Search

	display results
words begin exact words any words part

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [FW1] load balancing and state tables

To: Lance Spitzner <[email protected]>
Subject: Re: [FW1] load balancing and state tables
From: Cedric Amand <[email protected]>
Date: Sun, 4 Feb 2001 11:27:27 +0100
Cc: [email protected]
In-reply-to: <[email protected]>
Organization: http://cedric.net
References: <[email protected]>
Reply-to: Cedric Amand <[email protected]>
Sender: [email protected]

Hello Lance,

LS> The purpose of load balancing is to distribute the
LS> load (packets) of a very large pipe over multiple
LS> systems.  However, does load balancing also distribute
LS> the state tables, or is that shared among the firewalls?

You choose. The usual set up is to have state table synchronisation
between each of your firewalls. So each firewall has a state table
that contains all connections (for the X firewalls)

LS> Lets say I have a large pipe distributed across 
LS> three firewalls.  Each firewall has 10,000 unique
LS> entries in the state table.  Are these unique entries
LS> then shared amongst the other firewalls?

Yes, in most cases.

LS> Does this
LS> mean that in reality each physical firewall will have
LS> 30,000 entries in its state table?

Yes.

LS> Or does load balancing mean that not only is the
LS> load distributed, but the state table is distributed,
LS> allowing each firewall to maintain its own unique
LS> state table?

You can just no synchronize them. In this case, connections
that have been established (SYN/SYNACK) by a firewall
are not known by the others. It means that if this firewall
fails, the connections it was hanling will all be broken.
With synchro, all connections would fail over any of the
remaining firewall, and would NOT be dropped even if they are
in ESTAB state, since all firewalls have heard abouyt this connection.

If you don't synchronize them, you have to be sure each packet
of a single session goes thru the same firewall. This is done
mostly by hardware load balancers like RadWARE Fireproof.

-- 
Best regards,
 Cedric                            mailto:[email protected]




================================================================================
     To unsubscribe from this mailing list, please see the instructions at
               http://www.checkpoint.com/services/mailing.html
================================================================================

Follow-Ups:
- RE: [FW1] load balancing and state tables
  - From: "Mark Decker" <[email protected]>

References:
- [FW1] load balancing and state tables
  - From: Lance Spitzner <[email protected]>

Prev by Date: RE: [FW1] Slow Performance after Changing IP address
Next by Date: Re: [FW1] Port Service Issue
Previous by thread: [FW1] load balancing and state tables
Next by thread: RE: [FW1] load balancing and state tables
Index(es):
- Date
- Thread