Redundant firewall, different ISP for each?

Hello,

I have what is hopefully a simple question. My org wants to set up a remote office with redundant firewalls and ISPs to keep connectivity if one firewall fails or one ISP goes down. A colleague of mine told me that at a previous company, they used Sophos Firewall in an HA design, but each ISP plugged directly into only one firewall. And if that ISP went down, the firewall would fail over to the other one and use the second ISP. However, a former colleague of mine who is a fairly senior network guy told me that in his experience that's not correct, because the HA firewalls basically share a single configuration, and you can't have different WAN IPs configured for each of the firewalls. He said the proper design would be two DMZ switches, each breaking out the ISP to be fed to identical ports in each firewall.

So, I would like to know if it is possible to do what my colleague thinks is possible, and avoid the costs of the DMZ switches. Is this design valid, even if it means unnecessarily failing over the firewall in the event that an ISP goes down? Or is my colleague perhaps remembering incorrectly?

Thank you



This thread was automatically locked due to age.
  • If it's possible (you could configure both ISPs and only connect one to each device)... it's not a good solution.
    Why not always 2 ISPs?


    Dirk

    Systema Gesellschaft für angewandte Datentechnik mbH  // Sophos Platinum Partner
    Sophos Solution Partner since 2003
