N2H2 Filtering Failover/failback

Unanswered Question
Feb 23rd, 2009

Hello,

Is there a way to have a preempt primary N2H2 filtering server? I am trying to have a primary and a secondary, but need to have the primary in preempt mode so filtering fails back to the primary once it is restored.

Thanks,

Paresh.

Giuseppe Larosa Mon, 02/23/2009 - 12:36

Hello Paresh,

Firewalls and routers point to the N2H2 using a URL.

N2H2 IFP (Server) Requirement

To enable this feature, you must have at least one N2H2 server; however, two or more N2H2 servers are preferred. Although there is no limit to the number of N2H2 servers you may have, and you can configure as many servers as you wish, only one server will be active at any given time - the primary server. URL lookup requests will be sent only to the primary server.

So the question becomes who can control the URL-to-IP-address resolution and the health of the real servers.

But looking at the configuration for routers we see:

ip urlfilter server vendor {websense | n2h2} ip-address [port port-number] [timeout seconds] [retransmit number]

I don't see a priority option that could imply the possibility to configure multiple entries.

If multiple commands could be given (maybe the order of preference is the first in configuration), the router/FW itself can test the availability of the primary and secondary servers.

See

http://www.cisco.com/en/US/docs/ios/security/configuration/guide/sec_fwall_n2h2_supp_ps6441_TSD_Products_Configuration_Guide_Chapter.html#wp1027171

But probably you have already tested these options.

Hope to help

Giuseppe

pkpatel Mon, 02/23/2009 - 13:05

Thanks, Giuseppe!

Unfortunately, a preempt option or preference/priority is not available in any IOS at this time. If the primary fails and the secondary takes over, it will continue to provide filtering even after the primary comes back. The only option right now is to manually remove the secondary, which will force the original primary to take over, and then add the secondary again.

Paresh.
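The manual failback described in this thread can be scripted so that the secondary is only removed once the primary is actually accepting connections again. The following is an added example, not code from either poster or from Cisco; the addresses, the port value and the function names are constructed, and the `no` form of the command is the usual IOS negation of the syntax quoted above.

```python
import socket

def server_reachable(ip, port, timeout=3.0):
    """TCP connect probe: True if something accepts connections on ip:port.

    This only shows the port is open, not that the filtering service is
    answering lookups, so treat it as a minimum precondition.
    """
    try:
        with socket.create_connection((ip, port), timeout=timeout):
            return True
    except OSError:
        return False

def urlfilter_cmd(ip, port=None, negate=False):
    # Syntax from the thread:
    #   ip urlfilter server vendor {websense | n2h2} ip-address [port port-number]
    cmd = f"ip urlfilter server vendor n2h2 {ip}"
    if negate:
        return f"no {cmd}"
    return f"{cmd} port {port}" if port is not None else cmd

def failback_commands(primary, secondary, port, probe=server_reachable):
    """Return the IOS config lines for a manual failback.

    Returns an empty list while the primary is still down: removing the
    secondary at that point would leave the router with no working
    filtering server at all.
    """
    if not probe(primary, port):
        return []
    return [
        "configure terminal",
        urlfilter_cmd(secondary, negate=True),  # forces lookups back to the primary
        urlfilter_cmd(secondary, port),         # re-add the secondary as standby
        "end",
    ]

if __name__ == "__main__":
    # Constructed sample values (documentation address range, assumed port).
    lines = failback_commands("192.0.2.10", "192.0.2.11", 4005)
    print("\n".join(lines) if lines else "primary not reachable; leaving secondary in place")
```

The returned lines are meant to be reviewed and pasted into the router (or pushed by whatever change tooling is in use) during a maintenance window; the script itself does not touch the device.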
