Firewall pooling in a network flowswitch
Abstract
A firewall fault-tolerant network interface system includes a switch circuit configured to detect when a firewall fails in a multi-firewall local network. When a failed firewall is detected, the switch circuit waits for a time-out period to expire to allow convergence. The switch circuit then intervenes when traffic from a server to the failed firewall is detected. The switch circuit translates the MAC address of the failed firewall to the MAC address of a functional firewall. Traffic from a server originally directed to the failed firewall is then redirected to a functional firewall. In a further refinement, the switch circuit provides the MAC address of a functional firewall in response to an ARP request from a server to the failed firewall. Thus, traffic from this server will be directed to the functional firewall without further intervention, reducing the overhead of the switch circuit. In still a further refinement, if the failed firewall recovers, the switch circuit waits for a time-out period to expire to allow convergence of external firewalls and to allow the recovered firewall to learn routes to known clients. The switch circuit then ceases all intervention for the MAC address of the now-recovered firewall.
Claims (62)
1. A method for providing firewall fault-tolerance in a network, the network including a plurality of firewalls, at least one server and at least one network flowswitch, the method comprising:
- detecting in the network flowswitch an occurrence of a failed firewall of the plurality of firewalls each having a different fixed media access control (MAC) address;
- detecting in the network flowswitch a packet from the server directed to the failed firewall after the occurrence of a failed firewall is detected;
- changing a MAC address of the packet to the fixed MAC address of a functional firewall of the plurality of firewalls when the packet is detected; and
- relaying the packet to the functional firewall after the MAC address of the packet is changed.
Dependent claims: 2-15.
16. An apparatus for providing firewall fault-tolerance in a network, the network including a plurality of firewalls, at least one server and at least one network flowswitch, the apparatus comprising:
- means for detecting an occurrence of a failed firewall in the plurality of firewalls each having a different fixed media access control (MAC) address;
- means for detecting a packet from the server directed to the failed firewall after the failed firewall is detected;
- means for changing a MAC address of the packet to the fixed MAC address of a functional firewall of the plurality of firewalls when the packet is detected; and
- means for relaying the packet to the functional firewall after the MAC address of the packet is changed.
Dependent claims: 17-22.
23. A network having firewall fault-tolerance, the network configured to be coupled to a network backbone, the network comprising:
- a switch circuit;
- a first firewall coupled to said switch circuit and the network backbone, said first firewall having a fixed media access control (MAC) address;
- a second firewall coupled to said switch circuit and the network backbone, said second firewall having a fixed MAC address different from the fixed MAC address of the first firewall; and
- a server coupled to the switch circuit,
wherein the switch circuit is configured to detect when the first firewall fails, the switch circuit being further configured to monitor packets sent by the server to the first firewall and to change in the packet the fixed MAC address of failed said first firewall to the fixed MAC address of functional said second firewall and relay the packet to the functional second firewall after changing the fixed MAC address of the first firewall to the fixed MAC address of the second firewall.
Dependent claims: 24-38.
39. A method for providing fault-tolerance in a network, the network including a plurality of firewalls each having a different fixed media access control (MAC) address, the method comprising:
- generating a request message on a first side of a first firewall in the plurality of firewalls;
- sending the request message through the first firewall to a second side of the first firewall; and
- processing an absence of a reply from the second side to the request message as a failure of the first firewall, including changing, in a detected packet, the fixed MAC address of failed said first firewall to the fixed MAC address of a functional second firewall of the plurality of firewalls, and relaying the packet to the functional second firewall after changing the MAC address in the packet.
Dependent claims: 40-45.
46. A network having fault-tolerance, the network comprising:
- a first switch circuit;
- a second switch circuit; and
- a plurality of firewalls each having a different fixed media access control (MAC) address, the plurality of firewalls being coupled to each of the first switch circuit and the second switch circuit, each firewall being coupled to the first switch circuit by a first medium that is not shared with another firewall in the plurality of firewalls and each firewall being coupled to the second switch circuit by a second medium that is not shared with another firewall in the plurality of firewalls;
wherein a switch circuit of the first and the second switch circuits responds to a first firewall of the plurality of firewalls being functional by sending a first packet that has the fixed MAC address of the first firewall and is received by said switch circuit to the first firewall, and responds to a failure of the first firewall by replacing in a second packet received by said switch circuit the fixed MAC address of the first firewall with the fixed MAC address of a functional second firewall of the plurality of firewalls and sending the second packet with the replaced MAC address to the second firewall.
Dependent claims: 47-55.
56. The method of providing fault-tolerance in a network, the network including a plurality of firewalls each having a different fixed media access control (MAC) address, the method comprising:
- detecting a failure of a first firewall in the plurality of firewalls;
- changing, in a packet, the fixed MAC address of failed said first firewall to the fixed MAC address of a functional second firewall of the plurality of firewalls in response to the failure; and
- relaying the packet to the functional second firewall after changing the MAC address in the packet.
Dependent claims: 57-62.
Specification