High Availability (HA) firewall clusters minimize downtime for critical systems by using redundant firewalls. An HA cluster can be run in one of several clustering modes, most commonly active/active or active/passive. In active/active mode several firewalls share the traffic load at the same time; in active/passive mode one firewall handles all traffic while a standby firewall takes over only when the primary fails. This article explains what an HA firewall is, the benefits and drawbacks of the different clustering modes, and how modern hyperscale network security technologies bring cloud-like elasticity and scalability to on-premises networks that need resilient systems.
The goal of an HA firewall deployment is to eliminate single points of failure in an organization's network infrastructure. Instead of relying on a single firewall to protect the network, two or more firewalls are deployed together as a cluster.
The cluster members exchange heartbeats over a synchronization link, so a surviving member learns quickly when its peer has gone down. When that happens, the redundant firewall takes over the failed member's existing connections, providing continuous protection without interruption; this only works for connections whose state was synchronized to the surviving member before the failure, which is why the sync link deserves the same attention as the data path.
HA firewalls can be deployed using various clustering node configurations. Some of the common configurations include:
Load balancing means that every node in the cluster handles traffic at the same time. Active/active configurations are load balanced. Active/passive configurations generally are not: at any given moment at least one node is idle, either because it is a standby or because it has failed and another node has taken over its role.
In some cases an organization implements N+1 and similar configurations with load balancing. The redundant node that would otherwise sit idle stays active and receives its share of traffic until a primary node goes offline, at which point the "backup" node takes over the failed node's duties. For this to work, the cluster must be sized so that the remaining N nodes can carry the full load once one has failed.
Most firewall vendors offer clustering solutions in which the firewalls communicate with each other to form the cluster. Another option is to deploy multiple firewalls "sandwiched" between server load balancers, also called Application Delivery Controllers (ADCs). In this architecture, network traffic is load balanced across the group of firewalls, giving a more scalable and highly available security infrastructure.
The server load balancers direct traffic evenly across the firewall members of the cluster. In general, load balancing provides numerous benefits, including:
Support for active/passive configurations is usually built into the firewall product itself. Configurations that depend on load balancing, by contrast, require an ADC in front of and behind the firewall cluster, which brings its own management challenges: asymmetric routing (the return direction of a connection reaching a different firewall than the one that holds its state), inspection of encrypted traffic, keeping the load balancers consistent as the cluster grows, and operating two products, the ADC and the firewalls, instead of one.
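The asymmetric-routing problem in an ADC/firewall/ADC sandwich, as an added illustration that is not code from the article or from any ADC or firewall vendor: each load balancer picks a firewall by hashing the packet's addresses, and if that hash depends on packet direction the reply can reach a member that never saw the SYN, so a stateful firewall drops it. The `Packet` model, the `pick_member` hashing policy and the addresses are all hypothetical; the fix shown (sorting the endpoints before hashing so both directions map to the same member) is the standard remedy.

```python
"""Flow distribution in an ADC / firewall / ADC "sandwich" (added example).

Illustrative code only: it models each load balancer choosing a firewall by
hashing the packet's addresses, and shows why a direction-sensitive hash
breaks stateful inspection while a symmetric hash keeps both directions of a
flow on the same member. Addresses, ports and the hash policy are constructed.
"""
import hashlib
from dataclasses import dataclass
from typing import Callable, Tuple


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    syn: bool          # True for the first packet of a TCP flow
    proto: str = "tcp"


def naive_key(pkt: Packet) -> str:
    """Direction-sensitive key: request and reply produce different strings."""
    return f"{pkt.proto}|{pkt.src_ip}:{pkt.src_port}->{pkt.dst_ip}:{pkt.dst_port}"


def symmetric_key(pkt: Packet) -> str:
    """Direction-independent key: endpoints sorted, so both directions match."""
    lo, hi = sorted([(pkt.src_ip, pkt.src_port), (pkt.dst_ip, pkt.dst_port)])
    return f"{pkt.proto}|{lo[0]}:{lo[1]}|{hi[0]}:{hi[1]}"


def pick_member(key: str, n_members: int) -> int:
    """Hypothetical ADC hashing policy: SHA-256 of the key, modulo member count."""
    digest = hashlib.sha256(key.encode()).digest()
    return int.from_bytes(digest[:8], "big") % n_members


class StatefulFirewall:
    """Minimal stateful inspection: a flow must have started with a SYN here."""

    def __init__(self, name: str) -> None:
        self.name = name
        self.sessions = set()

    def inspect(self, pkt: Packet) -> bool:
        # A stateful firewall matches both directions of a flow on its own;
        # the question is only whether *this* member saw the flow start.
        key = symmetric_key(pkt)
        if pkt.syn:
            self.sessions.add(key)
            return True
        return key in self.sessions          # no session -> default deny


def run_sandwich(key_fn: Callable[[Packet], str], n_members: int = 4,
                 n_flows: int = 200) -> Tuple[int, int]:
    """Push n_flows request/reply pairs through the sandwich.

    key_fn is the hashing policy used by both ADCs.
    Returns (flows completed, flows whose reply was dropped).
    """
    members = [StatefulFirewall(f"fw{i}") for i in range(n_members)]
    dropped = 0
    for i in range(n_flows):
        # Constructed traffic: an internal client opening an outbound TLS session.
        req = Packet("10.0.0.5", 40000 + i, "203.0.113.10", 443, syn=True)
        rep = Packet("203.0.113.10", 443, "10.0.0.5", 40000 + i, syn=False)
        inside_adc = members[pick_member(key_fn(req), n_members)]
        outside_adc = members[pick_member(key_fn(rep), n_members)]
        inside_adc.inspect(req)               # SYN creates state on one member
        if not outside_adc.inspect(rep):      # reply must reach that same member
            dropped += 1
    return n_flows - dropped, dropped


if __name__ == "__main__":
    for label, fn in (("direction-sensitive hash", naive_key),
                      ("symmetric hash", symmetric_key)):
        ok, bad = run_sandwich(fn)
        print(f"{label:>24}: {ok} flows completed, {bad} replies dropped")
```

With a single firewall the direction-sensitive policy works by accident, which is why the problem often surfaces only when a second member is added; the symmetric key is what a practitioner should verify on both ADCs before scaling the sandwich out.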
Check Point offers multiple solutions for customers who want to deploy an HA firewall. An organization that needs a simple HA firewall cluster of up to 5 nodes can use the built-in HA and load sharing functionality described in Check Point's firewall documentation.
Check Point Quantum Maestro is another highly available firewall option: a scalable load balancing solution that does not require third-party server load balancers. With Maestro, multiple Next Generation Firewalls act as a single, unified system. The entry-level Maestro solution consists of a Hyperscale Orchestrator plus two or three firewalls, and further firewalls can be added as needed to scale security throughput without disruption.
One or more Maestro Hyperscale Orchestrators distribute internal and external network traffic evenly across multiple firewalls that are managed as a single group with a common security feature set and policy, called a Security Group.
Maestro HyperSync clustering technology provides full redundancy within the system while traffic is balanced across all members of a Security Group, so every member's hardware is in use. Within a Security Group each connection is synchronized to two members, an Active member and a Backup member, so that no single member is a point of failure for that connection. Maestro's benefits include:
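The redundancy property described above, and the contrast with the active/passive arrangement discussed earlier, as an added model that is not Check Point's code and does not describe how Maestro or HyperSync is actually implemented: every connection has an Active owner and one Backup member holding a synchronized copy of its state; in active/active mode ownership is spread across all members by hashing the connection identifier, while active/passive puts every connection on one member with one standby. The `SecurityGroup` class, the ring-based backup choice, the member numbers and the connection identifiers are all hypothetical. The scenarios show that any single failure, or a sequence of failures with time to re-synchronize in between, loses nothing, while a simultaneous loss of a connection's Active and Backup members does.

```python
"""Connection redundancy in a load-shared firewall group (added example).

Illustrative model only. Each connection is held by an Active member and
mirrored to one Backup member; active/active spreads ownership across all
live members, active/passive keeps it on the lowest-numbered live member.
Member ids, connection ids and the placement policy are constructed.
"""
import hashlib
from typing import Dict, List, Optional, Tuple


class SecurityGroup:
    def __init__(self, n_members: int, mode: str = "active_active") -> None:
        assert mode in ("active_active", "active_passive")
        self.mode = mode
        self.alive = set(range(n_members))
        self.owner: Dict[str, int] = {}              # connection -> Active member
        self.backup: Dict[str, Optional[int]] = {}   # connection -> Backup member
        self.state = {m: set() for m in range(n_members)}  # state table per member

    def _next_alive(self, member: int) -> Optional[int]:
        ring = sorted(self.alive)
        if len(ring) < 2:
            return None
        return ring[(ring.index(member) + 1) % len(ring)]

    def _place(self, conn_id: str) -> Tuple[int, Optional[int]]:
        ring = sorted(self.alive)
        if self.mode == "active_passive":
            owner = ring[0]                    # one member carries everything
        else:
            h = int.from_bytes(hashlib.sha256(conn_id.encode()).digest()[:8], "big")
            owner = ring[h % len(ring)]        # spread across all live members
        return owner, self._next_alive(owner)

    def add_connection(self, conn_id: str) -> None:
        owner, backup = self._place(conn_id)
        self.owner[conn_id] = owner
        self.backup[conn_id] = backup
        self.state[owner].add(conn_id)
        if backup is not None:
            self.state[backup].add(conn_id)    # synchronized copy of the state

    def fail(self, *members: int) -> List[str]:
        """Simultaneous failure of the given members; returns connections lost.

        A connection survives if its Active or its Backup member is still up;
        the survivor becomes Active and state is re-synchronized to a new Backup.
        """
        for m in members:
            self.alive.discard(m)
            self.state[m].clear()
        lost = []
        for cid in list(self.owner):
            survivors = [m for m in (self.owner[cid], self.backup[cid]) if m in self.alive]
            if not survivors:
                lost.append(cid)               # both copies of the state are gone
                del self.owner[cid], self.backup[cid]
                continue
            new_owner = survivors[0]
            new_backup = self._next_alive(new_owner)
            self.owner[cid], self.backup[cid] = new_owner, new_backup
            self.state[new_owner].add(cid)
            if new_backup is not None:
                self.state[new_backup].add(cid)
        return lost

    def load(self) -> Dict[int, int]:
        """Connections actively handled by each live member."""
        return {m: sum(1 for o in self.owner.values() if o == m) for m in sorted(self.alive)}


def build(mode: str, n_members: int = 4, n_conns: int = 1000) -> SecurityGroup:
    sg = SecurityGroup(n_members, mode)
    for i in range(n_conns):                   # constructed connection identifiers
        sg.add_connection(f"10.0.{i // 250}.{i % 250}:{30000 + i}->198.51.100.7:443")
    return sg


def sequential_failures(mode: str) -> Tuple[int, int, Dict[int, int]]:
    """Lose member 0, let re-sync complete, then lose member 1."""
    sg = build(mode)
    first = len(sg.fail(0))
    second = len(sg.fail(1))
    return first, second, sg.load()


def simultaneous_failure(mode: str, members: Tuple[int, ...]) -> int:
    """Lose several members at once, before any re-sync can happen."""
    return len(build(mode).fail(*members))


if __name__ == "__main__":
    for mode in ("active_active", "active_passive"):
        print(mode, "sequential 0 then 1:", sequential_failures(mode))
        print(mode, "simultaneous 1+2:", simultaneous_failure(mode, (1, 2)), "lost")
        print(mode, "simultaneous 0+1:", simultaneous_failure(mode, (0, 1)), "lost")
```

The `load()` output after the sequential failures is the point to look at: in the active/active model the surviving members share the connections, whereas in the active/passive model one member ends up carrying all of them, which is the capacity-planning consequence of choosing that mode.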