Gombeen666
Member Candidate
Topic Author
Posts: 109
Joined: Tue Jun 25, 2019 5:33 pm

Firewall software or hardware

Mon Jul 01, 2019 1:14 pm

Which is best: a single hardware firewall in front of two CCR1009s, or using the firewall on both CCRs?
 
cdiedrich
Forum Veteran
Posts: 939
Joined: Thu Feb 13, 2014 2:03 pm
Location: Basel, Switzerland // Bremen, Germany

Re: Firewall software or hardware

Mon Jul 01, 2019 2:04 pm

It depends on your needs.
Do you need stateful failover? Do you need DPI? Do you need address collection in the firewall to do further things with on the CCRs? Do you need application control?
Is firewall latency an issue? Do you need advanced logging facilities? Do you want it cloud managed? Do you need threat protection? What's your budget?

Anything from using the RouterOS integrated firewall, over a dedicated Linux VM, pfSense, CheckPoint or Fortigate, up to Palo Alto is possible and basically only depends on your needs, expectations and budget.

There is no ballpark perfect firewall.
-Chris
Christopher Diedrich
MTCNA, MTCUME, MTCWE
Basel, Switzerland
Bremen, Germany

There are 10 types of people: Those who understand binary and those who don't.
There are two types of people: Those who can extrapolate from incomplete data
 
Gombeen666
Member Candidate
Topic Author
Posts: 109
Joined: Tue Jun 25, 2019 5:33 pm

Re: Firewall software or hardware

Mon Jul 01, 2019 6:02 pm

As it stands I believe that the firewall settings have to be duplicated on both CCRs, and if that is not done then there is no failover, so I thought of having a hardware firewall in front of the CCRs.
 
cdiedrich
Forum Veteran
Posts: 939
Joined: Thu Feb 13, 2014 2:03 pm
Location: Basel, Switzerland // Bremen, Germany

Re: Firewall software or hardware

Tue Jul 02, 2019 10:53 am

You are correct about the need to duplicate settings, but that counts for every setting, not only the firewall. And once created and proven good, I consider a firewall rather static... And with some scripting you could automate the replication to the other peer.

When getting one firewall in front of the pair, keep in mind that you add another SPOF (unless you deploy an HA cluster of at least two devices) and you certainly add another layer of complexity.
If you still feel like doing so, I personally like Fortigates and Palo Alto PA-series as firewalls. They're pretty easy to configure, fast and resilient. And they offer a decent stateful failover when deployed in clusters. Not really cheap but worth the investment, IMO.

-Chris
 
sindy
Forum Guru
Posts: 4220
Joined: Mon Dec 04, 2017 9:19 pm

Re: Firewall software or hardware

Tue Jul 02, 2019 11:34 am

There is a MikroTik High Availability setup somewhere on GitHub which deals with synchronisation of configuration between two machines (so changes made on the active are mirrored to the standby); however, there is no method of synchronising firewall state (more precisely, the state of connection tracking, which is the only stateful part of the firewall), i.e. when the active machine fails and the standby one takes over, some connections get broken and have to be re-established.

@cdiedrich, do you know how HA clusters/pairs of Fortigate and PA behave in this regard?
Instead of writing novels, post /export hide-sensitive. Use find&replace in your favourite text editor to systematically replace all occurrences of each public IP address potentially identifying you by a distinctive pattern such as my.public.ip.1.
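A way to check that the firewall configuration really is mirrored between the two CCRs, as an added example that is not code from this thread or from the GitHub project mentioned above: it parses the text of `/ip firewall filter export` captured from each peer (the two exports below are constructed samples) and reports rules missing on the standby, rules only the standby has, and whether the shared rules sit in a different order, which matters because the filter is first-match.

```python
import shlex

# Constructed sample output of "/ip firewall filter export" from each peer (not from
# real devices); the long rule is wrapped with a trailing backslash as RouterOS does.
ACTIVE_EXPORT = """\
/ip firewall filter
add action=accept chain=input comment="established/related" \\
    connection-state=established,related
add action=drop chain=input comment="drop invalid" connection-state=invalid
add action=accept chain=input in-interface=ether2 protocol=icmp
add action=drop chain=input comment="drop everything else"
add action=drop chain=forward comment="guest to lan" in-interface=ether3
"""
STANDBY_EXPORT = """\
/ip firewall filter
add action=accept chain=input comment="established/related" \\
    connection-state=established,related
add action=drop chain=input comment="drop invalid" connection-state=invalid
add action=drop chain=input comment="drop everything else"
add action=accept chain=input in-interface=ether2 protocol=icmp
"""

def parse_rules(export_text):
    """Ordered list of {setting: value} dicts; backslash-wrapped lines are joined
    first and header/comment lines skipped."""
    rules, buf = [], ""
    for raw in export_text.splitlines():
        line = raw.rstrip()
        if line.endswith("\\"):            # continuation: glue the next line on
            buf += line[:-1] + " "
            continue
        line, buf = (buf + line).strip(), ""
        if line.startswith("add "):        # shlex keeps quoted comments as one token
            rules.append(dict(tok.partition("=")[::2] for tok in shlex.split(line[4:])))
    return rules

def compare_exports(active_text, standby_text):
    """Rules only on the active, only on the standby, and whether the shared rules
    are in a different relative order (first-match filtering: order matters)."""
    active, standby = parse_rules(active_text), parse_rules(standby_text)
    a_keys = [tuple(sorted(r.items())) for r in active]
    s_keys = [tuple(sorted(r.items())) for r in standby]
    return {
        "missing_on_standby": [r for r, k in zip(active, a_keys) if k not in s_keys],
        "extra_on_standby": [r for r, k in zip(standby, s_keys) if k not in a_keys],
        "order_differs": [k for k in a_keys if k in s_keys] != [k for k in s_keys if k in a_keys],
    }

if __name__ == "__main__":
    print(compare_exports(ACTIVE_EXPORT, STANDBY_EXPORT))
```

In the sample the standby lacks the forward-chain rule and has the ICMP accept placed after the final drop, so it would be shadowed; neither is visible from a plain line count of the two exports.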
 
cdiedrich
Forum Veteran
Posts: 939
Joined: Thu Feb 13, 2014 2:03 pm
Location: Basel, Switzerland // Bremen, Germany

Re: Firewall software or hardware

Tue Jul 02, 2019 1:09 pm

sindy wrote:
@cdiedrich, do you know how HA clusters/pairs of Fortigate and PA behave in this regard?

I do - absolutely seamless. All connections are always in sync. Dealing with those as my daily business...
 
Gombeen666
Member Candidate
Topic Author
Posts: 109
Joined: Tue Jun 25, 2019 5:33 pm

Re: Firewall software or hardware

Tue Jul 02, 2019 2:34 pm

cdiedrich wrote:
When getting one firewall in front of the pair, keep in mind that you add another SPOF (unless you deploy a HA cluster of at least two devices) and you certainly add another layer of complexity.

I agree it's another single point of failure, but I guess there is less chance of a hardware firewall failure?
 
cdiedrich
Forum Veteran
Posts: 939
Joined: Thu Feb 13, 2014 2:03 pm
Location: Basel, Switzerland // Bremen, Germany

Re: Firewall software or hardware

Tue Jul 02, 2019 2:58 pm

Gombeen666 wrote:
I agree it's another single point of failure but i guess there is less chances of a hardware firewall failure?

That's a misconception. It's built from the same components: power supplies (failure #1), fans (failure #2), semiconductors, physical connectors, HDDs/SSDs, etc. that are all subject to the same wear and tear.
The benefit of choosing those appliances will definitely be their SLAs...

In case you already have an HA virtualization environment in place, it might be worth considering virtual appliances of the above-mentioned and protecting the single instance through the hypervisor's HA techniques. For the cost of probably added latency, as the VMs don't have the custom ASICs the hardware has.

-Chris
