Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
300
Views
0
Helpful
3
Replies

Firewall load balancing

vramanaiah
Level 1
Level 1

‎05-27-2003 05:53 AM - edited ‎03-09-2019 03:25 AM

I was always wondering why most of the firewall products do not support load balancing (atleast to my knowledge) whereas many have hot standby solutions.

Is there any technical limitation in doing this (One reason I can think of is difficulties in handling features like TCP Intercept & PAT). Are there any other reasons behind it?

Is anyone aware of any product supporting load balancing rather than just a hotstandby solution?

Labels:
0 Helpful
3 Replies 3

ywadhavk
Cisco Employee
Cisco Employee

‎05-27-2003 06:22 AM

For the existing PIX Stateful Packet Inspection, it requires that all packets pass through the same PIX to build up the stateful information. If packet pass through multiple PIXes in parallel, no one PIX may build up stateful information and without proper stateful information packet will be dropped for security concern.

In order to make PIX to support Stateful Packet Inspection for network load balancing and failover, the stateful information need be synchronized among all participated PIX firewalls.

I'll check if we are offering anything on this yet or it should be on the roadmap.

Thanks,

yatin

0 Helpful

sampathsr
Level 1
Level 1
In response to ywadhavk

‎05-27-2003 06:46 AM

Hi:

1. To achieve load-balancing of Firewalls, you need to sandwich them between two layers of Load-balancers. Please review the article in the link provided below:

http://www.f5.com/solutions/tech/security/firewall45.html

You can easily replace the F5s with any Cisco or non-Cisco load-balancers. The load-balancers are the 'bread's and the firewall is the 'patty' in the middle.

2. The point to be noted here is that : why will you want to load-balance? Back in those days, you might have needed to, because of the limiting processing capablilities of the (PIX) firewalls. But with such powerful boxes (the 535s) available, you may not have a need to! - unless you are talking about OC48+ range.

Please remember in the only-redundant solution, the 'Failover' PIX costs only a faction of the 'Unrestricted' license.

Hope this helps.

Best regards / Sampath.

Srengarajan@att.com

0 Helpful

m.mohanasundaram
Level 1
Level 1

‎05-27-2003 07:11 PM

Firewalls are designed with security in mind. Even they do only very little routing functionalities. Even for security purpose, they have to do a lot of processing, like look into each and every packet before allowing it to pass through it. They do not have knowledge about the network topology like routers running routing protocols and therefore may not be a good choice for load balancing.

As someone replied, maintaining the states between the devices and keeping them synchronized will be an additional burden for the firewalls.

Therefore it is always better to leave the firewall to do its job of security stuff and use other devices like routers (running BGP ) for load balancing.

Have a Good Day,

Mohan

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents