ScreenOS Firewalls (NOT SRX)

SSG5 with dual ISP failover

09-22-2011 08:54 PM

We have 2 SSG5s with the extended license. 2 ISPs will be used. However, we do not have layer 2 switches on the untrust side for connecting the 2 ISPs, so we have to hook 1 ISP to each SSG5.

I found this setup can be implemented on the 5GT, which supports NSRP-lite dual ISP. However, this does not seem to work well on the SSG5, since I always get a config out-of-sync.

I was thinking of configuring both ISPs' IP address information on both SSG5s, but only plugging ISP-A into SSG-A and ISP-B into SSG-B, leaving the ISP-B interface on SSG-A and the ISP-A interface on SSG-B unplugged. Is this a working setup?


Re: SSG5 with dual ISP failover

09-23-2011 12:08 AM
Hi,
I would go with an Active/Passive NSRP cluster and connect each ISP to a physical box. You can then use NSRP whole-box monitoring to track a specific group of IPs via ISPA. When ISPA goes down, your cluster will fail over and ISP2 will be active. Outside of the NSRP config, you will need two default routes: ISPA with a metric of 1, and ISPB with a metric of 2.
I hope this helps.
John Judge
JNCIS-SEC, JNCIS-ENT,


Re: SSG5 with dual ISP failover

09-23-2011 02:11 AM

Hi,

Map two interfaces to Untrust zone, let's say eth0/0 and eth0/1. Connect eth0/0 to ISPA on the primary box and eth0/1 to ISPB on the secondary box. This solves the problem with different IP addressing on the ISP side.

Kind regards,
Edouard

Re: SSG5 with dual ISP failover

10-12-2011 09:51 PM

Hi John,

By using NSRP we can get device failover. We could not get any ISP failover.

If we use failover, then some extra configuration on routing is required.

Thanks
Maung Tan
Data Edge Limited

Re: SSG5 with dual ISP failover

10-14-2011 01:02 AM

Hi,

In this case an NSRP failover is equivalent to the ISP failover.

What I forgot to mention is IP tracking on the primary box. Configure one or more of ISPA's pingable IPs for tracking: NSRP -> Monitor -> Track IP. Also enable preempt and change the priority to a number below 100 on the primary box. Under normal conditions the default gateway on the primary FW is the one from ISPA. Any routes through eth0/1 are inactive, as this interface is always in the status "Down"; it is not cabled at all. If IP tracking fails, NSRP starts a failover. The backup FW has an active default route to ISPB. Its eth0/0 is in the status "Down" and not cabled.

As soon as the tracked IPs become reachable from the primary box again, the preempt option switches back to the master after the hold-down time has elapsed. I usually configure a couple of minutes as the hold-down interval to avoid flapping.

There is no need to configure any monitoring features on the backup FW.

Kind regards,
Edouard
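The setup Edouard describes, written out as a ScreenOS CLI sketch. This is an added example, not configuration from any of the posters; the addresses are constructed from documentation ranges, and the priority (50), hold-down (120 s) and track-ip interval/threshold values are assumptions to be tuned for your environment.

```screenos
# Added example (not from the original posts). Addresses are constructed from
# RFC 5737 documentation ranges; priority 50, hold-down 120 and the track-ip
# interval/threshold are assumed values.
# Interface and route config is the same on both boxes and is synced by NSRP.
# The uncabled ISP interface on each box is Down, so its default route is inactive.

# Two Untrust interfaces, one per ISP (only one is cabled on each box)
set interface ethernet0/0 zone untrust
set interface ethernet0/0 ip 203.0.113.2/24
set interface ethernet0/1 zone untrust
set interface ethernet0/1 ip 198.51.100.2/24

# Two default routes; ISP-A preferred via the lower metric
set route 0.0.0.0/0 interface ethernet0/0 gateway 203.0.113.1 metric 1
set route 0.0.0.0/0 interface ethernet0/1 gateway 198.51.100.1 metric 2

# NSRP cluster (both boxes)
set nsrp cluster id 1
set nsrp rto-mirror sync

# Primary box only: priority below the default 100, preempt with hold-down
set nsrp vsd-group id 0 priority 50
set nsrp vsd-group id 0 preempt
set nsrp vsd-group id 0 preempt hold-down 120

# Primary box only: track a pingable ISP-A address; reaching the failure
# threshold triggers an NSRP failover to the backup (and thus to ISP-B)
set nsrp monitor track-ip ip
set nsrp monitor track-ip ip 203.0.113.1 interval 5 threshold 3 weight 255
set nsrp monitor track-ip threshold 255

# Verify: master/backup state, tracking status, and which default route is active
get nsrp
get nsrp monitor track-ip
get route
```

The backup box keeps the default priority of 100 and needs no track-ip configuration; during a failover you should see the backup become master in `get nsrp` and the ethernet0/1 default route as the active one in `get route`.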