Cluster heartbeats
A firewall detects that its peer is no longer operational when it can no longer hear "cluster
heartbeats" from its peer.
Currently, a firewall will send five cluster heartbeats per second.
When a firewall has "missed" three heartbeats, i.e. after 0.6 seconds, it will be declared
inoperative.
Cluster heartbeats have the following characteristics:
• The source IP is the interface address of the sending firewall.
• The destination IP is the shared IP address.
• The IP TTL is always 255. If a firewall receives a cluster heartbeat with any other TTL, it is assumed that the packet has traversed a router, and hence cannot be trusted at all.
• It is a UDP packet, sent from port 999 to port 999.
• The destination MAC address is the ethernet multicast address corresponding to the shared hardware address, i.e. 11-00-00-C1-4A-nn. Link-level multicasts were chosen over normal unicast packets for security reasons: using unicast packets would have meant that a local attacker could fool switches into forwarding the heartbeats somewhere else, so that the peer firewall never hears them.
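The checks implied by the list above can be made concrete. The following is an added example, not code from the original document or from the firewall product it describes: it parses the Ethernet II, IPv4 and UDP headers of a received frame and reports every characteristic a heartbeat fails to meet. The addresses, the cluster byte "nn" in the multicast MAC and the UDP payload are constructed placeholders; the page does not describe the heartbeat payload format, so nothing is assumed about it.

```python
# Added example, not part of the original document: parse the Ethernet/IPv4/UDP
# headers of a received frame and apply the trust checks the heartbeat
# characteristics imply. Addresses, the cluster byte "nn" and the UDP
# payload are constructed placeholders; the real heartbeat payload format is
# not described on the page.
import struct
from dataclasses import dataclass
from ipaddress import IPv4Address

HEARTBEAT_PORT = 999
HEARTBEAT_TTL = 255
ETHERTYPE_IPV4 = 0x0800
IPPROTO_UDP = 17
SHARED_MAC_PREFIX = bytes.fromhex("110000C14A")   # 11-00-00-C1-4A-nn (nn varies)

# Constructed values a receiving firewall would take from its HA configuration.
SHARED_IP = "192.0.2.1"
PEER_IP = "192.0.2.2"
EXPECTED_MAC = SHARED_MAC_PREFIX + bytes([0x01])  # nn = 0x01, assumed


@dataclass(frozen=True)
class Heartbeat:
    dst_mac: bytes
    src_ip: str
    dst_ip: str
    ttl: int
    proto: int
    src_port: int
    dst_port: int


def parse_frame(frame: bytes) -> Heartbeat:
    """Extract the fields the trust checks need from an Ethernet II frame."""
    dst_mac, _src_mac, ethertype = struct.unpack_from("!6s6sH", frame, 0)
    if ethertype != ETHERTYPE_IPV4:
        raise ValueError(f"not an IPv4 frame (ethertype {ethertype:#06x})")
    ip = 14                                   # IPv4 header starts after Ethernet II
    ver_ihl, ttl, proto = frame[ip], frame[ip + 8], frame[ip + 9]
    if ver_ihl >> 4 != 4:
        raise ValueError("IP version is not 4")
    ihl = (ver_ihl & 0x0F) * 4                # header length honours IP options
    src_ip = str(IPv4Address(frame[ip + 12:ip + 16]))
    dst_ip = str(IPv4Address(frame[ip + 16:ip + 20]))
    src_port, dst_port = struct.unpack_from("!HH", frame, ip + ihl)
    return Heartbeat(dst_mac, src_ip, dst_ip, ttl, proto, src_port, dst_port)


def heartbeat_problems(hb: Heartbeat) -> list:
    """Return every reason the frame must not be accepted as a heartbeat.
    An empty list means it satisfies all the listed characteristics."""
    problems = []
    if hb.proto != IPPROTO_UDP:
        problems.append(f"IP protocol {hb.proto} is not UDP")
    if (hb.src_port, hb.dst_port) != (HEARTBEAT_PORT, HEARTBEAT_PORT):
        problems.append(f"ports {hb.src_port}->{hb.dst_port}, expected 999->999")
    if hb.ttl != HEARTBEAT_TTL:
        # A router decrements the TTL, so anything but 255 did not arrive
        # directly from the peer on the local segment and is not trusted.
        problems.append(f"TTL {hb.ttl} != 255: packet traversed a router")
    if hb.src_ip != PEER_IP:
        problems.append(f"source {hb.src_ip} is not the peer interface address")
    if hb.dst_ip != SHARED_IP:
        problems.append(f"destination {hb.dst_ip} is not the shared IP address")
    if hb.dst_mac != EXPECTED_MAC:
        problems.append("destination MAC is not the 11-00-00-C1-4A-nn multicast address")
    return problems


def is_trusted_heartbeat(frame: bytes) -> bool:
    return not heartbeat_problems(parse_frame(frame))


def build_frame(dst_mac: bytes, src_ip: str, dst_ip: str, ttl: int,
                src_port: int = 999, dst_port: int = 999, proto: int = IPPROTO_UDP) -> bytes:
    """Construct a test frame (sender MAC zeroed, checksums left at 0)."""
    payload = b"HB"                           # constructed placeholder payload
    udp = struct.pack("!HHHH", src_port, dst_port, 8 + len(payload), 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 0, 0, ttl, proto, 0,
                     IPv4Address(src_ip).packed, IPv4Address(dst_ip).packed)
    return dst_mac + bytes(6) + struct.pack("!H", ETHERTYPE_IPV4) + ip + udp


def demo() -> dict:
    """Constructed frames: a valid heartbeat, one that crossed a router (TTL 254)
    and one sent as a unicast frame instead of to the multicast address."""
    frames = {
        "good": build_frame(EXPECTED_MAC, PEER_IP, SHARED_IP, ttl=255),
        "routed": build_frame(EXPECTED_MAC, PEER_IP, SHARED_IP, ttl=254),
        "unicast": build_frame(bytes.fromhex("001122334455"), PEER_IP, SHARED_IP, ttl=255),
    }
    return {name: heartbeat_problems(parse_frame(f)) for name, f in frames.items()}


if __name__ == "__main__":
    for name, problems in demo().items():
        print(name, "accepted" if not problems else problems)
```

The TTL test is the one that carries the most weight: because every router on a path decrements the TTL, a value of 255 on arrival is only possible for a packet that originated on the local segment, which is exactly the property the page relies on to reject heartbeats relayed from elsewhere.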
The synchronization interface
Both firewalls are connected to each other by a separate synchronization connection; the
fourth port is dedicated solely for this purpose when the firewalls are configured as HA.
The active firewall continuously sends state update messages to its peer, informing it of
connections that are opened, connections that are closed, state and lifetime changes in
connections, etc. The configuration is also transferred between the nodes using the
synchronization connection.
When the active firewall ceases to function, for whatever reason and for even a short time,
the cluster heartbeat mechanism described above will cause the inactive firewall to go active.
Since it already knows about all open connections, communication can continue to flow
uninterrupted.
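The interplay between the sync link and the heartbeat timer is easiest to see in a small simulation. The following is an added example, not code from the original document or the product it describes: a standby node receives the configuration and a stream of connection state updates over the sync connection, counts heartbeats at the stated rate of five per second, and declares the peer inoperative and goes active once three heartbeats (0.6 seconds) have been missed, with the connection table it has already accumulated. The message format, connection keys and the timeline are constructed for the example.

```python
# Added example, not part of the original document: a simulated HA pair in
# which the active node streams state updates over the sync link and the
# standby takes over, connection table intact, once three heartbeats (0.6 s)
# have been missed. Message layout, timings and connection keys are constructed.
HEARTBEAT_INTERVAL_MS = 200                              # five heartbeats per second
MISSED_LIMIT = 3                                         # declared inoperative after three missed
DEAD_AFTER_MS = HEARTBEAT_INTERVAL_MS * MISSED_LIMIT     # 600 ms


class StandbyNode:
    """Receives sync traffic and heartbeats; becomes active when the peer dies."""

    def __init__(self):
        self.connections = {}          # connection key -> {"state": ..., "lifetime": ...}
        self.config = None
        self.last_heartbeat_ms = None
        self.active = False

    def on_config(self, config: dict):
        # The configuration is also carried over the synchronization connection.
        self.config = dict(config)

    def on_state_update(self, msg: dict):
        # Constructed message shape: {"op": "open"|"close"|"update", "conn": key, ...}
        key, op = msg["conn"], msg["op"]
        if op == "open":
            self.connections[key] = {"state": msg["state"], "lifetime": msg["lifetime"]}
        elif op == "close":
            self.connections.pop(key, None)
        elif op == "update":
            if key in self.connections:
                for field in ("state", "lifetime"):
                    if field in msg:
                        self.connections[key][field] = msg[field]
        else:
            raise ValueError(f"unknown state update op {op!r}")

    def on_heartbeat(self, now_ms: int):
        self.last_heartbeat_ms = now_ms

    def tick(self, now_ms: int):
        """Failure detector: go active once DEAD_AFTER_MS pass without a heartbeat.
        Returns the takeover time on the tick that triggers it, otherwise None."""
        if (not self.active and self.last_heartbeat_ms is not None
                and now_ms - self.last_heartbeat_ms >= DEAD_AFTER_MS):
            self.active = True
            return now_ms
        return None


def simulate() -> dict:
    """Replay a constructed timeline: the active node sends heartbeats every
    200 ms and a few state updates, then fails just after t=1000 ms."""
    standby = StandbyNode()
    standby.on_config({"shared_ip": "192.0.2.1"})               # constructed
    conn_a = ("tcp", "198.51.100.7", 40001, "203.0.113.10", 443)  # constructed keys
    conn_b = ("udp", "198.51.100.8", 53000, "203.0.113.53", 53)
    events = [  # (time_ms, kind, payload) as emitted by the active node
        (100, "state", {"op": "open", "conn": conn_a, "state": "SYN_SENT", "lifetime": 120}),
        (300, "state", {"op": "open", "conn": conn_b, "state": "OPEN", "lifetime": 60}),
        (500, "state", {"op": "close", "conn": conn_a}),
        (700, "state", {"op": "update", "conn": conn_b, "lifetime": 300}),
    ]
    events += [(t, "heartbeat", None) for t in range(0, 1001, HEARTBEAT_INTERVAL_MS)]
    takeover_ms = None
    for now_ms in range(0, 2001, 100):       # the standby's local timer, 100 ms resolution
        for t, kind, payload in events:
            if t != now_ms:
                continue
            if kind == "heartbeat":
                standby.on_heartbeat(now_ms)
            else:
                standby.on_state_update(payload)
        took = standby.tick(now_ms)
        if took is not None and takeover_ms is None:
            takeover_ms = took
    return {"takeover_ms": takeover_ms,
            "connections": dict(standby.connections),
            "config": standby.config}


if __name__ == "__main__":
    result = simulate()
    print(f"standby went active at t={result['takeover_ms']} ms "
          f"holding {len(result['connections'])} connection(s)")
```

With the last heartbeat heard at t=1000 ms, the expected heartbeats at 1200, 1400 and 1600 ms are the three that go missing, so the standby goes active at t=1600 ms, 0.6 seconds after the peer fell silent, and at that moment it already holds the one connection still open, so traffic on it can continue without a reconnect.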