Firewall High-Availability

The following diagram depicts a simplified, hypothetical, physical connection diagram between a client and a server that are connected using routed networks, which are separated by a pair of firewalls.

digraph firewall { splines = true; overlab = prism; edge [ color=gray50, fontname=Calibri, fontsize=11 ]; node [ style=filled, shape=record, fontname=Calibri, fontsize=11 ]; "grid1x1" [style=invis, shape=point]; "Client"; "grid1x3" [style=invis, shape=point]; { rank=same "grid1x1" "Client" "grid1x3" } "Firewall #1" [fontcolor="green"]; "grid2x2" [style=invis, shape=point]; "Firewall #2"; { rank=same "Firewall #1" "grid2x2" "Firewall #2" } "grid3x1" [style=invis, shape=point]; "Server"; "grid3x3" [style=invis, shape=point]; { rank=same "grid3x1" "Server" "grid3x3" } "grid1x1" -> "Client" -> "grid1x3" [style=invis]; "Firewall #1" -> "grid2x2" -> "Firewall #2" [style=invis]; "grid3x1" -> "Server" -> "grid3x3" [style=invis]; "Client" -> "Firewall #1" [dir="none"]; "Client" -> "Firewall #2" [dir="none"]; "Firewall #1" -> "Server" [dir="none"]; "Firewall #2" -> "Server" [dir="none"]; }

If a client’s connection to a server were to descend the first firewall, but the server uses the second firewall as its gateway for routed network traffic back to the client, it will not accept the traffic. This is depicted by the following diagram:

digraph firewall { splines = true; overlab = prism; edge [ color=gray50, fontname=Calibri, fontsize=11 ]; node [ style=filled, shape=record, fontname=Calibri, fontsize=11 ]; "grid1x1" [style=invis, shape=point]; "Client"; "grid1x3" [style=invis, shape=point]; { rank=same "grid1x1" "Client" "grid1x3" } "Firewall #1" [fontcolor="green"]; "grid2x2" [style=invis, shape=point]; "Firewall #2" [fontcolor="red"]; { rank=same "Firewall #1" "grid2x2" "Firewall #2" } "grid3x1" [style=invis, shape=point]; "Server"; "grid3x3" [style=invis, shape=point]; { rank=same "grid3x1" "Server" "grid3x3" } "grid1x1" -> "Client" -> "grid1x3" [style=invis]; "Firewall #1" -> "grid2x2" -> "Firewall #2" [style=invis]; "grid3x1" -> "Server" -> "grid3x3" [style=invis]; "Client" -> "Firewall #1" [color="green"]; "Client" -> "Firewall #2" [dir="none"]; "Firewall #1" -> "Server" [color="green"]; "Firewall #2" -> "Server" [dir="back", color="green"]; }

Therefore, the traffic from the server back to the client (the “response”, if you will) will need to descend the same firewall as the inbound traffic;

digraph firewall { splines = true; overlab = prism; edge [ color=gray50, fontname=Calibri, fontsize=11 ]; node [ style=filled, shape=record, fontname=Calibri, fontsize=11 ]; "grid1x1" [style=invis, shape=point]; "Client"; "grid1x3" [style=invis, shape=point]; { rank=same "grid1x1" "Client" "grid1x3" } "Firewall #1" [fontcolor="green"]; "grid2x2" [style=invis, shape=point]; "Firewall #2"; { rank=same "Firewall #1" "grid2x2" "Firewall #2" } "grid3x1" [style=invis, shape=point]; "Server"; "grid3x3" [style=invis, shape=point]; { rank=same "grid3x1" "Server" "grid3x3" } "grid1x1" -> "Client" -> "grid1x3" [style=invis]; "Firewall #1" -> "grid2x2" -> "Firewall #2" [style=invis]; "grid1x1" -> "grid2x2" -> "grid3x1" [style=invis]; "grid3x1" -> "Server" -> "grid3x3" [style=invis]; "Client" -> "Firewall #1" [color="green"]; "Client" -> "Firewall #1" [dir=back, color="green"]; "Client" -> "Firewall #2" [dir="none"]; "Firewall #1" -> "Server" [color="green"]; "Firewall #1" -> "Server" [dir="back", color="green"]; "Firewall #2" -> "Server" [dir="none"]; }

