High Availability; Overview - D-Link NetDefend DFL-210 User Manual

Chapter 11. High Availability
This chapter describes the high availability fault-tolerance feature in D-Link Firewalls.
• Overview, page 229
• How rapid failover is accomplished, page 231
• High Availability Issues, page 233

11.1. Overview

High Availability (HA) is a fault-tolerant capability that is available on certain models of D-Link
Firewalls. Currently the firewalls that offer this feature are the DFL-1600 and DFL-2500 models. D-
Link offers an active-passive HA implementation.
D-Link High Availability works by adding a back-up D-Link Firewall to an existing firewall. The
back-up firewall has the same configuration as the primary firewall. It will stay inactive, monitoring
the primary firewall, until it deems that the primary firewall is no longer functioning, at which point
it will become active and assume the active role in the cluster. When the other firewall regains full
functionality, the backup will assume a passive role, monitoring the now active firewall.
The hardware of the back-up firewall does not need to exactly match the hardware of the primary
firewall. However, as role switches are not done unnecessarily, either firewall may stay active for an
extended time, regardless of which one was originally the primary firewall. It is therefore recom-
mended to use hardware of similar performance to avoid throughput degradation when a less-
capable unit assumes the active role.
Throughout this chapter, the phrases "master firewall" and "primary firewall" are used interchange-
ably, as are the phrases "slave firewall" and "back-up firewall".
What High Availability can do
D-Link High Availability will provide a redundant, state-synchronized firewall solution. This means
that the state of the active firewall, i.e. connection table and other vital information, is continuously
copied to the inactive firewall. When the cluster fails over to the inactive firewall, it knows which
connections are active, and communication traffic can continue to flow uninterrupted.
The failover time is typically about one second; well within the scope for the normal TCP retransmit
timeout, which is normally in excess of one minute. Clients connecting through the firewall will
merely experience the failover as a slight burst of packet loss. TCP will, as it does in such situations,
retransmit the lost packets within a second or two, and continue communication.
What High Availability can not do
Adding redundancy to D-Link Firewall installations will eliminate one of the single points of failure
in the communication path. However, it is not a panacea for all possible communication failures.
Typically, the firewall is far from the only single point of failure. Redundancy for routers, switches,
and Internet connections are also issues that need to be examined.
D-Link High Availability clusters will not create a load-sharing cluster. One firewall will be active,
and the other will be inactive. Multiple back-up firewalls cannot be used in a cluster. Only two fire-
walls, a "master" and a "slave", are supported. As is the case with all other firewalls supporting
stateful failover, D-Link High Availability will only work between two D-Link Firewalls. As the in-
ternal workings of different manufacturer's firewalls, and, indeed, different major versions of the
same firewall, can be radically different, there is no way of communicating "state" to something
which has a completely different comprehension of what "state" means.
229