Overview
cOS Core can create an active-active setup in which a set of Clavister firewalls provides both connection load-sharing and redundancy. Consider the illustration below, which shows connections between an internal client and the Internet. Here, there are 4 different Clavister firewalls. The firewalls LB1 and LB2 balance the internal and external connection load between firewalls A and B using route load balancing. In addition, route failover ensures that A and B provide redundancy for each other should one of them fail.
Summary of Setup Steps
The following is a summary of the setup steps for the different firewalls. It is assumed that all 4 are identical hardware platforms and that they all have three Ethernet interfaces called if1, if2 and if3.
1. Setup for firewall LB1
LB1 will load balance connections from the client to the Internet between firewalls A and B. Connections in the other direction, originating from the Internet, will be treated normally. The IP addresses along with the interface names for LB1 are shown in the diagram below.
In the address book, create IP address objects for the connecting interfaces on firewalls A and B. Assume that these are called if1_ip_A and if1_ip_B.
Create a route in the main routing table with all-nets as the network, if2 as the interface and if1_ip_A as the gateway address. This is the route to firewall A.
Configuring routes is described in Section 4.2.2, Configuring Static Routes.
Enable the Monitor property for this new route, as well as the Monitor Interface Link Status and Monitor Gateway Using ARP properties. This ensures that the route will be disabled should firewall A become unresponsive.
Route monitoring is described further in Section 4.2.3, Route Failover.
Create another route in the main routing table with all-nets as the network, if3 as the interface and if1_ip_B as the gateway address. This is the route to firewall B.
Ensure that the Monitor property for this second route is also enabled along with the properties Monitor Interface Link Status and Monitor Gateway Using ARP. This ensures that the route will be disabled should firewall B become unresponsive.
Create a Route Balancing Instance for the main routing table, choosing the appropriate distribution method. This method will be either Round Robin or Destination. The Destination method ensures that client connections to the same destination IP address are routed through the same interface (and therefore through the same firewall, A or B).
Configuring route balancing instances is described further in Section 4.4, Route Load Balancing.
It is usually good practice to also create 2 routes: one that routes the address if1_ip_A on the interface if2 and one that routes the address if1_ip_B on the interface if3. Using ICMP to ping firewalls A and B requires these routes. Without them, route load balancing will be applied to all connections to firewalls A and B themselves.
All the routes created for LB1 are summarized in the table below:
Network | Interface | Gateway
---|---|---
all-nets | if2 | if1_ip_A
all-nets | if3 | if1_ip_B
if1_ip_A | if2 |
if1_ip_B | if3 |
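To make the behaviour of LB1's routing table concrete, the following is an added Python simulation, not cOS Core code and not from Clavister: it models the two monitored all-nets routes, the two unmonitored host routes, longest-prefix matching, route failover when a gateway stops responding, and both distribution methods. The addresses 10.1.0.1 (if1_ip_A) and 10.2.0.1 (if1_ip_B) and the use of a SHA-256 hash for the Destination method are assumptions made for the example.

```python
import hashlib
import ipaddress
from dataclasses import dataclass
from typing import List, Optional
def _net(network: str) -> ipaddress.IPv4Network:
    # "all-nets" is the cOS Core name for 0.0.0.0/0
    return ipaddress.ip_network("0.0.0.0/0" if network == "all-nets" else network)
@dataclass
class Route:
    network: str                  # "all-nets" or a CIDR such as "10.1.0.1/32"
    interface: str
    gateway: Optional[str] = None
    monitor: bool = False         # Monitor / link status / gateway ARP monitoring on
    up: bool = True               # cleared by the simulated gateway monitor

class RoutingTable:
    def __init__(self, routes: List[Route], method: str = "Destination"):
        self.routes, self.method, self._rr = routes, method, 0
    def gateway_state(self, gateway: str, up: bool) -> None:
        # Route monitoring: a monitored route whose gateway stops answering is disabled
        for r in self.routes:
            if r.monitor and r.gateway == gateway:
                r.up = up

    def lookup(self, dst: str) -> Optional[str]:
        ip = ipaddress.ip_address(dst)
        live = [r for r in self.routes if r.up and ip in _net(r.network)]
        if not live:
            return None
        best = max(_net(r.network).prefixlen for r in live)
        equal = [r for r in live if _net(r.network).prefixlen == best]  # longest prefix wins
        if len(equal) == 1:       # e.g. the host route to if1_ip_A: no balancing applied
            return equal[0].interface
        if self.method == "Round Robin":
            chosen = equal[self._rr % len(equal)]
            self._rr += 1
        else:                     # Destination: same destination IP -> same route
            digest = int(hashlib.sha256(dst.encode()).hexdigest(), 16)
            chosen = equal[digest % len(equal)]
        return chosen.interface

# Assumed addresses: if1_ip_A = 10.1.0.1 (firewall A), if1_ip_B = 10.2.0.1 (firewall B)
IF1_IP_A, IF1_IP_B = "10.1.0.1", "10.2.0.1"
def lb1_table(method: str = "Destination") -> RoutingTable:
    return RoutingTable([
        Route("all-nets", "if2", IF1_IP_A, monitor=True),   # route to firewall A
        Route("all-nets", "if3", IF1_IP_B, monitor=True),   # route to firewall B
        Route(IF1_IP_A + "/32", "if2"),                     # lets LB1 reach A directly
        Route(IF1_IP_B + "/32", "if3"),                     # lets LB1 reach B directly
    ], method)
```

Calling `gateway_state(IF1_IP_A, False)` plays the role of the ARP monitor detecting that firewall A has stopped answering; all-nets traffic then falls over to if3 while the unmonitored host route to A remains usable for diagnostics.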
2. Setup for firewall LB2
LB2 will load balance connections from the Internet to the client between firewalls A and B. Connections in the other direction, originating from the client, will be treated normally. The setup steps will be the same as for LB1 but in the reverse direction.
3. Setup for firewalls A and B
A and B will be set up like normal configurations and will have the IP rule sets and other processing policies for the traffic. They will duplicate each other except for the IP addresses of the Ethernet interfaces.

Note: Increasing fault-tolerance using HA clusters

In the above example, the firewalls LB1 and LB2 represent a potential single point of failure in this setup. However, either or both could become an HA cluster to eliminate this using redundancy.