D-Link DFL-1100 Product Manual - Page 27
Cluster heartbeats, The synchronization interface
UPC - 790069270239
Cluster heartbeats

A firewall detects that its peer is no longer operational when it can no longer hear "cluster heartbeats" from its peer. Currently, a firewall sends five cluster heartbeats per second. When three heartbeats from a firewall have been "missed", i.e. after 0.6 seconds, that firewall is declared inoperative.

Cluster heartbeats have the following characteristics:

• The source IP is the interface address of the sending firewall.
• The destination IP is the shared IP address.
• The IP TTL is always 255. If a firewall receives a cluster heartbeat with any other TTL, the packet is assumed to have traversed a router and is therefore not trusted at all.
• It is a UDP packet, sent from port 999 to port 999.
• The destination MAC address is the Ethernet multicast address corresponding to the shared hardware address, i.e. 11-00-00-C1-4A-nn. Link-level multicasts were chosen over normal unicast packets for security reasons: with unicast packets, a local attacker could fool the switches into forwarding the heartbeats somewhere else, so that the peer firewall would never hear them.

The synchronization interface

Both firewalls are connected to each other by a separate synchronization connection; when the firewalls are configured for HA, the fourth port is dedicated solely to this purpose. The active firewall continuously sends state update messages to its peer, informing it of connections that are opened, connections that are closed, state and lifetime changes in connections, etc. The configuration is also transferred between the nodes over the synchronization connection.

When the active firewall ceases to function, for whatever reason and for even a short time, the cluster heartbeat mechanism described above causes the inactive firewall to go active. Since it already knows about all open connections, communication continues to flow uninterrupted.
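As an added example (not D-Link's firmware code, and not taken from the manual), the following Python validator applies the heartbeat rules listed above to a raw Ethernet frame and then makes the 0.6-second failover decision from the arrival times of accepted heartbeats. The Ethernet II / IPv4 / UDP layout is standard; the sample MAC and IP addresses, the payload, and the treatment of the trailing MAC byte "nn" as a configured per-cluster value are assumptions made for illustration. The TTL-must-be-255 rule is the same trick later standardised as GTSM (RFC 5082): a packet that has crossed any router can no longer carry that value.

```python
import struct

# Values stated on the manual page
HEARTBEAT_PORT = 999           # UDP source and destination port
REQUIRED_TTL = 255             # any other TTL means a router was crossed: untrusted
HEARTBEATS_PER_SECOND = 5
MISSED_BEFORE_INOPERATIVE = 3  # three missed beats = 0.6 s
SHARED_MAC_PREFIX = bytes.fromhex("110000c14a")  # 11-00-00-C1-4A-nn

ETHERTYPE_IPV4 = b"\x08\x00"
IPPROTO_UDP = 17


def build_frame(src_mac, dst_mac, src_ip, dst_ip, ttl, sport, dport, payload=b"HB"):
    """Assemble an Ethernet II / IPv4 / UDP frame. Checksums are left zero;
    the validator below does not check them. Used to construct test input."""
    udp_len = 8 + len(payload)
    ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + udp_len, 0, 0x4000,
                         ttl, IPPROTO_UDP, 0, src_ip, dst_ip)
    udp_hdr = struct.pack("!HHHH", sport, dport, udp_len, 0)
    return dst_mac + src_mac + ETHERTYPE_IPV4 + ip_hdr + udp_hdr + payload


def check_heartbeat(frame, peer_iface_ip, shared_ip, cluster_byte):
    """Apply the page's heartbeat rules to a raw frame. Returns (accepted, reason).

    peer_iface_ip: the peer's own interface address (expected source IP);
    shared_ip: the cluster's shared IP (expected destination IP);
    cluster_byte: the trailing 'nn' of the shared MAC. The page only gives the
    pattern; treating nn as a configured per-cluster value is an assumption."""
    if len(frame) < 14 + 20 + 8:
        return False, "truncated frame"
    dst_mac, ethertype = frame[0:6], frame[12:14]
    if ethertype != ETHERTYPE_IPV4:
        return False, "not IPv4"
    (ver_ihl, _tos, _tlen, _id, _frag, ttl, proto, _csum,
     src_ip, dst_ip) = struct.unpack("!BBHHHBBH4s4s", frame[14:34])
    if ver_ihl != 0x45:
        return False, "IPv4 header with options or bad version"
    if proto != IPPROTO_UDP:
        return False, "not UDP"
    # The TTL test is the decisive trust check, so it comes first.
    if ttl != REQUIRED_TTL:
        return False, f"TTL {ttl} != 255: packet crossed a router, untrusted"
    sport, dport, _ulen, _ucsum = struct.unpack("!HHHH", frame[34:42])
    if (sport, dport) != (HEARTBEAT_PORT, HEARTBEAT_PORT):
        return False, f"ports {sport}->{dport}, expected 999->999"
    if dst_mac != SHARED_MAC_PREFIX + bytes([cluster_byte]):
        return False, "destination MAC is not the shared multicast address"
    if src_ip != peer_iface_ip:
        return False, "source IP is not the peer's interface address"
    if dst_ip != shared_ip:
        return False, "destination IP is not the shared IP"
    return True, "ok"


def peer_state(heartbeat_times, now):
    """Failover decision: the peer is inoperative once the last accepted
    heartbeat is older than MISSED_BEFORE_INOPERATIVE beats (0.6 s)."""
    timeout = MISSED_BEFORE_INOPERATIVE / HEARTBEATS_PER_SECOND
    if not heartbeat_times or now - heartbeat_times[-1] > timeout:
        return "inoperative"
    return "operational"


if __name__ == "__main__":
    # Constructed sample addresses, not taken from the manual
    peer_mac = bytes.fromhex("001122334455")
    peer_ip, shared_ip = bytes([192, 168, 1, 2]), bytes([192, 168, 1, 1])
    shared_mac = SHARED_MAC_PREFIX + b"\x01"
    good = build_frame(peer_mac, shared_mac, peer_ip, shared_ip, 255, 999, 999)
    routed = build_frame(peer_mac, shared_mac, peer_ip, shared_ip, 254, 999, 999)
    print(check_heartbeat(good, peer_ip, shared_ip, 1))
    print(check_heartbeat(routed, peer_ip, shared_ip, 1))
    print(peer_state([0.0, 0.2, 0.4], 1.1))
```

The validator rejects a frame as soon as one rule fails and returns the reason, which is what a practitioner wants when debugging a cluster that will not form: a TTL of 254 or a unicast destination MAC pinpoints a heartbeat that has been routed or redirected rather than delivered on the shared segment.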