
Redundant firewall, different ISP for each?

Hello,

I have what is hopefully a simple question. My org wants to set up a remote office with redundant firewalls and ISPs to keep connectivity if one firewall fails or one ISP goes down. A colleague of mine told me that at a previous company they used Sophos Firewall in an HA design, but each ISP plugged directly into only one firewall, and if that ISP went down the firewall would fail over to the other one and use the second ISP. However, a former colleague of mine who is a fairly senior network guy told me that in his experience that's not correct, because the HA firewalls basically share a single configuration, and you can't have different WAN IPs configured for each of the firewalls. He said the proper design would be two DMZ switches, each breaking out the ISP to be fed to identical ports in each firewall.

So, I would like to know if it is possible to do what my colleague thinks is possible, and avoid the cost of the DMZ switches. Is this design valid, even if it means unnecessarily failing over the firewall in the event that an ISP goes down? Or is my colleague perhaps remembering incorrectly?

Thank you

  • Hi,

    while waiting for a more experienced forum person to reply you might like to review this thread on a similar subject with a number of KBAs included.

    https://community.sophos.com/sophos-xg-firewall/f/discussions/138174/redundant-internet-for-ha-firewall

    Ian

    XG115W - v19.5.1 mr-1 - Home

    If a post solves your question please use the 'Verify Answer' button.

  • Thank you. Yes, I did see this one. This is the type of design my former colleague is describing, with the two DMZ switches breaking out the ISP handoffs and sending each to both firewalls. I am trying to figure out if the other way is possible as well.

  • If it's possible (you could configure both ISPs and only connect one to each device)... it's not a good solution.
    Why not always 2 ISPs?


    Dirk

    Systema Gesellschaft für angewandte Datentechnik mbH  // Sophos Platinum Partner
    Sophos Solution Partner since 2003
    If a post solves your question, click the 'Verify Answer' link at this post.

  • To save the cost of deploying two DMZ switches to split out the ISPs, which give only a single handoff. Thank you.

  • I don't understand why you don't just go with the proper HA and buy a cheap switch to share the connections.

    It is how redundancy is supposed to work with XG, so it is fully tested and supported and you don't need anything sophisticated switch wise so you are talking pennies.

  • I understand; the DMZ switch way is probably the way we will do it. I am just looking for clarification so I can discuss it with my colleague, who, I should clarify, is my manager. He may be mistaken in his recollection. Is there any configuration scenario you can think of where you would have each ISP going directly into a different firewall?

  • The solution with the DMZ switch gives you more redundancy. Either XG can communicate with either ISP. One ISP through each XG doesn't give you the same level of protection.

    I can't think of a way to achieve the other scenario running as an HA as opposed to two separate firewalls (which would also require you to license both XGs). If you force an HA failure when ISP1 went down, when the second XG took over it would fail that XG too (because ISP1 was down and they have to have the same config). Others may be able to think of a way of doing it but it doesn't get over the fact that it makes no sense to do it that way. I realise that may be difficult to suggest to your manager!
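To make the redundancy comparison in the reply above concrete, here is an added example (not from the original thread or from Sophos) that models the two designs being discussed and enumerates which combinations of up to two component failures leave the office without internet. The component names fw1, fw2, isp1 and isp2 are assumptions, and the model deliberately gives the one-ISP-per-firewall design the benefit of the doubt by assuming failover to the other firewall actually works; as the reply notes, with a shared HA configuration it would not.

```python
from itertools import combinations

# Constructed model of the two designs from the thread (example code, not
# Sophos's and not the original posters'). Node names are assumptions.
TOPOLOGIES = {
    # Two DMZ switches: every firewall has a path to every ISP.
    "dmz_switches": {"fw1": {"isp1", "isp2"}, "fw2": {"isp1", "isp2"}},
    # One ISP plugged directly into each firewall; assumes failover
    # to the other firewall works (it would not with a shared HA config).
    "one_isp_per_fw": {"fw1": {"isp1"}, "fw2": {"isp2"}},
}
COMPONENTS = ("fw1", "fw2", "isp1", "isp2")


def has_internet(topology, failed):
    """True if some surviving firewall still has a link to a surviving ISP."""
    for fw, isps in TOPOLOGIES[topology].items():
        if fw in failed:
            continue
        if any(isp not in failed for isp in isps):
            return True
    return False


def failure_scenarios(max_failures=2):
    """Every combination of 0..max_failures failed components."""
    for k in range(max_failures + 1):
        for combo in combinations(COMPONENTS, k):
            yield frozenset(combo)


def outage_scenarios(topology, max_failures=2):
    """Set of failure combinations that leave the site with no internet."""
    return {f for f in failure_scenarios(max_failures) if not has_internet(topology, f)}


def survives_single_failures(topology):
    """True if no single component failure causes an outage."""
    return all(has_internet(topology, frozenset([c])) for c in COMPONENTS)


if __name__ == "__main__":
    for name in TOPOLOGIES:
        print(f"{name}: survives any single failure = {survives_single_failures(name)}")
        for f in sorted(outage_scenarios(name), key=sorted):
            print("  outage when", " + ".join(sorted(f)), "fail together")
```

Both designs survive any single failure, but the direct-attach design also goes dark when fw1 and isp2 (or fw2 and isp1) fail together, because the surviving firewall has no path to the surviving ISP; the DMZ switch design only fails when both firewalls or both ISPs are lost.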

  • Thank you. I am recalling that at my last place we had two Palo Alto firewalls configured in AWS, mainly for egress traffic. They were not clustered. Rather, there was a solution that used different VRFs, and when one firewall failed (not the ISP) a Lambda function would switch a subnet to the other VRF. Not really analogous, but I guess there could be a way to control the routing before you get to the firewall if they were not HA paired.

  • How would you do it if you didn’t make them an HA pair?  

  • I have some ideas but I would need to test them in a lab scenario. However, while I don't mind taking the time to help out forum members, I'm not going to spend quite a bit of free time testing something out when you already have a much better solution available :) No offense intended!