
Re: [FW1] Load balancing vs. FW state



Derek;

Statefulness is a term that gets abused, and causes confusion.  Statefulness,
defined in this context, is the TCP state of the connection between the
web client and web server, yes?  In that case, there's no issue with the
firewall.  Or to be more specific, whatever the load balancer will do to
continue/failover a client "session" will have to be TCP state-kosher
(set up w/3-way handshake, etc...) for the web server, server2, which
means that it'll be ok for the firewall.  In other words, if the
firewall were to reject it based on rules in the state table, it's
liable to be rejected by the web server TCP/IP stack as well.

The exception possibility is if you're doing weirdo state sharing trix
in a web server cluster, putting the same, virtual, IP address on
loopback i/f's...  That sort of thing.  Some software and/or
software/hardware setups do that.  I doubt you are, from the description
of the parts.

Michael

"Belanger, Derek" wrote:
> 
> The scenario is...I've got a load balancer (RadWare WSD) outside a firewall
> (CheckPoint 4.0 on NT) with redundant servers behind the firewall. My
> question is what happens to the statefulness of an established connection
> should it be redirected from one load balanced server to the other.
> 
> Example:
> 
> Client establishes a connection with RadWare and server1 is selected (load
> balanced) as the connection endpoint, the firewall accepts the connection
> and records the state (correct so far?).
> 
> Then server1 fails. The RadWare moves the connection to server2. (What
> happens now? Will the firewall reject the connection because the endpoint
> has changed, thereby violating the statefulness?)
> 
> Please help,
> Derek Belanger
> 
> ================================================================================
>      To unsubscribe from this mailing list, please see the instructions at
>                http://www.checkpoint.com/services/mailing.html
> ================================================================================
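
The failover case discussed in this thread, as an added example that is not part of the original messages and is not Check Point or RadWare code. It assumes a simplified model: a generic SYN-tracking stateful filter and a server TCP stack, each keyed on the connection 4-tuple, with constructed addresses and hypothetical class names.

```python
# Simplified model (assumption): a generic SYN-tracking stateful filter and a
# server TCP stack, each keyed on the connection 4-tuple. Not vendor code.
from dataclasses import dataclass, field

@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    flags: str  # "SYN" opens a connection, "ACK" is mid-stream traffic

    @property
    def key(self):
        return (self.src, self.sport, self.dst, self.dport)

@dataclass
class Firewall:
    allowed_dports: set
    state: set = field(default_factory=set)

    def inspect(self, p):
        if p.flags == "SYN":  # new connection: check the rule base
            if p.dport in self.allowed_dports:
                self.state.add(p.key)
                return "accept"
            return "drop"
        # anything else must match an existing state table entry
        return "accept" if p.key in self.state else "drop"

@dataclass
class ServerStack:
    ip: str
    conns: set = field(default_factory=set)

    def receive(self, p):
        if p.flags == "SYN":
            self.conns.add(p.key)
            return "SYN-ACK"
        return "ACK" if p.key in self.conns else "RST"

def failover_demo():
    # Constructed addresses (documentation and private ranges).
    client, s1, s2 = "198.51.100.7", "10.0.0.1", "10.0.0.2"
    fw, server2 = Firewall({80}), ServerStack(s2)
    r = {"syn_to_s1": fw.inspect(Packet(client, 40000, s1, 80, "SYN"))}
    # server1 fails; the same stream is pointed at server2 with no handshake.
    mid = Packet(client, 40000, s2, 80, "ACK")
    r["midstream_fw"], r["midstream_server2"] = fw.inspect(mid), server2.receive(mid)
    # A fresh handshake to server2 is valid for the firewall and the server.
    syn = Packet(client, 40001, s2, 80, "SYN")
    r["new_syn_fw"], r["new_syn_server2"] = fw.inspect(syn), server2.receive(syn)
    return r
```

In this model the mid-stream packet is refused by both the filter and server2, while the new handshake passes both, which is the symmetry the reply describes.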


   All contents © 2004 Network Presence, LLC. All rights reserved.