LOAD BALANCING AMONG A CLUSTER OF FIREWALL SECURITY DEVICES

US 20160359806A1
Filed: 08/09/2016
Published: 12/08/2016
Est. Priority Date: 02/16/2011
Status: Active Grant

First Claim

Patent Images

1. A method of gracefully handling an imminent shutdown of a first active cluster unit of a plurality of cluster units of a high availability (HA) cluster of firewall security devices associated with a private Internet Protocol (IP) network, the method comprising:

configuring, by a network switching device coupled to the HA cluster, a load balancing function implemented by the network switching device based on information received from a network administrator indicative of (i) a number of bits to be used as an input to the load balancing function and (ii) corresponding contiguous or non-contiguous bit positions within a header of a packet;

maintaining, by the network switching device, a load balancing table that forms associations between hash values or emulated hash values output by the load balancing function and corresponding ports of a plurality of ports of the network switching device to which the plurality of cluster units are coupled, wherein the first active cluster unit is coupled to a first port of the plurality of ports;

responsive to receiving, by the network switching device, an indication from the first active cluster unit regarding the imminent shutdown of the first active cluster unit;

selecting, by the network switching device, a second cluster unit of the plurality of cluster units, coupled to a second port of the plurality of ports, to perform security services on traffic sessions for which the security services are currently being performed by the first active cluster unit; and

updating, by the network security device, the load balancing table by replacing a reference to the first port with a reference to the second port for those of the associations between one or more of the hash values or emulated hash values and the first port;

receiving, by the network switching device, network traffic; and

directing, by the network switching device, the network traffic to appropriate cluster units of the plurality of cluster units by;

determining a hash value or an emulated hash value by applying the load balancing function to values associated with the bit positions of the number of bits within headers of packets of the network traffic;

identifying a port of the plurality of ports to which an appropriate cluster unit of the plurality of cluster units is coupled based on the determined hash value or the determined emulated hash value and the load balancing table; and

passing the network traffic to the appropriate cluster unit via the identified port, whereby security services for network traffic associated with the traffic sessions is performed by the second cluster unit.

View all claims

0 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A method for balancing load among firewall security devices (FSDs) is provided. According to one embodiment, imminent shutdown of a first cluster unit of an HA cluster of FSDs is gracefully handled by a switching device. A load balancing (LB) table, forming associations between hash values output by the LB function and corresponding ports of the switching device to which the cluster units are coupled, is maintained. The first cluster unit is coupled to a first port. Responsive to imminent shutdown of the first cluster unit: (i) a second cluster unit, coupled to a second port, is selected to perform security services on traffic sessions handled by the first cluster unit; and (ii) the LB table is updated by replacing reference(s) to the first port with reference(s) to the second port. Security services for subsequently received network traffic associated with the traffic sessions is performed by the second cluster unit.

58 Citations

View as Search Results

20 Claims

1. A method of gracefully handling an imminent shutdown of a first active cluster unit of a plurality of cluster units of a high availability (HA) cluster of firewall security devices associated with a private Internet Protocol (IP) network, the method comprising:
- configuring, by a network switching device coupled to the HA cluster, a load balancing function implemented by the network switching device based on information received from a network administrator indicative of (i) a number of bits to be used as an input to the load balancing function and (ii) corresponding contiguous or non-contiguous bit positions within a header of a packet;
  
  maintaining, by the network switching device, a load balancing table that forms associations between hash values or emulated hash values output by the load balancing function and corresponding ports of a plurality of ports of the network switching device to which the plurality of cluster units are coupled, wherein the first active cluster unit is coupled to a first port of the plurality of ports;
  
  responsive to receiving, by the network switching device, an indication from the first active cluster unit regarding the imminent shutdown of the first active cluster unit;
  
  selecting, by the network switching device, a second cluster unit of the plurality of cluster units, coupled to a second port of the plurality of ports, to perform security services on traffic sessions for which the security services are currently being performed by the first active cluster unit; and
  
  updating, by the network security device, the load balancing table by replacing a reference to the first port with a reference to the second port for those of the associations between one or more of the hash values or emulated hash values and the first port;
  
  receiving, by the network switching device, network traffic; and
  
  directing, by the network switching device, the network traffic to appropriate cluster units of the plurality of cluster units by;
  
