Chapter 5 Configuring Firewall Load Balancing
Configuring FWLB
Cisco Content Services Switch Security Configuration Guide
OL-5650-02
You must define firewall parameters for each path through the firewalls on both
local and remote CSSs. Use the ip firewall command to define firewall
parameters.
The syntax for this global configuration mode command is:
ip firewall index local_firewall_address remote_firewall_address
remote_switch_address
The variables are:
Note Enter all IP addresses in dotted-decimal notation (for example, 192.168.11.1).
index - The index number to identify the firewall. Enter a number from 1 to 254.
local_firewall_address - The IP address of the firewall on a subnet connected to the CSS.
remote_firewall_address - The IP address of the firewall on the remote subnet that connects to the remote CSS.
remote_switch_address - The IP address of the remote CSS.
For example:
(config)# ip firewall 1 192.168.27.1 192.168.28.1 192.168.28.3
To delete a firewall index, enter:
(config)# no ip firewall 1
Caution When you delete a firewall index, all routes associated with that index are also
deleted.
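Because each path has to be defined on both the local and the remote CSS, a pre-deployment check of the two configurations catches a path that exists on one side only or whose firewall addresses do not line up. The following Python sketch is an added example, not part of the Cisco guide: it parses ip firewall lines in the syntax shown above, enforces the 1 to 254 index range and dotted-decimal addresses, and compares the two sides. It assumes that the same index identifies the same path on both CSSs; the function names, the second path and the address 192.168.27.3 are constructed for illustration.

```python
import ipaddress
import re

# Syntax from the guide: ip firewall index local_fw remote_fw remote_switch
FW_RE = re.compile(
    r"^\s*(?:\(config\)#\s*)?ip\s+firewall\s+(\d+)\s+(\S+)\s+(\S+)\s+(\S+)\s*$")

def parse_firewalls(config_text):
    """Return ({index: (local_fw, remote_fw, remote_switch)}, [errors])."""
    paths, errors = {}, []
    for lineno, line in enumerate(config_text.splitlines(), 1):
        m = FW_RE.match(line)
        if not m:
            continue  # not an "ip firewall" definition (e.g. "no ip firewall 1")
        index, addrs = int(m.group(1)), m.groups()[1:]
        if not 1 <= index <= 254:
            errors.append(f"line {lineno}: index {index} outside 1-254")
            continue
        try:
            parsed = tuple(ipaddress.IPv4Address(a) for a in addrs)
        except ipaddress.AddressValueError:
            errors.append(f"line {lineno}: address not dotted-decimal")
            continue
        if index in paths:
            errors.append(f"line {lineno}: index {index} defined twice")
            continue
        paths[index] = parsed
    return paths, errors

def check_pair(local_cfg, remote_cfg):
    """Compare both CSS configs; an empty list means they are consistent."""
    local, local_errors = parse_firewalls(local_cfg)
    remote, remote_errors = parse_firewalls(remote_cfg)
    findings = [f"local {e}" for e in local_errors] + [f"remote {e}" for e in remote_errors]
    for index in sorted(set(local) | set(remote)):
        if index not in local or index not in remote:
            findings.append(f"index {index}: defined on only one CSS")
        # Assumption: one side's local firewall is the other side's remote firewall.
        elif local[index][:2] != remote[index][1::-1]:
            findings.append(f"index {index}: firewall addresses are not mirrored")
    return findings

# Constructed sample configs; only the first local line comes from the guide.
LOCAL_CSS = ("ip firewall 1 192.168.27.1 192.168.28.1 192.168.28.3\n"
             "ip firewall 2 192.168.27.2 192.168.28.2 192.168.28.3\n")
REMOTE_CSS = "ip firewall 1 192.168.28.1 192.168.27.1 192.168.27.3\n"

if __name__ == "__main__":
    print(check_pair(LOCAL_CSS, REMOTE_CSS))
```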
Configuring a Keepalive Timeout for a Firewall
A CSS sends a custom ICMP keepalive request to the remote CSS on the other
side of the firewall every second. The two CSS switches at the endpoints of the
firewall configuration must use the same firewall keepalive timeout value.
Otherwise, routes on one CSS may not fail over simultaneously with those on the
other CSS, which could result in asymmetric routing across the firewalls.