Answer:

- Active/Passive:
  - One firewall manages traffic actively, while the other is synced and ready to switch to active mode if one fails. Both firewalls use identical configuration parameters in this mode, and one actively handles traffic until a path, connection, system, or network fails. When the active firewall fails, the passive firewall easily shifts to the active state and maintains network security by enforcing the same regulations. In virtual wire, Layer 2, and Layer 3 deployments, active/passive HA is supported.
- Active/Active:
  - Both firewalls in the pair are active and processing traffic, and they manage session setup and ownership in a synchronised manner. Both firewalls keep their own session and routing tables and synchronise with one another. In virtual wire and Layer 3 deployments, active/active HA is supported.
- We should consider the following distinctions when selecting whether to employ active/passive or active/active mode:
  - It is substantially easier to troubleshoot routing and traffic flow issues in active/passive mode due to its simplicity of design. Layer 2 deployment is supported in active/passive mode but not in active/active mode.
  - Advanced design concepts are required for active/active mode, which might result in more complicated networks. Activating networking protocols on both firewalls, duplicating NAT pools, and deploying floating IP addresses, depending on how you implement active/active HA, may necessitate additional settings. Because both firewalls are actively processing traffic, they execute Layer 7 content inspection using the notions of session owner and session setup. If each firewall requires its own routing instances and you need full, real-time redundancy from both firewalls all of the time, active/active mode is advised. Because both firewalls are actively processing traffic, active/active mode has a faster failover and can handle peak traffic flows better than active/passive mode.