TIMING MANAGEMENT IN A LARGE FIREWALL CLUSTER
First Claim
1. A non-transitory computer readable medium comprising computer executable instructions stored thereon that when executed cause one or more processing units to:
initialize a firewall cluster comprising a plurality of nodes, each node operable to selectively permit or block traffic flowing between the firewall cluster and an external network;
receive a report from a first node of the firewall cluster that the first node is ineligible to be a primary node;
receive a report from a second node of the firewall cluster that the second node is eligible to be a primary node;
designate the second node as a primary node; and
notify the remaining nodes of the firewall cluster that the second node is the primary node for the firewall cluster.
Abstract
A firewall cluster comprises three or more firewall processing nodes, which report primary node status based on the reporting node's membership in a preexisting cluster. A controller uses the reported status to assign a primary node in the distributed firewall cluster. A node reports primary node eligibility if it is a member of a preexisting cluster, primary node ineligibility if it is not a member of a preexisting cluster, primary node status if it is the primary node of a preexisting cluster, and primary node eligibility if it has timed out.
20 Claims
1. A non-transitory computer readable medium comprising computer executable instructions stored thereon that when executed cause one or more processing units to:
initialize a firewall cluster comprising a plurality of nodes, each node operable to selectively permit or block traffic flowing between the firewall cluster and an external network;
receive a report from a first node of the firewall cluster that the first node is ineligible to be a primary node;
receive a report from a second node of the firewall cluster that the second node is eligible to be a primary node;
designate the second node as a primary node; and
notify the remaining nodes of the firewall cluster that the second node is the primary node for the firewall cluster.
Dependent claims: 2, 3
4. A firewall system, comprising:
a plurality of firewall processing nodes interconnected by a network, each processing node comprising a hardware network device operable to execute rules to selectively filter traffic between the firewall processing nodes and an external network; and
a controller operable to execute instructions that when executed cause the controller to:
receive a report from a first node of the plurality of firewall processing nodes that the first node is ineligible for designation as a primary node;
receive a report from a second node of the plurality of firewall processing nodes that the second node is eligible for designation as a primary node;
designate the second node as a primary node; and
notify the remaining nodes of the plurality of firewall processing nodes that the second node is the primary node for the firewall system.
Dependent claims: 5, 6, 7
8. A system comprising:
a plurality of nodes interconnected by a network, each node comprising a computer system adapted to share processing of at least one of a firewall application and an intrusion protection application; and
a hardware controller operable to monitor nodes available to the system, the controller adapted to execute instructions that when executed cause the controller to:
initialize a firewall cluster, the firewall cluster comprising one or more nodes that comprise members of a previous firewall cluster and a new node;
assign the new node as a primary node;
receive a report from the assigned primary node that the assigned primary node is ineligible to be a primary node, to prevent formation of a split firewall cluster;
receive a report from a second node that is a member of the previous firewall cluster that the second node is eligible to be a primary node;
designate the second node as the primary node;
designate the assigned primary node as a secondary node; and
designate any remaining nodes that are members of the previous firewall cluster as secondary nodes and notify all secondary nodes about the primary node to form the firewall cluster.
Dependent claims: 9, 10, 11, 12, 13, 14, 15
16. A method comprising:
monitoring, by a hardware control node, one or more nodes that comprise members of a previous firewall cluster and a new node, each node comprising a computer system adapted to share processing of at least a firewall application;
assigning, by the control node, the new node as a primary node;
receiving a report from the assigned primary node that the assigned primary node is ineligible to be a primary node;
receiving a report from a second node comprising a member of the previous firewall cluster that the second node is eligible to be a primary node;
designating the second node as the primary node;
designating the assigned primary node as a secondary node; and
designating any remaining nodes of the previous firewall cluster as secondary nodes and notifying all secondary nodes about the primary node to form a new firewall cluster.
Dependent claims: 17, 18, 19, 20
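The election the claims describe is a split-brain guard: a node that was never part of the preexisting cluster must not become primary just because the controller provisionally handed it that role, otherwise two clusters with two primaries could run side by side and apply rule sets and state independently. The following simulation, added here and not code from the patent or its assignee, walks through claims 1, 8 and 16 with the four report cases from the abstract. Node names, the numeric ranking of reports, the tie-break rules (the provisional primary keeps its role only when no node reports a better status, and two nodes both claiming prior primary status fall back to list order) and the log format are assumptions for illustration.

```python
"""Controller-side primary election for a firewall cluster, modelled on the
steps in the claims. Added illustration, not code from the patent; node names,
the numeric ranking of reports and the tie-break rules are assumptions."""
from __future__ import annotations

from dataclasses import dataclass, field
from enum import Enum
from typing import List, Optional


class Report(Enum):
    """What a node tells the controller at cluster initialization.
    The numeric values rank the reports; the ranking itself is an assumption."""
    PRIMARY = 2      # node was the primary of a preexisting cluster
    ELIGIBLE = 1     # node was a member of a preexisting cluster, or has timed out
    INELIGIBLE = 0   # new node, never a member of a preexisting cluster


@dataclass
class Node:
    name: str
    in_previous_cluster: bool = False
    was_primary: bool = False
    timed_out: bool = False
    role: str = "unassigned"             # set by the controller
    known_primary: Optional[str] = None  # filled by the controller's notification

    def report_status(self) -> Report:
        """The four cases from the abstract, decided by the node itself."""
        if self.in_previous_cluster and self.was_primary:
            return Report.PRIMARY
        if self.in_previous_cluster or self.timed_out:
            return Report.ELIGIBLE
        return Report.INELIGIBLE


@dataclass
class Controller:
    nodes: List[Node]
    log: List[str] = field(default_factory=list)

    def form_cluster(self, initial_primary: Node) -> Node:
        """Assign a provisional primary, collect reports, then designate the
        primary and secondaries and notify the secondaries. Returns the primary."""
        for n in self.nodes:
            n.role = "secondary"
            n.known_primary = None
        initial_primary.role = "primary"
        self.log.append(f"assigned {initial_primary.name} as primary")

        reports = {n.name: n.report_status() for n in self.nodes}
        for name, rep in reports.items():
            self.log.append(f"{name} reports {rep.name.lower()}")

        # Best-ranked report wins. A node that was primary of the preexisting
        # cluster keeps that role, which is what stops a new node from starting
        # a second, split cluster next to the surviving one.
        best = max(reports.values(), key=lambda r: r.value)
        candidates = [n for n in self.nodes if reports[n.name] is best]
        if best is Report.PRIMARY and len(candidates) > 1:
            # Two prior primaries means two clusters are merging; the claims do
            # not say how to break the tie, so list order is used (assumption).
            self.log.append("warning: multiple nodes report prior primary status")
        # The provisional primary survives only if it is among the best
        # candidates, e.g. every node is new and there is no prior cluster.
        if any(n is initial_primary for n in candidates):
            primary = initial_primary
        else:
            primary = candidates[0]

        if primary is not initial_primary:
            initial_primary.role = "secondary"
            self.log.append(f"{initial_primary.name} demoted to secondary; "
                            f"{primary.name} designated primary")
        primary.role = "primary"

        for n in self.nodes:
            if n is not primary:
                n.known_primary = primary.name
                self.log.append(f"notified {n.name}: primary is {primary.name}")
        return primary


def claim_8_scenario() -> dict:
    """Claim 8 walk-through with constructed nodes: two members of a previous
    cluster (A was its primary) plus a new node C that the controller first
    assigns as primary. C reports ineligible and is demoted; A keeps the role."""
    a = Node("A", in_previous_cluster=True, was_primary=True)
    b = Node("B", in_previous_cluster=True)
    c = Node("C")
    ctl = Controller([a, b, c])
    primary = ctl.form_cluster(initial_primary=c)
    return {"primary": primary.name,
            "roles": {n.name: n.role for n in ctl.nodes},
            "notified": {n.name: n.known_primary for n in ctl.nodes},
            "log": ctl.log}


if __name__ == "__main__":
    for line in claim_8_scenario()["log"]:
        print(line)
```

The check a practitioner wants is the demotion step: the provisionally assigned new node C ends as a secondary that has been told A is primary, and B, the other prior member, is likewise notified rather than left to elect on its own. The all-new case (every node reports ineligible) is outside the claims; the simulation keeps the provisional primary there, on the assumption that with no preexisting cluster there is nothing to split from.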