R3166-R3206-HP High-End Firewalls High Availability Configuration Guide-6PW101
Stateful failover configuration
NOTE:
The firewall supports stateful failover configuration only in the web interface.
Overview
Introduction to stateful failover
Some customers require the key entries or access points of their networks, such as the Internet access
point of an enterprise or a database server of a bank, to be highly reliable to ensure continuous data
transmission. Deploying only one firewall (even with high reliability) in such a network risks a single point
of failure and therefore cannot meet the requirement, as shown in Figure 16.
Figure 16 Network with one firewall deployed
The stateful failover feature was introduced to meet the requirement. In Figure 17, two firewalls
(supporting NAT, ALG, blacklist, DHCP server, and load balancing) enabled with stateful failover are
deployed in the network. On each firewall, specify an Ethernet interface as the failover interface. The two
firewalls exchange state negotiation messages periodically through the failover interfaces. After the two
firewalls go into the synchronization state, they back up the services of each other to ensure that the
services on them are consistent. If one firewall fails, the other firewall can take over the services by using
Virtual Router Redundancy Protocol (VRRP) or dynamic routing protocols, such as Open Shortest Path
First (OSPF). Because the other firewall has already backed up the services, user traffic can pass through
the other firewall, avoiding service interruption.
NOTE:
The failover link transmits only state negotiation messages and backup data.