Decent IPv6 firewall with failover?

Henrik Lund Kramshøj hlk at kramse.org
Mon May 17 09:54:32 CEST 2010


On 17/05/2010, at 09.46, George Bonser wrote:

> 
> 
>> -----Original Message-----
>> From: Gert Doering [mailto:gert at space.net]
>> Sent: Monday, May 17, 2010 12:36 AM
>> To: George Bonser
>> Cc: ipv6-ops at lists.cluenet.de
>> Subject: Re: Decent IPv6 firewall with failover?
>> 
>> Hi,
>> 
>> On Sun, May 16, 2010 at 11:52:56PM -0700, George Bonser wrote:
>>> Does anyone have any recommendations for a medium sized firewall (say
>>> something in the ASA5550 class) that can do failover?
>> 
>> Juniper/Netscreen SSG with ScreenOS 6.2 and up will do IPv6 + NSRP
>> failover just perfectly - full session takeover, etc.
>> 
>> Gert Doering
>>        -- NetMaster
>> --
> 
> That is what I am leaning towards but I believe Juniper is trying to
> phase out the ScreenOS stuff, though I am more familiar with it than the
> JunOS.  I have some experience with ScreenOS and am more at home with
> its "quirks".
> 
> Judging from recent traffic on the NANOG list, the SSG is more stable
> than the SRX and stability is more of my concern than ease of
> administration.

The SRX series is a bit more adventurous, but not stability-wise. I run quite a few of
them, various models from SRX210 and up. Some single devices, others clustered.

The thing is they have merged in the ScreenOS features and are scrambling to
expand the feature list. My problems have mostly been with a few features supported
on some models and then not on the next.

Things like:
- IPsec+GRE tunnel, fine works - ohh in a cluster, then don't
- IPv6 on low end models, and then suddenly not on larger models
- Fixed 100Mbit - full-duplex, fine with single device, with cluster - cannot
  specify on reth Gbit interface on SRX210H
- etc.

But the things advertised as working ARE working, so when features become
available they are trustworthy.

I made the switch from ScreenOS and things are different, but mostly for the better :-)
so now I enjoy Junos very much.


Best regards

Henrik

--
Henrik Lund Kramshøj, Follower of the Great Way of Unix
hlk at kramse.dk hlk at security6.net, +45 2026 6000 cand.scient CISSP CEH
http://solidonetworks.com/ Network Security is a business enabler
http://www.security6.net - security, IPv6 and networks
http://www.portscan.dk - free portscan









