Network Hardware Firewalls Buyers Guide

Fault Tolerance and Resilience




Page 4

Today it is vital that a firewall can cope with unexpected problems. You may encounter issues with the hardware itself, such as an interface fault or a power supply failure. Below are a few things to think about when looking for a firewall that provides good stability and fault tolerance.


Do you require redundant hardware, extra power supplies, and fans? Does the firewall hardware provide hardware redundancy?

High-end firewalls targeted at larger companies, in particular, come with redundant hot-swappable hardware such as a spare fan, spare power supply, NIC, hard drive, etc. This helps reduce downtime if a fan or a power supply fails within your appliance: the firewall keeps running on the backup hardware while the failed part is replaced. Because the parts are usually hot swappable, you don't need to shut the firewall down to replace the failed part.


Does the firewall support High Availability? Do you require Firewall redundancy and failover?

High availability eliminates a single point of failure by adding redundancy to the network. When two firewalls are configured for high availability and the primary firewall fails, the secondary firewall takes over and becomes active. This ensures that if you do experience a complete firewall failure, your secondary firewall takes over, eliminating any downtime. This type of setup is known as active/passive mode, because the primary firewall is active and processing traffic while the secondary firewall is in passive mode. While the secondary firewall is in passive mode it does not process any traffic; it only becomes active when the primary firewall fails and a failover occurs.

Firewalls today also support active/active mode, where both firewalls process traffic and, if one firewall fails, the other processes all traffic. So it's a mixture of high availability, failover, redundancy and load balancing all in one.


Do you require redundant physical connections to different internet service providers?

Connecting two different ISPs to two separate interfaces on a firewall provides redundancy: if the primary ISP fails, the second one becomes active and your firewall traffic passes through the second interface. Here you are looking for dual or multi WAN support. Some firewall vendors support multi WAN load balancing, where both connections are utilised at the same time and, if one fails, all traffic is processed by the remaining connection.


Do you need VPN redundancy?

If you have two or more WAN connections then you may be able to set up redundant VPN connections as well.

This functionality is also known as route based VPN, where you set up VPN routes. Your VPN uses a high priority route and, if that route fails, it takes another route.

With two or more WAN connections physically connected to two separate interfaces on your firewall, route based VPN provides VPN redundancy. If one of your ISPs fails, the second interface becomes active and your VPN is processed by the second interface.
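The priority-based VPN failover described above, modelled as an added example (not code from this guide or from any firewall vendor). The tunnel names, interface names, remote subnet and the "lower number wins" priority convention are assumptions, as is the choice to drop VPN-subnet traffic rather than pass it to the default route when no tunnel is usable.

```python
import ipaddress
from dataclasses import dataclass

@dataclass
class VpnRoute:
    destination: str   # remote subnet reached through the tunnel
    tunnel: str        # hypothetical tunnel name
    wan: str           # WAN interface the tunnel is built over
    priority: int      # lower number = preferred (assumed convention)

# Constructed sample: one remote site, one tunnel per ISP.
ROUTES = [
    VpnRoute("10.20.0.0/16", "vpn-isp1", "wan1", 10),
    VpnRoute("10.20.0.0/16", "vpn-isp2", "wan2", 20),
]

def select_route(dst_ip, routes, wan_up):
    """Return the preferred VPN route whose WAN link is up, or None.

    For a destination inside a VPN subnet, None means no tunnel is usable;
    the caller must drop the packet instead of using the default route,
    so the traffic cannot leave unencrypted.
    """
    addr = ipaddress.ip_address(dst_ip)
    candidates = [
        r for r in routes
        if addr in ipaddress.ip_network(r.destination) and wan_up.get(r.wan, False)
    ]
    return min(candidates, key=lambda r: r.priority, default=None)

def simulate(dst_ip, routes, events):
    """Replay (label, wan_state) events; return the tunnel chosen after each."""
    chosen = []
    for label, wan_up in events:
        route = select_route(dst_ip, routes, wan_up)
        chosen.append((label, route.tunnel if route else "DROP"))
    return chosen

# Constructed link-state timeline: failover, failback, then total outage.
EVENTS = [
    ("both ISPs up", {"wan1": True, "wan2": True}),
    ("ISP 1 fails", {"wan1": False, "wan2": True}),
    ("ISP 1 restored", {"wan1": True, "wan2": True}),
    ("both ISPs down", {"wan1": False, "wan2": False}),
]

if __name__ == "__main__":
    for label, tunnel in simulate("10.20.5.9", ROUTES, EVENTS):
        print(f"{label:15} -> {tunnel}")
```

When comparing products, check how the firewall behaves in the last case: whether VPN-bound traffic is dropped or silently follows another route is worth confirming with the vendor.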


Do you require alternative transport options?

You may need alternative transport options such as ADSL, T1, ISDN, Serial, 3G, etc., so you would need to investigate whether and how your firewall supports these types of WAN connections.

