Virtual Secure Web Gateway

SWG inline behind high availability Firewalls

    Posted Oct 15, 2012 06:42 AM

    Hi,

    I've read the install guide and actually installed something like this, but I'm not clear on how this is actually supposed to work. For example, a pair of Firewalls have behind them an inline/proxy pair of SWGs. The SWGs physically interrupt the cable between the LAN switch and the perimeter Firewalls. For an inline gateway the SWGs need to be able to "see" the IP address, but as different FW vendors implement HA differently, can the SWG be implemented without generating errors and without adding extra hardware or pushing the WAN cable through a switch?

    My two FW vendors for this are Check Point and Cisco. Check Point operates a model with two physical addresses and one virtual address, where the virtual address swaps between the two Firewalls (active/passive). If the SWG on the passive link has the virtual address configured as the inline gateway next hop, then it generates an error ("unable to see inline gateway", etc.) and continues to do so until that Firewall becomes active, at which point the previously active SWG generates errors. For Cisco you have the same problem, but as the ASAs swap IP addresses on failover it's a slightly different behaviour.

    The solution I'm thinking of would be to put a switch in between the SWG WAN interface and the Firewall (could use a pair of switches for resiliency), but it seems overkill. That way both SWGs would always be able to see their inline gateway regardless of Firewall state.

    What works in practice?

    Thx
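
A small reachability model of the problem described in the post, added here as an example; it is not part of the original post and not vendor code. It reduces the topology to "which firewall ports share an L2 segment with each SWG's WAN port" and asks, for each SWG, whether its configured inline-gateway next hop is answering on that segment. Firewall HA is modelled only as the post describes it: a Check Point style cluster where two physical addresses stay put and one virtual address follows the active member, and a Cisco ASA style pair where the two units swap addresses on failover. All IP addresses are placeholders, and the ARP/ping-style health check the SWG actually performs is assumed to amount to "is the next hop on my segment".

```python
"""Model: inline SWG pair cabled to an HA firewall pair, before/after failover.

Added example (not from the original post). Addresses are placeholders and the
SWG's inline-gateway health check is simplified to L2 reachability of the next hop.
"""
from dataclasses import dataclass
from typing import Callable, Dict, FrozenSet, List, Set

# Placeholder addresses (assumed for the model).
FW1_PHYS = "10.0.0.2"      # Check Point member 1 physical address
FW2_PHYS = "10.0.0.3"      # Check Point member 2 physical address
VIP = "10.0.0.1"           # Check Point cluster virtual address, follows the active member
ASA_ACTIVE = "10.0.1.1"    # ASA: address held by whichever unit is currently active
ASA_STANDBY = "10.0.1.2"   # ASA: address held by the standby unit


@dataclass(frozen=True)
class Firewall:
    name: str
    addresses: FrozenSet[str]   # IPs this unit currently answers for on its LAN-side port


def checkpoint_cluster(active: str) -> Dict[str, Firewall]:
    """Two physical addresses stay put; the virtual address moves to the active member."""
    addrs: Dict[str, Set[str]] = {"fw1": {FW1_PHYS}, "fw2": {FW2_PHYS}}
    addrs[active].add(VIP)
    return {name: Firewall(name, frozenset(ips)) for name, ips in addrs.items()}


def asa_pair(active: str) -> Dict[str, Firewall]:
    """The two units swap addresses on failover: the active unit owns the active IP."""
    standby = "fw2" if active == "fw1" else "fw1"
    return {
        active: Firewall(active, frozenset({ASA_ACTIVE})),
        standby: Firewall(standby, frozenset({ASA_STANDBY})),
    }


# Topologies: the firewall ports that share an L2 segment with each SWG's WAN port.
# Direct cabling: each SWG interrupts the cable to exactly one firewall.
DIRECT_CABLED: Dict[str, Set[str]] = {"swg1": {"fw1"}, "swg2": {"fw2"}}
# A switch between the SWG WAN ports and both firewalls puts everything on one segment.
VIA_SWITCH: Dict[str, Set[str]] = {"swg1": {"fw1", "fw2"}, "swg2": {"fw1", "fw2"}}


def unreachable_gateways(topology: Dict[str, Set[str]],
                         firewalls: Dict[str, Firewall],
                         next_hop: str) -> List[str]:
    """Return the SWGs whose configured next hop is not answering on their WAN segment.

    Those are the units that would raise the 'unable to see inline gateway' style error.
    """
    errors = []
    for swg, attached in sorted(topology.items()):
        visible = set().union(*(firewalls[fw].addresses for fw in attached))
        if next_hop not in visible:
            errors.append(swg)
    return errors


def failover_walk(topology: Dict[str, Set[str]],
                  ha_model: Callable[[str], Dict[str, Firewall]],
                  next_hop: str) -> Dict[str, List[str]]:
    """Run the check with fw1 active, then again after failover to fw2."""
    return {active: unreachable_gateways(topology, ha_model(active), next_hop)
            for active in ("fw1", "fw2")}


if __name__ == "__main__":
    for label, topo in (("direct cabling", DIRECT_CABLED), ("via switch", VIA_SWITCH)):
        print(label)
        print("  Check Point, next hop = VIP:      ", failover_walk(topo, checkpoint_cluster, VIP))
        print("  ASA, next hop = active address:   ", failover_walk(topo, asa_pair, ASA_ACTIVE))
```

With direct cabling, exactly one SWG is in error at any time and the erroring unit flips on failover, for both HA styles: the passive firewall's cable simply never carries the moving address. With the intermediate switch, both SWGs see the active address in every state, which is the effect the post is after; the model says nothing about whether a second switch or the extra hop is worth it in a given design.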