  determining a hash value or an emulated hash value by applying the load balancing function to values associated with the bit positions of the number of bits within headers of packets of the network traffic;
  
  identifying a port of the plurality of ports to which an appropriate cluster unit of the plurality of cluster units is coupled based on the determined hash value or the determined emulated hash value and the load balancing table; and
  
  passing the network traffic to the appropriate cluster unit via the identified port, whereby security services for network traffic associated with the traffic sessions is performed by the second cluster unit.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11)
- - 2. The method of claim 1, wherein the security services include one or more of firewalling, virtual private networking (VPN), intrusion prevention system (IPS) scanning, virus scanning, web filtering and spam filtering.
  - 3. The method of claim 1, wherein said selecting, by the network switching device, a second active cluster unit of the plurality of cluster units is based on a current traffic volume being handled by the first active cluster unit and a current traffic volume being handled by the second cluster unit.
  - 4. The method of claim 1, wherein the HA cluster is operating in an active-passive HA mode, wherein the first active cluster unit represents a primary cluster unit of the HA cluster, wherein the second cluster unit represents a subordinate cluster unit of the HA cluster.
  - 5. The method of claim 1, wherein the HA cluster is operating in an active-active HA mode, wherein the first active cluster unit represents a primary cluster unit of the HA cluster and wherein the second cluster unit represents a subordinate cluster unit of the HA cluster.
  - 6. The method of claim 1, further comprising causing, by the network switching device, session information associated with the traffic sessions to be copied from the first active cluster unit to the second cluster unit by performing targeted session synchronization between the first active cluster unit and the second cluster unit.
  - 7. The method of claim 1, wherein the load balancing function is based on a portion, but not an entirety, of an IP or media access control (MAC) destination address specified within the headers of the packets.
  - 8. The method of claim 7, wherein the load balancing function is expressed in a form substantially as follows:
    - f(x)=D_N*2^N+D_N-1*2^N-1+ . . . +D₂*2²+D₁*2¹+D₀*2⁰;
      
      where D_Nrepresents a value of a particular bit position of the IP destination address; and
      
      where N represents the number of bits minus 1.
  - 9. The method of claim 1, wherein the packets comprise IP version 4 packets and wherein the corresponding contiguous or non-contiguous bit positions are within one or more of a type of service field, a protocol field, a source port field, a destination port field, a source address field and a destination address field of the headers.
  - 10. The method of claim 1, wherein the load balancing table is implemented within a content addressable memory (CAM) and wherein said identifying a port of the plurality of ports comprises providing the determined hash value or the determined emulated hash value to the CAM as an input and receiving from the CAM responsive thereto a port number.
  - 11. The method of claim 1, wherein the load balancing table is implemented within a random access memory (RAM) and wherein said identifying a port of the plurality of ports comprises searching the load balancing table for a table entry having a hash value or an emulated hash value matching the determined hash value or the determined emulated hash value and extracting therefrom a port number.

12. A non-transitory computer-readable storage medium readable by one or more processors of a network switching device coupled to a high availability (HA) cluster of firewall security devices associated with a private Internet Protocol (IP) network, the computer-readable storage medium embodying a set of instructions executable by the one or more processors to perform a method of gracefully handling an imminent shutdown of a first active cluster unit of the plurality of cluster units, the method comprising:
- configuring a load balancing function implemented by the network switching device based on information received from a network administrator indicative of (i) a number of bits to be used as an input to the load balancing function and (ii) corresponding contiguous or non-contiguous bit positions within a header of a packet;
  
  maintaining a load balancing table that forms associations between hash values or emulated hash values output by the load balancing function and corresponding ports of a plurality of ports of the network switching device to which the plurality of cluster units are coupled, wherein the first active cluster unit is coupled to a first port of the plurality of ports;
  
  responsive to receiving an indication from the first active cluster unit regarding the imminent shutdown of the first active cluster unit;
  
  selecting a second cluster unit of the plurality of cluster units, coupled to a second port of the plurality of ports, to perform security services on traffic sessions for which the security services are currently being performed by the first active cluster unit; and
  
  updating the load balancing table by replacing a reference to the first port with a reference to the second port for those of the associations between one or more of the hash values or emulated hash values and the first port;
  
  receiving network traffic; and
  
  directing the network traffic to appropriate cluster units of the plurality of cluster units by;
  
