Load Balancing Firewalls

mamoss · ‎10-04-2001

I have a customer who wants to know if load balancing 2 Checkpoint firewalls can be acheived by using local directors.

Would this require a local director inside and outside of both firewalls?

How would a conversation that passes through a local director in one direction, be aware on the other side that it has to pass back via a certain firewall?

thanks, Mark.

gbbromley · ‎10-16-2001

I wouldn't recommend it. It would be a similar build to a 'Fully Clad' F5 networks impletmentation of load balancers inside and outside, with session stickiness.

You would be much better off using the CSS switches, as they have a number of features to assist in this, as well as examples.

dominick-marino · ‎10-18-2001

use the CSS. I did it for an ISP across the US. Works fine.

mamoss · ‎10-18-2001

Thanks for both replies, I'll reccommend the CSS.

Does this mean its not possible to have a "sticky" connection using Local Directors either side of a firewall?

marcbutler · ‎04-24-2002

Well, the LocalDirectors can have sticky sessions, but I have to agree with the other posts here. It is not designed for firewall loadbalancing, more for small scale Webservers and stuff like that. The CSS series is far better equipped to do this.

larryw · ‎10-25-2001

You should use the CSS's for load balancing firewalls. I don't believe you can use the localdir's for that purpose anyway. The stateful inspection of the FW would prevent alot of the traffic. The CSS's have a way of directing the session through the same firewall it is already established through.

pbullen · ‎10-25-2001

not sure what the cisco solution is but the Alteon webswitch will handle this

wukunpeng · ‎11-21-2001

I suggest you use two css switch to load balance checkpoint firewall,better than local director.