For a fail over situation, both the traffic from the client to the server and the traffic from the server to the client will need to descend the second firewall:

digraph firewall { splines = true; overlab = prism; edge [ color=gray50, fontname=Calibri, fontsize=11 ]; node [ style=filled, shape=record, fontname=Calibri, fontsize=11 ]; "grid1x1" [style=invis, shape=point]; "Client"; "grid1x3" [style=invis, shape=point]; { rank=same "grid1x1" "Client" "grid1x3" } "Firewall #1"; "grid2x2" [style=invis, shape=point]; "Firewall #2" [fontcolor="green"]; { rank=same "Firewall #1" "grid2x2" "Firewall #2" } "grid3x1" [style=invis, shape=point]; "Server"; "grid3x3" [style=invis, shape=point]; { rank=same "grid3x1" "Server" "grid3x3" } "grid1x1" -> "Client" -> "grid1x3" [style=invis]; "Firewall #1" -> "grid2x2" -> "Firewall #2" [style=invis]; "grid1x3" -> "grid2x2" -> "grid3x3" [style=invis]; "grid3x1" -> "Server" -> "grid3x3" [style=invis]; "Client" -> "Firewall #1" [dir=none]; "Client" -> "Firewall #2" [color="green"]; "Client" -> "Firewall #2" [dir=back, color="green"]; "Firewall #1" -> "Server" [dir="none"]; "Firewall #2" -> "Server" [color="green"]; "Firewall #2" -> "Server" [dir="back", color="green"]; }

To ensure this happens, both firewalls have a system IP address configured on a failover network. This network should consist of dedicated links, preferrably physical ones;

  • Firewall #1 and Firewall #2 negotiate over this network, who holds the active role – performing the actual duties of router, gateway and firewall.
  • Upon agreement that Firewall #1 should have the active role, Firewall #1 takes on two or more IP addresses;
    1. An inbound gateway IP address for the client to server traffic to be routed through,
    2. An outbound gateway IP address for the server to client traffic to be routed through.
  • The firewall with the active role distributes its kernel connection state tables with the passive firewall.

