
Chapter 5 Configuring Firewall Load Balancing
Overview of FWLB
FWLB enables you to configure a maximum of 15 firewalls per CSS. Configuring multiple firewalls can overcome performance limitations and remove the single point of failure when all traffic is forced through a single firewall. The FWLB feature ensures that the CSS will forward all packets with the same source and destination IP addresses through the same firewall. The CSS accomplishes this task by performing an XOR on the source and destination IP address.
Because the CSS can exist on either side of a firewall, it can balance traffic over multiple firewalls simultaneously. Each firewall is active and available in the load balancing firewall algorithm. The CSS uses the source and destination IP addresses in the algorithm to calculate which firewall to use for each flow.
A CSS monitors the health of a firewall by sending a custom ICMP keepalive request every second to the remote CSS on the other side of the firewall. If the CSS does not receive a keepalive request from the remote CSS for 3 to 16 seconds (a configurable timeout), the CSS declares the firewall path unusable. A CSS does not reply to the keepalives it receives; instead, each CSS transmits its own keepalive requests every second, independently of the other CSS. For details about configuring the keepalive timeout, see the “Configuring a Keepalive Timeout for a Firewall” section.
FWLB acts as a Layer 3 device. Each connection to the firewall is a separate IP subnet. All flows between a pair of IP addresses, in either direction, traverse the same firewall. FWLB performs routing functions; it does not apply content rules to FWLB decisions.
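The following Python model is an added illustration of the two mechanisms described above and is not code from the Cisco guide or the CSS itself: a flow key computed by XORing the source and destination IPv4 addresses, and a per-path keepalive timer that marks a firewall path unusable once no keepalive has been heard for the configured 3 to 16 seconds. How the CSS maps the XOR result to a firewall index is not documented on this page; the modulo over the set of usable paths used here is an assumption made for the example, as are the sample addresses.

```python
import ipaddress
from dataclasses import dataclass

# A CSS supports at most 15 firewalls; the keepalive timeout is 3..16 s.
MAX_FIREWALLS = 15
MIN_TIMEOUT, MAX_TIMEOUT = 3.0, 16.0


@dataclass
class FirewallPath:
    """One path through a firewall, as configured on the local CSS."""
    index: int            # firewall index identifying the physical firewall
    local_ip: str         # local firewall IP address
    remote_ip: str        # remote firewall IP address
    last_keepalive: float # time (seconds) the last keepalive arrived from the remote CSS
    timeout: float = 3.0  # configurable keepalive timeout, 3..16 s

    def __post_init__(self):
        if not 1 <= self.index <= MAX_FIREWALLS:
            raise ValueError("firewall index must be 1..%d" % MAX_FIREWALLS)
        if not MIN_TIMEOUT <= self.timeout <= MAX_TIMEOUT:
            raise ValueError("keepalive timeout must be 3..16 seconds")

    def usable(self, now: float) -> bool:
        """Path is usable while keepalives keep arriving within the timeout."""
        return (now - self.last_keepalive) <= self.timeout


def flow_key(src: str, dst: str) -> int:
    """XOR of the two 32-bit addresses. XOR is commutative, so the key is the
    same for traffic in either direction between the pair of hosts."""
    return int(ipaddress.IPv4Address(src)) ^ int(ipaddress.IPv4Address(dst))


def select_firewall(src: str, dst: str, paths: list, now: float) -> FirewallPath:
    """Pick the firewall path for a flow among the paths that are currently usable.
    Assumption for this example: the XOR key is reduced modulo the number of
    usable paths (the real CSS mapping is not described on this page)."""
    active = sorted((p for p in paths if p.usable(now)), key=lambda p: p.index)
    if not active:
        raise RuntimeError("no usable firewall path")
    return active[flow_key(src, dst) % len(active)]


# Constructed sample configuration: three firewalls, keepalives last heard at t=100.
PATHS = [
    FirewallPath(1, "10.1.1.1", "10.2.1.1", last_keepalive=100.0, timeout=3.0),
    FirewallPath(2, "10.1.2.1", "10.2.2.1", last_keepalive=100.0, timeout=3.0),
    FirewallPath(3, "10.1.3.1", "10.2.3.1", last_keepalive=100.0, timeout=3.0),
]


if __name__ == "__main__":
    a, b = "10.1.1.10", "192.168.5.20"   # constructed client/server addresses
    fw_out = select_firewall(a, b, PATHS, now=101.0)
    fw_back = select_firewall(b, a, PATHS, now=101.0)
    print("forward -> firewall", fw_out.index, "return -> firewall", fw_back.index)
    # Simulate firewall 1's remote CSS going silent: after the timeout its path drops out.
    PATHS[0].last_keepalive = 90.0
    print("after timeout -> firewall", select_firewall(a, b, PATHS, now=101.0).index)
```

The symmetry property is the one worth checking in any such design: because the key is the XOR of the two addresses, the reply packets of a flow hash to the same firewall as the request, which is what lets stateful firewalls see both halves of every connection.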
Note: Firewalls cannot perform Network Address Translation (NAT). If your configuration requires NAT, you must configure a content rule or source group on the CSS to provide this function.
To configure FWLB, you must define the following parameters for each path through the firewalls on both local and remote CSSs:
• Firewall index (identifies the physical firewall), local firewall IP address, remote firewall IP address, and CSS VLAN IP address
• Static route that the CSS will use for each firewall
See the sections that follow for information on configuring FWLB.
Cisco Content Services Switch Security Configuration Guide