Page 26 / 139
Cluster heartbeats
A firewall detects that its peer is no longer operational when it can no longer hear "cluster
heartbeats" from its peer.
Currently, a firewall will send five cluster heartbeats per second.
When a firewall has "missed" three heartbeats, i.e. after 0.6 seconds, it will be declared
inoperative.
Cluster heartbeats have the following characteristics:
- The source IP is the interface address of the sending firewall.
- The destination IP is the shared IP address.
- The IP TTL is always 255. If a firewall receives a cluster heartbeat with any other TTL, it is assumed that the packet has traversed a router, and hence cannot be trusted at all.
- It is a UDP packet, sent from port 999 to port 999.
- The destination MAC address is the Ethernet multicast address corresponding to the shared hardware address, i.e. 11-00-00-C1-4A-nn. Link-level multicasts were chosen over normal unicast packets for security reasons: using unicast packets would have meant that a local attacker could fool switches into routing the heartbeats somewhere else, causing the peer firewall to never hear the heartbeats.
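The heartbeat rules above, as an added example that is not D-Link's code: a checker that accepts a heartbeat only if it matches every characteristic listed (UDP 999 to 999, TTL 255, peer source address, shared destination IP, shared multicast MAC) and a monitor that declares the peer inoperative once three beats have been missed at five per second (0.6 s). The packet fields are plain dictionaries constructed here, and the shared MAC "11-00-00-C1-4A-01" is a placeholder for the cluster-specific nn octet.

```python
"""Added example, not D-Link code: checks cluster-heartbeat packets against
the rules given on this page and tracks peer liveness (five heartbeats per
second; peer declared inoperative after three missed, i.e. 0.6 s).
Packets are plain dicts constructed here; a real implementation would
decode raw Ethernet/IP/UDP frames into these fields."""
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

HEARTBEAT_PORT = 999
HEARTBEATS_PER_SECOND = 5
MISSED_BEFORE_INOPERATIVE = 3
DEAD_AFTER_SECONDS = MISSED_BEFORE_INOPERATIVE / HEARTBEATS_PER_SECOND  # 0.6 s


def validate_heartbeat(pkt: dict, peer_ip: str, shared_ip: str,
                       shared_mac: str) -> Optional[str]:
    """Return None if pkt is an acceptable heartbeat from the peer,
    otherwise a short reason why it must be ignored."""
    if pkt.get("proto") != "udp":
        return "not UDP"
    if pkt.get("sport") != HEARTBEAT_PORT or pkt.get("dport") != HEARTBEAT_PORT:
        return "UDP ports are not 999/999"
    if pkt.get("ttl") != 255:
        # Any other TTL means a router forwarded it; it cannot be trusted.
        return "TTL is not 255"
    if pkt.get("src_ip") != peer_ip:
        return "source is not the peer's interface address"
    if pkt.get("dst_ip") != shared_ip:
        return "destination is not the shared IP"
    if str(pkt.get("dst_mac", "")).upper() != shared_mac.upper():
        return "destination MAC is not the shared multicast address"
    return None


@dataclass
class PeerMonitor:
    """Tracks when the last valid heartbeat from the peer was heard."""
    peer_ip: str
    shared_ip: str
    shared_mac: str
    last_seen: Optional[float] = None
    rejected: List[Tuple[float, str]] = field(default_factory=list)

    def observe(self, pkt: dict, now: float) -> bool:
        reason = validate_heartbeat(pkt, self.peer_ip, self.shared_ip,
                                    self.shared_mac)
        if reason is None:
            self.last_seen = now
            return True
        self.rejected.append((now, reason))   # worth logging: spoof or misconfig
        return False

    def peer_operational(self, now: float) -> bool:
        """False once three consecutive heartbeats (0.6 s) have been missed."""
        if self.last_seen is None:
            return False
        return now - self.last_seen < DEAD_AFTER_SECONDS


# Constructed sample values; the "nn" octet of the shared MAC is cluster
# specific on the real device and 01 is only a placeholder here.
PEER_IP, SHARED_IP, SHARED_MAC = "192.168.1.3", "192.168.1.1", "11-00-00-C1-4A-01"


def good_heartbeat() -> dict:
    return {"proto": "udp", "sport": 999, "dport": 999, "ttl": 255,
            "src_ip": PEER_IP, "dst_ip": SHARED_IP, "dst_mac": SHARED_MAC}


def run_demo() -> dict:
    """Feed a short timeline of packets and report liveness decisions."""
    mon = PeerMonitor(PEER_IP, SHARED_IP, SHARED_MAC)
    for t in (0.0, 0.2, 0.4):                  # three valid beats, 200 ms apart
        mon.observe(good_heartbeat(), t)
    routed = dict(good_heartbeat(), ttl=254)   # arrived via a router: ignored
    mon.observe(routed, 0.6)
    return {
        "rejected": [r for _, r in mon.rejected],
        "alive_at_0_9": mon.peer_operational(0.9),   # 0.5 s since last valid beat
        "alive_at_1_1": mon.peer_operational(1.1),   # 0.7 s: peer declared inoperative
    }


if __name__ == "__main__":
    print(run_demo())
```

Rejected heartbeats are kept with their reason rather than silently dropped; on a real cluster a steady stream of TTL or MAC rejections is the signal that something between the two units is forwarding or rewriting traffic, which is exactly the condition the TTL-255 and multicast rules exist to expose.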
The synchronization interface
Both firewalls are connected to each other by a separate synchronization connection; the
fourth port is dedicated solely for this purpose when the firewalls are configured as HA.
The active firewall continuously sends state update messages to its peer, informing it of
connections that are opened, connections that are closed, state and lifetime changes in
connections, etc. The configuration is also transferred between the nodes using the
synchronization connection.
When the active firewall ceases to function, for whatever reason and for even a short time,
the cluster heartbeat mechanism described above will cause the inactive firewall to go active.
Since it already knows about all open connections, communication can continue to flow
uninterrupted.
Setting up a High Availability cluster
First of all, the two DFL-1100 units need to be set up far enough that you can manage them over the web interface. In this example the two units are configured as follows: the master DFL-1100 will be configured with 192.168.1.2 on its internal interface, and the slave DFL-1100 with 192.168.1.3. Later, when the HA setup is done, the virtual or shared IP on the LAN will be 192.168.1.1; this is the IP that clients on that network will use as their gateway.
When both units are configured with their two individual IPs, they should be connected with a crossover cable between the fourth interfaces on each unit; this interface (ETH4) can no longer be used as an extra DMZ or LAN interface when running HA.
Log in to the master firewall and click on System in the menu bar, and then click HA below it; in this screen, click on Configure additional HA parameters. This will show the screen below; here you fill in each unit's own IP and the shared IP on each interface. This Unit means the master firewall, the one you are configuring at the moment. Other Unit is the slave firewall, the other DFL-1100.
You also need to configure the Cluster ID of the cluster; this has to be a number between 0 and 63, and it must be the same on both firewalls in the cluster. It must be unique on your LAN if you are running more than one cluster.
When this is done, click on Apply.
Now log in to the slave firewall and click on System in the menu bar, and then click HA below it; in this screen, click on Receive configuration from first unit. This will show the screen below; here you fill in the Cluster ID configured on the first unit. When you click Apply, the unit should transfer the configuration from the first unit and your HA cluster should be operating.
Interface Monitoring
When HA is configured it is possible to configure Interface Monitoring, which is used to monitor up to 6 IP addresses on each segment (LAN, WAN or DMZ) of the DFL-1100 cluster. If 50% of the listed addresses are unreachable for several seconds, the active node will fail over and the other unit will become active.
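The Interface Monitoring failover rule, modelled as an added example that is not D-Link's code: each segment carries up to six monitored addresses, a poll counts a segment as degraded when at least 50% of them are unreachable, and the active node fails over once that persists. The page only says "several seconds", so the requirement of three consecutive degraded polls is an assumption made here, as are the segment names and reachability results in the demo timeline.

```python
"""Added example, not D-Link code: the Interface Monitoring failover rule
described above, modelled in Python. Each segment (LAN, WAN, DMZ) carries up
to six monitored addresses. A segment counts as degraded on a poll when at
least 50% of its addresses are unreachable; the page only says "several
seconds", so the number of consecutive failed polls (3) is an assumption."""
from dataclasses import dataclass, field
from typing import Dict, List

MAX_MONITORED_PER_SEGMENT = 6
UNREACHABLE_FRACTION = 0.5          # "50% of the listed addresses"
CONSECUTIVE_FAILED_POLLS = 3        # assumed: one poll per second, 3 s sustained


def segment_degraded(reachable: List[bool]) -> bool:
    """True when at least half of the monitored addresses were unreachable.
    A segment with no monitored addresses is never degraded."""
    if len(reachable) > MAX_MONITORED_PER_SEGMENT:
        raise ValueError("at most 6 addresses may be monitored per segment")
    if not reachable:
        return False
    unreachable = reachable.count(False)
    return unreachable / len(reachable) >= UNREACHABLE_FRACTION


@dataclass
class InterfaceMonitor:
    """Counts consecutive degraded polls per segment and reports failover."""
    failed_polls: Dict[str, int] = field(default_factory=dict)

    def poll(self, results: Dict[str, List[bool]]) -> List[str]:
        """results maps segment name -> reachability of each monitored address
        for this poll. Returns the segments that have tripped the threshold."""
        tripped = []
        for segment, reachable in results.items():
            if segment_degraded(reachable):
                self.failed_polls[segment] = self.failed_polls.get(segment, 0) + 1
            else:
                self.failed_polls[segment] = 0      # recovered: reset the counter
            if self.failed_polls[segment] >= CONSECUTIVE_FAILED_POLLS:
                tripped.append(segment)
        return tripped

    def should_failover(self, results: Dict[str, List[bool]]) -> bool:
        return bool(self.poll(results))


def run_demo() -> List[bool]:
    """Constructed timeline: WAN loses 2 of 4 monitored hosts (exactly 50%)
    for four polls while LAN stays healthy, then recovers. Returns the
    failover decision made on each poll."""
    mon = InterfaceMonitor()
    healthy = {"LAN": [True, True, True], "WAN": [True, True, True, True]}
    wan_half_down = {"LAN": [True, True, True], "WAN": [True, False, False, True]}
    timeline = [healthy, wan_half_down, wan_half_down, wan_half_down,
                wan_half_down, healthy]
    return [mon.should_failover(r) for r in timeline]


if __name__ == "__main__":
    print(run_demo())
```

The consecutive-poll counter is what separates a single lost ping from a dead segment; without it a brief blip on two of four monitored hosts would flip the cluster, and a flapping link could cause repeated failovers in both directions.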
Logging
Click on System in the menu bar, and then click Logging below it.
Logging, the ability to audit decisions made by the firewall, is a vital part of all network security products. The D-Link DFL-1100 provides several options for logging its activity. The D-Link DFL-1100 logs its activities by sending the log data to one or two log receivers in the network.
All logging is done to Syslog recipients. The log format used for syslog logging is suitable for automated processing and searching.
The D-Link DFL-1100 specifies a number of events that can be logged. Some of those events, for instance startup and shutdown events, are mandatory and will always generate log entries. Others, for instance logging when allowed connections are opened and closed, are configurable. It is also possible to have E-mail alerting for IDS/IDP events sent to up to three email addresses.
Enable Logging
Follow these steps to enable logging.
Step 1. Enable syslog by checking the Syslog box.
Step 2. Fill in your first syslog server as Syslog server 1; if you have two syslog servers, fill in the second one as Syslog server 2. You must fill in at least one syslog server for logging to work.
Step 3. Specify which facility to use by selecting the appropriate syslog facility. Local0 is the default facility.
Click the Apply button below to apply the setting, or click Cancel to discard changes.
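What the facility chosen in Step 3 means on the receiving side, as an added example that is not D-Link's code: a syslog receiver sorts messages by the PRI field, which is facility * 8 + severity, so Local0 (facility 16) lets the firewall's messages be filtered out of a shared log stream. The facility and severity numbering is the standard one from RFC 3164/5424; the sample lines are constructed for this example and do not reproduce the DFL-1100's actual message format.

```python
"""Added example, not D-Link code: decoding the syslog PRI field so that a
log receiver can select the messages the DFL-1100 sends on the facility
chosen in Step 3 (Local0 by default). Facility and severity numbering is
the standard one from RFC 3164/5424; the sample lines are constructed and
do not reproduce the DFL-1100's real message format."""
import re
from typing import List, NamedTuple, Optional

FACILITIES = {
    0: "kern", 1: "user", 2: "mail", 3: "daemon", 4: "auth", 5: "syslog",
    6: "lpr", 7: "news", 8: "uucp", 9: "cron", 10: "authpriv", 11: "ftp",
    12: "ntp", 13: "audit", 14: "alert", 15: "clock",
    16: "local0", 17: "local1", 18: "local2", 19: "local3",
    20: "local4", 21: "local5", 22: "local6", 23: "local7",
}
SEVERITIES = {0: "emerg", 1: "alert", 2: "crit", 3: "err",
              4: "warning", 5: "notice", 6: "info", 7: "debug"}
FACILITY_CODES = {name: code for code, name in FACILITIES.items()}
SEVERITY_CODES = {name: code for code, name in SEVERITIES.items()}

PRI_RE = re.compile(r"^<(\d{1,3})>(.*)$", re.S)


class SyslogMessage(NamedTuple):
    facility: str
    severity: str
    body: str


def pri_for(facility: str, severity: str) -> int:
    """PRI = facility * 8 + severity, e.g. local0.info -> 134."""
    return FACILITY_CODES[facility] * 8 + SEVERITY_CODES[severity]


def parse_pri(line: str) -> Optional[SyslogMessage]:
    """Split a syslog line into facility, severity and the rest.
    Lines without a valid <PRI> prefix are rejected (None)."""
    m = PRI_RE.match(line)
    if not m:
        return None
    pri = int(m.group(1))
    if pri > 191:                       # max facility 23, max severity 7
        return None
    facility, severity = divmod(pri, 8)
    return SyslogMessage(FACILITIES.get(facility, f"facility{facility}"),
                         SEVERITIES[severity], m.group(2))


def messages_for_facility(lines: List[str],
                          facility: str = "local0") -> List[SyslogMessage]:
    """Keep only well-formed messages tagged with the given facility."""
    out = []
    for line in lines:
        msg = parse_pri(line)
        if msg is not None and msg.facility == facility:
            out.append(msg)
    return out


# Constructed sample input: two local0 lines as a firewall configured per
# Step 3 would tag them, one auth line from another host, one malformed line.
SAMPLE_LINES = [
    "<134>Jan 12 10:00:01 dfl-1100 startup: firewall started",
    "<132>Jan 12 10:00:05 dfl-1100 conn: drop tcp 203.0.113.7:4444 -> 192.168.1.1:23",
    "<38>Jan 12 10:00:07 host1 sshd: session opened",
    "this line has no PRI header",
]

if __name__ == "__main__":
    for msg in messages_for_facility(SAMPLE_LINES):
        print(msg.facility, msg.severity, msg.body)
```

Picking a dedicated local facility for the firewall, rather than leaving it mixed with other hosts' messages, is what makes this filter reliable: the receiver can route the firewall's stream to its own file or analyzer without parsing hostnames out of message bodies.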
Enable Audit Logging
To start auditing all traffic through the firewall, follow the steps below; the firewall will then log all traffic passing through it. This is needed for running third-party log analyzers on the logs and for seeing how much traffic different connections use.
Follow these steps to enable auditing.
Step 1. Enable audit logging by checking the Enable audit logging box.
Click the Apply button below to apply the setting, or click Cancel to discard changes.
Enable E-mail alerting for IDS/IDP events
Follow these steps to enable E-mail alerting.
Step 1. Enable E-mail alerting by checking the Enable E-mail alerting for IDS/IDP events checkbox.
Step 2. Choose the sensitivity level. A higher sensitivity means that mails are sent more often than at a lower level.
Step 3. In the SMTP Server field, fill in the SMTP server to which the DFL-1100 should send email.
Step 4. Specify up to three valid email addresses to receive the email alerts.
Click the Apply button below to apply the setting, or click Cancel to discard changes.