Firewalls on High Availability(HA) : Benefits and Challenges

Customers usually choose to go for two firewalls in high availability (HA) mode for several reasons, including:

• Redundancy: The primary reason for configuring two firewalls in high availability mode is to ensure redundancy. If one firewall fails, the other firewall takes over seamlessly, ensuring continuous protection for the network.
• Business continuity: High-availability firewalls are essential for businesses that require uninterrupted access to their applications and data. By having two firewalls in high availability mode, businesses can ensure that their network is always protected and that they can continue to operate even if one of the firewalls fails.
• Load balancing: Some customers also use two firewalls in high availability mode to balance the traffic load between them. This can be useful in situations where one firewall may be under heavy load due to a large amount of traffic, ensuring that the network is not overwhelmed.
• Security: High availability firewalls can also enhance the overall security posture of an organization. By having two firewalls, customers can implement different security policies on each firewall and ensure that their network is protected from various threats.
• Compliance: Certain regulatory requirements, such as those set forth by the Payment Card Industry Data Security Standard (PCI DSS), mandate the use of high-availability firewalls as a security control to protect cardholder data. Customers may choose to implement high-availability firewalls to comply with such requirements.

Configuring firewalls for high availability (HA) involves setting up redundant firewall devices to ensure continuous protection and access control in the event of a failure. Here are some steps, in general, to configure firewalls for high availability:

• Choose the appropriate firewall devices: Select two or more identical firewall devices that support high availability configuration.
• Configure basic settings: Configure the basic settings on each firewall device, including hostname, IP address, and network interfaces. Ensure that each firewall device is connected to the same LAN segment.
• Configure HA settings: Configure HA settings such as heartbeat interfaces, failover settings, and synchronization settings. The heartbeat interface is used to detect the health status of the other firewall device. Failover settings determine how the devices switch roles in the event of a failure, and synchronization settings ensure that the configuration data is identical on both devices.
• Test the failover process: Test the failover process by simulating a failure on the active firewall device. Verify that the standby firewall device takes over the role of the active firewall device.
• Configure the firewall rules: Configure the firewall rules on both devices to allow the desired traffic to pass through. Ensure that the rules are synchronized between both devices.
• Monitor the devices: Monitor the firewall devices and ensure that both devices are functioning correctly.

However, the above steps may vary depending on the firewall devices & the makes being used, and the configuration requirements. It is always best to consult the manufacturer’s documentation for detailed instructions on configuring firewalls for high availability.  But Before configuring firewalls for high availability (HA), it is crucial to ensure that certain prerequisites as mentioned below are in place.

• Hardware requirements: Check the hardware requirements of the firewall devices to ensure they are suitable for high availability configuration. The hardware should be able to handle the expected traffic load and have the necessary interfaces and storage for the configuration and log data.
• Network infrastructure: Ensure that the network infrastructure is configured correctly to support high availability. The firewall devices should be connected to the same LAN segment and have a dedicated heartbeat interface for the failover mechanism.
• Firewall software: Check that the firmware or software on the firewall devices is compatible with the high availability configuration. Upgrade the firmware or software if necessary.
• IP addressing: Ensure that each firewall device has a unique IP address and that the IP addresses of the interfaces on each device are on the same subnet. It is also important to ensure that the default gateway is correctly set up.
• Firewall rules: Ensure that the firewall rules are configured correctly and tested before configuring high availability. This helps to ensure that the firewall rules will be synchronized correctly between the devices.
• Documentation: Ensure that you have the necessary documentation, such as the manufacturer’s guide, to guide you through the process of configuring high availability for your specific firewall devices.

It’s highly recommended that you have 2 Switches also while we configure 2 Firewall alliances on HA in order to prevent a single point of failure scenario since if one switch fails, the other switch can continue to provide connectivity to the firewall devices which ensures that there is no disruption to network traffic and that the firewall devices can continue to function even if one switch fails.

Here are a few steps to follow but it’s also important to consult the manufacturer’s documentation for specific instructions on configuring high availability for your particular switch model.

• Two switches: Two switches are required for redundancy, and they should be identical in model and configuration to ensure seamless failover.
• Power supply units (PSUs): Each switch should have dual power supplies for redundancy, and each power supply should be connected to an independent power source.
• Network cables: You will need Ethernet cables to connect the switches to the firewall devices and other network devices.
• Spanning Tree Protocol (STP): STP is a protocol used to prevent loops in network topology, and it should be enabled on both switches.
• Link aggregation (LAG): LAG, also known as port-channeling or NIC teaming, is used to combine multiple physical links into a single logical link to increase bandwidth and provide redundancy. LAG should be configured between the two switches to ensure redundancy.
• IP addressing: Each switch should be assigned a unique IP address on the management network, and the switches should be configured to communicate with each other using the same management network.
• Management Software: The management software for the switches should be installed and configured for high availability.
• Testing plan: A testing plan should be developed to verify the failover mechanism and ensure that the redundancy configuration is working as intended.

Now let’s look at two commonly used modes of HA:-  “Active-Active” and “Active-Passive”, the differences between the two scenarios are as mentioned below:

• Active-Active HA: In an active/active HA configuration, both firewalls are actively processing traffic at the same time. Traffic is distributed between the firewalls in a load-balancing fashion, and both firewalls are processing traffic simultaneously. This mode can help increase network throughput and improve performance, especially in scenarios where one firewall may be overwhelmed with traffic.
• Active-Passive HA: In an active/passive HA configuration, one firewall is active, processing traffic and handling network requests, while the other firewall is in standby mode, ready to take over if the active firewall fails. This mode provides a higher level of redundancy, as there is always a backup device ready to take over in case of a failure.

In summary, active-/active HA allows both firewalls to actively process traffic simultaneously, while active-passive HA provides redundancy with one active firewall processing traffic and the other standby in case of failure. The configuration of both modes is quite different and it is essential to ensure that the configuration is done correctly to avoid issues such as traffic imbalance or failover failures. Firewall vendors often provide guidance and documentation on how to set up high availability for their devices, and it is recommended to follow these guidelines closely.

Implementing high availability (HA) for firewalls can provide significant benefits in terms of network uptime, reliability, and redundancy. However, there are also several challenges that organizations may face when implementing HA for their firewall infrastructure. Some of these challenges include:

• Increased Complexity: Implementing HA for firewalls can add complexity to the network infrastructure. This is because HA typically involves the configuration of multiple devices and protocols, and may require changes to network topology, addressing, and routing.
• Cost: HA typically requires the purchase of additional hardware and licenses, which can add to the overall cost of the firewall infrastructure.
• Configuration Management: Maintaining consistent configurations across multiple firewall devices can be challenging. Changes made to one firewall must be replicated to all other devices to ensure consistency, and this can be time-consuming and error-prone.
• Testing and Maintenance: HA requires regular testing and maintenance to ensure that failover and other processes are functioning correctly. This can be time-consuming and may require additional resources to manage.
• Risk of Configuration Errors: If not configured correctly, HA can introduce new points of failure into the network infrastructure. Configuration errors can cause traffic imbalances, failover failures, and other issues that can impact network uptime and performance.
• Impact on Performance: HA can impact network performance, especially in active/active mode. The load-balancing process can introduce latency and slow down traffic, especially in scenarios where one firewall is overwhelmed with traffic.

Therefore Organizations should carefully consider the costs and complexity of HA, and ensure that they have the resources and expertise to manage and maintain the HA configuration properly. Additionally, regular testing and maintenance should be performed to identify and resolve any issues that may arise.