fwsm and how to bypass its session inspections without causing them to drop

Oct 3rd, 2011

Hi all!

I have a question about FWSM and how to bypass its session inspections without causing them to drop.

Scenario:

Due to the connection-capacity limitations of our FWSMs, we have made a temporary solution utilizing a few FWSMs and sharing the load between them using PBR [tested on Cat6x in hardware].

It's not pretty, but it would let us go through the winter.

My question here is for the firewall guys:

If I'm load balancing between the firewalls and would like to make an adjustment to the traffic and move a certain range in the PBR from FW1 to FW2,

regularly the connections would be torn down and would need to be re-established. This means downtime.

I would like to find any way I can cause FW2 to allow the "moved" connections to pass and continue on FW2.

If it involves disabling a feature for x period of time and then re-enabling it - OK, anything is good.

Thanks

Marcin Latosiewicz Mon, 10/03/2011 - 10:03

Hi,

TCP state bypass would take care of TCP during the transition; datagram-based protocols (except the ones going through inspection engines) should take care of themselves (provided they are allowed by ACL).

If the two FWSMs are in failover (A/A scenario) check out ASR groups.

Marcin
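The TCP state bypass mentioned in this reply is configured through the Modular Policy Framework, scoped to just the address range being moved so that the rest of the traffic keeps full stateful inspection. This is an added example, not configuration from the thread or from Cisco documentation; it assumes the ASA-style MPF syntax (`set connection advanced-options tcp-state-bypass`), a constructed range 10.1.0.0/24 standing in for the range moved in the PBR, and an interface named `inside`, and the command support must be checked against the FWSM release actually in use.

```cisco
! Constructed example: the address range being moved from FW1 to FW2 in the PBR.
! Match both directions so mid-stream segments of either side are classified.
access-list TCP_BYPASS extended permit tcp 10.1.0.0 255.255.255.0 any
access-list TCP_BYPASS extended permit tcp any 10.1.0.0 255.255.255.0
!
! Classify only that range; everything else stays under normal TCP inspection.
class-map TCP_BYPASS
 match access-list TCP_BYPASS
!
! Skip the TCP state checks (initial SYN, sequence tracking) for the matched
! flows, so connections established on FW1 are accepted by FW2 mid-stream.
policy-map TCP_BYPASS_POLICY
 class TCP_BYPASS
  set connection advanced-options tcp-state-bypass
!
! Apply on the interface where the moved flows arrive (assumed name: inside).
service-policy TCP_BYPASS_POLICY interface inside
!
! After the moved connections have been re-established or have aged out,
! remove the bypass so the range returns to stateful inspection:
! no service-policy TCP_BYPASS_POLICY interface inside
```

The bypassed flows still have to be permitted by the interface ACL, as the reply notes, and the PBR change has to steer both directions of the moved range to FW2, since bypass only relaxes the state checks and does not fix asymmetric routing.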

Posted October 3, 2011 at 8:04 AM