BGP and Firewalls...

Patrick Sumby patrick.sumby at sohonet.co.uk
Fri Dec 16 14:16:22 UTC 2011


We run redundant solutions for a number of our customers and have always 
decoupled the routing and firewalling.

I can think of one situation where the customer manages the BGP and 
firewall failover on their firewalls; it doesn't work too well.

The issue as I see it is that, in the event of a device failure, if you 
only have firewalls you need to keep the firewall session states when 
failing over to the second device. The BGP sessions will not survive if in an 
active/passive HA setup, whereas user traffic states will. If you run in 
an active/active setup, BGP states will remain up; however, user traffic 
states will not always be transferred.

If you're only using one firewall then this is not going to be an issue, 
but it depends on whether the solution you're deploying has only redundant 
connectivity or redundant equipment as well.

My experience is mainly with Juniper routers and firewalls, so I'm not able 
to comment on the Palo Alto platform.

Decoupling the two functions gives a much better model from an NSP sales 
perspective, as it means you're able to sell failover with no managed 
equipment / just managed routers / a full solution with routers and firewalls.

-- 
---
Patrick Sumby
Network Architect
Sohonet


On 07/12/2011 17:31, Gregory Croft wrote:
> Hi All,
>
> Does anyone have any experience with using firewalls as edge devices
> when BGP is concerned?
>
> Specifically the Palo Alto series of devices.
>
> If so please contact me off list.
>
> Thank you.
>
> Thank you,
>
> Gregory S. Croft
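As an added worked example (not code from the mail above, and not anything from Juniper or Palo Alto), here is a small Python model of the three designs Patrick contrasts: routers speaking BGP with a firewall cluster behind them, an active/passive firewall cluster that is itself the BGP speaker, and an active/active firewall pair that speaks BGP. For a single device failure it reports whether established user flows survive, whether a BGP session is lost, and roughly how long traffic is blackholed. All timer values, the design names and the device behaviour (no BFD, no graceful restart, the standby owning the cluster address after failover) are assumptions written into the model, not facts from the thread.

```python
"""Simplified failover model for the three edge designs discussed above.

Added illustration for this page, not code from the thread or from any
vendor.  It models one device failure and asks two things: do established
user flows survive, and how long is the data-plane outage?  Device
behaviour (no BFD, no graceful restart) and all timer values are
assumptions, not facts from the thread; callers can override the timers.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional

# Assumed defaults (not from the thread).
HOLD_TIME = 90.0      # BGP hold time: the peer declares a silent session dead after this
FW_FAILOVER = 3.0     # seconds until the surviving firewall unit forwards traffic
BGP_REBUILD = 20.0    # seconds for a newly active speaker to open a session and re-advertise


@dataclass
class Design:
    name: str
    bgp_on_firewall: bool    # firewalls, not separate routers, are the eBGP speakers
    active_active: bool      # both units forward (and, if speakers, both hold sessions)
    flow_state_synced: bool  # firewall flow table is replicated between the units


@dataclass
class Outcome:
    flows_survive: bool      # established user sessions keep working after failover
    bgp_session_drops: bool  # at least one BGP session to the upstream is lost
    outage_seconds: float    # longest blackhole seen by some share of the traffic
    note: str = ""


def simulate_failure(d: Design, hold_time: float = HOLD_TIME,
                     fw_failover: float = FW_FAILOVER,
                     bgp_rebuild: float = BGP_REBUILD) -> Outcome:
    """Outcome of losing one firewall unit in design ``d``."""
    if not d.bgp_on_firewall:
        # Decoupled: the routers' BGP sessions never see the firewall event.
        # The upstream keeps the same next hop, the cluster address moves to
        # the surviving unit, and the only gap is the cluster's own failover.
        return Outcome(d.flow_state_synced, False, fw_failover,
                       "routers unaffected; outage is the firewall failover alone")

    if d.active_active:
        # Each unit holds its own session.  The survivor's session stays up,
        # but nothing answers on the dead unit's address, so the upstream only
        # notices when the hold timer expires and keeps sending that unit's
        # share of traffic into a black hole until then.  Flow state is not
        # reliably carried across, so flows rehashed to the survivor are reset.
        return Outcome(False, True, hold_time,
                       "survivor's BGP stays up; dead unit's traffic blackholed "
                       "until hold time expires")

    # Active/passive with the firewall as speaker: flow state is synced, but
    # the BGP TCP sessions are not.  The standby takes over the address with
    # no session, the upstream tears the old one down and withdraws the
    # prefixes, and traffic is blackholed until the new active rebuilds the
    # session and re-advertises.  Synced flows are intact but stall meanwhile.
    return Outcome(True, True, fw_failover + bgp_rebuild,
                   "flows synced but BGP must be rebuilt before traffic returns")


# Hypothetical design names used only for this illustration.
DESIGNS = [
    Design("decoupled: routers speak BGP, firewall A/P cluster behind", False, False, True),
    Design("coupled: firewall A/P cluster speaks BGP", True, False, True),
    Design("coupled: firewall A/A pair speaks BGP", True, True, False),
]


def compare(designs: Optional[List[Design]] = None, **timers: float) -> Dict[str, Outcome]:
    """Run the failure scenario against every design, with optional timer overrides."""
    return {d.name: simulate_failure(d, **timers) for d in (designs or DESIGNS)}


if __name__ == "__main__":
    for name, o in compare().items():
        print(f"{name}\n  flows survive: {o.flows_survive}  BGP drops: {o.bgp_session_drops}"
              f"  outage: {o.outage_seconds:.0f}s  ({o.note})")
```

With the assumed defaults the decoupled design pays only the firewall failover time and never touches BGP, the coupled active/passive cluster keeps its flows but pays failover plus a full BGP rebuild, and the coupled active/active pair keeps one session up yet blackholes the dead unit's share of traffic for the whole hold time. Shortening the timers (or adding BFD, which the model deliberately leaves out) narrows the gap but does not change which design avoids the BGP flap.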
