05-27-2003 05:53 AM - edited 03-09-2019 03:25 AM
I was always wondering why most of the firewall products do not support load balancing (at least to my knowledge), whereas many have hot standby solutions.
Is there any technical limitation in doing this? (One reason I can think of is difficulties in handling features like TCP Intercept & PAT.) Are there any other reasons behind it?
Is anyone aware of any product supporting load balancing rather than just a hot standby solution?
05-27-2003 06:22 AM
For the existing PIX Stateful Packet Inspection, it requires that all packets pass through the same PIX to build up the stateful information. If packets pass through multiple PIXes in parallel, no single PIX may build up the stateful information, and without proper stateful information the packets will be dropped for security reasons.
In order to make the PIX support Stateful Packet Inspection for network load balancing and failover, the stateful information needs to be synchronized among all participating PIX firewalls.
I'll check if we are offering anything on this yet or it should be on the roadmap.
Thanks,
yatin
05-27-2003 06:46 AM
Hi:
1. To achieve load-balancing of Firewalls, you need to sandwich them between two layers of Load-balancers. Please review the article in the link provided below:
http://www.f5.com/solutions/tech/security/firewall45.html
You can easily replace the F5s with any Cisco or non-Cisco load-balancers. The load-balancers are the 'bread' and the firewall is the 'patty' in the middle.
2. The point to be noted here is: why would you want to load-balance? Back in those days, you might have needed to, because of the limited processing capabilities of the (PIX) firewalls. But with such powerful boxes (the 535s) available, you may not have a need to! - unless you are talking about the OC48+ range.
Please remember that in the redundant-only solution, the 'Failover' PIX costs only a fraction of the 'Unrestricted' license.
Hope this helps.
Best regards / Sampath.
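A small simulation of the two points made above (a stateful PIX must see every packet of a connection, and firewalls can be sandwiched between load-balancer layers). This is an added example, not code from the thread or from any Cisco or F5 product; it assumes a simplified firewall that only allows connections started from a hypothetical inside network "10.", a single chooser standing in for both load-balancer layers, and a constructed four-packet HTTPS session.

```python
# Added example (not from the thread): why parallel stateful firewalls need either flow affinity at the load balancers or state synchronization.
import hashlib
from collections import namedtuple
from dataclasses import dataclass, field

Packet = namedtuple("Packet", "src sport dst dport syn", defaults=(False,))  # syn: first packet of a new connection

def flow_key(p):
    """Direction-independent key: both halves of a connection map to one entry."""
    return tuple(sorted([(p.src, p.sport), (p.dst, p.dport)]))

@dataclass
class StatefulFirewall:
    """Allows outbound connection starts; everything else needs existing state."""
    inside_prefix: str  # hypothetical inside network, e.g. "10."
    states: set = field(default_factory=set)

    def forward(self, p):
        key = flow_key(p)
        if p.syn and p.src.startswith(self.inside_prefix):
            self.states.add(key)  # new outbound connection: build state here
            return True
        return key in self.states  # reply or data without state is dropped

def choose(fws, p, index, policy):
    """Model of the load-balancer sandwich: both layers apply the same policy."""
    if policy == "round_robin":  # per-packet spraying, no flow affinity
        return fws[index % len(fws)]
    digest = hashlib.sha256(repr(flow_key(p)).encode()).hexdigest()
    return fws[int(digest, 16) % len(fws)]  # symmetric flow hash: affinity

def run(packets, policy, sync=False):
    """Return how many of the packets the firewall pair allowed through."""
    fws = [StatefulFirewall("10."), StatefulFirewall("10.")]
    allowed = 0
    for i, p in enumerate(packets):
        fw = choose(fws, p, i, policy)
        if fw.forward(p):
            allowed += 1
            if sync:  # replicate state to the peer, as the thread says is required
                for peer in fws:
                    peer.states |= fw.states
    return allowed

# Constructed sample: one outbound HTTPS connection and its replies
SESSION = [Packet("10.0.0.5", 40000, "198.51.100.7", 443, True),
           Packet("198.51.100.7", 443, "10.0.0.5", 40000),   # SYN-ACK back
           Packet("10.0.0.5", 40000, "198.51.100.7", 443),   # client ACK
           Packet("198.51.100.7", 443, "10.0.0.5", 40000)]   # server data
```

Per-packet round-robin passes only the two outbound packets, because the replies land on the PIX that never saw the connection start; a symmetric flow hash or state synchronization lets all four through.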
05-27-2003 07:11 PM
Firewalls are designed with security in mind. They perform only very limited routing functions. Even for security purposes, they have to do a lot of processing, like looking into each and every packet before allowing it to pass through. They do not have knowledge about the network topology like routers running routing protocols do, and therefore may not be a good choice for load balancing.
As someone replied, maintaining the states between the devices and keeping them synchronized will be an additional burden for the firewalls.
Therefore it is always better to leave the firewall to do its job of security stuff and use other devices like routers (running BGP) for load balancing.
Have a Good Day,
Mohan