Abstract: A method for balancing load among firewall security devices (FSDs) is provided. According to one embodiment, a switching device performs adaptive load balancing among cluster units of an HA cluster of firewall security devices. A load balancing (LB) function implemented by the switching device is configured based on information received from a network administrator. A LB table is maintained that forms associations between hash values output by the LB function and corresponding ports of the switching device to which the cluster units are coupled. Network traffic received by the switching device is directed to appropriate cluster units based on the LB function and the LB table. A traffic load on each of the cluster units is monitored. Responsive to a deviation from a predefined ideal traffic distribution, an attempt is made to improve performance of the HA cluster by dynamically adjusting the LB balancing table to address the deviation.

Abstract: A method for balancing load among firewall security devices (FSDs) is provided. According to one embodiment, a switching device performs adaptive load balancing among cluster units of an HA cluster of firewall security devices. A load balancing (LB) function implemented by the switching device is configured based on information received from a network administrator. A LB table is maintained that forms associations between hash values output by the LB function and corresponding ports of the switching device to which the cluster units are coupled. Network traffic received by the switching device is directed to appropriate cluster units based on the LB function and the LB table. A traffic load on each of the cluster units is monitored. Responsive to a deviation from a predefined ideal traffic distribution, an attempt is made to improve performance of the HA cluster by dynamically adjusting the LB balancing table to address the deviation.

Abstract: A method for balancing load among firewall security devices (FSDs) is provided. According to one embodiment, imminent shutdown of a first cluster unit of an HA cluster of FSDs is gracefully handled by a switching device. A load balancing (LB) table, forming associations between hash values output by the LB function and corresponding ports of the switching device to which the cluster units are coupled, is maintained. The first cluster unit is coupled to a first port. Responsive to imminent shutdown of the first cluster unit: (i) a second cluster unit, coupled to a second port, is selected to perform security services on traffic sessions handled by the first cluster unit; and (ii) the LB table is updated by replacing reference(s) to the first port with reference(s) to the second port. Security services for subsequently received network traffic associated with the traffic sessions is performed by the second cluster unit.

Abstract: A method for balancing load among firewall security devices (FSDs) is provided. According to one embodiment, a switching device performs adaptive load balancing among cluster units of an HA cluster of firewall security devices. A load balancing (LB) function implemented by the switching device is configured based on information received from a network administrator. A LB table is maintained that forms associations between hash values output by the LB function and corresponding ports of the switching device to which the cluster units are coupled. Network traffic received by the switching device is directed to appropriate cluster units based on the LB function and the LB table. A traffic load on each of the cluster units is monitored. Responsive to a deviation from a predefined ideal traffic distribution, an attempt is made to improve performance of the HA cluster by dynamically adjusting the LB balancing table to address the deviation.

Abstract: A method for balancing load among firewall security devices (FSDs) is provided. According to one embodiment, a switching device performs adaptive load balancing among cluster units of an HA cluster of firewall security devices. A load balancing (LB) function implemented by the switching device is configured based on information received from a network administrator. A LB table is maintained that forms associations between hash values output by the LB function and corresponding ports of the switching device to which the cluster units are coupled. Network traffic received by the switching device is directed to appropriate cluster units based on the LB function and the LB table. A traffic load on each of the cluster units is monitored. Responsive to a deviation from a predefined ideal traffic distribution, an attempt is made to improve performance of the HA cluster by dynamically adjusting the LB balancing table to address the deviation.

Abstract: A method for balancing load among firewall security devices (FSDs) is provided. According to one embodiment, imminent shutdown of a first cluster unit of an HA cluster of FSDs is gracefully handled by a switching device. A load balancing (LB) table, forming associations between hash values output by the LB function and corresponding ports of the switching device to which the cluster units are coupled, is maintained. The first cluster unit is coupled to a first port. Responsive to imminent shutdown of the first cluster unit: (i) a second cluster unit, coupled to a second port, is selected to perform security services on traffic sessions handled by the first cluster unit; and (ii) the LB table is updated by replacing reference(s) to the first port with reference(s) to the second port. Security services for subsequently received network traffic associated with the traffic sessions is performed by the second cluster unit.