digraph fwha { rankdir = LR; splines = true; overlab = prism; edge [ color=gray50, fontname=Calibri, fontsize=11, dir=none ]; node [ style=filled, shape=record, fontname=Calibri, fontsize=11 ]; "vlan0001" [ href="../appendices/firewall-high-availability.html#vlan0001", target="_top" ]; "vlan0002" [ href="../appendices/firewall-high-availability.html#vlan0002", target="_top" ]; "vlan0003" [ href="../appendices/firewall-high-availability.html#vlan0003", target="_top" ]; "Internet" -> "vlan0001"; subgraph cluster_fw_ext_out { "fw-ext-out001" [ href="../appendices/firewall-high-availability.html#fw-ext-out", target="_top" ]; "fw-ext-out002" [ href="../appendices/firewall-high-availability.html#fw-ext-out", target="_top" ]; } "vlan0001" -> "fw-ext-out001", "fw-ext-out002" [ label="eth0" ]; "fw-ext-out001", "fw-ext-out002" -> "vlan0003" [ label="eth1" ]; "vlan 4..7" [shape="point", size=0]; "fw-ext-out001", "fw-ext-out002" -> "vlan 4..7" [label="eth2.$x"]; subgraph cluster_perimeter { "vlan0004" [ shape="point", size=0, href="../appendices/firewall-high-availability.html#vlan0004", target="_top" ]; "vlan0005" [ shape="point", size=0, href="../appendices/firewall-high-availability.html#vlan0005", target="_top" ]; "vlan0006" [ shape="point", size=0, href="../appendices/firewall-high-availability.html#vlan0006", target="_top" ]; "vlan0007" [ shape="point", size=0, href="../appendices/firewall-high-availability.html#vlan0007", target="_top" ]; "vlan0104" [ shape="point", size=0, href="../appendices/firewall-high-availability.html#vlan0104", target="_top" ]; "vlan0105" [ shape="point", size=0, href="../appendices/firewall-high-availability.html#vlan0105", target="_top" ]; "vlan0106" [ shape="point", size=0, href="../appendices/firewall-high-availability.html#vlan0106", target="_top" ]; "vlan0107" [ shape="point", size=0, href="../appendices/firewall-high-availability.html#vlan0107", target="_top" ]; subgraph cluster_ext_mx_in { "ext-mx-in001" [ href="../appendices/firewall-high-availability.html#ext-mx-in", target="_top" ]; "ext-mx-in002" [ href="../appendices/firewall-high-availability.html#ext-mx-in", target="_top" ]; } subgraph cluster_ext_mx_out { "ext-mx-out001" [ href="../appendices/firewall-high-availability.html#ext-mx-out", target="_top" ]; "ext-mx-out002" [ href="../appendices/firewall-high-availability.html#ext-mx-out", target="_top" ]; } subgraph cluster_ext_subm { "ext-subm001" [ href="../appendices/firewall-high-availability.html#ext-subm", target="_top" ]; "ext-subm002" [ href="../appendices/firewall-high-availability.html#ext-subm", target="_top" ]; } subgraph cluster_rev_prx_http { "rev-prx-http001" [ href="../appendices/firewall-high-availability.html#rev-prx-http", target="_top" ]; "rev-prx-http002" [ href="../appendices/firewall-high-availability.html#rev-prx-http", target="_top" ]; } "vlan 4..7" -> "vlan0004"; "vlan0004" -> "ext-mx-in001", "ext-mx-in002" [ label="eth0" ]; "ext-mx-in001", "ext-mx-in002" -> "vlan0104" [ label="eth1" ]; "vlan 4..7" -> "vlan0005" -> "ext-mx-out001", "ext-mx-out002" -> "vlan0105"; "vlan 4..7" -> "vlan0006" -> "ext-subm001", "ext-subm002" -> "vlan0106"; "vlan 4..7" -> "vlan0007" -> "rev-prx-http001", "rev-prx-http002" -> "vlan0107"; } "vlan 104..107" [shape="point", size=0]; "vlan0104", "vlan0105", "vlan0106", "vlan0107" -> "vlan 104..107"; subgraph cluster_fw_ext_inn { "fw-ext-inn001" [href="../appendices/firewall-high-availability.html#fw-ext-inn", target="_top"]; "fw-ext-inn002" [href="../appendices/firewall-high-availability.html#fw-ext-inn", target="_top"]; } "vlan 104..107" -> "fw-ext-inn001", "fw-ext-inn002"; "vlan0200" [href="../appendices/firewall-high-availability.html#vlan0200", target="_top"]; "vlan0201" [shape="point", size=0]; "vlan0300" [href="../appendices/firewall-high-availability.html#vlan0300", target="_top"]; "fw-ext-inn001", "fw-ext-inn002" -> "vlan0200", "vlan0201"; subgraph cluster_fw_int { "fw-int001" [href="../appendices/firewall-high-availability.html#fw-int", target="_top"]; "fw-int002" [href="../appendices/firewall-high-availability.html#fw-int", target="_top"]; } subgraph cluster_net_internal { "vlan0301" [shape="point", size=0]; "vlan0302" [shape="point", size=0]; "vlan0303" [shape="point", size=0]; "vlan0304" [shape="point", size=0]; "vlan0305" [shape="point", size=0]; "vlan0306" [shape="point", size=0]; "vlan0307" [shape="point", size=0]; "vlan0308" [shape="point", size=0]; "vlan0309" [shape="point", size=0]; "vlan0310" [shape="point", size=0]; "vlan0311" [shape="point", size=0]; "vlan0312" [shape="point", size=0]; "vlan0313" [shape="point", size=0]; "vlan0314" [shape="point", size=0]; "vlan0315" [shape="point", size=0]; "vlan0316" [shape="point", size=0]; subgraph cluster_int_mx { "int-mx001" [href="../appendices/firewall-high-availability.html#int-mx", target="_top"]; "int-mx002" [href="../appendices/firewall-high-availability.html#int-mx", target="_top"]; } subgraph cluster_dbr { "dbr001" [href="../appendices/firewall-high-availability.html#dbr", target="_top"]; "dbr002" [href="../appendices/firewall-high-availability.html#dbr", target="_top"]; } subgraph cluster_dbw { "dbw001" [href="../appendices/firewall-high-availability.html#dbw", target="_top"]; "dbw002" [href="../appendices/firewall-high-availability.html#dbw", target="_top"]; } subgraph cluster_ldapr { "ldapr001" [href="../appendices/firewall-high-availability.html#ldapr", target="_top"]; "ldapr002" [href="../appendices/firewall-high-availability.html#ldapr", target="_top"]; } subgraph cluster_ldapw { "ldapw001" [href="../appendices/firewall-high-availability.html#ldapw", target="_top"]; "ldapw002" [href="../appendices/firewall-high-availability.html#ldapw", target="_top"]; } subgraph cluster_memc_pub { "memc-pub001" [href="../appendices/firewall-high-availability.html#memc-pub", target="_top"]; "memc-pub002" [href="../appendices/firewall-high-availability.html#memc-pub", target="_top"]; } subgraph cluster_memc_pvt { "memc-pvt001" [href="../appendices/firewall-high-availability.html#memc-pvt", target="_top"]; "memc-pvt002" [href="../appendices/firewall-high-availability.html#memc-pvt", target="_top"]; } subgraph cluster_roundcube { "roundcube001" [href="../appendices/firewall-high-availability.html#roundcube", target="_top"]; "roundcube002" [href="../appendices/firewall-high-availability.html#roundcube", target="_top"]; } subgraph cluster_chwala { "chwala001" [href="../appendices/firewall-high-availability.html#chwala", target="_top"]; "chwala002" [href="../appendices/firewall-high-availability.html#chwala", target="_top"]; } subgraph cluster_activesync { "activesync001" [href="../appendices/firewall-high-availability.html#activesync", target="_top"]; "activesync002" [href="../appendices/firewall-high-availability.html#activesync", target="_top"]; } subgraph cluster_wap { "wap001" [href="../appendices/firewall-high-availability.html#wap", target="_top"]; "wap002" [href="../appendices/firewall-high-availability.html#wap", target="_top"]; } subgraph cluster_hkccp { "hkccp001" [href="../appendices/firewall-high-availability.html#hkccp", target="_top"]; "hkccp002" [href="../appendices/firewall-high-availability.html#hkccp", target="_top"]; } subgraph cluster_ext_imapf { "ext-imapf001" [href="../appendices/firewall-high-availability.html#ext-imapf", target="_top"]; "ext-imapf002" [href="../appendices/firewall-high-availability.html#ext-imapf", target="_top"]; } subgraph cluster_int_imapf { "int-imapf001" [href="../appendices/firewall-high-availability.html#int-imapf", target="_top"]; "int-imapf002" [href="../appendices/firewall-high-availability.html#int-imapf", target="_top"]; } subgraph cluster_imapb { "imapb001" [href="../appendices/firewall-high-availability.html#imapb", target="_top"]; "imapb002" [href="../appendices/firewall-high-availability.html#imapb", target="_top"]; } subgraph cluster_imapm { "imapm001" [href="../appendices/firewall-high-availability.html#imapm", target="_top"]; "imapm002" [href="../appendices/firewall-high-availability.html#imapm", target="_top"]; } } "vlan0201" -> "fw-int001", "fw-int002" -> "vlan0300", "vlan0301", "vlan0302", "vlan0303", "vlan0304", "vlan0305", "vlan0306", "vlan0307", "vlan0308", "vlan0309", "vlan0310", "vlan0311", "vlan0312", "vlan0313", "vlan0314", "vlan0315", "vlan0316"; "vlan0301" -> "int-mx001", "int-mx002"; "vlan0302" -> "dbr001", "dbr002"; "vlan0303" -> "dbw001", "dbw002"; "vlan0304" -> "ldapr001", "ldapr002"; "vlan0305" -> "ldapw001", "ldapw002"; "vlan0306" -> "memc-pub001", "memc-pub002"; "vlan0307" -> "memc-pvt001", "memc-pvt002"; "vlan0308" -> "roundcube001", "roundcube002"; "vlan0309" -> "chwala001", "chwala002"; "vlan0310" -> "activesync001", "activesync002"; "vlan0311" -> "wap001", "wap002"; "vlan0312" -> "hkccp001", "hkccp002"; "vlan0313" -> "ext-imapf001", "ext-imapf002"; "vlan0314" -> "int-imapf001", "int-imapf002"; "vlan0315" -> "imapb001", "imapb002"; "vlan0316" -> "imapm001", "imapm002"; }

Systems

fw-ext-out

Connected to vlan0001 on eth0. This interface does not to be 802.1q encapsulated.

Connected to vlan0003 on eth1. This link should either be 802.1q encapsulated natively, on the switch, or connect to eth1 on fw-ext-out.

Let the IP address on eth1 be 10.0.3.1/24.

Connected to vlan0004 on eth2.4. This link is 802.1q encapsulated by fw-ext-out.

The eth2 interface can be connected to as many additional 802.1q encapsulated perimeter networks as necessary and appropriate.

Routes are added for perimeter network vlans 7 through 11.

ext-mx-in

ext-mx-out

fw-ext-inn

VLANs

vlan0001

This network is associated with the Internet, and includes any IP space not your own. It may be associated with a router peering network.

vlan0002

Let this be the IP space allocated by your ISP, or 1.2.3.0/24.

vlan0003

Let this be a segment of a Class A private IP space, or 10.0.3.0/24.

vlan0004

Let this be a segment of a Class A private IP space, or 10.0.4.0/24.

External Inbound Mail Exchangers

ext-mx-in001

  • IP Address: 10.0.4.1/24
  • Default Gateway: 10.0.4.254
  • DNS:

ext-mx-in002