Technical data

Firewall Load Balancing Guide
3 - 6 © 2012 Brocade Communications Systems, Inc. May 31, 2012
TCP or UDP health check to the firewall.
Layer 4 health checks are enabled by default. However, you can disable the Layer 4 health checks globally or for
individual applications on individual firewalls.
The ServerIron performs the Layer 4 TCP and UDP health checks as follows:
• TCP health check – The ServerIron checks the TCP port’s health based on a TCP three-way handshake:
    - The ServerIron sends a TCP SYN packet to the port on the firewall.
    - The ServerIron expects the firewall to respond with a SYN ACK.
    - If the ServerIron receives the SYN ACK, the ServerIron sends a TCP RESET, satisfied that the TCP port
      is alive.
• UDP health check – The ServerIron sends a UDP packet with garbage (meaningless) data to the UDP port:
    - If the firewall responds with an ICMP “Port Unreachable” message, the ServerIron concludes that the
      port is not alive.
    - If the server does not respond at all, the ServerIron assumes that the port is alive and received the
      garbage data. Since UDP is a connectionless protocol, the ServerIron and other clients do not expect
      replies to data sent to a UDP port. Thus, lack of a response indicates a healthy port.
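
The two checks described above, as an added Python example that is not part of the Brocade guide or the ServerIron software. It assumes Linux and IPv4; the function names (tcp_check, udp_check, closed_port, demo) are hypothetical, and because connect() runs in user space the TCP check completes the handshake before sending the reset, rather than resetting straight after the SYN ACK.

```python
import socket
import struct

def tcp_check(host, port, timeout=1.0):
    """Return True if the TCP port answers the handshake (SYN -> SYN ACK)."""
    try:
        s = socket.create_connection((host, port), timeout=timeout)
    except OSError:
        return False  # RST, timeout or unreachable: port is not alive
    # Zero-timeout SO_LINGER makes close() send a RST instead of a FIN,
    # like the reset the ServerIron sends once it has seen the SYN ACK.
    s.setsockopt(socket.SOL_SOCKET, socket.SO_LINGER, struct.pack("ii", 1, 0))
    s.close()
    return True

def udp_check(host, port, timeout=1.0):
    """Return False only on ICMP Port Unreachable; silence counts as alive."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.connect((host, port))  # connected socket: kernel reports ICMP errors
        try:
            s.send(b"\x00" * 16)  # meaningless payload
            s.recv(1024)
        except ConnectionRefusedError:
            return False  # ICMP Port Unreachable came back (Linux behaviour)
        except socket.timeout:
            return True  # no reply: assumed alive, even if the probe was dropped
        return True  # any reply also shows the port is alive

def closed_port(kind):
    """Bind an ephemeral loopback port, release it, and return its number."""
    with socket.socket(socket.AF_INET, kind) as s:
        s.bind(("127.0.0.1", 0))
        return s.getsockname()[1]

def demo():
    """Run both checks against constructed loopback targets."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as tcp, \
         socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as udp:
        tcp.bind(("127.0.0.1", 0)); tcp.listen(1)
        udp.bind(("127.0.0.1", 0))  # bound but never replies
        return {
            "tcp_open": tcp_check("127.0.0.1", tcp.getsockname()[1]),
            "tcp_closed": tcp_check("127.0.0.1", closed_port(socket.SOCK_STREAM)),
            "udp_open": udp_check("127.0.0.1", udp.getsockname()[1], 0.5),
            "udp_closed": udp_check("127.0.0.1", closed_port(socket.SOCK_DGRAM), 0.5),
        }

if __name__ == "__main__":
    print(demo())
```

Because the UDP check treats silence as success, a path that drops the probe or filters the ICMP reply is also reported as alive; only an explicit Port Unreachable marks the port down.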
NOTE: To configure a Layer 4 or Layer 7 application health check, use the procedures in the "Configuring Health
Checks" section of the "Configuring Port and Health Check Parameters" chapter in the Foundry ServerIron
Installation and Configuration Guide. The command syntax and behavior of Layer 4 and Layer 7 health checks are
the same regardless of whether you are configuring them for SLB, TCS, or FWLB.
Basic FWLB Topology
You can configure basic FWLB by deploying one ServerIron on the enterprise side of the firewalls and another
ServerIron on the Internet side of the firewalls.
A basic FWLB topology uses two ServerIrons to load balance traffic across Layer 3 firewalls. The firewalls can be
synchronous or asynchronous.
In the basic configuration, one ServerIron connects to all the firewalls on the private network side. The other
ServerIron connects to all the firewalls on the Internet side. The ServerIrons balance firewall traffic flows across
the firewalls.
Figure 3.2 shows an example of a basic FWLB topology.