Cisco Content Services Switch Security Configuration Guide
OL-5650-02
Chapter 5 Configuring Firewall Load Balancing
Firewall Synchronization
Firewall solutions providing Stateful Inspection, such as Check Point FireWall-1®, create and maintain virtual state for all connections through their devices, even for stateless protocols such as UDP and RPC. This state information, including details on Network Address Translation (NAT), is updated according to the data transferred. Different firewall modules running on different machines, such as those in a FWLB environment, can then share this information by mutually updating each other on the different state information of their connections.
Firewall synchronization (as shown in Figure 5-1) provides a significant benefit whereby each firewall device is aware of all connections in a firewall load balanced environment, making recovery of a failed firewall immediate and transparent to its users.
Note: For details on configuring firewall synchronization, refer to your specific firewall documentation. In the case of a FireWall-1 device, you can find detailed configuration information in the Check Point Software FireWall-1 Architecture and Administration guide, in the chapter Active Network Management.
Configuring FWLB
A CSS must exist on each side of the firewall to control which firewall is selected for each flow. Within the firewall configuration, you must configure both the local and remote CSSs with the same firewall index number.

To avoid dropping packets, the CSS directs all packets between a pair of IP addresses across the same firewall. This applies to packets flowing in either direction. If one path fails, all traffic uses the remaining path, or is balanced across the remaining paths when more than one remains.
Note: You must define the firewall index before you define the firewall route, or the CSS will return an error message. To configure the route, see the ip route... firewall command.
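The following is an added illustration, not Cisco code and not the CSS's own selection algorithm. It models the three rules stated in this section: a firewall route is rejected unless its firewall index is already defined, every packet between one pair of IP addresses is sent through the same firewall in both directions (so a stateful firewall sees both halves of a connection), and when a path fails only the flows pinned to it are moved to the remaining paths. The addresses, the `Css`/`FirewallPath` classes and the rendezvous-hashing scheme are assumptions made for the example; the page does not describe how the CSS itself chooses a firewall.

```python
"""Toy model of Content Services Switch firewall load balancing (FWLB).

Added illustration, not Cisco code. The selection scheme (rendezvous hashing
over the sorted address pair) is an assumption for the example; the real CSS
algorithm is not described on this page.
"""
import hashlib
from dataclasses import dataclass, field


class ConfigError(Exception):
    """Raised when a firewall route references an undefined firewall index."""


@dataclass
class FirewallPath:
    index: int
    local_fw: str    # firewall address on this CSS's side
    remote_fw: str   # firewall address on the peer CSS's side
    peer_css: str    # address of the CSS beyond the firewall
    up: bool = True


@dataclass
class Css:
    name: str
    firewalls: dict = field(default_factory=dict)  # index -> FirewallPath
    routes: list = field(default_factory=list)     # (prefix, index)

    def ip_firewall(self, index, local_fw, remote_fw, peer_css):
        """Define a firewall index; both CSSs must use the same index per firewall."""
        self.firewalls[index] = FirewallPath(index, local_fw, remote_fw, peer_css)

    def ip_route_firewall(self, prefix, index):
        """Add a route through firewall `index`; the index must already exist."""
        if index not in self.firewalls:
            raise ConfigError(f"{self.name}: firewall index {index} is not defined")
        self.routes.append((prefix, index))

    def select_firewall(self, src, dst):
        """Choose the firewall index for a packet between src and dst.

        Sorting the address pair makes the choice direction-independent, and
        rendezvous (highest-random-weight) hashing means that when one path
        drops out only the flows pinned to that path are reassigned.
        """
        candidates = {idx for _, idx in self.routes if self.firewalls[idx].up}
        if not candidates:
            raise RuntimeError(f"{self.name}: no firewall path available")
        pair = "|".join(sorted((src, dst)))
        return max(candidates,
                   key=lambda idx: hashlib.sha256(f"{pair}|{idx}".encode()).digest())

    def set_path_state(self, index, up):
        self.firewalls[index].up = up


def build_pair(n_firewalls=2):
    """Constructed topology: one CSS inside, one outside, n firewalls between.

    Addresses are made up for the example. Each firewall gets the same index
    on both CSSs, as the configuration text requires, and the index is
    defined before the route that uses it.
    """
    inside, outside = Css("inside-css"), Css("outside-css")
    for i in range(1, n_firewalls + 1):
        inside.ip_firewall(i, f"10.1.1.{i + 1}", f"10.2.2.{i + 1}", "10.2.2.1")
        outside.ip_firewall(i, f"10.2.2.{i + 1}", f"10.1.1.{i + 1}", "10.1.1.1")
        inside.ip_route_firewall("0.0.0.0/0", i)
        outside.ip_route_firewall("0.0.0.0/0", i)
    return inside, outside


def failover_report(inside, outside, flows, failed_index):
    """Map each flow before and after firewall `failed_index` goes down.

    Returns {(src, dst): (before, after)}. The outside CSS is queried in the
    reverse direction to show both boxes agree on every flow.
    """
    before = {f: inside.select_firewall(*f) for f in flows}
    for f in flows:
        assert outside.select_firewall(f[1], f[0]) == before[f]
    inside.set_path_state(failed_index, False)
    outside.set_path_state(failed_index, False)
    after = {f: inside.select_firewall(*f) for f in flows}
    return {f: (before[f], after[f]) for f in flows}


if __name__ == "__main__":
    css_in, css_out = build_pair(3)
    sample = [(f"10.1.1.{h}", "192.0.2.5") for h in range(10, 20)]
    for flow, (b, a) in failover_report(css_in, css_out, sample, 1).items():
        print(f"{flow[0]} <-> {flow[1]}: firewall {b} -> firewall {a}")
```

Running the script prints, for each constructed flow, the firewall it used before index 1 was marked down and the one it uses afterwards: flows that were on firewalls 2 or 3 keep their firewall, so their state on the surviving firewall stays valid, while only the flows that were on firewall 1 move. The `ConfigError` raised by `ip_route_firewall` mirrors the error the CSS returns when a route names an index that has not yet been defined.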