Timing management in a large firewall cluster
Abstract
A firewall cluster comprises three or more firewall processing nodes, which report primary node status based on the reporting node's membership in a preexisting cluster. A controller uses the reported status to assign a primary node in the distributed firewall cluster. The reported primary node status is: eligible if the node is a member of a preexisting cluster; ineligible if the node is not a member of a preexisting cluster; primary if the node is already the primary node of a preexisting cluster; and eligible again once a node has timed out waiting for a preexisting cluster.
25 Claims
1. A non-transitory computer readable medium comprising computer executable instructions stored thereon that when executed cause one or more processing units to:
initialize a firewall cluster comprising three or more firewall processing nodes, each node comprising a hardware network device operable to selectively permit or block traffic flowing between the firewall cluster and an external network;
receive a report from each node of the firewall cluster that the node is ineligible to be a primary node;
receive a report from one or more nodes of the firewall cluster that the node is eligible to be a primary node after a predetermined time period;
prevent formation of a split cluster by designating one of the eligible nodes as a primary node; and
notify the remaining nodes of the firewall cluster about the designated primary node.
Dependent claims: 2, 3.
4. A firewall system, comprising:
three or more firewall processing nodes interconnected by a network, each processing node comprising a hardware network device operable to execute rules to selectively filter traffic between the firewall processing nodes and an external network; and
a hardware controller operable to execute instructions that when executed cause the hardware controller to:
receive a report from each node of the firewall processing nodes that the node is ineligible for designation as a primary node;
receive a report from each node of the firewall processing nodes that the node is eligible for primary node designation before expiration of a predetermined time period;
prevent formation of a split firewall cluster by assigning one of the eligible nodes as a primary node before expiration of the predetermined time period;
receive a report from each remaining node of the firewall processing nodes that the node is eligible for primary node designation upon expiration of the predetermined time period; and
notify the remaining nodes of the firewall processing nodes about the assigned primary node to form a firewall cluster.
Dependent claims: 5, 6, 7.
8. A distributed firewall cluster comprising:
three or more firewall processing nodes interconnected by a network and connected to an external network, each firewall processing node comprising:
a network device operable to selectively filter traffic between the firewall processing node and the external network and to send primary node eligibility information; and
a hardware controller operable to monitor available firewall processing nodes, the hardware controller adapted to execute instructions that when executed cause the hardware controller to:
initialize a firewall cluster, the firewall cluster comprising three or more firewall processing nodes;
receive an ineligibility notification from each firewall processing node that the node is ineligible for designation as a primary node;
receive an eligibility notification from a plurality of firewall processing nodes that the node is eligible for primary node designation, the eligibility notification received after a predetermined time period;
prevent formation of a split firewall cluster by designating an eligible node as a primary node; and
notify the remaining nodes of the firewall processing nodes about the designation of the primary node to form the firewall cluster.
Dependent claims: 9, 10, 11, 12.
13. A system comprising:
three or more nodes interconnected by a network, each node comprising a computer system adapted to share processing of at least one of a firewall application and an intrusion protection application; and
a hardware controller operable to monitor nodes available to the system, the hardware controller adapted to execute instructions that when executed cause the hardware controller to:
initialize a firewall cluster, the firewall cluster comprising one or more nodes that comprise members of a previous firewall cluster and a new node;
assign the new node as a primary node;
receive a report from the assigned primary node that the assigned primary node is ineligible to be a primary node, to prevent formation of a split firewall cluster;
receive a report from each node comprising a member of the previous firewall cluster that the node that was a member of the previous firewall cluster is eligible to be a primary node;
designate one of the eligible nodes as the primary node;
designate the assigned primary node as a secondary node; and
designate any remaining nodes comprising a member of the previous firewall cluster as a secondary node and notify all secondary nodes about the primary node to form the firewall cluster.
Dependent claims: 14, 15, 16, 17, 18, 19, 20.
21. A method comprising:
monitoring, by a hardware control node, one or more nodes that comprise members of a previous firewall cluster and a new node, each node comprising a computer system adapted to share processing of at least a firewall application;
assigning, by the control node, the new node as a primary node;
receiving a report from the assigned primary node that the assigned primary node is ineligible to be a primary node;
receiving a report from one or more nodes comprising a member of the previous firewall cluster that the node is eligible to be a primary node;
designating one of the eligible nodes as the primary node;
designating the assigned primary node as a secondary node; and
designating any remaining nodes of the previous firewall cluster as a secondary node and notifying all secondary nodes about the primary node to form a new firewall cluster.
Dependent claims: 22, 23, 24, 25.
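The controller-side election that claims 1, 4, 8, 13 and 21 describe, as a worked simulation. This is an added example, not code from the patent or from any vendor's firewall product. The node ids, the report strings, the 30-second predetermined time period, the lowest-id tie-break, and the third scenario (a healed partition in which two nodes both report themselves as a previous primary, a case the claims do not spell out) are assumptions made for the illustration; the "clock" is a constructed field, not a real timer.

```python
# Added example (not code from the patent or any vendor product): a small
# simulation of the controller election the claims describe. Assumed: the
# node ids, the report strings, the 30-second timeout, the lowest-id
# tie-break rule, and the constructed seconds_since_start "clock".
from dataclasses import dataclass
from enum import Enum
from typing import Dict, List, Optional, Tuple


class Role(Enum):
    UNASSIGNED = "unassigned"
    PRIMARY = "primary"
    SECONDARY = "secondary"


@dataclass
class Node:
    node_id: str
    in_previous_cluster: bool           # member of a preexisting cluster?
    was_previous_primary: bool = False  # the primary of that cluster?
    role: Role = Role.UNASSIGNED
    seconds_since_start: float = 0.0    # constructed clock for the timeout

    def report(self, timeout: float) -> str:
        # Status sent to the controller, following the abstract: "primary"
        # if it led a preexisting cluster, "eligible" if it was any other
        # member of one, else "ineligible" until the time period expires.
        if self.was_previous_primary:
            return "primary"
        if self.in_previous_cluster or self.seconds_since_start >= timeout:
            return "eligible"
        return "ineligible"


class Controller:
    def __init__(self, nodes: List[Node], timeout: float = 30.0):
        if len(nodes) < 3:
            raise ValueError("the claims require three or more nodes")
        self.nodes: Dict[str, Node] = {n.node_id: n for n in nodes}
        self.timeout = timeout
        self.primary: Optional[str] = None
        self.notifications: List[Tuple[str, str]] = []  # (recipient, primary)

    def form_cluster(self, new_node_id: Optional[str] = None) -> Optional[str]:
        """One election round; returns the designated primary, or None when
        no node is eligible yet and the controller must wait and retry."""
        # Claims 13/21: a newly added node is provisionally made primary. It
        # reports itself ineligible (it belonged to no previous cluster), so
        # the election below replaces it with a previous-cluster member.
        if new_node_id is not None:
            self.nodes[new_node_id].role = Role.PRIMARY

        reports = {nid: n.report(self.timeout) for nid, n in self.nodes.items()}
        prev_primaries = sorted(n for n, r in reports.items() if r == "primary")
        eligible = sorted(n for n, r in reports.items() if r == "eligible")

        # Prefer a node that already was primary, then any eligible node;
        # lowest id wins ties (assumed rule). Exactly one node ends up
        # primary, which is what prevents a split cluster.
        candidates = prev_primaries or eligible
        if not candidates:
            return None
        chosen = candidates[0]
        for nid, node in self.nodes.items():
            node.role = Role.PRIMARY if nid == chosen else Role.SECONDARY
        self.primary = chosen
        self.notifications = [(nid, chosen) for nid in sorted(self.nodes) if nid != chosen]
        return chosen

    def primary_count(self) -> int:
        return sum(1 for n in self.nodes.values() if n.role is Role.PRIMARY)


def scenario_new_node_joins():
    """Claims 13/21: two members of a previous cluster plus one new node."""
    ctl = Controller([Node("fw-a", True, was_previous_primary=True),
                      Node("fw-b", True), Node("fw-c", False)])
    chosen = ctl.form_cluster(new_node_id="fw-c")
    return chosen, ctl.nodes["fw-c"].role.value, ctl.primary_count(), ctl.notifications


def scenario_cold_start(timeout: float = 30.0):
    """Claims 1/4/8: all nodes start fresh and report ineligible until the
    predetermined time period has expired."""
    nodes = [Node("fw-a", False), Node("fw-b", False), Node("fw-c", False)]
    ctl = Controller(nodes, timeout=timeout)
    first = ctl.form_cluster()          # nobody eligible yet
    for n in nodes:                     # constructed clock: period expires
        n.seconds_since_start = timeout
    return first, ctl.form_cluster(), ctl.primary_count()


def scenario_partition_heals():
    """Beyond the worded claims: two halves each kept a primary while
    partitioned; on reconnect the controller leaves exactly one."""
    ctl = Controller([Node("fw-a", True, was_previous_primary=True),
                      Node("fw-b", True, was_previous_primary=True),
                      Node("fw-c", True)])
    return ctl.form_cluster(), ctl.primary_count()
```

Running the three scenarios shows the behaviour the claims aim for: the provisionally assigned new node fw-c is demoted to secondary once a previous-cluster member reports eligibility, a cold-started cluster elects nobody until the time period expires and then exactly one node, and two surviving primaries collapse to one rather than forming a split cluster.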