Chapter 3. High availability for VPN-1/FireWall-1 151
The classical way of building a highly available VPN-1/FireWall-1
environment is to use two separate firewall modules and one dedicated
VPN-1/FireWall-1 management module on a third separate workstation.
Advantages of having one dedicated VPN-1/FireWall-1 management
• This is the simplest HA configuration. There is no need to worry about how to
synchronize the security policy across multiple management stations because
there is only one.
Disadvantages of having only one VPN-1/FireWall-1 management
• The VPN-1/FireWall-1 management workstation is a single point of failure.
As soon as it fails, the VPN-1/FireWall-1 functionality is reduced to filtering
only and changing the security policy (for example, changing rules, adding
users, and so forth) is impossible until the management workstation is
fixed or replaced which usually takes hours. All VPN-1/FireWall-1 logs and
configurations are potentially lost.
• There are additional hardware costs because of the extra hardware unit for
the VPN-1/FireWall-1 management workstation.
3.1.4 Our HA design
Because the classical setup did not meet our design goals, we decided to use
a slightly more complex but much more powerful approach. We use only two
workstations to provide one highly available firewall.
HACMP setup
In our HACMP setup:
• HACMP is used for service IP address takeover only. Service IP
addresses are the highly available IP addresses that are considered to be
the highly available firewall. The firewall workstation that has the service
IP addresses is the active node from a HACMP perspective. It will get all
the IP traffic.
• Filesystems are not shared. It is recommended to set up local mirrors of all
filesystems in case of a hard drive failure, but this is not discussed in this
• We chose the HACMP rotating mode. When an error is detected on a
firewall, it will shut itself down and the other firewall will take over the
service IP addresses. HACMP cascading mode would provide minimal
benefit but would require redundant network adapters, thereby halving the
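To make the difference between the two HACMP resource-group policies concrete, here is a small model of service IP address takeover. It is an added illustration, not code from the Redbook or from HACMP: the node names fw1 and fw2 and the TEST-NET address 192.0.2.10 are constructed, and the model covers only who holds the service address after a failure and after the failed node rejoins (rotating: the surviving node keeps it; cascading: it falls back to the highest-priority node), not heartbeat detection or adapter handling.

```python
"""Toy model of HACMP-style service IP takeover (added example, not Redbook
or HACMP code). Two firewall nodes share one service IP address; compare
the 'rotating' and 'cascading' policies on failure and rejoin."""

from dataclasses import dataclass, field


@dataclass
class Node:
    name: str
    priority: int                 # lower number = higher priority (cascading only)
    up: bool = True
    addresses: set = field(default_factory=set)   # service IPs currently held


class Cluster:
    def __init__(self, nodes, service_ip, mode):
        if mode not in ("rotating", "cascading"):
            raise ValueError("mode must be 'rotating' or 'cascading'")
        self.nodes = sorted(nodes, key=lambda n: n.priority)
        self.service_ip = service_ip
        self.mode = mode
        # The first node to come up acquires the service address (the active node).
        self.nodes[0].addresses.add(service_ip)

    def _get(self, name):
        return next(n for n in self.nodes if n.name == name)

    def holder(self):
        """Name of the node currently holding the service IP, or None."""
        for n in self.nodes:
            if self.service_ip in n.addresses:
                return n.name
        return None

    def fail(self, name):
        """An error is detected on `name`: it drops out and, if it held the
        service IP, the highest-priority surviving node takes the address over."""
        node = self._get(name)
        node.up = False
        held = self.service_ip in node.addresses
        node.addresses.discard(self.service_ip)
        if held:
            for other in self.nodes:          # priority order
                if other.up:
                    other.addresses.add(self.service_ip)
                    break

    def rejoin(self, name):
        """`name` comes back. Rotating: it becomes a standby and the current
        holder keeps the address. Cascading: the address falls back to the
        highest-priority node that is up (one extra takeover)."""
        node = self._get(name)
        node.up = True
        current_name = self.holder()
        if current_name is None:              # nobody held it: rejoining node takes it
            node.addresses.add(self.service_ip)
            return
        if self.mode == "cascading":
            current = self._get(current_name)
            best = next(n for n in self.nodes if n.up)
            if current is not best:
                current.addresses.discard(self.service_ip)
                best.addresses.add(self.service_ip)


def simulate(mode, events):
    """Run a list of (action, node) events and return the holder after each step."""
    a = Node("fw1", priority=1)      # constructed names
    b = Node("fw2", priority=2)
    cluster = Cluster([a, b], "192.0.2.10", mode)   # constructed TEST-NET address
    history = [cluster.holder()]
    for action, name in events:
        getattr(cluster, action)(name)
        history.append(cluster.holder())
    return history


def takeovers(history):
    """Number of times the service IP moved; each move is a traffic disruption."""
    return sum(1 for prev, cur in zip(history, history[1:]) if prev != cur)


EVENTS = [("fail", "fw1"), ("rejoin", "fw1")]

if __name__ == "__main__":
    for mode in ("rotating", "cascading"):
        h = simulate(mode, EVENTS)
        print(f"{mode:10s} holder after each event: {h}  takeovers: {takeovers(h)}")
```

With the active firewall failing and then rejoining, rotating mode moves the service address once (fw1 to fw2, and the repaired fw1 simply becomes the standby), while cascading mode moves it twice because the address falls back to fw1. That second move is a further interruption of all traffic through the firewall for no availability gain, which is the "minimal benefit" the text refers to.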