OK to share DMZ int as stateful failover link?

DANIEL WANG
Level 1

We have two 515e PIXes at 6.3(3) with serial link failover enabled and are looking to set up stateful failover. But all four of our interfaces are being used. The DMZ interface has very little traffic to and from a lightly used public web server. Will it be wise to put stateful failover on it?

I guess I could configure the inside interface for stateful failover since we are only running a T1 connection to the outside. But I just wanted to choose the least used link for the stateful traffic.

Any security risk of using the DMZ interface that I can't foresee here?

Thanks!

2 Replies

gfullage
Cisco Employee

We don't recommend it, but in real life it should be OK. As long as the DMZ is lightly loaded then you should be OK, but you'll want to keep an eye on the traffic levels to make sure you don't affect traffic to the web server. I do it here in the lab all the time and push some pretty heavy loads through it.

With stateful failover, it's not so much the traffic load on the PIX that will cause a lot of failover traffic, but more the amount of new connections going through them that increases the stateful traffic. Even a lightly loaded PIX (low CPU) can have a large number of TCP and UDP sessions created on it, so just keep an eye on it and you should be OK.

Thanks very much. I will monitor the DMZ traffic load.
