Thread: [Fwbuilder-discussion] configuration for HA Firewalls to replicate config on fedora/centos
From: bagwemanisha <man...@gm...> - 2009-11-27 18:44:09
Hi,

Can you help me with a configuration document for configuring HA firewalls, operating system Fedora or CentOS? I need to update both firewalls simultaneously so that when one firewall goes down, the other firewall automatically becomes live.

Thanks in advance

Regards,
Maneesha
From: Frank T. <pc...@my...> - 2009-11-27 22:19:31
On Sat, 2009-11-28 at 00:06 +0530, bagwemanisha wrote:
> Hi,
>
> Can you help me with a configuration document for configuring HA
> firewalls, operating system Fedora or CentOS? I need to update both
> firewalls simultaneously so that when one firewall goes down, the
> other firewall automatically becomes live.
>
> Thanks in advance

You can use Heartbeat for keeping track of the active/passive nodes of the firewalls and use incron to copy over configurations as they change.

> Regards,
> Maneesha

--
Frank Tanner III (pc...@my...)
From: Trey N. <tn...@in...> - 2009-11-27 22:54:22
I personally like bridging the firewalls. That has the disadvantage of not maintaining established sessions, but it is very easy to implement and it is also very quick to fail over. Two bridging firewalls between two switches will use the spanning tree protocol to automatically reroute everything on failure with no extra configuration.

Trey Nolen

On Fri, 2009-11-27 at 15:19 -0700, Frank Tanner wrote:
> You can use Heartbeat for keeping track of the active/passive nodes of
> the firewalls and use incron to copy over configurations as they change.
From: John G. <jo...@ga...> - 2009-12-10 00:31:40
I would disable the scripts that fwbuilder executes to add NAT addresses to the physical interfaces and use keepalived to manage the transition between the 2 firewalls. Push the exact same config from the fwbuilder app to both firewalls so that when it goes active the rules are already in place. The VRRP config will allow you to run active/passive or active/active configurations as well as do load balancing.

Sample active/passive keepalived.conf:

    vrrp_sync_group VG1 {
        group {
            VI_1
            VI_2
        }
    }

    vrrp_instance VI_1 {
        # uncomment the line below to enable the master router on this system.
        state MASTER
        interface bond1
        track_interface {
            # Interface state we monitor
            bond0
            bond1
        }
        garp_master_delay 10
        smtp_alert
        virtual_router_id 51
        # Change the priority to 80 on secondary router
        priority 180
        nopreempt
        advert_int 1
        authentication {
            auth_type PASS
            auth_pass ******
        }
        virtual_ipaddress {
            98.x.x.1 # Public vip-1 WWW, Update and source
            98.x.x.2 # Public vip-2 ADS
            98.x.x.3 # Public vip-3 Blog
        }
    }

    vrrp_instance VI_2 {
        # uncomment the line below to enable the master router on this system
        state MASTER
        interface bond0
        track_interface {
            # Interface state we monitor
            bond0
            bond1
        }
        smtp_alert
        virtual_router_id 52
        # Change the priority to 80 on secondary router
        priority 180
        advert_int 1
        authentication {
            auth_type PASS
            auth_pass ****
        }
        virtual_ipaddress {
            10.x.x.254
        }
    }

John
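The checker below is an added example, not code from this thread, from fwbuilder or from keepalived. It parses the keepalived.conf of each firewall node and flags the VRRP settings that John's approach requires to match between the pair (virtual_router_id, virtual_ipaddress, authentication) and the one that must not match (priority, 180 on the master and 80 on the secondary). The sample configs are constructed, modelled on John's VI_1 instance, with a documentation-range placeholder VIP and a placeholder password.

```python
def parse_keepalived(text):
    """Parse keepalived's brace syntax into nested dicts; bare tokens map to True."""
    root, stack = {}, []
    cur = root
    for raw in text.splitlines():
        line = raw.split('#', 1)[0].strip()          # drop comments
        if not line:
            continue
        if line.endswith('{'):                       # block header, e.g. 'vrrp_instance VI_1 {'
            stack.append(cur)
            cur = cur.setdefault(' '.join(line[:-1].split()), {})
        elif line == '}':
            cur = stack.pop()
        else:                                        # 'key value' or a bare flag/address
            parts = line.split(None, 1)
            cur[parts[0]] = parts[1] if len(parts) > 1 else True
    return root

def check_vrrp_pair(master_text, backup_text):
    """Return findings for a MASTER/BACKUP keepalived pair; an empty list means consistent."""
    m, b = parse_keepalived(master_text), parse_keepalived(backup_text)
    findings = []
    for name in sorted(k for k in m if k.startswith('vrrp_instance ')):
        mi, bi = m[name], b.get(name, {})            # a missing instance shows up as differences
        # These must be identical or the two routers never form one VRRP group.
        for key in ('virtual_router_id', 'virtual_ipaddress', 'authentication'):
            if mi.get(key) != bi.get(key):
                findings.append(f'{name}: {key} differs between nodes')
        if int(mi.get('priority', 100)) <= int(bi.get('priority', 100)):
            findings.append(f'{name}: master priority must exceed backup priority')
        if bi.get('state') == 'MASTER':
            findings.append(f'{name}: both nodes start in state MASTER')
    return findings

# Constructed sample modelled on John's VI_1 (placeholder VIP and password, not real values).
MASTER_CONF = """\
vrrp_instance VI_1 {
    state MASTER
    virtual_router_id 51
    priority 180          # John's note: 80 on the secondary router
    authentication {
        auth_type PASS
        auth_pass PLACEHOLDER
    }
    virtual_ipaddress {
        192.0.2.1
    }
}
"""
BACKUP_CONF = MASTER_CONF.replace('state MASTER', 'state BACKUP').replace('priority 180', 'priority 80')
```

Running `check_vrrp_pair(MASTER_CONF, BACKUP_CONF)` returns an empty list for this pair; pushing a copy with a mistyped virtual_router_id or an unchanged priority to the second node produces one finding per mismatch.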