What is the purpose of having 2 Cisco ASA 5500-X Series Firewalls in a Network?
I just came across a technical proposal for having a control room & server room in New York and another control room & server room in Singapore. There will be 2x Cisco ASA 5500-X Series Firewalls in a network (in the Singapore server room) with a DMZ. I am not an expert in networking and I couldn't get the idea of having 2x firewalls in the same network. Is there any idea about this?
Also, I have seen a proposal where a network has 1x Cisco ASA 5500-X series firewall and also a software subscription firewall in the same network. How does this work?
Whereas most of the networks that I have come across only have 1x Cisco firewall.
I would appreciate it if I could understand more about the setup that I mentioned above.
High Availability (most likely)
Cisco ASAs are commonly recommended in pairs for HA (High Availability) in Active/Standby. This is due to their typically critical nature in the network.
The decision for a single firewall is often the result of financial, design and risk considerations.
I concur with @BrandonXavier, this adds an additional layer of protection during upgrades. It can also add a layer of protection in the event the ASA itself fails or an upstream or downstream device fails.
Active/Active configurations are less common as there are additional design and configuration requirements to mitigate asymmetric flows.
Unless a Cluster license is included in the quote, it is highly unlikely the ASAs are intended to be aggregated together into a cluster. Clusters have a high bar of prerequisites, are difficult to work with and are not very efficient.
The two firewalls could also have different purposes such as one for terminating Internet while the other terminates VPN connections, but it is impossible to know without knowing more design details.
Reference: Cisco ASA Configuration Guide - Failover for High Availability
Reference: Cisco ASA Configuration Guide - ASA Cluster
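
The Active/Standby pairing described in the answer above, sketched as an ASA configuration. This is an added example, not part of the original answer or the proposal: the interface numbers, the addresses, the link name `FOLINK` and the key are assumptions and placeholders.

```cisco
! ----- Primary unit (added example; all names and addresses are assumed) -----
! Each data interface has an active IP plus a "standby" IP for the peer unit.
interface GigabitEthernet0/0
 nameif outside
 security-level 0
 ip address 203.0.113.1 255.255.255.0 standby 203.0.113.2
!
interface GigabitEthernet0/1
 nameif inside
 security-level 100
 ip address 10.1.1.1 255.255.255.0 standby 10.1.1.2
!
interface GigabitEthernet0/2
 nameif dmz
 security-level 50
 ip address 10.1.2.1 255.255.255.0 standby 10.1.2.2
!
! Dedicated link between the two ASAs: no nameif, only enabled.
interface GigabitEthernet0/3
 no shutdown
!
failover lan unit primary
failover lan interface FOLINK GigabitEthernet0/3
failover interface ip FOLINK 172.16.0.1 255.255.255.252 standby 172.16.0.2
! Same link also carries connection state, so sessions survive a failover.
failover link FOLINK GigabitEthernet0/3
failover key REPLACE_WITH_SHARED_KEY
failover
!
! ----- Secondary unit: bootstrap only -----
! Everything else (interfaces, ACLs, NAT) replicates from the active unit.
interface GigabitEthernet0/3
 no shutdown
!
failover lan unit secondary
failover lan interface FOLINK GigabitEthernet0/3
failover interface ip FOLINK 172.16.0.1 255.255.255.252 standby 172.16.0.2
failover key REPLACE_WITH_SHARED_KEY
failover
```

Hosts and routers only ever point at the active addresses, so the pair behaves as one logical firewall; `show failover` on either unit reports which one currently holds the active role.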