Technical data

Firewall Load Balancing Guide
3 - 4 © 2012 Brocade Communications Systems, Inc. May 31, 2012
Hashing Mechanism
The ServerIrons use the path information along with the hash-mask value for each source-destination pair of IP
addresses in the user traffic to consistently send the same source-destination pairs through the same paths. For
FWLB, the hash mask must be set to all ones (255.255.255.255 255.255.255.255) to ensure that a given source-
destination pair always goes down the same path.
The ServerIron selects a firewall for forwarding a packet based on the packet’s hash value (the binary sum of the
source and destination addresses). Once the ServerIron assigns a hash value to a given source-destination pair,
the ServerIron associates that hash value with a path and always uses the same path for the source-destination
pair that has the assigned hash value.
Hashing Based on TCP/UDP Port
You can configure the ServerIron to also hash based on destination TCP or UDP ports. When the ServerIron uses
the TCP or UDP port number in addition to the source and destination IP address, traffic with the same source and
destination IP address can be load balanced across different paths, based on the destination TCP or UDP port
number.
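To make the two hashing variants concrete, the following is an added example (not code from the guide or from Brocade's implementation). It assumes a hash built from the masked source and destination addresses, as the guide describes, and assumes that the selected path is the hash taken modulo the number of configured paths and that the destination TCP/UDP port, when enabled, is simply folded into that sum; the three path names and the addresses are constructed for the example.

```python
import ipaddress
from typing import Dict, List, Optional

# Constructed example: three firewall paths between the ServerIrons.
PATHS: List[str] = ["fw1", "fw2", "fw3"]


def masked(addr: str, mask: str) -> int:
    """AND an IPv4 address with a hash mask, both in dotted notation."""
    return int(ipaddress.IPv4Address(addr)) & int(ipaddress.IPv4Address(mask))


def hash_value(src: str, dst: str,
               src_mask: str = "255.255.255.255",
               dst_mask: str = "255.255.255.255",
               dst_port: Optional[int] = None) -> int:
    """Hash of a source-destination pair.

    The guide describes the hash as the binary sum of the (masked) source and
    destination addresses. Adding the optional destination TCP/UDP port into
    that sum is this example's assumption, not a documented detail.
    """
    total = masked(src, src_mask) + masked(dst, dst_mask)
    if dst_port is not None:
        total += dst_port
    return total & 0xFFFFFFFF  # keep the value within 32 bits


def select_path(src: str, dst: str, paths: List[str] = PATHS,
                **hash_opts) -> str:
    """Map the pair's hash onto a configured path (modulo is an assumption)."""
    return paths[hash_value(src, dst, **hash_opts) % len(paths)]


def demo() -> Dict[str, object]:
    """Show the two behaviours the text describes on one constructed flow."""
    src, dst = "10.1.1.5", "192.168.2.9"
    # With an all-ones mask, a given pair always takes the same path.
    same_pair = select_path(src, dst) == select_path(src, dst)
    # With the destination port added, one pair can fan out over paths.
    by_port = {port: select_path(src, dst, dst_port=port) for port in (22, 80)}
    # A shorter mask groups hosts of one /24 onto the same hash before selection.
    grouped = (hash_value(src, dst, src_mask="255.255.255.0")
               == hash_value("10.1.1.77", dst, src_mask="255.255.255.0"))
    return {"same_pair": same_pair, "by_port": by_port, "grouped_by_mask": grouped}


if __name__ == "__main__":
    print(demo())
```

Running `demo()` shows the address-only hash pinning the pair to a single path, while the port-aware variant spreads the same pair's flows to different firewalls depending on the destination port.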
In an IronClad FWLB configuration, you need to configure paths through each of the firewalls to each of the
ServerIrons on the other side of the firewalls. You also need to configure a path to the router. You do not configure
paths between the ServerIrons in an active-standby pair. These ServerIrons are joined by a dedicated Layer 2 link.
NOTE: The ports in the dedicated link between the active and standby ServerIrons in an IronClad configuration
must be in their own port-based VLAN. Add the ports as untagged ports. For added redundancy, configure
multiple ports as a trunk group for the dedicated link.
Firewall with Fewest Sessions
FWLB on ServerIron Chassis devices is always stateful. A ServerIron performs stateful FWLB by creating and
using session entries for source and destination traffic flows and associating each flow with a specific firewall.
NOTE: FWLB on the ServerIronXL and ServerIronXL/G is stateless by default and uses the hashing mechanism.
When a ServerIron receives a packet that needs to go through a firewall, the ServerIron checks to see whether it
has an existing session entry for the packet.
If the ServerIron does not have a session entry with the packet’s source and destination addresses, the
ServerIron creates one. To create the session entry, the ServerIron selects the firewall that has the fewest
open sessions with the ServerIron and associates the source and destination addresses of the packet with
that firewall.
The ServerIron also sends the session information to the other ServerIron in the high-availability pair, so that
the other ServerIron does not need to create a new session for the same traffic flow.
If the ServerIron already has a session entry for the packet, the ServerIron forwards the traffic to the firewall in
the session entry. All packets with the same source and destination addresses are forwarded to the same
firewall. Since the ServerIrons in a high-availability pair exchange session information, the same firewall is
used regardless of which ServerIron receives the traffic to be forwarded.
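The stateful, fewest-sessions behaviour described above, written out as an added example (not the ServerIron's code). It models one ServerIron of a high-availability pair with a per-flow session table and a per-firewall count of open sessions, and replicates each new session to the partner so that either device forwards the flow to the same firewall. The tie-breaking rule (the first configured firewall wins when counts are equal), the `close()` method and the firewall names are assumptions constructed for the example.

```python
from typing import Dict, List, Optional, Tuple

Flow = Tuple[str, str]  # (source IP, destination IP)


class StatefulFwlb:
    """One ServerIron of an HA pair doing stateful firewall load balancing."""

    def __init__(self, name: str, firewalls: List[str]) -> None:
        self.name = name
        self.firewalls = list(firewalls)
        self.sessions: Dict[Flow, str] = {}          # flow -> chosen firewall
        self.open_sessions: Dict[str, int] = {fw: 0 for fw in firewalls}
        self.peer: Optional["StatefulFwlb"] = None   # HA partner

    def pair_with(self, other: "StatefulFwlb") -> None:
        """Join two ServerIrons as an HA pair (session sync goes both ways)."""
        self.peer, other.peer = other, self

    def forward(self, src: str, dst: str) -> str:
        """Return the firewall a packet for (src, dst) is forwarded to."""
        flow = (src, dst)
        fw = self.sessions.get(flow)
        if fw is None:
            # No session yet: pick the firewall with the fewest open sessions.
            # min() keeps the first configured firewall on ties (assumption).
            fw = min(self.firewalls, key=lambda f: self.open_sessions[f])
            self._install(flow, fw)
            if self.peer is not None:
                self.peer._install(flow, fw)  # sync so the partner creates none
        return fw

    def close(self, src: str, dst: str) -> None:
        """Tear down a session on this device and its partner (assumed API)."""
        self._remove((src, dst))
        if self.peer is not None:
            self.peer._remove((src, dst))

    def _install(self, flow: Flow, fw: str) -> None:
        if flow not in self.sessions:
            self.sessions[flow] = fw
            self.open_sessions[fw] += 1

    def _remove(self, flow: Flow) -> None:
        fw = self.sessions.pop(flow, None)
        if fw is not None:
            self.open_sessions[fw] -= 1


def demo() -> Dict[str, object]:
    """Walk two constructed flows through an HA pair with two firewalls."""
    si_a = StatefulFwlb("SI-A", ["fw1", "fw2"])
    si_b = StatefulFwlb("SI-B", ["fw1", "fw2"])
    si_a.pair_with(si_b)

    first = si_a.forward("10.1.1.5", "192.168.2.9")    # new flow -> fw1 (0 vs 0)
    second = si_a.forward("10.1.1.6", "192.168.2.9")   # new flow -> fw2 (1 vs 0)
    repeat = si_a.forward("10.1.1.5", "192.168.2.9")   # existing session -> fw1
    via_peer = si_b.forward("10.1.1.5", "192.168.2.9") # synced session -> fw1
    return {
        "first": first, "second": second, "repeat": repeat, "via_peer": via_peer,
        "peer_counts": dict(si_b.open_sessions),
    }


if __name__ == "__main__":
    print(demo())
```

The point the example makes is the last line of `demo()`: the partner never had to choose a firewall for the first flow, yet its session table and counters match, which is what lets either ServerIron receive the return traffic and still hand it to the same firewall.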
Health Checks
The ServerIron regularly checks the health of the firewall and router paths, and of the applications on the firewalls,
if you add applications to the firewall configurations.
Active ServerIrons on each side of a firewall exchange health information for the links in each path by sending
IP pings to each other through the firewalls. When an active ServerIron receives a reply to a ping it sent to the
active ServerIron on the other side of a firewall, it concludes that its partner on the other side of that firewall is
operating normally.