Re: [FW1] load balancing and state tables
Hello Lance,

LS> The purpose of load balancing is to distribute the
LS> load (packets) of a very large pipe over multiple
LS> systems. However, does load balancing also distribute
LS> the state tables, or is that shared among the firewalls?

You choose. The usual setup is to have state table synchronisation between each of your firewalls. So each firewall has a state table that contains all connections (for the X firewalls).

LS> Let's say I have a large pipe distributed across
LS> three firewalls. Each firewall has 10,000 unique
LS> entries in the state table. Are these unique entries
LS> then shared amongst the other firewalls?

Yes, in most cases.

LS> Does this
LS> mean that in reality each physical firewall will have
LS> 30,000 entries in its state table?

Yes.

LS> Or does load balancing mean that not only is the
LS> load distributed, but the state table is distributed,
LS> allowing each firewall to maintain its own unique
LS> state table?

You can just not synchronize them. In this case, connections that have been established (SYN/SYNACK) by a firewall are not known by the others. It means that if this firewall fails, the connections it was handling will all be broken. With synchro, all connections would fail over to any of the remaining firewalls, and would NOT be dropped even if they are in ESTAB state, since all firewalls have heard about this connection.

If you don't synchronize them, you have to be sure each packet of a single session goes thru the same firewall. This is done mostly by hardware load balancers like RadWARE Fireproof.

--
Best regards,
Cedric mailto:[email protected]
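The two setups described in the reply above, as an added example that is not part of the original post: a small simulation of three stateful firewalls behind a sticky load balancer, with and without state table synchronisation, showing the table sizes and what survives when one firewall fails. The firewall names, the addresses and the use of rendezvous hashing for stickiness are assumptions made for the illustration, not a description of any product.

```python
import hashlib

def flow_key(src, sport, dst, dport):
    # Direction-independent key: request and reply packets hash identically.
    a, b = sorted([(src, sport), (dst, dport)])
    return (a, b)

def pick(key, alive):
    # Assumed stickiness scheme (rendezvous hashing): a flow keeps its firewall
    # for as long as that firewall is alive.
    return max(alive, key=lambda n: hashlib.sha256(repr((key, n)).encode()).digest())

class Cluster:
    def __init__(self, names, sync):
        self.sync, self.alive = sync, list(names)
        self.tables = {n: set() for n in names}  # one state table per firewall

    def establish(self, *pkt):
        # Handshake seen by one firewall; copied to its peers only when sync is on.
        key = flow_key(*pkt)
        owner = pick(key, self.alive)
        for n in (self.alive if self.sync else [owner]):
            self.tables[n].add(key)
        return owner

    def forward(self, *pkt):
        # Mid-session packet passes only if the firewall it reaches knows the flow.
        key = flow_key(*pkt)
        return key in self.tables[pick(key, self.alive)]

    def fail(self, name):
        self.alive.remove(name)
        del self.tables[name]

def simulate(sync, flows=3000):
    c = Cluster(["fw1", "fw2", "fw3"], sync)
    # Constructed sample connections: unique clients to one server on port 443.
    conns = [(f"10.0.{i // 250}.{i % 250 + 1}", 1024 + i, "192.0.2.10", 443)
             for i in range(flows)]
    owners = [c.establish(*p) for p in conns]
    sizes = {n: len(t) for n, t in c.tables.items()}
    # Replies (endpoints swapped) must land on a firewall that knows the flow.
    replies_ok = all(c.forward(d, dp, s, sp) for s, sp, d, dp in conns)
    c.fail("fw1")
    survived = sum(c.forward(*p) for p in conns)
    return sizes, replies_ok, survived, owners.count("fw1")

if __name__ == "__main__":
    for sync in (True, False):
        print("sync" if sync else "no sync", simulate(sync))
```

`simulate` returns the per-firewall table sizes, whether reply packets were accepted, how many sessions still pass after `fw1` fails, and how many sessions `fw1` had been handling.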