Firewall Failover

Firewall failover is the art of exchanging state information for stateful inspection gateways and NAT tables, at the least, for the purpose of taking over for an equivalent resource. Such a takeover also involves stateful IP Security (IPSec) failover concepts for IPSec tunnel termination and security associations. This usually requires a heartbeat protocol between the master and slave firewall(s) on a dedicated crossover link. Most of the failover devices run in hot-standby mode or in expensive commercial (per-flow) load-balancing clusters.

The OpenBSD packet filter team is already working on a stateful failover concept using the newly introduced pfsync pseudo-device and a crude multicast pfsyncd in context with the OpenBSD firewall (pf) and the shiny new redundancy protocol Common Address Redundancy Protocol (CARP). The first integrated release of OpenBSD with all these features available is 3.5. I am sorry that the discussion did not make it into this first edition.