX may build up stateful information, and without proper stateful information packets will be dropped for security reasons.
In order to make PIX support Stateful Packet Inspection for network load balancing and failover, the stateful information needs to be synchronized among all participating PIX firewalls.
I'll check if we are offering anything on this yet or it should be on the roadmap.
You can easily replace the F5s with any Cisco or non-Cisco load-balancers. The load-balancers are the 'bread's and the firewall is the 'patty' in the middle.
2. The point to be noted here is: why would you want to load-balance? Back in those days, you might have needed to, because of the limiting processing capabilities of the (PIX) firewalls. But with such powerful boxes (the 535s) available, you may not have a need to, unless you are talking about the OC48+ range.
Please remember that in the only-redundant solution, the 'Failover' PIX costs only a fraction of the 'Unrestricted' license.
Firewalls are designed with security in mind. They do only very little routing functionality. Even for security purposes, they have to do a lot of processing, like looking into each and every packet before allowing it to pass through. They do not have knowledge about the network topology like routers running routing protocols and therefore may not be a good choice for load balancing.
As someone replied, maintaining the states between the devices and keeping them synchronized will be an additional burden for the firewalls.
Therefore it is always better to leave the firewall to do its job of security stuff and use other devices like routers (running BGP) for load balancing.
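An added illustration, not code from any poster in this thread: a toy model of the state problem described in the first post, where two firewalls keep separate, unsynchronized state tables. It compares per-packet round-robin distribution with a direction-independent per-flow hash at the load-balancers; the class and function names are hypothetical and the addresses are constructed sample data.

```python
import hashlib
from itertools import cycle

class StatefulFirewall:
    """Toy stateful inspector: inside hosts open flows, outside may only reply."""
    def __init__(self, name):
        self.name = name
        self.state = set()      # established flows, keyed inside -> outside

    def inspect(self, pkt):
        src, sport, dst, dport, direction = pkt
        if direction == "out":  # inside -> outside: create state and permit
            self.state.add((src, sport, dst, dport))
            return True
        # outside -> inside: permit only if it is the reverse of a known flow
        return (dst, dport, src, sport) in self.state

def symmetric_hash(pkt, n):
    """Flow hash that ignores direction, so both halves pick the same firewall."""
    src, sport, dst, dport, _ = pkt
    key = "|".join(sorted([f"{src}:{sport}", f"{dst}:{dport}"]))
    return hashlib.sha256(key.encode()).digest()[0] % n

def run(packets, pick):
    """Pass packets through two independent firewalls; pick(pkt) selects one."""
    fws = [StatefulFirewall("pix-a"), StatefulFirewall("pix-b")]
    return [fws[pick(p)].inspect(p) for p in packets]

# Constructed sample: an outbound packet and its reply, for two flows
PACKETS = [
    ("10.0.0.5", 40000, "198.51.100.7", 443, "out"),
    ("198.51.100.7", 443, "10.0.0.5", 40000, "in"),
    ("10.0.0.6", 40001, "198.51.100.7", 443, "out"),
    ("198.51.100.7", 443, "10.0.0.6", 40001, "in"),
]

def per_packet_round_robin():
    rr = cycle([0, 1])          # alternate firewalls packet by packet
    return run(PACKETS, lambda p: next(rr))

def per_flow_symmetric():
    return run(PACKETS, lambda p: symmetric_hash(p, 2))

if __name__ == "__main__":
    print("round-robin:", per_packet_round_robin())
    print("flow hash:  ", per_flow_symmetric())
```

With round-robin, each reply reaches the firewall that never saw the outbound packet and is dropped; with the symmetric hash, both directions of a flow stay on one firewall. The model does not cover failover, where the surviving unit still needs the synchronized state the first post asks about.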