Using HSB to Improve Firewall Reliability
An enterprise usually deploys a firewall between the enterprise network and the Internet to improve security. If the firewall fails, communication between the enterprise and the Internet is interrupted. Reliability of the firewall is therefore key to network availability.
A traditional backup solution deploys multiple devices on an access node and uses VRRP or dynamic routing to trigger link switching. This solution works when the devices on the access node are routers: a router looks up the forwarding table for every packet and keeps no per-flow state, so forwarding continues after link switching. If stateful firewalls are deployed on the access node, link switching interrupts services. A stateful firewall forwards packets based on connection state. When a user initiates a session, the firewall checks only the first packet against its security policy. If the first packet is permitted, the firewall creates a session entry, and subsequent packets of that flow (including return packets) pass only if they match the session entry. After link switching, the firewall that takes over has no matching session entry for the existing flows, so it drops their packets and services are interrupted.
HSB implements redundancy between stateful firewalls without interrupting service traffic. The HSB service synchronizes session entries between the two firewalls: before link switching, the backup firewall synchronizes session information from the master firewall, so when the master firewall fails, the backup firewall already holds the session entries and processes the service traffic. Link switching therefore does not interrupt user sessions, improving connection availability.
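The following is an added illustration of the behaviour described in the two paragraphs above; it is not Huawei's code and does not implement the HSB protocol itself. It models a stateful firewall that checks only the first packet of a flow against its policy, creates a session entry, and forwards later packets (including return packets) by session lookup. Two instances stand in for FWA and FWB, `failover()` stands in for the VRRP master/backup state change, and `sync=True` stands in for HSB copying session entries from master to backup. The packet layout, the "inside" address prefix and the policy (outbound TCP/443 only) are assumptions made for this example.

```python
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Packet:
    """Minimal packet model (assumption: only the 5-tuple and a SYN flag matter)."""
    src: str
    sport: int
    dst: str
    dport: int
    proto: str = "tcp"
    syn: bool = False  # True only for the first packet of a TCP connection


def forward_key(p: Packet):
    return (p.proto, p.src, p.sport, p.dst, p.dport)


def return_key(p: Packet):
    """Key a return packet would match: the same session seen from the other side."""
    return (p.proto, p.dst, p.dport, p.src, p.sport)


@dataclass
class StatefulFirewall:
    name: str
    inside_prefix: str           # assumption: trusted zone identified by address prefix
    allowed_ports: frozenset     # assumption: policy permits outbound TCP to these ports
    sessions: dict = field(default_factory=dict)

    def handle(self, p: Packet) -> str:
        # Subsequent packets (either direction) are matched against the session table only.
        if forward_key(p) in self.sessions or return_key(p) in self.sessions:
            return "forward"
        # First packet of a flow: consult the security policy and create a session entry.
        if p.syn and p.src.startswith(self.inside_prefix) and p.dport in self.allowed_ports:
            self.sessions[forward_key(p)] = "established"
            return "forward"
        return "drop"


class HsbPair:
    """Master/backup pair. With sync=True every session the master creates is
    copied to the backup, standing in for HSB session-entry synchronization."""

    def __init__(self, master: StatefulFirewall, backup: StatefulFirewall, sync: bool):
        self.master, self.backup, self.sync = master, backup, sync

    def handle(self, p: Packet) -> str:
        verdict = self.master.handle(p)
        if self.sync:
            self.backup.sessions.update(self.master.sessions)
        return verdict

    def failover(self) -> None:
        """Master fails; the backup takes over (the VRRP master/backup change, in effect)."""
        self.master, self.backup = self.backup, self.master


def run_scenario(sync: bool) -> list:
    """Constructed traffic: an inside client opens TCP/443 to an outside server,
    the server replies, the master fails, and the same flow continues."""
    fwa = StatefulFirewall("FWA", "10.0.", frozenset({443}))
    fwb = StatefulFirewall("FWB", "10.0.", frozenset({443}))
    pair = HsbPair(fwa, fwb, sync)
    client_syn = Packet("10.0.0.5", 40000, "203.0.113.10", 443, syn=True)
    server_reply = Packet("203.0.113.10", 443, "10.0.0.5", 40000)
    client_data = Packet("10.0.0.5", 40000, "203.0.113.10", 443)
    verdicts = [pair.handle(client_syn), pair.handle(server_reply)]
    pair.failover()
    verdicts += [pair.handle(server_reply), pair.handle(client_data)]
    return verdicts


def unsolicited_inbound(sync: bool) -> str:
    """An outside host opening a new connection inward is dropped after failover
    whether or not sessions were synchronized: HSB copies sessions, not policy."""
    pair = HsbPair(StatefulFirewall("FWA", "10.0.", frozenset({443})),
                   StatefulFirewall("FWB", "10.0.", frozenset({443})), sync)
    pair.failover()
    return pair.handle(Packet("198.51.100.7", 5555, "10.0.0.5", 22, syn=True))


if __name__ == "__main__":
    print("without sync:", run_scenario(False))  # ['forward', 'forward', 'drop', 'drop']
    print("with sync:   ", run_scenario(True))   # ['forward', 'forward', 'forward', 'forward']
```

Without synchronization the return packet and the client's next data packet are both dropped after failover, which is the service interruption the text describes; with synchronization the backup already holds the session entry and the flow continues. The last check shows the security property is unchanged: an unsolicited inbound connection is still rejected on the new master, since only session entries are copied, not policy decisions.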
As shown in Figure 5-5, HSB is deployed between FWA and FWB. FWA is the master firewall and FWB is the backup firewall. Session entries are synchronized from the master firewall to the backup firewall.
An HSB group must be bound to a VRRP group. The two devices determine their master/backup states from their VRRP states and keep the same states in the HSB group, so VRRP must be configured on both FWA and FWB.