1. Home
  2. Networking
  3. Integrated cisco and unix network architectures

Firewall Failover

Firewall failover is the art of exchanging state information for stateful inspection gateways and NAT tables, at the least, for the purpose of taking over for an equivalent resource. Such a takeover also involves stateful IP Security (IPSec) failover concepts for IPSec tunnel termination and security associations. This usually requires a heartbeat protocol between the master and slave firewall(s) on a dedicated crossover link. Most of the failover devices run in hot-standby mode or in expensive commercial (per-flow) load-balancing clusters.

The OpenBSD packet filter team is already working on a stateful failover concept using the newly introduced pfsync pseudo-device and a crude multicast pfsyncd in context with the OpenBSD firewall (pf) and the shiny new redundancy protocol Common Address Redundancy Protocol (CARP). The first integrated release of OpenBSD with all these features available is 3.5. I am sorry that the discussion did not make it into this first edition.



    		Command Syntax Conventions
    		Chapter 1. Operating System Issues and Features-The Big Picture
    		Chapter 2. User-Space Routing Software
    		Chapter 3. Kernel Requirements for a Full-Featured Lab
    		Chapter 4. Gateway WAN/Metro Interfaces
    		Chapter 5. Ethernet and VLANs
    		Chapter 6. The Analyzer Toolbox, DHCP, and CDP
    		Chapter 7. The UNIX Routing and ARP Tables
    		Chapter 8. Static Routing Concepts
    		Chapter 9. Dynamic Routing Protocols-Interior Gateway Protocols
    		Chapter 10. ISP Connectivity with BGPv4-An Exterior Gateway Path-Vector Routing Protocol for Interdomain Routing
    		Chapter 11. VPN Technologies, Tunnel Interfaces, and Architectures
    		Chapter 12. Designing for High Availability
    		Increasing Availability
    		Withstanding a (D)DoS Attack
    		Network HA Approaches
    		Simple but Effective Approaches to Server HA
    		DNS Shuffle Records and Round-Robin (DNS RR)
    		Dynamic Routing Protocols
    		Firewall Failover
    		Clustering and Distributed Architectures
    		The Service Routing Redundancy Daemon (SRRD)
    		IPv4/IPv6 Anycast
    		A Few Words About Content Caches and Proxies
    		Load Balancing
    		Cisco HA and Load-Balancing Approaches
    		VRRP
    		OpenBSD CARP
    		IRDP
    		Summary
    		Recommended Reading
    		Endnotes
    		Chapter 13. Policy Routing, Bandwidth Management, and QoS
    		Chapter 14. Multicast Architectures
    		Chapter 15. Network Address Translation
    		Appendix A. UNIX Kernel Configuration Files
    		Appendix B. The FreeBSD Netgraph Facility