High Availability (HA) Firewall

High Availability (HA) firewall clusters are designed to minimize downtime for critical systems through the use of redundant systems. HA firewalls can maximize the availability of critical services using various clustering modes, such as active/active vs. active/passive. In the Active/Active mode multiple firewalls actively share the load across the cluster, while in the Active/Passive mode one firewall is a standby that becomes active when the primary firewall fails. In this article we discuss what an HA firewall is, the benefits of drawbacks of different clustering modes and how modern hyperscale network security technologies enable cloud-like elasticity and scalability for on-premises networks that require resilient systems.

Request a Demo Download the Datacenter Buyer's Guide

What is a High Availability (HA) Firewall?

The goal of a HA firewall deployment is to eliminate single points of failure within an organization’s network infrastructure. Instead of using a single firewall to protect the network, two or more firewalls are deployed in a group as a cluster.

These firewalls synchronize with one another using a heartbeat connection, which informs one firewall if the other has gone down. If this occurs, the redundant firewall can seamlessly failover existing connections, providing continuous protection without interruption.

What is N+1 Redundancy for Firewalls?

HA firewalls can be deployed using various clustering node configurations. Some of the common configurations include:

  • Active/Passive: In an active/passive configuration, each active node has a redundant firewall that only comes online if the active node goes down.
  • Active/Active: An active/active configuration has multiple active nodes. If one node goes down, traffic intended for it is reassigned to another, online node.
  • N+1: An N+1 configuration has at least one backup node for a group of N active nodes. If any active node goes down, the backup node should be capable of assuming its duties.
  • N+M: An N+M configuration has more than one backup node, providing more redundancy than an N+1 setup.
  • N to N: N to N clusters load balance the duties of a failed node across the other nodes in the cluster similarly to an active/active configuration but without a 1:1 mapping.

HA vs Load Balancing

Load balancing implies that all nodes in the system are active all of the time. Some HA node configurations perform load balancing, such as active/active configurations. However, some node configurations, such as active/passive are generally not load-balanced. At any time, at least one node in the system is not active, either because it is a backup node or a node has failed and another node has assumed its role.

In some cases, an organization may implement N+1 and similar configurations using load balancing. The redundant nodes that would usually be offline remain active and have traffic load balanced to them until a primary node goes offline. If this occurs, the “backup” node assumes its duties.

Firewall Load Balancing

Most firewall vendors offer clustering solutions where the firewalls communicate together to form the cluster. Another option is to deploy multiple firewalls “sandwiched” between Server Load Balancers, also called Application Delivery Controllers (ADC). In this architecture, network traffic is load balanced to the group of firewalls, providing a more scalable and highly available security infrastructure.

The Server Load Balancers direct traffic equally across the firewall members of the cluster.  In general load balancing provides numerous benefits, including:

  • Availability: Load balancing used as part of an HA cluster helps to reduce or eliminate downtime caused by node failures.
  • Scalability: ADCs can distribute traffic across multiple nodes, allowing the cluster to process more traffic than any single appliance can handle.
  • Performance: Load balancing can improve performance by sending traffic to the best available node in the cluster.
  • Management: Load balancing can provide management benefits, such as zero-downtime maintenance.

Challenges of Configuring Highly Available Firewall Clusters

Often, support for active/passive node configurations is built into a firewall solution. However, in order to implement configurations that are dependent on load balancing, an ADC must be deployed in front of and behind the firewall cluster. However, this can create additional firewall management challenges, such as asymmetric routing, managing encrypted traffic, and the scalability of the solution as the size of the cluster grows. Another challenge is the management of multiple products, i.e. the ADC and the firewalls.

High Availability (HA) and Load Balancing Firewall system with Check Point

Check Point offers multiple solutions for customers looking to deploy an HA firewall. If an organization wants to implement a simple HA firewall cluster with up to 5 nodes, this can be accomplished using the built-in HA and load sharing functionality described in Check Point’s firewall documentation.

Check Point Quantum Maestro is another Highly Available firewall option that is a scalable load balancing solution that does not require third party Server Load Balancers. With Maestro, multiple Next Generation Firewalls can act as a single, unified system. The entry level Maestro solution includes a Hyperscale Orchestrator plus two or three firewalls and additional firewalls can be added as needed to seamlessly scale security throughput. 

One or more Maestro Hyperscale Orchestrators distribute internal and external network traffic equally across multiple firewalls managed as a single group with a common security feature set and policy, also called a Security Group. 

Maestro HyperSync clustering technology provides full redundancy within a system. At the same time, traffic is balanced across all logical Security Group members, ensuring all hardware resources are fully utilized. Within a Security Group each connection is synchronized to two security group members, an Active and a Backup member, ensuring there is not a single point of failure.   Maestro’s benefits include:

  • Efficient N+1 Clustering: Maestro distributes both internal and external network traffic across multiple Quantum Firewalls using Check Point HyperSync technology. HyperSync tracks the Active/Backup state of group members. 
  • Segmentation: Create logical Security Groups to enable logical segmentation of an organization’s network. Firewalls in a Security Group automatically have a common security configuration, policy, and feature set – making this architecture much easier to manage than traditional approaches.
  • Scalability: Maestro can be deployed with as few as two gateways, and additional nodes can be added to support up to 3 Tbps of firewall throughput or up to 1 Tbps of Layer 1 – 7 advanced threat prevention throughput.
  • Load Balancing: Maestro implements load balancing without the need for a third party Server Load Balancer. This simplifies management and decreases the Total Cost of Ownership (TCO) of a load-balanced firewall cluster.

To learn more about Check Point HA firewall solutions, schedule a demo or read our whitepaper.

×
  Feedback
This website uses cookies for its functionality and for analytics and marketing purposes. By continuing to use this website, you agree to the use of cookies. For more information, please read our Cookies Notice.
OK