In today’s fast-paced world, your network needs to be stable, reliable, and, most importantly, it needs to stay UP! With employees connecting from around the globe, production-critical systems operating around the clock to meet your bottom line, and server backups running overnight, you don’t have time for downtime. It’s all about keeping your network highly available.
One of the most foundational forms of redundancy you can implement in your network is clustering your core firewalls. Different manufacturers and platforms have their own ways of achieving this, but today we’ll focus on the two main forms of high availability (HA) clustering on the FortiGate firewall platform: active-passive clustering and active-active clustering.
Firewall Clustering and Redundancy
Active-Passive Clustering
The days of having two wide-area network (WAN) links plugged into a single piece of firewall hardware are fading from our rearview mirror. Having two available WAN links is great for network redundancy and reliability, whether you employ a simple failover routing configuration or a more complex SD-WAN configuration. But what happens when you’re facing a hardware failure? Suddenly, the cost of maintaining two circuits is for nothing, because the network is entirely down without an operational firewall.
One solution to this problem is to have dual firewalls running in tandem in an Active-Passive (A-P) HA arrangement. In this case, one firewall takes the active role, processing all traffic and acting as the main router. The other firewall takes the standby role, syncing with the primary firewall and remaining ready to take over if needed. It’s a very simple arrangement that is highly customizable to your unique business needs.
For instance, you can dedicate your primary WAN link to Firewall 1 and your secondary WAN link to Firewall 2, and tell the firewalls to swap roles if the primary WAN is lost. Or you can move your WAN links to a switch so that they are both available to each firewall at all times. You control the conditions and the timing of when and how the failover happens. However, with any failover scenario, there can be some drawbacks to keep in mind.
Depending on the configuration of your A-P cluster, you may see a possible delay and subsequent service disruption during the failover process. More sensitive settings yield faster failovers and thereby minimize downtime, but depending on the conditions that you use for triggering your failover event (ex., lost pings on a WAN interface), you could accidentally create flapping if your WAN link becomes unstable – even though your firewall hardware is operating normally.
Put some careful thought into your failover design to ensure that your environment is working for your specific needs. Fortunately, within the FortiGate platform, you can opt to keep sessions alive between the two physical firewalls in order to minimize any disruptions for your end users.
Need assistance setting this up? Reach out to us!
Active-Active Clustering
With two physical firewalls in the mix, you also have the option to run them in an Active-Active (A-A) HA arrangement. This opens up some new possibilities for boosting performance on your network – on top of the added reliability that comes with redundant hardware.
When you run two firewalls in a mutually active arrangement, you can take advantage of load balancing the traffic between two pieces of hardware. This effectively doubles the processing capacity of your firewall, which can be particularly helpful (and cost effective!) for high-traffic networks. An A-A arrangement can provide more scalability than an A-P arrangement can, since twice as much hardware can take on more load as your network grows.
There are some caveats to be aware of here too. Running two firewalls in tandem can sometimes result in split-brain issues that must be remediated quickly to minimize downtime on the network. Very close monitoring of the firewall cluster will help identify and correct potential problems as fast as possible. There is also a possibility of uneven resource distribution between two load-balanced firewalls. Again, close monitoring of the system can give you real-time insights into the cluster’s performance so that you can act swiftly if the system shows any signs of imbalance.
In more complex networks with multiple virtual routing and forwarding (VRF) instances (known as Virtual Domains, or VDOMs, in the Fortinet world), you need to be aware that running two firewalls in an A-A arrangement will NOT allow you to load-balance sessions that pass through inter-VDOM links. Inter-VDOM routing is still possible with an A-A cluster, but an additional external router is necessary to handle routing between different VDOMs.
Costs vs. Benefits
We’ve already named many of the benefits that come with redundant firewall hardware clusters, and you should weigh their value against the costs associated with building a redundant environment. There are obviously higher equipment costs associated with having two pieces of hardware, licensing, and support contracts necessary to keep them functional.
You also need to consider the potential costs of network and device monitoring, since it’s paramount to keep a close watch over any clustered system with a failover arrangement. We also highly recommend automating your config backups, just in case! Ultimately, the value of implementing a robustly redundant system of firewalls will most likely outweigh the costs when your highest priority is network uptime.
Need assistance with keeping your network highly available? Want to increase redundancy with firewall clustering? Our experts can help. Please contact us by calling (502) 240-0404 or emailing info@mirazon.com