> Date: Mon, 16 Jun 1997 09:45:40 +1000
> From: Aaron Everingham <aaron @
> Subject: Re: high availability
> At 12:13 PM 6/13/97 -0400, you wrote:
> >I'm curious to find out which vendors offer highly available firewall
> solutions. I've seen vendors such as Checkpoint and TIS who
> have third party integration (is that the right word?) of high available
> components for their product, but the question is, who else offers this?
> That is, who offers it as a part of the FW product, not as a third party
< Information on products snipped >
> Basically, an HA solution requires the use of two or more servers with a
> sharded HDD volume of file system. The HA software monitors and controllers
> the two systems. In the event of a HARDWARE failure, the HA software shifts
> all the system configs to the second server, things like IP addresses etc
> so that the failover system is the same as the primary server.
> As far as I can tell, the HA architecture allows you to run ANY application
> on top as long as the config info can be shared on the shared HDD array.
> IE, if a failover occurs, the application (firewall for example) is up nd
> running or is launched and takes on the config data of the same application
> that lives on the primary server.
This is correct. The general implementation of a Highly Available pair
- two systems of identical model, running identical software
- A shared, dual ported disk drive that is connected to both systems
- a private network connection between the two systems,
- public network connections.
One machine at any time operates as the primary. It services requests
the network for some service. The primary and the other machine
(secondary), constantly ping each other on the private net to make sure
that all is well. If the secondary misses a few expected pings from the
primary, it pings on the public net. If there is still no response, it
begins the process of assuming the role of the primary. This includes
advertising the primary's IP address, assigning the pirmary's MAC
addresses to it's network cards, assuming control of the dual-ported
disks, and starting any services described in it's configuration files.
> I can find no firewall application that specifically supports fail over in
> and of itself. I think the idea is that fail over or HA is a hardware issue.
> Until this becomes a common solution, integration is the right word! :-)
> >Is the high availability component written for the OS and the firewall s/w
> just takes advantage of it? Or, do the two components (FW and HA) have to
> be integrated together?
> YEah, I think so. I do not believe that the two have to be written for each
> other specifically. The HA issue is a hardware and OS issue. As long as
> your app runs on the system, it should be ale to fail over. Of course, you
> may have to boot the app to pick up the config info which may takes some
> time. Other apps that can be run hot and pick up the config being used by
> the primary server, may not need to boot at all and the fail over time
> might be on the order of seconds or less.
> >If someone could expound on the other issues involved with HA-firewalls
> that I'm missing, that would be appreciated.
> Ahhhh... an invitation to wax lyrical (I'll resist on this list but...)
> 1. Both HP and Sun's solutions monitor the hardware. Ok, fine but what
> about a problem developing with the application? They both have a
> developers kit that, as I understand it, you can use to receive errors
> messages from the application and initiate the fail over function.
This is often provided. My company (Veritas Software) prvides hooks to
allow programs that detect application failure to be integrated into the
failover service. This facility allows almost any application to be
monitored and failed over.
There are a number of other aspects of a good HA solution related to the
action to take when an application failure occurs, escalation of
We also provide the third party integration for Checkpoint's HA
functionality. If you have more HA questions, please feel free to ask
Veritas Software, Inc.