
New Member

Firewall load balancing

I was always wondering why most of the firewall products do not support load balancing (at least to my knowledge), whereas many have hot standby solutions.

Is there any technical limitation in doing this (one reason I can think of is difficulties in handling features like TCP Intercept & PAT)? Are there any other reasons behind it?

Is anyone aware of any product supporting load balancing rather than just a hot standby solution?

3 REPLIES
Cisco Employee

Re: Firewall load balancing

For the existing PIX Stateful Packet Inspection, it requires that all packets pass through the same PIX to build up the stateful information. If packets pass through multiple PIXes in parallel, no one PIX may build up the stateful information, and without proper stateful information packets will be dropped for security reasons.

In order for the PIX to support Stateful Packet Inspection for network load balancing and failover, the stateful information needs to be synchronized among all participating PIX firewalls.

I'll check if we are offering anything on this yet or it should be on the roadmap.

Thanks,

yatin

New Member

Re: Firewall load balancing

Hi:

1. To achieve load-balancing of Firewalls, you need to sandwich them between two layers of Load-balancers. Please review the article in the link provided below:

http://www.f5.com/solutions/tech/security/firewall45.html

You can easily replace the F5s with any Cisco or non-Cisco load-balancers. The load-balancers are the 'bread' and the firewall is the 'patty' in the middle.

2. The point to be noted here is: why would you want to load-balance? Back in those days, you might have needed to, because of the limited processing capabilities of the (PIX) firewalls. But with such powerful boxes (the 535s) available, you may not have a need to - unless you are talking about the OC48+ range!

Please remember that in the redundant-only solution, the 'Failover' PIX costs only a fraction of the 'Unrestricted' license.

Hope this helps.

Best regards / Sampath.

Srengarajan@att.com
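The flow-affinity problem described in the two replies above (state exists only on the firewall that saw the flow open, and the sandwich of load-balancers must keep a flow on one firewall), as an added toy model that is not part of the original thread. The firewall, hash function and traffic below are all constructed for illustration; nothing here is PIX or F5 code.

```python
# Constructed toy model: stateful firewalls sandwiched between load balancers.
# A stateful firewall forwards a packet only if an inside host opens the flow
# or the flow is already in its table. Spraying packets per-packet across
# firewalls breaks this; a symmetric flow hash keeps both directions together.
from itertools import cycle
import hashlib


def flow_key(pkt):
    # pkt = (src, sport, dst, dport, inside_to_outside); the frozenset makes
    # request and reply of one connection share a single key.
    src, sport, dst, dport, _ = pkt
    return frozenset([(src, sport), (dst, dport)])


class StatefulFirewall:
    def __init__(self):
        self.table = set()  # flows this firewall has seen being opened

    def forward(self, pkt):
        key = flow_key(pkt)
        if pkt[4]:                   # inside host may open a new flow
            self.table.add(key)
            return True
        return key in self.table     # return traffic needs existing state


def flow_hash(pkt, n):
    # Symmetric: sorting the endpoints makes request and reply hash alike.
    digest = hashlib.sha256(repr(sorted(flow_key(pkt))).encode()).digest()
    return int.from_bytes(digest[:4], "big") % n


def run(packets, n_firewalls, policy):
    # Returns how many packets the firewall layer dropped under a policy.
    fws = [StatefulFirewall() for _ in range(n_firewalls)]
    rr = cycle(range(n_firewalls))
    dropped = 0
    for pkt in packets:
        idx = next(rr) if policy == "per-packet" else flow_hash(pkt, n_firewalls)
        if not fws[idx].forward(pkt):
            dropped += 1
    return dropped


def sample_traffic():
    # Constructed: ten inside clients each send one request and get one reply.
    pkts = []
    for i in range(10):
        pkts.append(("10.0.0.%d" % i, 40000 + i, "198.51.100.7", 443, True))
        pkts.append(("198.51.100.7", 443, "10.0.0.%d" % i, 40000 + i, False))
    return pkts
```

With two firewalls, `run(sample_traffic(), 2, "per-packet")` drops every reply, while `"flow-hash"` drops nothing; a single firewall drops nothing under either policy, which is the hot standby case.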

New Member

Re: Firewall load balancing

Firewalls are designed with security in mind. They have only very limited routing functionality. Even for security purposes, they have to do a lot of processing, like looking into each and every packet before allowing it to pass through. They do not have knowledge of the network topology like routers running routing protocols, and therefore may not be a good choice for load balancing.

As someone replied, maintaining the states between the devices and keeping them synchronized will be an additional burden for the firewalls.

Therefore it is always better to leave the firewall to do its job of security stuff and use other devices like routers (running BGP) for load balancing.

Have a Good Day,

Mohan
