Hi Everyone,
I would like to know how to set up two firewalls mirroring, I have as primary firewall a FortiGate 60e and it has to mirror a Cisco ASA 5506-X. Please if anyone has any information related this let me know.
Thanks Mario
I have a 60E. I can port mirror with another 60E. You can do HA Active / Passive.
You could place a Cisco router in front of it. WAN port facing out. Two interfaces using Cisco load balancing going to the WAN ports on the firewalls. Your next hop on your firewalls would be the Cisco router. Cisco has many router options for fail over configurations.
I am not sure I would want two different firewalls in it. I would want the same firmware and configuration on both for security.
I have two WAN circuits at home. The 60E link balances them outbound. Inbound I use VIPs. I have a WordPress server on each WAN port. GoDaddy has the outside IP for each web site to direct them in.
What is your purpose to need that level of HA?
Hi Michael,
Our purpose to do this is to have a backup in the case of the primary firewall outage. That's why we have to setup both firewalls with high availability in order to avoid this.
Do I have to use the same WAN IP for both firewalls when I'm doing the high availability setup?
I would have to think about it.
Let's see.
Could you get creative with layer 2?
I like a Cisco router out front. I do ACL lists to block all traffic to ports 1433, 1434, 587, etc. Login ports, SQL, etc.
You could get creative doing it layer 2. Use a layer 3 switch. Get a /27 block for each ISP WAN port.
You do VLANs
VLAN 10 (WAN1)
3 ports: One coming from the router for WAN inbound. Two ports using /27 connected to WAN 1 on each firewall.
VLAN 20 (WAN2)
3 ports: One coming from the router for WAN inbound. Two ports using /27 connected to WAN 1 on each firewall.
It would keep the traffic basically as layer 2.
You would need active/passive for the two firewalls. Otherwise you will have loop issues going outbound. You need to keep SSO traffic on the same path. I do it at work by policy-based routes on each VLAN on the layer 3 switches. Each VLAN on the access switches' next hop is the VLAN address on the firewall. The issue would be setting up redundant paths for the second firewall.
Doing HA with the same firewall will do much of it for you.
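What the FortiGate side of "HA with the same firewall" looks like, as an added example that is not from any post in this thread: a minimal FortiOS active-passive (FGCP) cluster configuration for two identical FortiGate 60E units running the same firmware. The group name, heartbeat interface, monitored interfaces and priority are assumptions for illustration; the password is a placeholder.

```fortios
# Added example, not from the thread. Run on the unit that should become primary.
# Assumes two identical 60E units on the same firmware, and that the "dmz" port
# is free to be cabled unit-to-unit as the heartbeat link (assumption).
config system ha
    set group-name "FGT60E-HA"        # assumed cluster name; must match on both units
    set mode a-p                      # active-passive: one unit forwards, the other stands by
    set password <CLUSTER-PASSWORD>   # placeholder; must match on both units
    set hbdev "dmz" 50                # assumed heartbeat interface and its priority
    set session-pickup enable         # sync sessions so a failover does not drop established flows
    set monitor "wan1" "internal"     # assumed: fail over if either of these links goes down
    set priority 200                  # higher than the peer (default 128) so this unit is preferred
    set override disable              # do not preempt back after recovery; avoids flap on a flaky link
end
```

Apply the same block on the second unit with a lower priority (for example leaving the default 128). FGCP synchronizes the whole configuration, interface addresses included, so the cluster presents one WAN IP on the primary unit rather than one address per firewall; the standby unit takes that address over on failover. This is the same "identical hardware, identical software" model the ASA failover requirements describe, so it does not help with pairing a FortiGate against an ASA.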
I don't think you can do this with the Cisco ASA, here's why:
from (https://www.cisco.com/c/en/us/td/docs/security/asa/asa95/configuration/general/asa-95-general-config/ha-failover.html)
Hardware Requirements
The two units in a Failover configuration must:
Be the same model.
Have the same number and types of interfaces.
Have the same modules installed (if any).
Have the same RAM installed.
Software Requirements
The two units in a Failover configuration must:
Be in the same context mode (single or multiple).
For single mode: Be in the same firewall mode (routed or transparent).
In multiple context mode, the firewall mode is set at the context-level, and you can use mixed modes.
Have the same major (first number) and minor (second number) software version. However, you can temporarily use different versions of the software during an upgrade process; for example, you can upgrade one unit from Version 8.3(1) to Version 8.3(2) and have failover remain active. We recommend upgrading both units to the same version to ensure long-term compatibility.
Have the same AnyConnect images.
Cordially,
Ronnie Wong
Edutainer Manager, ACI Learning [ITPRO]
*if the post has answered the question, mark as solved.
**All "answers" and responses are offered "as is" and my opinion. There is no implied service, support, or guarantee by ITProTV.
@Ronnie-Wong Thank you so much for the info
@Michael-McKenney You're right, Michael, and also I found the failover just works with two identical devices.