I am a true Cisco ASA guy. I eat, live and sh…. ASAs. I have been working with Cisco gear since forever, and the first Cisco firewall I configured was a Cisco 520 with a floppy.
Nevertheless, I also know some stuff about other firewalls. I have worked with iptables, WatchGuards, Symantec/Raptor/whatever and installed a few Checkpoints. Actually, I am certified CCSA and CCSE for Checkpoint firewalls. Still, I try to avoid them. The reason is simple: they are complex, there are only 24 hours in a day, and there are people who know Checkpoint better than I do.
Whatever firewall I run into, I compare it to ASAs. I can't avoid it, because it is ASAs that I know by heart. And for a while I have tried to understand the complexity of load distribution in Checkpoint clusters. Then I ran into this incredible blog post by Greg Ferro at etherealmind.com. And There Was Light.
Instead of trying to explain it again half as well as the original, I simply suggest that anyone interested in the load-sharing technology of Checkpoint or other firewalls read the blog post above. It is great!
ASAs don't do load balancing(*). A “cluster” can contain only two members, and it is always(*) an active/passive solution where the passive member is a hot standby. It is nowhere near as sophisticated as the ClusterXL solution from Checkpoint. But it is simple. And rock solid. If you want to “keep it simple, stupid”, the ASA failover solution is your setup, if you ask me.
It would be interesting to do a cost analysis and compare the cost of purchasing equivalent setups of ASAs and Checkpoint firewalls for a specific throughput/size. I am already quite sure that it is way cheaper to buy one ASA that is big enough to handle the throughput needed, plus one hot spare, than to buy two Checkpoint units with the same performance.
(*) Yes, there is an active/active solution from Cisco. But it requires multiple context mode. And unless you need multiple virtual firewalls, you can't make both hardware units in the cluster process traffic at the same time.
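To make the footnote concrete, here is an added configuration sketch (constructed for this post, not taken from the original or from Cisco documentation; interface names, context names and addresses are made up, and the exact syntax should be checked against the configuration guide for your ASA release). The first part is the plain active/standby pair; the second shows why active/active is really two active/standby failover groups that only pay off with more than one context.

```text
! Unit A, single context mode: active/standby failover.
! Constructed example: interface names and addresses are made up.
failover lan unit primary
failover lan interface FOLINK GigabitEthernet0/3
failover link FOLINK GigabitEthernet0/3
failover interface ip FOLINK 10.255.255.1 255.255.255.252 standby 10.255.255.2
failover polltime unit 1 holdtime 3
failover
!
interface GigabitEthernet0/0
 nameif outside
 security-level 0
 ip address 203.0.113.2 255.255.255.0 standby 203.0.113.3
!
! Unit B gets the same configuration except "failover lan unit secondary".
!
! Active/active needs "mode multiple" (a reload is required). In the system
! context, every context joins one of two failover groups, and each group is
! itself an active/standby pair: unit A is active for group 1, unit B for
! group 2. With a single context there is only one group, so only one unit
! ever forwards traffic, which is the limitation the footnote describes.
mode multiple
failover lan unit primary
failover lan interface FOLINK GigabitEthernet0/3
failover link FOLINK GigabitEthernet0/3
failover interface ip FOLINK 10.255.255.1 255.255.255.252 standby 10.255.255.2
failover group 1
 primary
 preempt
failover group 2
 secondary
 preempt
failover
!
admin-context admin
context admin
 allocate-interface Management0/0
 config-url disk0:/admin.cfg
context ctxA
 allocate-interface GigabitEthernet0/0
 config-url disk0:/ctxA.cfg
 join-failover-group 1
context ctxB
 allocate-interface GigabitEthernet0/1
 config-url disk0:/ctxB.cfg
 join-failover-group 2
```

Each context still sees a plain active/standby pair; the "load sharing" is only the split of whole contexts between the two units, not per-connection distribution like ClusterXL.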
Thanks for the most informative blog post this year, Greg Ferro!
I guess we're in the same boat, working on different makes/models.
Though I can't get over the NAT in ASAs… do you have a simple doco explaining it, showing the different options in a very simple and straightforward manner?
I heard that starting from 8.3 the global command was removed! How valid is this?
Except that the author you're referring to doesn't really comprehend multicast, proper design, or any depth in managing a Linux box, as is evident from the Naughty Multicast section. He just knows how to type Cisco commands.