firewall load balancing without layer 4 switch

Feb 4th, 2007

We want to do firewall load balancing.

Is firewall LB possible without placing a layer 4 switch in front of and behind the firewall?

If so, how can it be possible?

Probably, is that why two firewalls exchange NAT table information (packet session information) through the direct synchronization link?

sachinraja Sun, 02/04/2007 - 20:46

Hello Joong

Which firewalls are these? PIX or ASA? V 6.3 or 7.x? With version 7.x you have the multiple context licenses available to do active/active on the firewalls. It can still be called load-sharing and not load-balancing. Do you want the traffic going to the firewalls to load balance to both the devices, or is it something else? If yes, then A/A firewalling is one solution!

Hope this helps.. all the best.


joong-holee Tue, 02/06/2007 - 16:35


I would like to confirm the topology, active-active firewalling without LAYER 4 SWITCH.

Does PIX with version 7 enable active-active firewall load-sharing? If so, what protocol is used for this load-sharing? VRRP or a proprietary HA (high availability) protocol?

sachinraja Tue, 02/06/2007 - 16:53

Hello Joong,

The firewalls basically use the standard high availability protocol. You will basically allocate networks to multiple contexts and use the secondary unit also for some of the network traffic. On the whole, you can think of this as the M-HSRP feature on routers!

For more info on Active/Active failover use the following resource:

There is also a very good training resource on this. see if you can access this:

Hope this helps.. all the best.. rate replies if found useful..


sachinraja Tue, 02/06/2007 - 15:47

Hello Joong,

Do you need any other assistance with this post ? Do let us know.


