Blason_R
Leader

How do I distribute default alternate route in my scenario using BGP on Check Point?

Hi Team,

I have the scenario below: FW1 and FW2 are both in eBGP and are Check Point 6000 series firewalls, while FW1 has BGP peering with R1, R2 and R3.

Both FW1 and FW2 have different Internet pipes. So I would like to achieve this for host 192.168.47.98, whose default gateway is 192.168.47.96, while the default gateway for 192.168.47.99 is 192.168.47.95.

So if the Internet pipe fails on FW2 it should route through FW1 and vice versa. I am not sure how to configure the default gateway in BGP as an alternate route while peering with FW1, while peering with the routers from FW1 is working fine.

Between FW1 and FW2, eBGP is configured using the links 10.30.30.20 & 10.30.30.40. Can someone please help me with BGP?

Thanks and Regards,
Blason R
CCSA,CCSE,CCCS
0 Kudos
8 Replies
Blason_R
Leader

Do I need to configure iBGP between the firewalls? Wondering how I distribute the default gateway?

Thanks and Regards,
Blason R
CCSA,CCSE,CCCS
0 Kudos
vinceneil666
Advisor

I am having a bit of a hard time understanding your setup - to me it looks like the one FW has all the different Internet links connected to it?

I would think that a mix of local pref and AS prepending will get this done - and, depending a bit on what you want, some kind of PBR ... But please, could you clarify? 🙂

0 Kudos
Blason_R
Leader

Hi there,

My bad for creating confusion. Well, I have two separate firewalls managed by the same management server and it's plain BGP. On one of the firewalls there are links connecting to R3, and there are servers behind it. I have 3 links going to R3 and have eBGP configured between them. FW1 has an ISP connection and FW2 has a separate connection as well.

What I would like to achieve is: if the Internet at FW2 goes down, I want traffic originating from the 192.168.47.x range to take FW2 -> FW1 and then to the Internet. Same with FW1.

That is, if the Internet link at FW1 fails, then traffic from 192.168.47.0 should go out from FW1 -> FW2 and then out.

How do I distribute the default gateway between FW1 and FW2 so that link redundancy can be achieved if a link failover happens at either location?

Thanks and Regards,
Blason R
CCSA,CCSE,CCCS
0 Kudos
Srdjan_B
Collaborator

How is routing with the ISP done now? Are you using BGP or static? In other words, how is the default route configured now: is it being received via BGP from the ISP, or is it configured as a static route?

0 Kudos
vinceneil666
Advisor

I see,

The subnet you have for 192.168.47.0/24 is connected to both firewalls - that will be a bit problematic, so for starters I would clean that up. Now, I don't know the reason why you have done it like so, but I would consider removing the interface on fw1 (192.168.47.95) to start.

Then, since fw1 and fw2 have eBGP established, the traffic between them - all internal traffic - should be fine; at least you need to make sure it is fine before you move on (traffic flow from 192.168.47 to 172.16.9, etc.).

Then I would make sure that FW1 redistributes its default route to FW2 (as64512 -> as64514), and for this I would use AS-prepend so that it won't kill off the already existing default route in FW2. (Are the two existing default routes static, or are they BGP routes from the ISP?)

You will need to create a route map, let's say "rm-default-out"; make sure you do a match on "0.0.0.0/0 exact". Also, in the route map, make sure you set an action doing AS-prepend: "action aspath-prepend-count 5". I usually use 5; 2 or 3 is fine too.

Attach this route map to your external remote-as, as an export/outbound.

This should make sure that the default route you send to fw2 has its AS number added in 5 times in the path - thus making it less valuable than the existing one. In general, something like this will work.

But yeah, the drawing tells me that the two FWs have an eBGP connection. And is your existing default route static or BGP?

0 Kudos
Blason_R
Leader

Yeah - that's right. Considering there is an L3 switch below the firewall at the 192.168.47.0/24 network, the servers won't be connected directly to the firewall. But yes, thanks for the heads up about the route-map and AS-path prepend. I had no clue about sending a default route update to the other firewall with less value so that the other firewall will be used in case of failure.

Thanks and Regards,
Blason R
CCSA,CCSE,CCCS
0 Kudos
Srdjan_B
Collaborator

Just keep in mind, a BGP route received from another firewall will work only if you are also receiving the default route from the ISP via BGP. If you have a static route to the ISP, you would have to use ip-reachability-detection to detect if the ISP is available and automatically remove the static route when the ISP connection is lost. Otherwise, the static route to the failed ISP will take precedence over the route received via BGP. But generally speaking, if you are already running BGP on the GW, it would be best to switch to BGP with the ISP and remove the static default.

One more thing to check is topology/anti-spoofing. If the interfaces between the firewalls are defined as Internal, they may drop traffic from public IP addresses.

0 Kudos
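The route-map vinceneil666 describes, together with the caveat from Srdjan_B that the ISP default on the receiving side must itself be a BGP-learned route, written out as an added Gaia clish example (not a configuration posted in this thread). It assumes FW1 is AS 64512 on 10.30.30.20 and FW2 is AS 64514 on 10.30.30.40, and that these clish forms match the Gaia release in use, so check them against the Gaia Advanced Routing guide before committing.

```clish
# Added example, not from the thread. Run on FW1 (AS 64512, link 10.30.30.20).
# Assumption: FW2 is AS 64514 at 10.30.30.40; the mirrored config goes on FW2.

# 1. Route map: match only the exact default prefix and prepend our AS 5 times
#    on export, so FW2 still prefers the shorter path it learns from its own ISP.
set routemap rm-default-out id 10 on
set routemap rm-default-out id 10 match network 0.0.0.0/0 exact
set routemap rm-default-out id 10 action aspath-prepend-count 5

# 2. An export route map only passes what it permits, so a second entry keeps the
#    internal prefixes (192.168.47.x, 172.16.x) flowing between the firewalls
#    unchanged (assumed "allow" catch-all form).
set routemap rm-default-out id 20 on
set routemap rm-default-out id 20 allow

# 3. Apply the route map outbound to the peer firewall only, not to R1/R2/R3.
set bgp external remote-as 64514 on
set bgp external remote-as 64514 peer 10.30.30.40 on
set bgp external remote-as 64514 export-routemap rm-default-out preference 1 on

# 4. Check what is actually advertised to FW2: 0.0.0.0/0 should show the
#    lengthened AS path, internal prefixes their normal path.
show bgp peer 10.30.30.40 advertise

# 5. On FW2, the ISP default must be a BGP-learned route (or a static one that
#    is withdrawn by ip-reachability-detection), otherwise the static default
#    keeps winning over the prepended route from FW1 and failover never happens.
show route bgp
show route static

save config
```

After both firewalls are configured, pull the ISP link on one side in a maintenance window and confirm with `show route` that the prepended default from the peer firewall becomes the active route, and that anti-spoofing on the inter-firewall interfaces does not drop the rerouted traffic.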
Blason_R
Leader

Ah - that's nice information, and thanks for the heads up.

Thanks and Regards,
Blason R
CCSA,CCSE,CCCS
0 Kudos
