Maestro experience Dual Site

Kolafer · ‎2023-07-28

Hi Community,

I would like to ask you about your expirience and recommendation.

We have 5 firewalls clusters in the the datacenter and only run firewall blade and IA (PEP).

We would like to use Maestro Dual Site and there are actually two/three options, what i have in my mind.

What would you recommend or what is the better approach.

Option 1.

- Dual Site in Active/Standby with 5 Gateway per Site.
- 5 Security Groups,

Option 2.

- Dual Site in Active/Standby with 5 Gateway per Site.
- 1 Security Group in VSX Mode and VSLS
- 5 VS's

I would like the option 2, because than we can use both site's as "Active/Active"

Option 3.
- Dual Site in Active/Standby with 5 Gateway per Site.
- 1 dedicated Security Group for firewall with bigger utilisation over the day (1-2 gatewaysper site)
- 1 Security Group in VSX Mode and VSLS with 2-3 VS's, for firewalls with not that big utilisation over the day (3-4 gateway per site)

Maybe you can also share some general expirience with Measto, about scalability, performance and utilisation stabilty.
Also would be interesting about Maestro running the TP blades like IPS, or the other ones. (limitaion ??)

Thanks

best regards

Bob_Zimmerman · ‎2023-07-28

From an availability design perspective, dual-site is a really, really, really bad idea unless literally every other team in your organization has perfect availability design. I would not use it for a new deployment, and I would move any existing deployment away from it as quickly as possible. The reason relates to why option 2 is also a bad idea: failure domains.

For a long time, I had a datacenter with a single VSX cluster as its core. It was built in 2011 when R67 was new, so that's what it was built with. That cluster handled all inter-network traffic both within the datacenter and between the datacenter and any Internet or WAN links, so the failure domain was the whole datacenter. Risky changes needed the approval of every team which had something there. The various teams couldn't agree on a window, so as a result, I just never got to do any maintenance on that cluster. It was running R67 until 2022 when the datacenter was shut down.

Now imagine both of your datacenters depending on a single cluster of devices which have to be upgraded together. There's no guarantee of isolation: a problem in one potentially affects the other, too. With a separate orchestrator cluster at each site, most potential failures are limited to that site. You can upgrade only one site to R81.20 and wait a month to see if you run into new issues.

Separately, dual-site deployments imply VLANs spanned between the two sites. This is also a bad idea for new deployments, but for a different reason: it leads to performance pathologies which can be extremely hard to debug. A lot of software expects sub-millisecond latency talking to other things on the same network block.

Kolafer · ‎2023-07-29

We already have the two datacenter design, where everything is in high availability deployment.
Currently we have the active gateway in DC1 and the standby gateway in DC2.
Between the datacenter we use fiber direct so all vlans are on both datacenter.

And I would not plan to use the Maestro for the perimeter zone or dmz zone, only the for the internal security zone.

Because of the high traffic we use already 5 cluster active/standby only in the ISZ.

This is ehy I thinking that on this point the Maestro is an option for the isz,

Single Site Maestro is not an option, it should be Dual Site