Thank you Joshua for the quick and detailed response.

I agree with everything you mentioned below, and this is why we are considering it.

To your questions and comments below:

The requirement for stateful traffic flow is given by the customer.
The logic behind it is to avoid unnecessary paging procedures for idle mobile devices.
It protects both signaling resources of the network and also battery life of devices.
This was very relevant in the early 2000s, not sure if it’s relevant for today.
However, it remains a customer requirement.

As for clients' recovery from flow interruption - from incidents we had in the last few years and observing how fast connections ramp up on the alternate devices, it seems that clients are recovering very quickly.

My main concern is that this customer has a pretty traditional mindset and never likes being the first deployment of any technology.

This is why I am looking for inputs on other deployments that use this technology.

Regards,

Amos

On 3 Feb 2025, at 5:46, Joshua Miller <contemno@gmail.com> wrote:

Hi Amos,

Assuming the network segments adjacent to these stateful devices use longest prefix match routing, NPTv6 is your best option. You'd assign a unique IPv6 prefix as the NPTv6 prefix to each firewall, ensuring the traffic returns to the correct firewall.

Keep in mind each stateful firewall is a single point of failure for the flows it handles. When it inevitably goes down (maintenance or failure), all those flows will have to be re-established through other firewalls. Also, depending on how the clients are configured with connection timeouts, the users could experience a noticeable amount of service disruption.

It's possible to have firewalls in a cluster sharing state, but I consider them to be a single logical device with its own failure profile. In that scenario I would be inclined to deploy multiple redundant clusters; without knowing your budget I don't know how feasible this is. —"Shared state, shared fate."

I wouldn't use NAPT66 unless you need to do something really bespoke. Introducing port translation complicates end-to-end connectivity, and adds more latency and issues for applications like VoIP.

To dive a little deeper, I'd reevaluate the requirement for the firewalls to be stateful. Are there any specific threats or attack vectors you want to address with stateful flow tracking?


Best,
Josh
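As an added illustration of the per-firewall NPTv6 prefix idea in Josh's reply (example code, not from either correspondent), the following implements the RFC 6296 checksum-neutral prefix translation for /48 prefixes and shows why return traffic lands on the right firewall: each firewall owns its own external /48, the mapping is purely algorithmic (no per-flow state), and the translated address keeps the same one's complement sum so transport checksums stay valid. The internal ULA prefix and the two external prefixes are constructed values.

```python
import ipaddress

# Constructed example: one internal ULA /48 behind two stateful firewalls,
# each owning its own external /48 used as its NPTv6 prefix (hypothetical).
INTERNAL_PREFIX = "fd12:3456:789a::/48"
FIREWALLS = {"fw-a": "2001:db8:aaaa::/48", "fw-b": "2001:db8:bbbb::/48"}

def ones_sum(words):
    """16-bit one's complement sum with end-around carry."""
    total = 0
    for w in words:
        total += w
        total = (total & 0xFFFF) + (total >> 16)
    return total

def addr_words(addr):
    """Split an IPv6 address into its eight 16-bit words."""
    packed = ipaddress.IPv6Address(addr).packed
    return [int.from_bytes(packed[i:i + 2], "big") for i in range(0, 16, 2)]

def nptv6(addr, from_prefix, to_prefix):
    """RFC 6296 sec. 3.1 translation for /48 (or shorter) prefixes: swap the
    prefix bits, then adjust word 3 (the subnet field) so the one's complement
    sum of the whole address is unchanged. Stateless and reversible."""
    src = ipaddress.IPv6Network(from_prefix)
    dst = ipaddress.IPv6Network(to_prefix)
    if src.prefixlen != dst.prefixlen or src.prefixlen > 48:
        raise ValueError("prefixes must be equal length and at most /48")
    if ipaddress.IPv6Address(addr) not in src:
        raise ValueError(f"{addr} is not inside {from_prefix}")
    host_bits = int(src.hostmask)
    swapped = (int(ipaddress.IPv6Address(addr)) & host_bits) | int(dst.network_address)
    words = addr_words(ipaddress.IPv6Address(swapped))
    # adjustment = sum(internal /48 words) - sum(external /48 words), one's complement
    adjust = ones_sum(addr_words(src.network_address)[:3]
                      + [(~w) & 0xFFFF for w in addr_words(dst.network_address)[:3]])
    words[3] = ones_sum([words[3], adjust])
    if words[3] == 0xFFFF:          # negative zero; the RFC writes 0x0000 instead
        words[3] = 0
    return ipaddress.IPv6Address(b"".join(w.to_bytes(2, "big") for w in words))

def checksum_neutral(a, b):
    """True when both addresses have the same one's complement sum (0 == 0xFFFF)."""
    return ones_sum(addr_words(a)) % 0xFFFF == ones_sum(addr_words(b)) % 0xFFFF

def owning_firewall(external_addr):
    """Longest-prefix match: the firewall that return traffic is routed to."""
    a = ipaddress.IPv6Address(external_addr)
    return next(fw for fw, p in FIREWALLS.items() if a in ipaddress.IPv6Network(p))
```

Because the same internal host maps to a different external address per firewall, replies for a flow that left through fw-a are routed back to fw-a, which is exactly what a stateful device needs; a failed firewall still takes its flows with it, as Josh notes.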