Re: [FW1] Load balancing vs. FW state
Derek;

Statefulness is a term that gets abused, and causes confusion. Statefulness, defined in this context, is the TCP state of the connection between the web client and web server, yes?

In that case, there's no issue with the firewall. Or to be more specific, whatever the load balancer will do to continue/failover a client "session" will have to be TCP state-kosher (set up w/3-way handshake, etc...) for the web server, server2, which means that it'll be ok for the firewall. In other words, if the firewall were to reject it based on rules in the state table, it's liable to be rejected by the web server TCP/IP stack as well.

The exception possibility is if you're doing weirdo state sharing trix in a web server cluster, putting the same, virtual, IP address on loopback i/f's... That sort of thing. Some software and/or software/hardware setups do that. I doubt you are, from the description of the parts.

Michael

"Belanger, Derek" wrote:
>
> The scenario is...I've got a load balancer (RadWare WSD) outside a firewall
> (CheckPoint 4.0 on NT) with redundant servers behind the firewall. My
> question is what happens to the statefulness of an established connection
> should it be redirected from one load balanced server to the other.
>
> Example:
>
> Client establishes a connection with RadWare and server1 is selected (load
> balanced) as the connection endpoint, the firewall accepts the connection
> and records the state (correct so far?).
>
> Then server1 fails. The RadWare moves the connection to server2. (What
> happens now? Will the firewall reject the connection because the endpoint
> has changed, thereby violating the statefulness?)
>
> Please help,
> Derek Belanger
>
> ================================================================================
> To unsubscribe from this mailing list, please see the instructions at
> http://www.checkpoint.com/services/mailing.html
> ================================================================================
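An added illustration of the argument in the reply above, not part of the original thread and not Check Point's or RadWare's code: a simplified model in which the firewall and the server's TCP stack both key connections on the 4-tuple and create state only on a SYN. It assumes the load balancer forwards to the real server addresses; all addresses and class names are constructed for the example.

```python
# Simplified model (assumption): the firewall and the server TCP stack both
# track connections by 4-tuple and only create state when they see a SYN.
from collections import namedtuple

Packet = namedtuple("Packet", "src sport dst dport flags")

class Firewall:
    """Accepts a SYN permitted by the rule base; any other segment needs state."""
    def __init__(self, allowed_servers, port=80):
        self.allowed, self.port, self.state = set(allowed_servers), port, set()

    def inspect(self, p):
        if p.flags == "SYN":
            if p.dst in self.allowed and p.dport == self.port:
                self.state.add(p[:4])          # record the 4-tuple
                return "accept"
            return "drop"
        return "accept" if p[:4] in self.state else "drop"

class ServerStack:
    """Host TCP stack: resets segments that belong to no known connection."""
    def __init__(self):
        self.conns = set()

    def receive(self, p):
        if p.flags == "SYN":
            self.conns.add(p[:4])
            return "SYN-ACK"
        return "ok" if p[:4] in self.conns else "RST"

def failover_demo():
    """Constructed addresses: client 198.51.100.7, servers 10.0.0.1 and 10.0.0.2."""
    fw = Firewall({"10.0.0.1", "10.0.0.2"})
    server2 = ServerStack()
    client = ("198.51.100.7", 40000)
    # Original connection: handshake to server1 creates firewall state.
    fw.inspect(Packet(*client, "10.0.0.1", 80, "SYN"))
    # server1 fails. Case 1: the same flow is pushed mid-stream to server2.
    midstream = Packet(*client, "10.0.0.2", 80, "ACK")
    # Case 2: the failover starts with a proper new handshake to server2.
    fresh = Packet(*client, "10.0.0.2", 80, "SYN")
    return {
        "midstream": (fw.inspect(midstream), server2.receive(midstream)),
        "fresh": (fw.inspect(fresh), server2.receive(fresh)),
    }

if __name__ == "__main__":
    print(failover_demo())
```

In this model the mid-stream segment is refused at both points, while the fresh handshake passes both, which is the symmetry the reply describes.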