Abstract: Methods and systems for balancing load among firewall security devices (FSDs) are provided. According to one embodiment, service group and VLAN associations are stored within a switching device for each front panel port and for each fabric slot of the switching device. Each of multiple FSDs providing security services for a protected network are coupled with a fabric slot. When a packet is received, the switching device: (i) tags the packet based on a VLAN ID corresponding to the VLAN to which front panel port on which it was received is assigned; (ii) identifies the service group based on the VLAN ID; (iii) selects a slot within the identified service group and thereby selects an FSD to associate with the forward traffic session and a corresponding reverse traffic session by performing a load balancing function on the packet; and (iv) causes the packet to be processed by the selected FSD.

Abstract: Methods and systems for balancing load among firewall security devices (FSDs) are provided. According to one embodiment, session data, including session entries representing previously observed traffic sessions from a particular source to a particular destination and forming an association between the previously observed session and a particular FSD, is maintained by a switching device. When a TCP SYN packet is received, the switching device: (i) reduces its vulnerability to a TCP SYN flooding attack by foregoing installation of a forward session entry for the forward traffic session within the session data until a processed TCP SYN-ACK packet associated with the corresponding reverse traffic session is received; (ii) selects an FSD to associate with the forward traffic session and a corresponding reverse traffic session by performing a load balancing function on the TCP SYN packet; and (iii) causes the TCP SYN packet to be processed by the selected FSD.

Abstract: A method for balancing load among firewall security devices in a network is disclosed. According to one embodiment, a switch causes firewall security devices (FSDs) of a cluster to enter into a load balancing mode. Responsive to receiving a heartbeat signal from an FSD, information regarding the FSD and the port on which the heartbeat signal was received are added to a table maintained by the switch that maps outputs of a load balancing function to ports of the switch. A received packet is forwarded to an FSD of the cluster by: (i) extracting a configurable number of bit values from a configurable set of bit positions within the packet; (ii) determining the output of the load balancing function; (iii) identifying the port to which the FSD is coupled based on the output and the table; and (iv) transmitting the packet to the FSD via the identified port.

Abstract: A method for balancing load among firewall security devices in a network is disclosed. According to one embodiment, a switch causes firewall security devices (FSDs) of a cluster to enter into a load balancing mode. Responsive to receiving a heartbeat signal from an FSD, information regarding the FSD and the port on which the heartbeat signal was received are added to a table maintained by the switch that maps outputs of a load balancing function to ports of the switch. A received packet is forwarded to an FSD of the cluster by: (i) extracting a configurable number of bit values from a configurable set of bit positions within the packet; (ii) determining the output of the load balancing function; (iii) identifying the port to which the FSD is coupled based on the output and the table; and (iv) transmitting the packet to the FSD via the identified port.

Abstract: Methods and systems for balancing load among firewall security devices (FSDs) are provided. According to one embodiment, session data, including session entries representing previously observed traffic sessions from a particular source to a particular destination and forming an association between the previously observed session and a particular FSD, is maintained by a switching device. When a TCP SYN packet is received, the switching device: (i) reduces its vulnerability to a TCP SYN flooding attack by foregoing installation of a forward session entry for the forward traffic session within the session data until a processed TCP SYN-ACK packet associated with the corresponding reverse traffic session is received; (ii) selects an FSD to associate with the forward traffic session and a corresponding reverse traffic session by performing a load balancing function on the TCP SYN packet; and (iii) causes the TCP SYN packet to be processed by the selected FSD.

Abstract: A method for balancing load among firewall security devices in a network is disclosed. According to one embodiment, a switch causes firewall security devices (FSDs) of a cluster to enter into a load balancing mode. Responsive to receiving a heartbeat signal from an FSD, information regarding the FSD and the port on which the heartbeat signal was received are added to a table maintained by the switch that maps outputs of a load balancing function to ports of the switch. A received packet is forwarded to an FSD of the cluster by: (i) extracting a configurable number of bit values from a configurable set of bit positions within the packet; (ii) determining the output of the load balancing function; (iii) identifying the port to which the FSD is coupled based on the output and the table; and (iv) transmitting the packet to the FSD via the identified port.

Abstract: A method for balancing load among firewall security devices in a network is disclosed. According to one embodiment, a switch causes firewall security devices (FSDs) of a cluster to enter into a load balancing mode. Responsive to receiving a heartbeat signal from an FSD, information regarding the FSD and the port on which the heartbeat signal was received are added to a table maintained by the switch that maps outputs of a load balancing function to ports of the switch. A received packet is forwarded to an FSD of the cluster by: (i) extracting a configurable number of bit values from a configurable set of bit positions within the packet; (ii) determining the output of the load balancing function; (iii) identifying the port to which the FSD is coupled based on the output and the table; and (iv) transmitting the packet to the FSD via the identified port.

