Good day Team,
Need some of your expert advice.
The original design for dual ISP with an Active / Passive pair was all good, using policy-based forwarding and having a switch in place with the specified VLANs, where, if the active firewall should fail, the passive will take over and pass the traffic, and vice versa with the ISP.
Diagram below; just imagine it with the switch in the middle.
In a new environment the design has to change, in the sense that these two firewalls will now be in two different server rooms with an individual ISP connected to each of them, running L2 HA connectivity directly, and failover should happen on an ISP level, with policy-based forwarding for the different traffic.
Is this possible, even in an Active / Active setup, as in the diagram below, without a switch involved? Your advice is highly appreciated.
With the split ISP situation, the only way to choose your route is by getting creative with floating IP addresses. PBF won't be an option.
This is certainly possible, but failover will be a big mess since you'll have 2 different NAT policy sets (unless NAT is performed by the ISPs, or you have a big public subnet on the inside?).
Upon failover, all sessions from the broken firewall will fail (NAT is not recalculated/reapplied after failover), and they will do so very slowly (sessions will time out rather than being terminated). Even with aggressive aging on the firewall, the client will not be aware something happened in the middle and will keep trying.
You could set up a load sharing situation
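As an added illustration of the failover behaviour described in the reply above (this is a constructed model written for this thread, not code from the thread or from any firewall vendor), the small Python simulation below puts two firewalls behind different ISPs, syncs NAT'd sessions between them over HA, kills the active one, and then lets the clients retransmit. All addresses, timers, the 60-second client abort and the simplified stateful-session logic are assumptions for illustration.

```python
"""Model of NAT'd sessions surviving (or not) an HA failover to a peer behind a
different ISP. Constructed example: addresses, timers and the simplified
session logic are assumptions for illustration, not a vendor implementation.
"""
from dataclasses import dataclass
from typing import Optional


@dataclass
class Session:
    key: tuple            # (client_ip, client_port, server_ip, server_port)
    nat_ip: str           # public source address chosen when the session was created
    last_seen: float


class Firewall:
    def __init__(self, name: str, isp_public_ip: str):
        self.name = name
        # The only source address the attached ISP will route replies back to.
        self.isp_public_ip = isp_public_ip
        self.sessions: dict = {}

    def outbound(self, key: tuple, now: float, is_syn: bool) -> Optional[str]:
        """Client packet leaving through this firewall.
        Returns the translated source address, or None if the packet is dropped."""
        sess = self.sessions.get(key)
        if sess is None:
            if not is_syn:
                return None   # stateful firewall: no session and not a SYN -> drop
            sess = Session(key, self.isp_public_ip, now)   # NAT is decided once, here
            self.sessions[key] = sess
        sess.last_seen = now
        return sess.nat_ip    # existing sessions keep their original translation

    def reply_reaches_me(self, nat_ip: str) -> bool:
        """Internet replies are routed on destination address, so they only
        arrive at the firewall whose ISP owns that address."""
        return nat_ip == self.isp_public_ip

    def sync_from(self, peer: "Firewall") -> None:
        """HA session sync: copies sessions verbatim, translation included."""
        self.sessions = {k: Session(s.key, s.nat_ip, s.last_seen)
                         for k, s in peer.sessions.items()}

    def age_out(self, now: float, timeout: float) -> int:
        stale = [k for k, s in self.sessions.items() if now - s.last_seen > timeout]
        for k in stale:
            del self.sessions[k]
        return len(stale)


@dataclass
class Client:
    """One TCP connection: retransmits with exponential backoff until an
    assumed abort deadline, then the application reconnects on a new port."""
    key: tuple
    next_send: float = 0.0
    rto: float = 1.0
    abort_after: float = 60.0          # assumed total retransmit time before TCP gives up
    deadline: Optional[float] = None
    recovered_at: Optional[float] = None
    is_syn: bool = False


def simulate(fw_age_timeout: float, fail_at: float = 5.0, end: float = 400.0) -> dict:
    fw_a = Firewall("FW-A", "203.0.113.10")   # ISP A (constructed addresses)
    fw_b = Firewall("FW-B", "198.51.100.10")  # ISP B
    clients = [Client(("10.0.0.%d" % i, 40000 + i, "192.0.2.80", 443)) for i in range(1, 4)]

    # t=0: sessions established through FW-A; HA syncs them to FW-B unchanged.
    for c in clients:
        fw_a.outbound(c.key, 0.0, is_syn=True)
    fw_b.sync_from(fw_a)
    stranded = sum(1 for s in fw_b.sessions.values() if not fw_b.reply_reaches_me(s.nat_ip))
    result = {"stranded_after_failover": stranded, "first_fw_age_out_at": None}

    t = fail_at
    while t <= end:                      # from fail_at on, FW-B is the only path
        for c in clients:
            if c.recovered_at is not None or t < c.next_send:
                continue
            nat_ip = fw_b.outbound(c.key, t, c.is_syn)
            if nat_ip is not None and fw_b.reply_reaches_me(nat_ip):
                c.recovered_at = t       # reply comes back via ISP B: connection works
                continue
            # No reply (dropped, or sent with ISP A's address): back off and retry.
            if c.deadline is None:
                c.deadline = t + c.abort_after
            c.rto = min(c.rto * 2, 64.0)
            c.next_send = t + c.rto
            if c.next_send > c.deadline:  # TCP aborts; the app opens a fresh connection
                c.next_send = c.deadline
                c.key = (c.key[0], c.key[1] + 1, c.key[2], c.key[3])
                c.is_syn, c.rto = True, 1.0
        if fw_b.age_out(t, fw_age_timeout) and result["first_fw_age_out_at"] is None:
            result["first_fw_age_out_at"] = t
        t += 1.0
    result["clients_recovered_at"] = [c.recovered_at for c in clients]
    return result


if __name__ == "__main__":
    for timeout in (5.0, 3600.0):
        print("fw aging timeout %.0fs:" % timeout, simulate(timeout))
```

Running it with an aggressive 5-second aging timer and with a long one gives the same client recovery time: the synced sessions still carry ISP A's public address, so FW-B never sees a reply, and whether FW-B ages the session out early or not, the client only recovers when its own TCP stack gives up and reconnects with a SYN that gets a fresh translation through ISP B. That is the "very slowly" part of the reply above in numbers.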