How will many firewalls serving as the default gateway affect the DMZ?

We are planning to have a network with a centralized DMZ that has multiple stateful firewalls protecting it. Would there be routing issues in the DMZ if several firewalls all serve as the default gateway?

Requires Free Membership to View

By submitting you agree to receive email communications from
TechTarget and its partners. Privacy Policy Terms of Use.

Yes. If you attempt to have multiple firewalls connected to the same network segment, all serving as the default gateway, routing problems will ensue. I suggest working with a network engineer to come up with a solution to the specific problem you're trying to solve.

You didn't say in your question why you'd like to have multiple firewalls, but the reason most enterprises choose to go this route is for fault tolerance; that is, the ability of a backup component or procedure to immediately replace and take over for a failed system In that case, you don't want to set up both firewalls as the default gateway. Instead, use a product that includes built-in fault-tolerance features.

One common way to address this issue is through the use of a virtual IP address, an IP address that receives incoming packets but is not connected to a specific computer. Consider a local network using the address range 192.168.1.0/24, which is protected by redundant firewalls. The two firewalls would each have interfaces on the local network (say 192.168.1.2 and 192.168.1.3). In this scenario, they could also share a virtual IP address (192.168.1.1) and be connected by a crossover cable that allows the firewalls to share status information with each other. All devices on the local network could then set their default gateways to the virtual IP address of 192.168.1.1.

In that example, only one firewall is "live" at any given point in time. The live firewall sends out a gratuitous address resolution protocol (ARP) message, informing devices on the network that it owns the 192.168.1.1 IP address (in addition to its assigned IP address of 192.168.1.2). The standby firewall continuously asks the live firewall for status updates. If the live firewall fails to respond to several consecutive status requests, the standby firewall assumes that it has failed and takes over control of the network. It then sends out gratuitous ARP messages informing the network that it now owns the 192.168.1.1 virtual IP address.

This gratuitous ARP methodology allows multiple firewalls to exist on the same network and provide fault tolerance without requiring changes in the default gateways of other devices on the network.

More information:

A reader asks Mike Chapple, "How should multiple firewall rules be managed?"

Learn more about firewall redundancy, including deployment scenarios and benefits.

Latest Headlines

Featured

E-Books

E-Zines

E-Handbooks

Topics

Hot Topics

Advice & Tutorials

Technology Dictionary

Tips

Answers

Ask a Question

Research Library

Product Demos

Resource Centers

Blogs

How will many firewalls serving as the default gateway affect the DMZ?

Requires Free Membership to View

More News and Tutorials

Articles

Related glossary terms

Join the conversationComment

Share

Comments

Results

Contribute to the conversation

More from Related TechTarget Sites