  determining a hash value or an emulated hash value by applying the load balancing function to values associated with the bit positions of the number of bits within headers of packets of the network traffic;
  
  identifying a port of the plurality of ports to which an appropriate cluster unit of the plurality of cluster units is coupled based on the determined hash value or the determined emulated hash value and the load balancing table; and
  
  passing the network traffic to the appropriate cluster unit via the identified port, whereby security services for network traffic associated with the traffic sessions is performed by the second cluster unit.
- View Dependent Claims (13, 14, 15, 16, 17, 18, 19, 20)
- - 13. The non-transitory computer-readable storage medium of claim 12, wherein the security services include one or more of firewalling, virtual private networking (VPN), intrusion prevention system (IPS) scanning, virus scanning, web filtering and spam filtering.
  - 14. The non-transitory computer-readable storage medium of claim 12, wherein said selecting a second active cluster unit of the plurality of cluster units is based on a current traffic volume being handled by the first active cluster unit and a current traffic volume being handled by the second cluster unit.
  - 15. The non-transitory computer-readable storage medium of claim 12, wherein the HA cluster is operating in an active-passive HA mode, wherein the first active cluster unit represents a primary cluster unit of the HA cluster, wherein the second cluster unit represents a subordinate cluster unit of the HA cluster.
  - 16. The non-transitory computer-readable storage medium of claim 12, wherein the HA cluster is operating in an active-active HA mode, wherein the first active cluster unit represents a primary cluster unit of the HA cluster and wherein the second cluster unit represents a subordinate cluster unit of the HA cluster.
  - 17. The non-transitory computer-readable storage medium of claim 12, wherein the method further comprises causing session information associated with the traffic sessions to be copied from the first active cluster unit to the second cluster unit by performing targeted session synchronization between the first active cluster unit and the second cluster unit.
  - 18. The non-transitory computer-readable storage medium of claim 12, wherein the load balancing function is based on a portion, but not an entirety, of an IP or media access control (MAC) destination address specified within the headers of the packets.
  - 19. The non-transitory computer-readable storage medium of claim 18, wherein the load balancing function is expressed in a form substantially as follows:
    - f(x)=D_N*2^N+D_N-1*2^N-1+ . . . +D₂*2²+D₁*2¹+D₀*2⁰;
      
      where D_Nrepresents a value of a particular bit position of the IP destination address; and
      
      where N represents the number of bits minus 1.
  - 20. The non-transitory computer-readable storage medium of claim 12, wherein the packets comprise IP version 4 packets and wherein the corresponding contiguous or non-contiguous bit positions are within one or more of a type of service field, a protocol field, a source port field, a destination port field, a source address field and a destination address field of the headers.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Fortinet Inc.
Original Assignee
Fortinet Inc.
Inventors
Lopez, Edward, Mihelich, Joe, Hepburn, Matthew F.

Granted Patent

US 9,853,942 B2
Time in Patent Office

Days
Field of Search
US Class Current

1/1
CPC Class Codes

G06F 16/282   Hierarchical databases, e.g...

G06F 16/9017   using directory or table lo...

H04L 45/74   Address processing for routing

H04L 47/125   by balancing the load, e.g....

H04L 47/196   Integration of transport la...

H04L 47/726   Reserving resources in mult...

H04L 49/354   for supporting virtual loca...

H04L 61/5007   Internet protocol [IP] addr...

H04L 63/02   for separating internal fro...

H04L 63/0218   Distributed architectures, ...

H04L 63/0227   Filtering policies mail mes...

H04L 63/0236   Filtering by address, proto...

H04L 63/0272   Virtual private networks

H04L 63/029   Firewall traversal, e.g. tu...

H04L 63/1408   by monitoring network traff...

H04L 63/1458   Denial of Service

H04L 67/1001   for accessing one among a p...

H04L 67/1004   Server selection for load b...

H04L 67/1027   Persistence of sessions dur...

H04L 67/142   Managing session states for...

LOAD BALANCING AMONG A CLUSTER OF FIREWALL SECURITY DEVICES

First Claim

0 Assignments

0 Petitions

Accused Products

Abstract

58 Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

LOAD BALANCING AMONG A CLUSTER OF FIREWALL SECURITY DEVICES

First Claim

0 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

58 Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links