
Synchronizing Connections in the Cluster

In This Section:

The Check Point State Synchronization Solution

Configuring State Synchronization

The Check Point State Synchronization Solution

A failure of a firewall results in an immediate loss of active connections in and out of the organization. Many of these connections, such as financial transactions, may be mission critical, and losing them will result in the loss of critical data. ClusterXL supplies an infrastructure that ensures that no data is lost in case of a failure, by making sure each cluster member is aware of the connections going through the other members. Passing information about connections and other Security Gateway states between the cluster members is called State Synchronization.

Every IP based service (including TCP and UDP) recognized by the Security Gateway is synchronized.

State Synchronization is used both by ClusterXL and by third-party OPSEC-certified clustering products.

Members in a ClusterXL Load Sharing configuration must be synchronized. Members in a ClusterXL High Availability configuration do not have to be synchronized, though if they are not, connections will be lost upon failover.

The Synchronization Network

The Synchronization Network is used to transfer synchronization information about connections and other Security Gateway states between cluster members.

Since the synchronization network carries the most sensitive Security Policy information in the organization, it is critical that you protect it against both malicious and unintentional threats. We recommend that you secure the synchronization interfaces using one of the following strategies:

Note - You can synchronize members across a WAN. To do this, do the steps in Synchronizing Clusters on a WAN.

These recommendations make the synchronization network more secure because no other networks carry synchronization information.

In ClusterXL, the synchronization network is supported on the lowest VLAN tag of a VLAN interface. For example, if three VLANs with tags 10, 20 and 30 are configured on interface eth1, interface eth1.10 may be used for synchronization.

How State Synchronization Works

Synchronization works in two modes:

Full sync is used for initial transfers of state information, for many thousands of connections. If a cluster member is brought up after being down, it will perform full sync. After all members are synchronized, only updates are transferred via delta sync. Delta sync is quicker than full sync.

State Synchronization traffic typically makes up around 90% of all Cluster Control Protocol (CCP) traffic. State Synchronization packets are distinguished from the rest of CCP traffic via an opcode in the UDP data header.

Note - The source MAC address for CCP packets can be changed.

Non-Synchronized Services

In a cluster, all connections on all cluster members are normally synchronized across the cluster. Not all services that go through a cluster must be synchronized.

You can have a synchronized service and a non-synchronized definition of a service, and use them selectively in the Rule Base.

Configuring Services not to Synchronize

Synchronization incurs a performance cost. You may choose not to synchronize a service if these conditions are true:

Duration Limited Synchronization

Some TCP services (for example, HTTP) are characterized by connections with a very short duration. There is no point in synchronizing these connections because every synchronized connection consumes Security Gateway resources, and the connection is likely to have finished by the time a failover occurs.

For all TCP services whose Protocol Type (as defined in SmartDashboard) is HTTP or None, you can use this feature to delay telling the cluster members about a connection, so that the connection is only synchronized if it still exists X seconds after it is initiated. This feature requires SecureXL to be enabled on all cluster members.

Note - The Delayed Notification setting in the service object is ignored if Connection Templates are not offloaded from the Firewall to SecureXL. For additional information, see the SecureXL documentation.
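The two synchronization modes described above (full sync for a member that comes up, delta sync for later updates) and Duration Limited Synchronization, modelled as an added Python simulation that is not Check Point code: the message tuples, the per-service delay table and the sample addresses are assumptions constructed for the model.

```python
from dataclasses import dataclass

@dataclass
class Conn:
    service: str          # service object name, which carries the delay setting
    opened_at: float      # time the first packet of the connection was seen
    synced: bool = False  # True once the other members have been told about it

class SyncMember:
    """One member's connection table and the sync messages it sends to peers (model, not product code)."""
    def __init__(self, delay_by_service):
        self.delay = delay_by_service  # service -> seconds of delayed notification (assumed table)
        self.table = {}                # connection key -> Conn
        self.outbox = []               # sync messages emitted so far

    def open_conn(self, key, service, now):
        self.table[key] = Conn(service, now)

    def close_conn(self, key):
        conn = self.table.pop(key)
        if conn.synced:  # peers only need a removal for a connection they know about
            self.outbox.append(("delta", "del", key))

    def tick(self, now):
        """Delta sync: announce connections whose notification delay has elapsed."""
        for key, conn in self.table.items():
            if not conn.synced and now - conn.opened_at >= self.delay[conn.service]:
                conn.synced = True
                self.outbox.append(("delta", "add", key))

    def full_sync(self):
        """Full sync: the whole table of announced connections, sent to a member that comes up."""
        return [("full", "add", k) for k, c in self.table.items() if c.synced]

def simulate():
    """Constructed scenario: a short HTTP flow ends before its 3 s delay, a long one survives."""
    m = SyncMember({"http": 3, "ssh": 0})
    ssh = ("10.0.0.5", "192.0.2.10", 22)          # constructed sample addresses
    short_http = ("10.0.0.6", "192.0.2.10", 80)
    long_http = ("10.0.0.7", "192.0.2.10", 80)
    m.open_conn(ssh, "ssh", 0.0)
    m.open_conn(short_http, "http", 0.0)
    m.open_conn(long_http, "http", 0.0)
    m.tick(0.0)                # ssh is announced at once; both HTTP flows wait
    m.close_conn(short_http)   # finished at t=1, so it is never synchronized
    m.tick(4.0)                # long_http has now lived past 3 s and is announced
    return m.outbox, m.full_sync()
```

The short HTTP connection never costs the peers a table entry, which is exactly the resource saving the delayed notification is meant to give.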