This section includes the following topics:
Amaranten High Availability works by adding a back-up firewall to your existing firewall. The back-up firewall has the same configuration as the primary firewall. It will stay inactive, monitoring the primary firewall, until it deems that the primary firewall is no longer functioning, at which point it will go active and assume the active role in the cluster. When the other firewall comes back up, it will assume a passive role, monitoring the now active firewall.
The hardware of the back-up firewall does not need to match the hardware of the primary firewall precisely. However, as role switches are not done unnecessarily, either firewall may stay active for an extended time, regardless of which one was originally the primary firewall. We recommend using hardware of similar performance to avoid throughput degradation when a lesser-capable machine assumes the active role.
Throughout this chapter, the phrases "master firewall" and "primary firewall" are used interchangeably, as are the phrases "slave firewall" and "back-up firewall".
Amaranten High Availability will provide a redundant, state-synchronized firewalling solution. This means that the state of the active firewall, i.e. connection table and other vital information, is continuously copied to the inactive firewall. When the cluster fails over to the inactive firewall, it knows which connections are active, and communication may continue to flow uninterrupted.
The failover time is typically about one second; well in the scope for the normal TCP retransmit timeout, which is normally over one minute. Clients connecting through the firewall will merely experience the failover procedure as a slight burst of packet loss, and, as TCP always does in such situations, retransmit the lost packets within a second or two, and go on communicating.
Adding redundancy to your firewall setup will eliminate one of the single points of failure in your communication path. However, it is not a panacea for all possible communication failures.
Typically, your firewall is far from the only single point of failure. Redundancy for your routers, switches, and your Internet connection are also issues that need to be addressed.
Amaranten High Availability clusters will not create a load-sharing cluster. One firewall will be active, and the other will be inactive.
Multiple back-up firewalls cannot be used in a cluster. Only two firewalls, a "master" and a "slave", is supported.
As is the case with all other firewalls supporting stateful failover, the Amaranten High Availability will only work between two Amaranten Firewalls. As the internal workings of different firewalls, and, indeed, different major versions of the same firewall, can be radically different, there is no way of communicating "state" to something which has a completely different comprehension of what "state" means.
Broken interfaces will not be detected by the current implementation of the HA High Availability, unless they are broken to the point where the firewall cannot continue to run. This means that failover will not occur if the active firewall can communicate ?eing alive?to the inactive firewall through any of its interfaces, even though one or more interfaces may be inoperative.
All the interfaces of the primary firewall need to be present on the back-up firewall, and connected to the same networks. As previously mentioned, failover is not done unnecessarily, so either firewall may maintain the active role of the cluster for an extended period of time. Hence, connecting some equipment to only the "master" or only the "slave" firewall is bound to produce unwanted results.
As you can see in this illustration, both firewalls are connected to the internal as well as the external network. If there are more networks, for instance one or more demilitarized zones, or internal network segments, both firewalls will also have to be connected to such networks; just connecting the "master" to a network will most likely lead to loss of connectivity for extended periods of time.