What is Firewall Load Balancing (FWLB)?

Firewall Load Balancing is a deployment architecture where multiple firewall systems are placed behind Server Load Balancers.  Network traffic through the firewall systems is load balanced to the group of firewalls providing a scalable and highly available security infrastructure.

Security firewalls are mission critical for any network infrastructure.  A robust security infrastructure requires a reliable, highly-available and scalable firewall infrastructure.  Business activities are severely hindered or halted altogether when Internet connectivity fails.  Firewall infrastructures are crucial to ensure business continuity.

Best-in-class firewall architectures include some form of load balancing solution.  This article will describe a cluster of firewall systems load balanced behind Application Delivery Controller (ADC) network load balancing systems.

Firewall Load Balancing Solution

An array of firewall systems, configured as a load-balanced group, is sandwiched between two Server Load Balancing systems.  Traffic arriving from the Internet is directed to one firewall within the group.  Traffic from the organization's internal network is distributed in the same way.

Server Load Balancing systems track network sessions.  New network connections are load balanced to the least loaded firewall.  Traffic from an established session is routed to the same firewall so that stateful packet inspection and ongoing security analysis continue for the life of the session.

Firewall Load Balancing Benefits

Scalability

Firewalls are required to transfer ever increasing amounts of traffic between insecure networks.  Each packet passing through each firewall has to be inspected, analyzed, compared to network control policies and security rules and often modified.  Firewall systems are basically computer systems, and the complex processing requires compute resources for CPU, memory and network data transfers.  Firewalls have a limit on the amount of network traffic that can be supported.

When traffic exceeds that limit, additional firewall systems are required.  In a load balanced configuration, additional firewalls can be added dynamically to increase capacity.  Firewall capacity can be added live without affecting the existing firewall systems.

Reliability

Load balancing for application servers is commonly used to provide highly-available application infrastructures.  The same technique works for firewall systems.  When multiple firewalls are load balanced, a single firewall failure does not cause a serious outage.  Sessions that were served by the failed firewall are redirected to the remaining firewalls and re-established.
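The session tracking described above (sticky assignment, least-loaded selection for new connections, and re-assignment when a firewall fails) can be modelled with a small flow table. This is an added example, not code from the article; it assumes a single shared flow table consulted by both load balancers and a 5-tuple normalised so that both directions of a session map to the same key.

```python
from collections import defaultdict


class FirewallLoadBalancer:
    """Sticky, least-connections dispatcher for a pool of firewalls.

    Assumption (not from the article): the outside and inside load
    balancers share this one flow table, so both directions of a session
    reach the same firewall and stateful inspection is preserved.
    """

    def __init__(self, firewalls):
        self.active = list(firewalls)      # firewalls currently in service
        self.flows = {}                    # flow key -> assigned firewall
        self.load = defaultdict(int)       # firewall -> open flows

    @staticmethod
    def flow_key(src, sport, dst, dport, proto):
        # Order the endpoints so client->server and server->client packets
        # of one session produce the same key.
        a, b = (src, sport), (dst, dport)
        return (proto,) + (a + b if a <= b else b + a)

    def dispatch(self, src, sport, dst, dport, proto="tcp"):
        """Return the firewall that must inspect this packet."""
        key = self.flow_key(src, sport, dst, dport, proto)
        fw = self.flows.get(key)
        if fw is None or fw not in self.active:
            # New session, or its firewall left service: choose the least
            # loaded firewall still active. The client re-establishes the
            # session because the new firewall has no state for it.
            if not self.active:
                raise RuntimeError("no firewall in service")
            fw = min(self.active, key=lambda f: self.load[f])
            self.flows[key] = fw
            self.load[fw] += 1
        return fw

    def close(self, src, sport, dst, dport, proto="tcp"):
        """Release a finished session from the flow table."""
        fw = self.flows.pop(self.flow_key(src, sport, dst, dport, proto), None)
        if fw is not None:
            self.load[fw] -= 1

    def remove(self, fw):
        """Take a firewall out of service (failure or maintenance)."""
        if fw in self.active:
            self.active.remove(fw)
        for key in [k for k, v in self.flows.items() if v == fw]:
            del self.flows[key]
        self.load[fw] = 0
```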

Manageability

Firewall maintenance is difficult in non-load balanced environments.  Changing security policies on live systems can easily cause unforeseen issues and outages. Systems behind an ADC load balancer can be removed from service without user disruption, and either upgraded, replaced or updated with new security policies.  These systems can be tested by operations before returning to an operational state.


July 10, 2018

About Robert Keith

Robert has 30 years of experience in IT technology development and infrastructure management. He was the founder of several infrastructure ventures including Intellivence, MaxSP, Sentrik and most recently was the CTO of Iron Networks. As CTO of Iron Networks in San Jose, CA, he worked directly with many companies in the Silicon Valley to design and architect network, security, and cloud solutions. He worked directly with Microsoft engineering in the design of their cloud architectures including storage, Hyper-V, Systems Center and Virtual Networking. He also worked directly with Hortonworks to design a Hadoop deployment and management system using CentOS and many layered software packages.