The Synchronization Interface; Setting Up A High Availability Cluster - D-Link DFL-1600 User Manual

It is a UDP packet, sent from port 999 to port 999.
The destination MAC address is the Ethernet multicast address
corresponding to the shared hardware address, i.e.
11-00-00-C1-4A-nn. Link-level multicasts were chosen over normal
unicast packets for security reasons: using unicast packets would have
meant that a local attacker could fool switches into routing the heartbeats
somewhere else, causing the peer firewall to never hear the heartbeats.
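
The following is an added example, not part of the D-Link manual: a Python check that compares a captured Ethernet frame against the heartbeat properties stated above (UDP, port 999 to port 999, link-level multicast destination 11-00-00-C1-4A-nn). The function names, the "heartbeat"/"suspect"/"other" labels, the untagged-IPv4 assumption and the sample frames are assumptions made for the illustration.

```python
import struct

HB_MAC_PREFIX = bytes.fromhex("110000C14A")  # 11-00-00-C1-4A-nn, from the text
HB_PORT = 999                                # source and destination port, from the text

def classify_frame(frame: bytes) -> str:
    """Return 'heartbeat', 'suspect' or 'other' for one raw Ethernet II frame."""
    if len(frame) < 14:
        return "other"
    dst_mac, ethertype = frame[:6], struct.unpack("!H", frame[12:14])[0]
    if ethertype != 0x0800:                  # assumption: untagged IPv4 only
        return "other"
    ip = frame[14:]
    if len(ip) < 20 or ip[0] >> 4 != 4:
        return "other"
    ihl = (ip[0] & 0x0F) * 4                 # IPv4 header length in bytes
    frag = struct.unpack("!H", ip[6:8])[0] & 0x1FFF  # non-first fragments lack a UDP header
    if ihl < 20 or ip[9] != 17 or frag or len(ip) < ihl + 8:  # protocol 17 = UDP
        return "other"
    sport, dport = struct.unpack("!HH", ip[ihl:ihl + 4])
    if (sport, dport) != (HB_PORT, HB_PORT):
        return "other"
    is_multicast = bool(dst_mac[0] & 0x01)   # I/G bit set => link-level multicast
    if is_multicast and dst_mac[:5] == HB_MAC_PREFIX:
        return "heartbeat"
    return "suspect"  # port 999 -> 999, but not addressed to the heartbeat multicast MAC

def build_frame(dst_mac: bytes, sport: int, dport: int) -> bytes:
    """Constructed sample frame; addresses, TTL and payload are made up for the demo."""
    udp = struct.pack("!HHHH", sport, dport, 8 + 4, 0) + b"demo"
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 0, 0, 1, 17, 0,
                     bytes([192, 0, 2, 1]), bytes([192, 0, 2, 2]))
    eth = dst_mac + bytes.fromhex("020000000001") + struct.pack("!H", 0x0800)
    return eth + ip + udp

if __name__ == "__main__":
    for mac, sp, dp in [("110000C14A07", 999, 999),   # matches the documented format
                        ("020000000002", 999, 999),   # unicast destination
                        ("110000C14A07", 999, 53)]:   # wrong destination port
        print(mac, sp, dp, classify_frame(build_frame(bytes.fromhex(mac), sp, dp)))
```

A frame classified as "suspect" uses the heartbeat ports without the multicast destination the manual describes, which is worth a closer look on a segment that carries cluster heartbeats.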
29.2.3 The synchronization interface

Both firewalls are connected to each other by a separate synchronization
connection; normal network cards are used, although they are dedicated
solely for this purpose.
The active firewall continuously sends state update messages to its peer,
informing it of connections that are opened, connections that are closed,
state and lifetime changes in connections, etc.
When the active firewall ceases to function, for whatever reason and for
even a short time, the cluster heartbeat mechanism described above will
cause the inactive firewall to go active. Since it already knows about all
open connections, communication can continue to flow uninterrupted.
29.3 Setting up a High Availability Cluster

This section includes the following topics:
Planning the High Availability cluster
Creating a High Availability cluster
This section describes the process of installing a High Availability cluster.
For a successful installation, it is highly recommended that the previous
sections, High Availability Basics and How rapid failover is accomplished,
have been read.
A cluster can be created by either installing a pair of new firewalls, or by
converting already installed firewalls to cluster members.
The firewall whose configuration has the highest version number will always
make sure that the configuration is transferred to the other cluster member.
D-Link Firewalls User's Guide
Chapter 29. High Availability
