[c-nsp] Campus Network - Deployment mode of Perimeter Firewalls

Yham yhameed81 at gmail.com
Mon Aug 10 14:53:43 EDT 2020

Hello Gentlemen,

We are redesigning the core network where we have
- Edge routers peering BGP with internet providers and partners
- Perimeter firewalls to secure north-south traffic
- High-end core switches where all distribution switches connect.

Logical diagram: Internet providers/partners -> Edge routers -> Firewalls
-> Core switches -> Distribution/Access switches

We plan to use BGP (with BFD) from distribution all the way up to the Edge
routers, and the core network has to be highly available.

I wanted to ask if there are best practices when deploying the
perimeter firewalls.
Is Active/Active better than the Active/Standby HA model?
Does a pair of firewalls in Routed mode perform better than in
Transparent/Layer 2 mode?

My thoughts
On a pair of firewalls in Active/Active mode, 1) both uplinks/downlinks can
be utilized with ECMP, but I don't understand why it's considered an advantage,
because regardless of having both links active, you can't oversubscribe,
because you want to make sure there is no impact when one of the firewalls
goes down.
2) In fact, I could be wrong, but I think A/A creates asymmetric flows that
are difficult to troubleshoot.
3) however with A/A, I think the convergence can be faster depending on the
underlying routing

Regarding firewall mode, I know you can't use some firewall features (such
as VPN, NAT etc.) when in Layer 2 mode; however, in some Next-Gen firewalls
you can make a certain pair of interfaces transparent to your upstream and
downstream and another pair of interfaces Layer 3 mode for VPN, NAT etc.

Any comments, please?
If you know of any good document on this very topic, please share it with
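Added example (not part of the post above or of any reply in the thread): a toy model of the asymmetric-flow problem with ECMP across an Active/Active firewall pair. The two-unit pair, the hash salts ("edge-router", "core-switch"), the 10.0.0.0/16 clients and the 203.0.113.10 server are constructed for illustration; real platforms hash differently, but the property shown is general: the core switch chooses the firewall for the outbound SYN and the edge router chooses the firewall for the returning SYN/ACK, and these are two independent decisions. A stateful firewall that never saw the SYN drops the return packet unless the session table is shared between the units.

```python
"""Toy ECMP model: Active/Active firewalls with and without state sync.

Constructed example, not from the original post. Addresses, ports and hash
salts are assumptions chosen for illustration.
"""
import hashlib
from dataclasses import dataclass

FIREWALLS = ("fw1", "fw2")  # the Active/Active pair


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    sport: int
    dport: int
    proto: str = "tcp"

    def reverse(self):
        """The same flow seen from the other direction (e.g. the SYN/ACK)."""
        return Packet(self.dst, self.src, self.dport, self.sport, self.proto)

    def flow_key(self):
        """Direction-agnostic key, as a stateful firewall's session table uses."""
        ends = sorted([(self.src, self.sport), (self.dst, self.dport)])
        return (self.proto,) + tuple(ends)


def ecmp_pick(pkt, seed, symmetric=False):
    """Pick a next-hop firewall by hashing the 5-tuple.

    `seed` stands in for the per-device hash salt/algorithm. With
    symmetric=True the endpoints are sorted first, so forward and reverse
    packets hash identically *on the same device*; it says nothing about
    what a different device with a different seed will pick.
    """
    ends = [(pkt.src, pkt.sport), (pkt.dst, pkt.dport)]
    if symmetric:
        ends = sorted(ends)
    digest = hashlib.sha256(f"{seed}|{pkt.proto}|{ends}".encode()).digest()
    return FIREWALLS[digest[0] % len(FIREWALLS)]


class StatefulFirewall:
    """Minimal stateful unit: SYN creates a session, other packets must match one."""

    def __init__(self, name, shared_table=None):
        self.name = name
        self.sessions = set()
        self.shared = shared_table  # non-None models cluster state sync

    def _table(self):
        return self.shared if self.shared is not None else self.sessions

    def forward(self, pkt, syn):
        table = self._table()
        if syn:
            table.add(pkt.flow_key())  # policy permits the new outbound flow
            return True
        return pkt.flow_key() in table  # mid-flow packet without session: drop


def simulate(n_flows, symmetric_hash=False, state_sync=False, same_seeds=False):
    """Return the fraction of flows whose return traffic the pair drops."""
    shared = set() if state_sync else None
    fws = {name: StatefulFirewall(name, shared) for name in FIREWALLS}
    south_seed = "core-switch"                      # picks for outbound SYNs
    north_seed = south_seed if same_seeds else "edge-router"  # picks for returns
    dropped = 0
    for i in range(n_flows):
        client = f"10.0.{i // 256}.{i % 256}"       # constructed client addresses
        req = Packet(client, "203.0.113.10", 1024 + i, 443)
        out_fw = ecmp_pick(req, south_seed, symmetric_hash)
        fws[out_fw].forward(req, syn=True)
        back_fw = ecmp_pick(req.reverse(), north_seed, symmetric_hash)
        if not fws[back_fw].forward(req.reverse(), syn=False):
            dropped += 1
    return dropped / n_flows


if __name__ == "__main__":
    for label, kw in [
        ("independent hashes, no state sync", {}),
        ("symmetric hash on each device, no state sync", {"symmetric_hash": True}),
        ("independent hashes, state sync", {"state_sync": True}),
        ("identical symmetric hash on both devices", {"symmetric_hash": True, "same_seeds": True}),
    ]:
        print(f"{label:48s} dropped={simulate(1000, **kw):.2%}")
```

Roughly half of the flows break whenever the two routers hash independently, and making each device's own hash symmetric does not change that; only a shared session table (cluster state sync) or a deterministic, identical path choice on both sides of the pair brings the drop rate to zero. That is the trade-off behind the poster's points 1 and 2: A/A buys link utilisation at the cost of either state-sync traffic between the units or a routing design that pins both directions of a flow to the same unit.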

