Title of invention: Optimizing state sharing between firewalls on multi-homed networks
Abstract: In one embodiment, a security device monitors for outgoing re-transmission messages indicating that an endpoint located in a multi-homed network transmitted an unanswered initial connection request. Responsive to identifying one of the outgoing re-transmission messages, the security device identifies destination address information included in the identified re-transmission message. The security device then causes another security device associated with a different link of the same multi-homed network to update its internal state table according to the identified destination address information. As a result, a response to the outgoing re-transmission can be forwarded to the multi-homed network regardless of which security device receives the response.
Publication number: US8782286(B2) Publication date: 2014.07.15
Application number: US200812210038 Filing date: 2008.09.12
Applicant: Cisco Technology, Inc. Inventor: Wing Daniel G.
Classification: G06F15/16;H04L29/06 Main classification: G06F15/16
Agency: Agent:
Main claim: 1. An apparatus, comprising: one or more processors; and a memory containing instructions, the processors when executing the instructions operable to: maintain an internal state table according to information extracted from traffic outgoing from a multi-homed network over a first multi-homed network link to determine whether to forward incoming traffic over the first multi-homed network link according to the maintained state table; detect a connection request from an endpoint located in the multi-homed network; determine that the connection request is for a destination not represented by the maintained internal state table, and forward the detected connection request without controlling updating of an internal state table of a security device that processes traffic associated with a second different multi-homed network link; detect a subsequent outgoing message indicating that the endpoint did not receive a response to the connection request; and responsive to detecting the outgoing message, communicate state table information to the security device that processes traffic associated with the second different multi-homed network link.
Address: San Jose CA US