Technical data

ServerIron FWLB Overview
May 31, 2012 © 2012 Brocade Communications Systems, Inc. 3 - 9
active-standby partner, failover to the standby ServerIron occurs. At this point, the standby ServerIron remains
active only so long as the number of good paths meets or exceeds the minimums you have configured.
Only if the number of paths is less than the configured minimum and less than the number of available paths on
the other ServerIron does failover occur. If the number of paths remains equal on each ServerIron, even if some
paths are unavailable on each ServerIron, failover does not occur.
You configure the minimums for firewall paths and router paths separately. The default tolerances are equal to the
number of paths of each type you configure. For example, if a ServerIron has four paths through firewalls, the
default minimum number of firewall paths required is also four.
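The failover rule above, replayed over a constructed series of path-health updates for one path type, as an added example (not Brocade code and not ServerIron CLI). The names PathState, should_fail_over and replay are hypothetical, and the model assumes the newly active unit applies the same rule after a failover; run it once per path type, since firewall and router minimums are configured separately.

```python
from dataclasses import dataclass
from typing import Optional


@dataclass
class PathState:
    """Paths of one type (firewall or router) as seen by one ServerIron."""
    configured: int                 # paths of this type configured on the unit
    good: int                       # paths currently passing health checks
    minimum: Optional[int] = None   # configured minimum; None means default

    def effective_minimum(self) -> int:
        # Default tolerance equals the number of configured paths of this type.
        return self.configured if self.minimum is None else self.minimum


def should_fail_over(active: PathState, partner: PathState) -> bool:
    """Both conditions must hold: below the minimum AND fewer than the partner."""
    below_minimum = active.good < active.effective_minimum()
    fewer_than_partner = active.good < partner.good
    return below_minimum and fewer_than_partner


def replay(events, a: PathState, b: PathState, active: str = "A"):
    """Apply (unit, good_paths) updates in order; return the active unit after each."""
    units = {"A": a, "B": b}
    history = []
    for unit, good in events:
        units[unit].good = good
        standby = "B" if active == "A" else "A"
        # Assumption: whichever unit is active evaluates the same rule.
        if should_fail_over(units[active], units[standby]):
            active = standby
        history.append(active)
    return history


# Constructed sample: good firewall-path counts reported over time.
EVENTS = [("A", 3), ("B", 3), ("A", 2), ("A", 4), ("B", 1)]

if __name__ == "__main__":
    # Four configured paths each, default minimum (4): one lost path triggers failover.
    print(replay(EVENTS, PathState(4, 4), PathState(4, 4)))
    # Minimum lowered to 2: the same losses are tolerated.
    print(replay(EVENTS, PathState(4, 4, 2), PathState(4, 4, 2)))
```

With the default minimum, the second update leaves both units at three good paths, so no further failover happens even though each is below its minimum.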
Router Paths
IronClad FWLB configurations require paths to the routers in addition to paths to the firewalls. The router paths are
required so the ServerIrons can ping the router links to assess their health.
In IronClad FWLB configurations, the standby ServerIrons block Layer 3 OSPF, IGRP, and RIP traffic on the
standby paths. This means that the ServerIrons block traffic between routers on different sides of the firewalls if
the traffic uses the standby paths. After a failover to a standby ServerIron, the traffic pattern changes. The active
ServerIrons allow Layer 3 traffic between routers to pass through the firewalls on the active paths, while blocking
the Layer 3 traffic on the standby paths.
NOTE: If you have configured a default route between the routers, the route will work only when the ServerIron
through which the route passes is active. If the ServerIron is in standby mode, the route is blocked.
Multizone FWLB Topology
Figure 3.4 shows an example of Multizone Basic FWLB.
Figure 3.4 Multizone Basic FWLB (diagram not reproduced; labels: Zone 1, Zone 2, Zone 3, SI-A, SI-C, Layer 3 Firewall-1, Layer 3 Firewall-2, External Router, Internal Router, DMZ Router)