General Questions about PIX Failover

[TheStressFactor]

Hello all,

In an effort to make my network a little more reduntant I was curious as to see how you all felt about having the PIX failover in place.

Do any of you have this in place and if so has it ever proven useful? How easy or difficult is it to configure?


Any feedback would be greatly appreciated.

Patrick

 

[haknwak]

Answer to both is a resounding YES!!! from my end.

It has saved me both in the event of an actual network/hardware failure inside and when I need to do maintenance.

You can just work on one at a time by temporarily diabling failover, upgrading, making the upgraded one active, doing a quick test of the config and then running upgrade on the second unit.

I have done a fairly large upgrade - OS version, NIC addition, conversion conduit to access-list and addition of DMZ all at one sitting with less than a few minutes downtime on my network. "If you lived here, you'd be home by now!"

George Carlin

 

[tbissett]

I echo haknwak's sentiments. The failover option has proved to be invaluable. Our site has a number of PIXes, and I've done countless upgrades during working hours because of the failover capability. Things we used to have to do on weekends can now be done on my schedule, rather than the other way around.

Oh yeah, it works great when a piece of hardware fails too... which I find is rare with Cisco, but it has happened. In my opinion, failover is one of the best features of the PIX.

 

[baddos]

It's definately a no-brainer to install a FO pix if you require a high uptime. It helps with OS upgrades, etc like tbissett and haknwak said, but the true beauty lies with the new TCP connection failover with version 6.2.

Definately a cool thing since it now allows TCP connection to be maintained when the Firewall fails over. This requires that you use the failover lan option, but it is definately worth the added NIC card.

-Bad Dos