Abstract: Methods and systems for balancing load among firewall security devices (FSDs) are provided. According to one embodiment, session data, including session entries representing previously established traffic sessions from a particular source to a particular destination and forming an association between the previously established session and a particular FSD, is maintained for each port of a session-aware switching device. When a TCP SYN packet is received, the switching device: (i) reduces its vulnerability to a DoS attack by foregoing installation of a forward session entry for the forward traffic session within the session data until a processed TCP SYN/ACK packet associated with the corresponding reverse traffic session is received; (ii) selects an FSD to associate with the forward traffic session and a corresponding reverse traffic session by performing a load balancing function on the TCP SYN packet; and (iii) causes the TCP SYN packet to be processed by the selected FSD.

Abstract: A method for balancing load among firewall security devices in a network is disclosed. According to one embodiment, a switch causes firewall security devices (FSDs) of a cluster to enter into a load balancing mode. Responsive to receiving a heartbeat signal from an FSD, information regarding the FSD and the port on which the heartbeat signal was received are added to a table maintained by the switch that maps outputs of a load balancing function to ports of the switch. A received packet is forwarded to an FSD of the cluster by: (i) extracting a configurable number of bit values from a configurable set of bit positions within the packet; (ii) determining the output of the load balancing function; (iii) identifying the port to which the FSD is coupled based on the output and the table; and (iv) transmitting the packet to the FSD via the identified port.

Abstract: Methods and systems for balancing load among firewall security devices (FSDs) are provided. According to one embodiment, session data, including session entries representing previously established traffic sessions from a particular source to a particular destination and forming an association between the previously established session and a particular FSD, is maintained for each port of a session-aware switching device. When a TCP SYN packet is received, the switching device: (i) reduces its vulnerability to a DoS attack by foregoing installation of a forward session entry for the forward traffic session within the session data until a processed TCP SYN/ACK packet associated with the corresponding reverse traffic session is received; (ii) selects an FSD to associate with the forward traffic session and a corresponding reverse traffic session by performing a load balancing function on the TCP SYN packet; and (iii) causes the TCP SYN packet to be processed by the selected FSD.

Abstract: A method for balancing load among firewall security devices in a network is disclosed. Firewall security devices are arranged in multiple clusters. A switching device is configured with the firewall security devices by communicating control messages and heartbeat signals. Information regarding the configured firewall security devices is then included in a load balancing table. A load balancing function is configured for enabling the distribution of data traffic received by the switching device. A received data packet by the switching device is forwarded to one of the firewall security devices in a cluster based on the load balancing function, the load balancing table and the address contained in the data packet.

Abstract: Methods and systems for balancing load among firewall security devices (FSDs) are provided. According to one embodiment, a switch maintains session data the session entries of which represent established traffic sessions between a source and a destination and form an association between the traffic session and a particular FSD. A data packet of a traffic session from a client device directed to a target device is received at the switch. When none of the session entries are determined to correspond to the data packet, an FSD is selected to associate with the first traffic session by performing a load balancing function on at least a portion of the data packet. When a matching session entry exists, an FSD identified by the matching session entry is selected to process the data packet. The data packet is then caused to be processed by the selected firewall security device.

Abstract: A method for balancing load among firewall security devices in a network is disclosed. According to one embodiment, a switch causes firewall security devices (FSDs) of a cluster to enter into a load balancing mode. Responsive to receiving a heartbeat signal from an FSD, information regarding the FSD and the port on which the heartbeat signal was received are added to a table maintained by the switch that maps outputs of a load balancing function to ports of the switch. A received packet is forwarded to an FSD of the cluster by: (i) extracting a configurable number of bit values from a configurable set of bit positions within the packet; (ii) determining the output of the load balancing function; (iii) identifying the port to which the FSD is coupled based on the output and the table; and (iv) transmitting the packet to the FSD via the identified port.

Abstract: Methods and systems for balancing load among firewall security devices (FSDs) are provided. According to one embodiment, a switch maintains session data the session entries of which represent established traffic sessions between a source and a destination and form an association between the traffic session and a particular FSD. A data packet of a traffic session from a client device directed to a target device is received at the switch. When none of the session entries are determined to correspond to the data packet, an FSD is selected to associate with the first traffic session by performing a load balancing function on at least a portion of the data packet. When a matching session entry exists, an FSD identified by the matching session entry is selected to process the data packet. The data packet is then caused to be processed by the selected firewall security device.