Case Studies
This section explores the failover features available on the PIX Firewall in greater detail. The discussion is based on information from the New Product Introduction training by the PIX marketing team, modified to make it easier to follow.
Resiliency of connections through the PIX Firewall can be achieved with failover, which means that if one PIX fails, the other PIX is still available to process packets. Starting with PIX Version 7.0, a PIX can be configured in one of the following two failover modes:
Active/Standby Model
In this model, one PIX acts as the active unit that processes traffic at any given time, and the other unit acts as the standby. If the active unit fails, the standby unit becomes active and starts processing packets. If stateful failover is configured, the transition of connections from active to standby is very smooth. The new features added to Version 7.0 are as follows:
- Stateful failover for VPN traffic: This release introduces stateful failover for VPN connections. All security association (SA) state information and key material are synchronized automatically between the failover pair members, which provides a highly resilient VPN solution.
- Non-Stop Online Software Upgrades: This version allows you to perform software upgrades of failover pairs without affecting network uptime or connections flowing through the units. This is possible because this version introduces the ability to perform inter-version state sharing between PIX failover pairs. This allows you to perform software upgrades to maintenance releases (for example, 7.0(1) upgrading to 7.0(2)) without affecting traffic flowing through the pair. There is no impact in either active/standby failover environments or active/active environments.