Hey,
I'm currently reviewing a vendor's design which includes single Fortigate firewalls clustered across multiple datacenters. Experience has taught me that this is a bad idea. In my engineering days, I saw entire stacks break due to:
- DDoS filling up synced session tables
- Software bugs and failed in-service software updates
- Cut heartbeat connection resulting in split brain
- Human error - an engineer shutting down a cluster by accident thinking it was a lab.
In my eyes, clustering of single firewalls no longer fulfils my requirement for redundancy since there is only 1 logical firewall across our data centers.
I've always thought this to be against best practice and I know the vendor will be asking for evidence of this. Does anyone have references to any vendor best practice, handbooks, whitepapers etc that covers this topic? Googling has brought up many forum discussions around this but nothing "official".
Thanks