Firewall Load Balancing Solution

Source: Internet
Author: User
Tags: firewall

A recent project ran into a requirement for firewall load balancing, so I am writing it up here to discuss with you.

In this project the customer procured four high-end firewalls from a well-known domestic brand. The original plan was to use the firewalls' own clustering to achieve load sharing and redundant deployment, but the vendor's reply was that in cluster mode the overall performance of the four firewalls would only reach the equivalent of 1.5 firewalls! In other words, the capacity of 2.5 firewalls is held back and consumed by the cluster, and a linear performance increase cannot be achieved. What then? The vendor suggested grouping the four firewalls into two pairs, each pair deployed in active/standby mode with session synchronization and redundant failover, so that the two pairs provide twice the processing capacity of a single firewall. That seems better than the cluster solution; at least the four firewalls now deliver more load capacity. Reading this, some of you may have thought of another question: how is traffic distributed between the two pairs? Some propose dynamic routing protocols, some propose policy routing that distributes traffic by source or destination address, and others propose using load balancing equipment to distribute the traffic.

For dynamic routing protocols and policy routing as a way of distributing traffic across the firewalls, the disadvantages are similar to those in our earlier discussion of link load balancing, where I already gave some views on using dynamic routing or policy routing to distribute link traffic, so I will not repeat them here. Because of the particular nature of firewall equipment (a firewall must see both directions of a session), we must also consider how to ensure that the same user's traffic passes through the same firewall, that is, the problem of return traffic between the internal and external networks following the original path. The advantage of both of these solutions is that no additional equipment needs to be added.

The disadvantage of using load balancing equipment to load balance the firewalls is that load balancers must be deployed both inside and outside the firewalls, which we often call a "sandwich" deployment; the additional load balancing equipment increases the user's investment. So let's see how we can minimize the impact of this disadvantage. Let's start with the efficiency of the firewalls. With a firewall load balancing solution we can break away from the pairwise redundant deployment and use each of the four firewalls as a standalone device. Every firewall carries traffic, so the processing capacity of all four firewalls is really put to use and grows linearly! None of the firewall performance is lost to a firewall cluster or to a pairwise redundant HA deployment. In other words, without adding a single firewall, this scheme doubles the business load capacity of the existing firewalls and saves future investment in firewall expansion. The increased investment in load balancing equipment is offset by the reduced investment in future firewall devices, so from an investment point of view, is this not a cost-effective solution?

In addition to the investment considerations, let's look at the benefits of using a firewall load balancing scheme:

Improves the utilization of the firewall equipment, simplifies firewall management and configuration, and lets each device deliver its maximum performance;

Improves firewall scalability: when the load capacity of the existing firewall group is insufficient, simply add firewalls to the group, without being limited to the original firewalls' brand, model, or processing capacity;


Provides a variety of health check mechanisms for each firewall, so that a failed firewall is detected and bypassed in time, achieving redundancy between the deployed firewalls;

Through the load balancer's "Auto-last-hop" function, which returns traffic along the original path, the requirement that traffic enter and leave through the same firewall is easily met;

Through the load balancer's session persistence function, related transactions and information are kept on the same firewall, ensuring the integrity of the business;

The external load balancing equipment helps resist DDoS attacks from outside and offloads pressure from the firewalls;

The typical topology is shown in the following illustration:

The external pair of AX devices is deployed in active/standby redundancy, load-shares incoming traffic across the firewalls, and returns the response traffic of outgoing flows along the original path (through the same firewall);

The internal pair of AX devices is deployed in active/standby redundancy, load-shares outgoing traffic across the firewalls, and returns the response traffic of incoming flows along the original path (through the same firewall);
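To make the three load balancer behaviours above concrete (source-address persistence, returning replies through the firewall that carried the request as Auto-last-hop does, and health checks that pull a failed firewall out of the pool), here is a small model of the sandwich written for this write-up; it is illustrative Python, not A10 AX code or the author's configuration, and the firewall names and addresses are constructed.

```python
import hashlib


class FirewallSandwich:
    """Shared state of the outer and inner load balancer pairs in a
    firewall sandwich: a firewall pool, health status and a flow table."""

    def __init__(self, firewalls):
        self.firewalls = list(firewalls)               # e.g. four standalone firewalls
        self.healthy = {fw: True for fw in self.firewalls}
        # 5-tuple -> firewall that carried the request (persistence / last-hop table)
        self.flows = {}

    def _pick(self, persist_key):
        """Source-address persistence: hash the client address over the healthy pool."""
        pool = [fw for fw in self.firewalls if self.healthy[fw]]
        if not pool:
            raise RuntimeError("no healthy firewall in pool")
        digest = hashlib.sha256(persist_key.encode()).digest()
        return pool[int.from_bytes(digest[:4], "big") % len(pool)]

    def health_check(self, fw, ok):
        """Result of a health probe; a failed firewall leaves the pool and its
        flow entries are dropped so those clients are re-hashed onto live units."""
        self.healthy[fw] = ok
        if not ok:
            self.flows = {k: v for k, v in self.flows.items() if v != fw}

    def forward(self, src, dst, sport, dport, proto="tcp"):
        """Request direction (outer LB for inbound, inner LB for outbound):
        choose a firewall for the flow and remember it."""
        key = (src, dst, sport, dport, proto)
        fw = self.flows.get(key)
        if fw is None or not self.healthy[fw]:
            fw = self._pick(src)
            self.flows[key] = fw
        return fw

    def reply(self, src, dst, sport, dport, proto="tcp"):
        """Reply direction on the other LB pair: the reply's 5-tuple is the
        request's reversed, so look up the firewall the request used.
        Returns None for a reply with no matching request (not forwarded)."""
        key = (dst, src, dport, sport, proto)
        return self.flows.get(key)
```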

Later on, in combination with this project, I will introduce some specific firewall load balancing configuration examples.


This article is from the "ADC Technology blog"; please be sure to keep this source: http://virtualadc.blog.51cto.com/3027116/1094209
