26

Cluster heartbeats

A firewall detects that its peer is no longer operational when it can no longer hear "cluster

heartbeats" from its peer.

Currently, a firewall will send five cluster heartbeats per second.

When a firewall has "missed" three heartbeats, i.e. after 0.6 seconds, it will be declared

inoperative.

Cluster heartbeats have the following characteristics:

•

The source IP is the interface address of the sending firewall

•

The destination IP is the shared IP address

•

The IP TTL is always 255. If a firewall receives a cluster heartbeat with any other

TTL, it is assumed that the packet has traversed a router, and hence cannot be

trusted at all.

•

It is an UDP packet, sent from port 999, to port 999.

•

The destination MAC address is the ethernet multicast address corresponding to

the shared hardware address, i.e. 11-00-00-C1-4A-nn. Link-level multicasts were

chosen over normal unicast packets for security reasons: using unicast packets

would have meant that a local attacker could fool switches to route the

heartbeats somewhere else, causing the peer firewall to never hear the

heartbeats.

The synchronization interface

Both firewalls are connected to each other by a separate synchronization connection; the

fourth port is dedicated solely for this purpose when the firewalls are configured as HA.

The active firewall continuously sends state update messages to its peer, informing it of

connections that are opened, connections that are closed, state and lifetime changes in

connections, etc. The configuration is also transferred between the nodes using the

synchronization connection.

When the active firewall ceases to function, for whatever reason and for even a short time,

the cluster heartbeat mechanism described above will cause the inactive firewall to go active.

Since it already knows about all open connections, communication can continue to flow

uninterrupted.

Setting up a High Availability cluster

First of all, the two DFL-1100 needs to be setup so far that you can manage them over the

web interface. In this example the two units are configured as follow, the master DFL-1100

will be configured with 192.168.1.2 on its internal interface, and the slave DFL-1100 with

192.168.1.3. Later when the setup of the HA is done, the virtual or shared IP will be

192.168.1.1 on the LAN, this is the IP that clients on that network will use as gateway.

When both units are configured with the two individual IP’s they should be connected with

a crossover cable between the fourth interfaces on each unit, this interface (ETH4) will no

longer be possible to use as an extra DMZ or LAN interface when running HA.

Login to the master firewall and click on

System

in the menu bar, and then click

HA

below

it; in this screen you will click on

Configure additional HA parameters

. This will show the

screen below; here you will fill in each Units own IP and the shared IP on each interface.

This

Unit

means the master firewall, the one you should be configuring at the moment.

Other Unit

is the slave firewall, the other DFL-1100.

You also need to configure the Cluster ID of the cluster, this have to be a number between

0 and 63, which must be the same on both firewalls in the cluster. This must be unique

on

your LAN if you are running more then one cluster.

When this is done you should click on

Apply

.

28

Now login to the slave firewall and click on

System

in the menu bar, and then click

HA

below it; in this screen you will click on

Receive configuration from first unit

. This will show

the screen below; here you will fill in the cluster id configured on the first unit. When you click

Apply

the unit should transfer the configuration from the first unit and you HA cluster should

be operating.

Interface Monitoring

When HA is configured it’s possible to configure something called Interface Monitoring,

this is used to monitor up to 6 IP addresses on each segment (LAN/WAN or DMZ) of the DFL-

1100 cluster. If 50% of the listed addresses are unreachable for several seconds the active

node will failover and the other unit will become active.

Logging

Click on

System

in the menu bar, and then click

Logging

below it.

Logging, the ability to audit decisions made by the firewall, is a vital part in all network

security products. The D-Link DFL-1100 provides several options for logging its activity. The

D-Link DFL-1100 logs its activities by sending the log data to one or two log receivers in the

network.

All logging is done to Syslog recipients. The log format used for syslog logging is suitable

for automated processing and searching.

The D-Link DFL-1100 specifies a number of events that can be logged. Some of those

events, for instance, startup and shutdown events, are mandatory, and will always generate

log entries. Others, for instance to log if when allowed connections are opened and closed, is

configurable. It’s also possible to have E-mail alerting for IDS/IDP events to up to three email

addresses.

30

Enable Logging

Follow these steps to enable logging.

Step 1.

Enable syslog by checking the

Syslog

box.

Step 2.

Fill in your first syslog server as

Syslog server 1,

if you have two syslog servers

you have to fill in the second one as

Syslog server 2

.

You must fill in at least one syslog

server for logging to work.

Step 3.

Specify what facility to use by selecting the appropriate syslog facility. Local0 is

the default facility.

Click the

Apply

button below to apply the setting or click Cancel to discard changes.

Enable Audit Logging

To start auditing all traffic trough the firewall, follow the sets below and the firewall will start

logging all traffic trough the firewall, this is needed for running third party log analyzers on the

logs and to see how much traffic different connections use.

Follow these steps to enable auditing.

Step 1.

Enable syslog by checking the

Enable audit logging

box.

Click the

Apply

button below to apply the setting or click Cancel to discard changes.

Enable E-mail alerting for ISD/IDP events

Follow these steps to enable E-mail alerting.

Step 1.

Enable E-mail alerting by checking the

Enable E-mail alerting for IDS/IDP

events

checkbox.

Step 2.

Choose the sensitivity level. A higher sensitivity means that mails are sent more

often than on a lower level.

Step 3.

In the

SMPT Server

field, fill in the SMTP server to which the DFL-1100 should

send email.

Step 4.

Specify up to three valid email addresses to receive the email alerts.

Click the

Apply

button below to apply the setting or click Cancel to discard changes.