In a recent project, I ran into a need for firewall load balancing. I'd like to discuss it with you here.
In this project the customer purchased four high-end firewalls from a well-known Chinese vendor. The original plan was to achieve load sharing and redundant deployment through the firewalls' own cluster feature. Unfortunately, the vendor's answer was that in cluster mode the overall performance of the four firewalls only reaches the processing capability of 1.5 firewalls! In other words, the performance of 2.5 firewalls is held back and consumed by the cluster itself, and nothing like a linear performance increase is achieved. What should we do? The vendor recommended splitting the four firewalls into two pairs, each pair deployed in active/standby mode with session synchronization and redundancy switchover, so that the two pairs provide twice the processing capability of a single firewall. This looks better than the cluster solution: at least the carrying capacity of the four firewalls is improved. Then someone raised another question: how do we distribute traffic between the two pairs? One person suggested a dynamic routing protocol, another suggested policy routing based on different source or destination addresses, and a third suggested using server load balancer (SLB) devices to distribute the traffic.
Using a dynamic routing protocol or policy routing to distribute firewall traffic has drawbacks similar to those we raised when discussing link load balancing, where the same choice between dynamic routing and policy routing comes up for distributing link traffic, so I will not repeat them here. Because of the particular nature of firewall devices, we must also consider how to guarantee that the inbound and outbound traffic of the same user passes through the same firewall, that is, that traffic between the intranet and the Internet returns along its original path. The advantage of these two approaches is that no additional devices need to be added.
The disadvantage of using load balancers to share the firewall load is that load balancers must be deployed on both the inside and the outside of the firewalls, in what is usually called the "sandwich" deployment; the additional load balancers increase the customer's investment, and that is the weak point of this solution. So how can we minimize the impact of this weakness? We start by improving the efficiency of the firewalls themselves. With the firewall load balancing solution, we can abandon the firewalls' redundant deployment modes and use the four firewalls as independent devices, each carrying production traffic, so that the processing capability of all four firewalls is realized and capacity grows linearly! No firewall performance is lost as it is in the firewall cluster or the redundant HA deployment. In other words, without adding a single firewall, this solution doubles the service carrying capacity of the existing firewalls, which reduces the investment in future firewall expansion. It increases the investment in load balancers and reduces the future investment in firewalls. Viewed purely as an investment, it is not a cost-effective solution.
Beyond the investment considerations, let's look at the benefits of the firewall load balancing solution:
- It improves the utilization of the firewall devices, simplifies their management and configuration, and gets the maximum performance out of each device;
- It improves firewall scalability: when the existing firewall group no longer has enough carrying capacity, you only need to add a firewall to the group, without being limited to the brand, model, or processing capability of the original firewalls;
- Multiple health check mechanisms can be applied to each firewall to promptly detect and bypass unavailable firewall devices, providing redundancy between the firewalls;
- Through the load balancer's original-path return function ("auto-last-hop"), it is easy to make inbound and outbound traffic traverse the same firewall;
- Through the load balancer's session persistence function, related transactions and information are guaranteed to pass through the same firewall, preserving business integrity;
- The external load balancers help resist external DDoS attacks and offload that work from the firewalls.
The typical topology is as follows:
- An external pair of AX devices is deployed in active/standby redundancy mode; it distributes inbound traffic across the firewalls and returns the response data stream of outbound traffic along its original path (through the same firewall);
- An internal pair of AX devices is deployed in active/standby redundancy mode; it distributes outbound traffic across the firewalls and returns the response data stream of inbound traffic along its original path (through the same firewall).
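A small model of the mechanisms this topology relies on (per-firewall health checks, session persistence, and auto-last-hop return of replies through the firewall the request arrived from), added here as an illustration; it is not AX device code or configuration from this project. The `LoadBalancer` class, the firewall names and the addresses are constructed.

```python
# Constructed model of the firewall "sandwich": not real AX code; names and addresses are made up.

class LoadBalancer:
    """One side (outside or inside) of the sandwich."""

    def __init__(self, name, firewalls):
        self.name = name
        self.firewalls = list(firewalls)   # independent devices, no cluster or HA pairing
        self.healthy = set(firewalls)
        self.persist = {}                  # session persistence: flow -> firewall
        self.last_hop = {}                 # auto-last-hop: flow -> firewall it arrived from
        self.rr = 0                        # round-robin pointer for new flows

    def health_check(self, fw, ok):
        """Health monitor result; a failed firewall is bypassed and its pinned flows released."""
        if ok:
            self.healthy.add(fw)
        else:
            self.healthy.discard(fw)
            self.persist = {k: v for k, v in self.persist.items() if v != fw}

    def choose(self, flow):
        """Flow initiated on this side: reuse its persisted firewall, else pick round-robin."""
        fw = self.persist.get(flow)
        if fw not in self.healthy:
            live = [f for f in self.firewalls if f in self.healthy]
            if not live:
                raise RuntimeError(f"{self.name}: no healthy firewall")
            fw = live[self.rr % len(live)]
            self.rr += 1
            self.persist[flow] = fw
        return fw

    def receive(self, flow, from_fw):
        """Packet arrived from a firewall: remember it as this flow's last hop."""
        self.last_hop[flow] = from_fw

    def return_path(self, flow):
        """Reply for a flow that came in through a firewall: send it back the same way."""
        return self.last_hop[flow]


def session(initiator_lb, responder_lb, src, dst):
    """One request/reply exchange; returns (firewall used for request, firewall used for reply)."""
    flow = (src, dst)
    fw_in = initiator_lb.choose(flow)        # initiator side picks a firewall
    responder_lb.receive(flow, fw_in)        # far side sees the request leave that firewall
    fw_out = responder_lb.return_path(flow)  # reply is sent back through the same firewall
    return fw_in, fw_out
```

Inbound sessions use the outside pair as initiator and the inside pair as responder; outbound sessions use the reverse, and in both directions the reply takes the same firewall as the request.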
Later, I will present some specific firewall load balancing configuration examples from this project.