High Availability; What High Availability Will Do For You; What High Availability Will Not Do For You - D-Link DFL-1100 User Manual

Network security firewall

High Availability

D-Link High Availability works by adding a back-up firewall to your existing firewall. The
back-up firewall has the same configuration as the primary firewall. It stays inactive,
monitoring the primary firewall, until it deems that the primary firewall is no longer
functioning, at which point it assumes the active role in the cluster. When the other firewall
comes back up, it assumes a passive role, monitoring the now active firewall.

What High Availability will do for you

D-Link High Availability provides a redundant, state-synchronized firewalling solution. This
means that the state of the active firewall, i.e., the connection table and other vital information,
is continuously copied to the inactive firewall. When the cluster fails over to the inactive
firewall, that firewall knows which connections are active, and communication may continue
to flow uninterrupted.

The failover time is typically about one second, well within the normal TCP retransmit
timeout, which is normally over one minute. Clients connecting through the firewall will
merely experience the failover procedure as a slight burst of packet loss and, as TCP always
does in such situations, will retransmit the lost packets within a second or two and go on
communicating.
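The following toy model is an added example, not part of the D-Link manual or firmware. It shows why the copied connection table matters: after failover, an established flow resumes on the first TCP retransmission that arrives once the standby is active, while a standby without the copied state drops it. The class and function names, the sample flow, and the 0.5-second initial retransmit timer are assumptions made for illustration.

```python
"""Toy model (constructed for illustration) of an active/passive firewall pair."""


class Firewall:
    def __init__(self, name):
        self.name = name
        self.conns = set()  # connection table: (src, sport, dst, dport)

    def forward(self, flow, syn=False):
        """Stateful check: only a SYN creates state; other packets must match it."""
        if syn:
            self.conns.add(flow)
            return True
        return flow in self.conns


def retransmit_times(rto=0.5, tries=6):
    """Seconds after the lost packet at which TCP retransmits it,
    doubling the timer each time (exponential backoff). rto is an assumed value."""
    t, out = 0.0, []
    for _ in range(tries):
        t += rto
        out.append(t)
        rto *= 2
    return out


def failover(state_sync, outage=1.0, rto=0.5):
    """Delay until an established flow resumes after the active unit fails,
    or None if the new active unit drops the flow."""
    active, standby = Firewall("master"), Firewall("slave")
    flow = ("10.0.0.5", 40000, "192.0.2.10", 443)  # constructed sample flow
    active.forward(flow, syn=True)                 # set up before the failure
    if state_sync:
        standby.conns = set(active.conns)          # continuous copy of the table
    # The active unit dies at t=0; the standby takes over `outage` seconds later.
    for t in retransmit_times(rto):
        if t < outage:
            continue                               # nobody is forwarding yet
        return t if standby.forward(flow) else None
    return None


if __name__ == "__main__":
    print("with state sync:   ", failover(True))
    print("without state sync:", failover(False))
```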

What High Availability will NOT do for you

Adding redundancy to your firewall setup will eliminate one of the single points of failure in
your communication path. However, it is not a panacea for all possible communication failures.
Typically, your firewall is far from the only single point of failure. Redundancy for your routers,
switches, and your Internet connection are also issues that need to be addressed.

D-Link High Availability clusters will not create a load-sharing cluster. One firewall will be
active, and the other will be inactive.

Multiple back-up firewalls cannot be used in a cluster. Only two firewalls, a "master" and a
"slave", are supported.

As is the case with all other firewalls supporting stateful failover, D-Link High Availability
will only work between two D-Link DFL-1100 Firewalls. As the internal workings of different
firewalls, and, indeed, different major versions of the same firewall, can be radically different,
there is no way of communicating "state" to something which has a completely different
comprehension of what "state" means.


This manual is also suitable for:

Netdefend dfl-1100
