
CN104618148B - The backup method and equipment of a kind of firewall box - Google Patents


Info

Publication number: CN104618148B
Authority: CN (China)
Prior art keywords: firewall, equipment, backup, backup group, main
Legal status: Active
Application number: CN201510007873.XA
Other languages: Chinese (zh)
Other versions: CN104618148A (en)
Inventors: 苏艳梅, 顾雷雷
Current assignee: New H3C Technologies Co Ltd
Original assignee: New H3C Technologies Co Ltd

Application filed by New H3C Technologies Co Ltd
Priority to CN201510007873.XA
Publication of CN104618148A
Application granted
Publication of CN104618148B
Legal status: Active (current)

Landscapes

  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

The invention discloses a backup method and device for a firewall device. The method includes: a firewall device determines whether it is the main firewall device or a backup firewall device; when the firewall device is the main firewall device, it issues the backup group IP address network segment route through the backup group uplink interface, so that downlink data is sent to the main firewall device, and when its backup group downlink interface receives an ARP request message from the NAT device, it returns an ARP response message through the backup group downlink interface, so that the NAT device sends uplink data to the main firewall device. In the embodiment of the invention, the backup function of N firewall devices is realized, the network single point of failure problem is solved, and the waste of public network IP addresses is avoided, effectively saving public network IP address resources.

Description

Backup method and device for firewall device
Technical Field
The present invention relates to the field of communications technologies, and in particular, to a firewall device backup method and device.
Background
Fig. 1 is a schematic diagram of a networking application in which a NAT (Network Address Translation) device and a firewall device are deployed separately. Because the NAT device must perform a large number of translations and the firewall device must apply a large number of firewall policies, the two are deployed separately to relieve the load on each. With this arrangement, traffic from the Internet passes through the firewall device before reaching the NAT device. The firewall device discards attack traffic and traffic that does not meet policy, so only valid traffic reaches the NAT device; this reduces the processing load on the NAT device and removes the concern about traffic attacks from the Internet reaching it.
To configure the VRRP group in the existing networking, assuming there are N firewall devices, N + 2 public network IP addresses are needed: one for each firewall device, one for the uplink port of the NAT device, and one as the virtual IP address of the VRRP group.
The VRRP group therefore occupies a large number of public network addresses.
Disclosure of Invention
The embodiment of the invention provides a firewall device backup method, applied to a firewall backup group comprising a plurality of firewall devices, in which a backup group IP address and a backup group media access control (MAC) address are configured. The method comprises the following steps: the firewall device determines whether it is the main firewall device or a backup firewall device in the firewall backup group; when the firewall device is the main firewall device, it issues the backup group IP address network segment route through the backup group uplink interface, so that downlink data is sent to the main firewall device in the firewall backup group, and when it receives an ARP request message from the network address translation (NAT) device at the backup group downlink interface, it returns an ARP response message through the backup group downlink interface, the ARP response message carrying the backup group IP address and the backup group MAC address, so that the NAT device sends uplink data to the main firewall device in the firewall backup group; when the firewall device is a backup firewall device, it does not issue the backup group IP address network segment route through the backup group uplink interface, and when it receives the ARP request message from the NAT device at the backup group downlink interface, it does not return an ARP response message through the backup group downlink interface.
The firewall device determining whether it is the main firewall device or a backup firewall device in the firewall backup group comprises the following steps: the firewall device receives Layer-2-encapsulated first Assert (declaration) messages from the other firewall devices, each carrying that device's priority and interface MAC address; if the priority of the firewall device is higher than the priorities of all other firewall devices, it determines that it is the main firewall device in the firewall backup group; if its priority is lower than the priority of any other firewall device, it determines that it is a backup firewall device in the firewall backup group; if its priority is the maximum priority and equal to the priority of other firewall devices, then either: when its interface MAC address is larger than the interface MAC addresses of all other firewall devices with the same priority, it determines that it is the main firewall device, and when its interface MAC address is smaller than the interface MAC address of any other firewall device with the same priority, it determines that it is a backup firewall device; or, the reverse rule: when its interface MAC address is larger than the interface MAC address of any other firewall device with the same priority, it determines that it is a backup firewall device, and when its interface MAC address is smaller than the interface MAC addresses of all other firewall devices with the same priority, it determines that it is the main firewall device in the firewall backup group.
The method further comprises:
when the firewall device is the main firewall device and detects that its uplink has failed, it sends a Layer-2-encapsulated second Assert message to the other firewall devices in the firewall backup group, in which the state of the firewall device is carried as the unavailable state; when the firewall device is a backup firewall device and receives a Layer-2-encapsulated second Assert message from the main firewall device, and the state of the main firewall device obtained from that message is the unavailable state, the firewall device re-determines whether it is the main firewall device or a backup firewall device in the firewall backup group; if it determines that it has changed from backup firewall device to main firewall device, it issues the backup group IP address network segment route through the backup group uplink interface and sends an ARP update message through the backup group downlink interface, the ARP update message carrying the backup group IP address and the backup group MAC address; or,
when the firewall device is a backup firewall device and no Layer-2-encapsulated second Assert message from the main firewall device carrying the main firewall device's state as available is received within a preset time, the firewall device determines that the main firewall device itself has failed and/or the downlink of the main firewall device has failed, and re-determines whether it is the main firewall device or a backup firewall device in the firewall backup group; if it determines that it has changed from backup firewall device to main firewall device, it issues the backup group IP address network segment route through the backup group uplink interface and sends ARP update messages through the backup group downlink interface, the ARP update messages carrying the backup group IP address and the backup group MAC address.
When the firewall device is a backup firewall device, the firewall device re-determines that the firewall device is a main firewall device or a backup firewall device in the firewall backup group, and the method specifically includes:
after the firewall device learns that the state of the main firewall device is the unavailable state, it starts a fault timer for the main firewall device, whose timeout is longer than the sending interval of the second Assert message; if the firewall device receives a second Assert message before the fault timer expires, and the state of the main firewall device carried in that message is the unavailable state, it resets the fault timer to zero; and if it does not receive a second Assert message before the fault timer expires, it re-determines whether it is the main firewall device or a backup firewall device in the firewall backup group.
The method further comprises:
when the firewall equipment is main firewall equipment, after the firewall equipment sends a second Assert message packaged by two layers to other firewall equipment, if fault recovery is detected, the firewall equipment determines that the firewall equipment is the main firewall equipment in the firewall backup group, and sends a third Assert message packaged by two layers to other firewall equipment in the firewall backup group, wherein the state of the firewall equipment carried in the third Assert message is an available state;
when the firewall device is a backup firewall device, after the firewall device determines that the firewall device is changed from the backup firewall device to a main firewall device, when the firewall device receives a third Assert message encapsulated by two layers from the main firewall device, if the state of the main firewall device is obtained from the third Assert message as an available state, the firewall device determines that the firewall device is a backup firewall device in the firewall backup group.
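The failover sequence described above (unavailable-state second Assert, fault timer that is reset by each further unavailable Assert and re-elects on expiry, the preset-time check for a main that has gone silent, route and ARP update on promotion, and stepping back when the original main sends an available-state third Assert) is easier to follow as a small state machine. The following is an added example written for this page, not code from the patent or from the assignee; the timer values, the names `assert_interval`, `fault_timeout`, `preset_time` and `wins_reelection`, and the choice to count any Assert from the main toward the preset-time check are assumptions, and the re-election result is supplied as an input rather than computed.

```python
from dataclasses import dataclass, field
from typing import List, Optional

STATE_UNAVAILABLE, STATE_AVAILABLE = 0, 1


@dataclass
class BackupDevice:
    """A backup firewall device's view of the main device, driven by a caller-supplied clock.

    Assumed timing parameters (the text gives relations, not values):
      assert_interval  - how often the main sends Assert messages
      fault_timeout    - the fault timer; must be longer than assert_interval
      preset_time      - how long to wait for an Assert before concluding that the
                         main device or its downlink has failed
    wins_reelection stands in for the result of re-running the priority/MAC
    election among the remaining members; it is an input here, not computed.
    """
    assert_interval: float = 1.0
    fault_timeout: float = 3.0
    preset_time: float = 3.5
    wins_reelection: bool = True
    role: str = "backup"
    last_assert_at: float = 0.0
    fault_timer_started: Optional[float] = None
    actions: List[str] = field(default_factory=list)

    def __post_init__(self) -> None:
        if self.fault_timeout <= self.assert_interval:
            raise ValueError("fault timer must be longer than the Assert send interval")

    def on_assert(self, now: float, main_state: int) -> str:
        """Handle an Assert from the main device; returns this device's role afterwards."""
        self.last_assert_at = now
        if main_state == STATE_UNAVAILABLE:
            # Second Assert: the main's uplink failed. Start the fault timer or reset it to zero.
            self.fault_timer_started = now
            self.actions.append(f"t={now}: fault timer reset")
        else:
            self.fault_timer_started = None
            if self.role == "main":
                # Third Assert: the original main recovered, so this device steps back.
                self.role = "backup"
                self.actions.append(f"t={now}: main recovered, reverting to backup")
        return self.role

    def tick(self, now: float) -> str:
        """Evaluate the timers at time `now`; returns this device's role afterwards."""
        if self.role == "backup":
            if (self.fault_timer_started is not None
                    and now - self.fault_timer_started >= self.fault_timeout):
                self.actions.append(f"t={now}: fault timer expired")
                self._reelect(now)
            elif now - self.last_assert_at >= self.preset_time:
                self.actions.append(
                    f"t={now}: no Assert within preset time, main or its downlink failed")
                self._reelect(now)
        return self.role

    def _reelect(self, now: float) -> None:
        self.fault_timer_started = None
        self.last_assert_at = now
        if self.wins_reelection:
            self.role = "main"
            # Taking over: attract downlink traffic via the route, uplink traffic via ARP.
            self.actions.append("issue backup group IP segment route on backup group uplink interface")
            self.actions.append("send ARP update (backup group IP + MAC) on backup group downlink interface")


if __name__ == "__main__":
    # Constructed scenario: main reports uplink failure twice, then falls silent.
    dev = BackupDevice()
    for t, s in [(0.0, STATE_AVAILABLE), (1.0, STATE_AVAILABLE),
                 (2.0, STATE_UNAVAILABLE), (3.0, STATE_UNAVAILABLE)]:
        dev.on_assert(t, s)
    dev.tick(4.0)   # still backup: fault timer was reset at t=3.0
    dev.tick(6.0)   # fault timer expired: promoted to main
    dev.on_assert(7.0, STATE_AVAILABLE)  # original main recovered: back to backup
    print("\n".join(dev.actions))
```

The two takeover paths are deliberately kept separate: the fault timer only runs once an unavailable-state Assert has been seen, while the preset-time check covers a main that stops sending altogether, which is the case where no state information arrives at all.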
The embodiment of the invention provides firewall equipment, which is applied to a firewall backup group comprising a plurality of firewall equipment; wherein, a backup group IP address and a backup group MAC address are configured in the firewall backup group, and the firewall device specifically includes:
a determining module, configured to determine that the firewall device is a main firewall device or a backup firewall device in the firewall backup group;
the processing module is used for issuing a backup group IP address network segment route through a backup group uplink interface when the firewall equipment is main firewall equipment so as to send downlink data to the main firewall equipment in the firewall backup group; when a backup group downlink interface receives an ARP request message from NAT equipment for network address translation, an ARP response message is returned through the backup group downlink interface, and the ARP response message carries the backup group IP address and the backup group MAC address, so that the NAT equipment sends uplink data to main firewall equipment in the firewall backup group;
when the firewall equipment is backup firewall equipment, forbidding issuing backup group IP address network segment routing through a backup group uplink interface; and when the backup group downlink interface receives the ARP request message from the NAT equipment, forbidding to return an ARP response message through the backup group downlink interface.
The determining module is specifically configured to receive a first declaration Assert message encapsulated in two layers from other firewall devices, where the first declaration Assert message carries priorities and interface MAC addresses of the other firewall devices; if the priority of the firewall equipment is higher than the priorities of all other firewall equipment, determining that the firewall equipment is the main firewall equipment in the firewall backup group; if the priority of the firewall equipment is smaller than the priority of any other firewall equipment, determining that the firewall equipment is backup firewall equipment in the firewall backup group;
if the priority of the firewall equipment is the maximum priority and the priority of the firewall equipment is equal to the priorities of other firewall equipment, then: when the interface MAC address of the firewall equipment is larger than the interface MAC addresses of all other firewall equipment with the same priority as the firewall equipment, determining the firewall equipment as the main firewall equipment in the firewall backup group; when the interface MAC address of the firewall equipment is smaller than the interface MAC address of any other firewall equipment with the same priority as the firewall equipment, determining the firewall equipment as backup firewall equipment in the firewall backup group; or when the interface MAC address of the firewall equipment is larger than the interface MAC address of any other firewall equipment with the same priority as the firewall equipment, determining the firewall equipment as the backup firewall equipment in the firewall backup group; and when the interface MAC address of the firewall equipment is smaller than the interface MAC addresses of all other firewall equipment with the same priority as the firewall equipment, determining that the firewall equipment is the main firewall equipment in the firewall backup group.
The processing module is further configured to send a second Assert message encapsulated in a second layer to other firewall devices in the firewall backup group when the firewall device is a main firewall device and an uplink failure is detected, where the state of the firewall device carried in the second Assert message is an unavailable state; when the firewall equipment is backup firewall equipment, when a second Assert message encapsulated by a second layer from the main firewall equipment is received, if the state of the main firewall equipment is acquired from the second Assert message and is an unavailable state, the firewall equipment is determined to be the main firewall equipment or the backup firewall equipment in the firewall backup group again; if the firewall equipment is determined to be changed from backup firewall equipment to main firewall equipment, issuing backup group IP address network segment routing through a backup group uplink interface, and sending an ARP update message through a backup group downlink interface, wherein the ARP update message carries the backup group IP address and the backup group MAC address; or,
the processing module is further configured to, when the firewall device is a backup firewall device, determine that the main firewall device itself has failed and/or the downlink of the main firewall device has failed if no Layer-2-encapsulated second Assert message from the main firewall device carrying the main firewall device's state as available is received within a preset time, and to re-determine whether the firewall device is the main firewall device or a backup firewall device in the firewall backup group; if the firewall device is determined to have changed from backup firewall device to main firewall device, a backup group IP address network segment route is issued through the backup group uplink interface and an ARP update message is sent through the backup group downlink interface, the ARP update message carrying the backup group IP address and the backup group MAC address.
The processing module is further configured to, in the process of re-determining whether the firewall device is the main firewall device or a backup firewall device in the firewall backup group, start a fault timer for the main firewall device after the state of the main firewall device is obtained as the unavailable state, where the timeout of the fault timer is longer than the sending interval of the second Assert message; if the firewall device receives a second Assert message before the fault timer expires, and the state of the main firewall device carried in that message is the unavailable state, reset the fault timer to zero; and if the firewall device does not receive a second Assert message before the fault timer expires, re-determine whether the firewall device is the main firewall device or a backup firewall device in the firewall backup group.
The processing module is further configured to, when the firewall device is a main firewall device, after sending a second Assert message encapsulated in two layers to other firewall devices, if a failure recovery is detected, determine that the firewall device is the main firewall device in the firewall backup group, and send a third Assert message encapsulated in two layers to other firewall devices in the firewall backup group, where a state of the firewall device carried in the third Assert message is an available state;
the processing module is further configured to, when the firewall device is a backup firewall device, after determining that the firewall device is changed from the backup firewall device to the main firewall device, when receiving a third Assert message encapsulated by two layers from the main firewall device, if the state of the main firewall device obtained from the third Assert message is an available state, determine that the firewall device is a backup firewall device in the firewall backup group.
Based on the technical scheme, in the embodiment of the invention, a plurality of firewall devices are configured to one firewall backup group, so that the backup function of N firewall devices is realized, and the problem of single point of network failure is solved. By configuring a backup group IP address for the firewall backup group, no matter the number of firewall equipment, only 2 public network IP addresses are required to be used, namely, the firewall backup group needs one public network IP address (namely, the backup group IP address), and an uplink port of the NAT equipment needs one public network IP address, so that the resource waste of the public network IP address is avoided, the public network IP address resource is effectively saved, the number of the public network IP addresses which can be used by the NAT equipment is not obviously reduced, and the NAT conversion efficiency is improved.
Drawings
Fig. 1 is a schematic diagram of a networking application in which a NAT device and a firewall device are separately deployed in the prior art;
fig. 2 is a schematic diagram of a networking application in which a NAT device and a firewall device are separately deployed according to an embodiment of the present invention;
fig. 3 is a schematic flowchart of a backup method of a firewall device according to an embodiment of the present invention;
fig. 4 is a schematic diagram of a format of an Assert message according to an embodiment of the present invention;
fig. 5 is a schematic structural diagram of a firewall device according to an embodiment of the present invention.
Detailed Description
To solve the problems in the prior art, embodiments of the present invention provide a firewall device backup method, which may be applied to a firewall backup group including a plurality of firewall devices. Referring to fig. 2, the method may be applied to a networking application in which the NAT device and the firewall device are separately deployed. In the embodiment of the invention, the firewall backup group consists of a plurality of firewall devices to form a virtual firewall device, and the firewall devices in the firewall backup group comprise a main firewall device and a backup firewall device. The number of the main firewall equipment can be one, and the main firewall equipment undertakes data forwarding work. The number of the backup firewall devices can be one or more, when the main firewall device breaks down, the backup firewall device takes over the work of the main firewall device, and the data forwarding work is continued. The method improves the reliability and effectively avoids the network interruption problem caused by the firewall equipment failure. The above Firewall Backup group technology may be referred to as FBGP (Firewall Backup group protocol).
In the embodiment of the invention, a backup group IP address, a backup group MAC (Media Access Control) address, a backup group uplink interface and a backup group downlink interface are configured in the firewall backup group. The backup group uplink interface is the Internet exit, and the backup group downlink interface is the interface connecting to the client network or the NAT device. The backup group IP address is a public network IP address; it serves as the downlink interface address of the firewall device and is the gateway address for forwarding data sent upstream by the NAT device. The backup group MAC address is the MAC address corresponding to the backup group IP address, and its generation method includes, but is not limited to: 00-00-5e-00-00 followed by the backup group ID, where the backup group ID is the unique identifier assigned to the firewall backup group; for example, the backup group MAC address corresponding to firewall backup group 128 is 00-00-5e-00-00-80.
As shown in fig. 3, the backup method of the firewall device may specifically include the following steps:
step 301, the firewall device determines that the firewall device is a main firewall device or a backup firewall device in the firewall backup group. Wherein, when the firewall device is the main firewall device, step 302 is executed; when the firewall device is a backup firewall device, step 303 is executed.
In the embodiment of the present invention, the process by which the firewall device determines whether it is the main firewall device or a backup firewall device in the firewall backup group includes, but is not limited to, the following: the firewall device receives Layer-2-encapsulated first Assert messages from the other firewall devices, each carrying at least that device's priority and interface MAC address. If the priority of the firewall device is higher than the priorities of all other firewall devices, the firewall device is determined to be the main firewall device in the firewall backup group. If its priority is lower than the priority of any other firewall device, it is determined to be a backup firewall device in the firewall backup group. If its priority is the maximum priority and equal to the priority of other firewall devices, then either: when its interface MAC address is larger than the interface MAC addresses of all other firewall devices with the same priority, it is determined to be the main firewall device in the firewall backup group, and when its interface MAC address is smaller than the interface MAC address of any other firewall device with the same priority, it is determined to be a backup firewall device; or, the reverse rule: when its interface MAC address is larger than the interface MAC address of any other firewall device with the same priority, it is determined to be a backup firewall device, and when its interface MAC address is smaller than the interface MAC addresses of all other firewall devices with the same priority, it is determined to be the main firewall device in the firewall backup group.
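The election rule in step 301 is a deterministic comparison that every member applies to the same set of first Assert messages, which is why all members arrive at the same single main device. The following is an added example written for this page, not code from the patent or the assignee: it implements the priority comparison with the interface MAC tie-break, with the direction of the tie-break (larger or smaller MAC wins, both of which the text allows) as a parameter. The `Peer` type, the function names and the sample priorities and MAC addresses are constructed for the example.

```python
from dataclasses import dataclass
from typing import Dict, List


@dataclass(frozen=True)
class Peer:
    """What a device learns about one member from that member's first Assert message."""
    priority: int        # Priority field; a larger value is a higher priority
    interface_mac: str   # interface MAC address, e.g. "00-1a-2b-3c-4d-5e"


def mac_to_int(mac: str) -> int:
    """Order MAC addresses numerically, so that '...-0a' > '...-09' as the text requires."""
    return int(mac.replace(":", "").replace("-", ""), 16)


def elect_role(own: Peer, peers: List[Peer], larger_mac_wins: bool = True) -> str:
    """Return 'main' or 'backup' for `own`, applying the rules of step 301.

    larger_mac_wins selects which of the two tie-break variants the group uses;
    the text allows either, so the default here is an assumption.
    """
    if not peers:
        # Before any Assert from another member has arrived, a device treats itself as main.
        return "main"
    highest = max(p.priority for p in peers)
    if own.priority > highest:
        return "main"      # higher than every other device
    if own.priority < highest:
        return "backup"    # lower than at least one other device
    # own.priority == highest: tie-break on interface MAC among same-priority devices only
    tied = [mac_to_int(p.interface_mac) for p in peers if p.priority == own.priority]
    own_mac = mac_to_int(own.interface_mac)
    if larger_mac_wins:
        return "main" if own_mac > max(tied) else "backup"
    return "main" if own_mac < min(tied) else "backup"


def elect_group(members: List[Peer], larger_mac_wins: bool = True) -> Dict[str, str]:
    """Run the election from every member's point of view, keyed by interface MAC.

    Each device applies the same rule to the same Assert messages, so exactly one
    member ends up as main (interface MACs are unique within the group).
    """
    return {
        m.interface_mac: elect_role(m, [p for p in members if p is not m], larger_mac_wins)
        for m in members
    }


if __name__ == "__main__":
    # Constructed sample group: two devices share the highest priority.
    group = [
        Peer(100, "00-1a-2b-3c-4d-01"),
        Peer(120, "00-1a-2b-3c-4d-02"),
        Peer(120, "00-1a-2b-3c-4d-03"),
    ]
    print(elect_group(group))                         # ...-03 is main (larger MAC wins)
    print(elect_group(group, larger_mac_wins=False))  # ...-02 is main (smaller MAC wins)
```

Because the tie-break direction changes which device becomes main, all members of one backup group must use the same variant; mixing them would let two devices each conclude they are main, and both would then answer the NAT device's ARP requests.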
Fig. 4 is a schematic diagram of the format of the Assert message. In the Assert message, the Version field indicates the version of the FBGP protocol. The Type field indicates the type of the FBGP Assert message. The FBGP ID (identity) field carries the backup group ID of the firewall backup group, with a configurable range of 1 to 255. The Priority field indicates the priority of the firewall device; its value is an integer, and a larger value means a higher priority. The State field is the firewall state in the FBGP protocol and takes one of two values: 1 for the available state and 0 for the unavailable state. The FBG IP Address field is the backup group IP address. The MAC Address field is the interface MAC address of the firewall device; interface MAC addresses differ between firewall devices, so this field identifies the individual firewall device within the firewall backup group. The Auth Type field indicates the authentication mode, which must be the same throughout one firewall backup group; if the Auth Type field contents differ, authentication fails and the message is discarded. When the value of the Auth Type field is 0, the message does not need to be authenticated; when it is 1, the message must be authenticated. The CheckSum field is used to detect modification of the message in transit: a checksum value is computed over the message contents according to the checksum algorithm and filled into the CheckSum field.
Before the main firewall device has been elected, every firewall device regards itself as the main firewall device and sends Assert messages to the other firewall devices in the firewall backup group through the backup group downlink interface. After receiving the Assert messages from the other firewall devices through the backup group downlink interface, each firewall device elects itself as the main firewall device or a backup firewall device using the priorities and interface MAC addresses of the other firewall devices together with its own. If a firewall device is elected as the main firewall device, it continues to send Assert messages periodically from the backup group downlink interface to the other firewall devices in the firewall backup group. If it is elected as a backup firewall device, it stops sending Assert messages from the backup group downlink interface and only monitors the Assert messages sent by the main firewall device.
When a firewall device sends an Assert message, it applies Layer-2 encapsulation to the message; the encapsulation type can be configured according to actual needs and may be, for example, 0x88cd. In the Layer-2 encapsulation, the destination MAC address of the Assert message is the backup group MAC address and the source MAC address is the interface MAC address of the firewall device.
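The Assert message format and its Layer-2 encapsulation described above can be exercised end to end: build a message, compute the CheckSum, wrap it in a frame addressed to the backup group MAC with ethertype 0x88cd, and have a receiver validate it the way the text describes (checksum, backup group ID, matching Auth Type). The following is an added example written for this page, not code from the patent or the assignee. The page names the fields but not their sizes or order, so the 18-byte wire layout, the Version and Type values, and the use of the 16-bit one's-complement (Internet) checksum are assumptions; the sample IP and MAC addresses are constructed.

```python
import ipaddress
import struct
from typing import Dict, Tuple

# Assumed wire layout, network byte order (the patent names the fields, not their sizes):
#   Version(1) Type(1) FBGP ID(1) Priority(1) State(1) Auth Type(1) CheckSum(2)
#   FBG IP Address(4) MAC Address(6)   -> 18 bytes
ASSERT_FMT = "!BBBBBBH4s6s"
ASSERT_LEN = struct.calcsize(ASSERT_FMT)
CHECKSUM_OFFSET = 6
FBGP_VERSION = 1            # assumed value
TYPE_ASSERT = 1             # assumed value
STATE_UNAVAILABLE, STATE_AVAILABLE = 0, 1
AUTH_NONE, AUTH_REQUIRED = 0, 1
FBGP_ETHERTYPE = 0x88CD     # the Layer-2 encapsulation type given in the text


def mac_bytes(mac: str) -> bytes:
    return bytes.fromhex(mac.replace(":", "").replace("-", ""))


def mac_str(raw: bytes) -> str:
    return "-".join(f"{b:02x}" for b in raw)


def backup_group_mac(group_id: int) -> bytes:
    """00-00-5e-00-00 followed by the backup group ID (1..255), as in the text."""
    if not 1 <= group_id <= 255:
        raise ValueError("backup group ID must be in 1..255")
    return bytes.fromhex("00005e0000") + bytes([group_id])


def internet_checksum(data: bytes) -> int:
    """16-bit one's-complement sum; assumed, since the text names no specific algorithm."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_assert(group_id: int, priority: int, state: int, auth_type: int,
                 fbg_ip: str, iface_mac: str) -> bytes:
    """Encode an Assert message with the CheckSum field filled in."""
    body = struct.pack(ASSERT_FMT, FBGP_VERSION, TYPE_ASSERT, group_id, priority, state,
                       auth_type, 0, ipaddress.IPv4Address(fbg_ip).packed, mac_bytes(iface_mac))
    csum = struct.pack("!H", internet_checksum(body))
    return body[:CHECKSUM_OFFSET] + csum + body[CHECKSUM_OFFSET + 2:]


def parse_assert(data: bytes, my_group_id: int, my_auth_type: int) -> Dict[str, object]:
    """Validate and decode a received Assert; raises ValueError where the text says 'discard'."""
    if len(data) != ASSERT_LEN:
        raise ValueError("bad length")
    # Summing the message including its own checksum must give zero if it was not modified.
    if internet_checksum(data) != 0:
        raise ValueError("checksum mismatch: message modified in transit")
    ver, typ, gid, prio, state, auth, _csum, ip, mac = struct.unpack(ASSERT_FMT, data)
    if gid != my_group_id:
        raise ValueError("Assert belongs to another backup group")
    if auth != my_auth_type:
        raise ValueError("authentication type mismatch")
    return {"version": ver, "type": typ, "group_id": gid, "priority": prio, "state": state,
            "auth_type": auth, "fbg_ip": str(ipaddress.IPv4Address(ip)), "iface_mac": mac_str(mac)}


def build_frame(group_id: int, iface_mac: str, payload: bytes) -> bytes:
    """Layer-2 encapsulation: destination = backup group MAC, source = interface MAC."""
    return (backup_group_mac(group_id) + mac_bytes(iface_mac)
            + struct.pack("!H", FBGP_ETHERTYPE) + payload)


def parse_frame(frame: bytes) -> Tuple[bytes, bytes, int, bytes]:
    """Split a frame into (destination MAC, source MAC, ethertype, payload)."""
    (etype,) = struct.unpack("!H", frame[12:14])
    return frame[:6], frame[6:12], etype, frame[14:]


if __name__ == "__main__":
    msg = build_assert(128, 120, STATE_AVAILABLE, AUTH_NONE, "203.0.113.1", "00-1a-2b-3c-4d-5e")
    frame = build_frame(128, "00-1a-2b-3c-4d-5e", msg)
    dst, src, etype, payload = parse_frame(frame)
    print(mac_str(dst), mac_str(src), hex(etype))   # 00-00-5e-00-00-80 ... 0x88cd
    print(parse_assert(payload, 128, AUTH_NONE))
```

Note that the CheckSum only detects accidental modification; it gives no assurance about who sent the message, which is why the text separately provides the Auth Type field and requires it to match across the group.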
Step 302: the firewall device issues the backup group IP address network segment route through the backup group uplink interface, so that downlink data is sent to the main firewall device in the firewall backup group. When the firewall device receives an Address Resolution Protocol (ARP) request message from the NAT device at the backup group downlink interface, it returns an ARP response message to the NAT device through the backup group downlink interface, so that the NAT device sends uplink data to the main firewall device in the firewall backup group. The ARP response message may carry the backup group IP address and backup group MAC address configured in the firewall backup group. The backup group IP address network segment route consists of the backup group IP address and a mask.
Step 303, the firewall device prohibits issuing the backup group IP address network segment route through the backup group uplink interface. When the firewall equipment receives the ARP request message from the NAT equipment at the downstream interface of the backup group, the firewall equipment prohibits the ARP response message from being returned to the NAT equipment through the downstream interface of the backup group.
Based on this, the firewall device will not issue the backup group IP address network segment route through the backup group uplink interface, and will not return the ARP response message through the backup group downlink interface.
With the above processing, the main firewall device advertises the backup group IP address network segment route (that is, a network segment route carrying the backup group IP address and mask) through its backup group uplink interface while the backup firewall devices do not, so downlink data from the Internet is routed to the main firewall device in the firewall backup group. After receiving the downlink data, the main firewall device applies its firewall policy to discard attack traffic and traffic that does not meet the policy requirements; only valid downlink data is forwarded to the NAT device, which translates it and sends it on to the user.
On the NAT device, the gateway address configured for uplink data destined for the external network is the backup group IP address. When the NAT device sends an ARP request message for the backup group IP address, the request reaches both the main firewall device and the backup firewall devices. The main firewall device, on receiving the ARP request message on its backup group downlink interface, returns an ARP response message to the NAT device through that interface; a backup firewall device, on receiving the same request on its backup group downlink interface, does not respond. After receiving the ARP response message from the main firewall device, the NAT device updates its ARP table entry. As a result, uplink data sent by the NAT device reaches the main firewall device in the firewall backup group and not the backup firewall devices.
In the embodiment of the present invention, FBGP entries may also be configured on the main firewall device and the backup firewall devices. The content of an FBGP entry includes, but is not limited to: the interface name, the backup group ID of the firewall backup group, the role of the firewall device (main or backup), the priority of the firewall device, the authentication mode of the firewall device, the backup group IP address, the backup group MAC address, the interface MAC address of the firewall device, and the network segment address information of the firewall device.
In the embodiment of the present invention, when the firewall device is the main firewall device, it further needs to detect whether a failure occurs, for example whether the uplink fails. If the main firewall device detects an uplink failure, it sends a layer-2 encapsulated second Assert message to the other firewall devices in the firewall backup group (namely the backup firewall devices); the second Assert message carries the state of the main firewall device, which is the unavailable state.
In the embodiment of the present invention, when the firewall device is a backup firewall device and receives a layer-2 encapsulated second Assert message from the main firewall device, if the state of the main firewall device obtained from that message is the unavailable state, the backup firewall device re-determines whether it is the main firewall device or a backup firewall device in the firewall backup group (using the priority and interface MAC address method described above, which is not repeated here). If it determines that it has changed from a backup firewall device to the main firewall device, it advertises the backup group IP address network segment route through its backup group uplink interface and sends an ARP update message through its backup group downlink interface, the ARP update message carrying the backup group IP address and the backup group MAC address. Downlink data is thereby sent to the current main firewall device in the firewall backup group (the backup firewall device that has just become the main firewall device), and the NAT device likewise sends uplink data to it.
Specifically, the process by which the backup firewall device re-determines whether it is the main firewall device or a backup firewall device in the firewall backup group is as follows. After the backup firewall device learns that the state of the main firewall device is the unavailable state, it starts a fault timer for the main firewall device, the timeout of which is longer than the sending interval of the second Assert message. If the backup firewall device receives another second Assert message before the fault timer expires and the state of the main firewall device carried in it is still the unavailable state, the backup firewall device resets the fault timer to zero. If the backup firewall device does not receive a second Assert message before the fault timer expires, it re-determines whether it is the main firewall device or a backup firewall device in the firewall backup group.
The main firewall device may detect whether the uplink fails in NQA (Network Quality Analyzer) mode or BFD (Bidirectional Forwarding Detection) mode. If an uplink failure is detected, the main firewall device no longer acts as the main firewall device in the firewall backup group and no longer forwards data, and it sends second Assert messages to the backup firewall devices, for example three second Assert messages sent periodically, each carrying the state of the main firewall device as the unavailable state.
When a backup firewall device receives a second Assert message from the main firewall device and the state obtained from it is the unavailable state, the backup firewall device starts a fault timer for the main firewall device whose timeout is longer than the sending interval of the second Assert message, for example three times that interval. If the backup firewall device receives no further second Assert message before the fault timer expires, it re-determines whether it is the main firewall device or a backup firewall device in the firewall backup group; if it determines that it is the main firewall device, it takes over the data forwarding work as the main firewall device in the firewall backup group. For example, the backup firewall device advertises the backup group IP address network segment route through its backup group uplink interface so that downlink data is sent to it, and sends an ARP update message to the NAT device through its backup group downlink interface so that the NAT device sends uplink data to it.
In the embodiment of the invention, if neither the main firewall device itself nor its downlink has failed, the main firewall device periodically sends a second Assert message carrying its state as the available state. Accordingly, when the firewall device is a backup firewall device and does not receive, within a preset time, a layer-2 encapsulated second Assert message from the main firewall device carrying the available state, it determines that the main firewall device itself and/or its downlink has failed and re-determines whether it is the main firewall device or a backup firewall device in the firewall backup group. If it determines that it has changed from a backup firewall device to the main firewall device, it advertises the backup group IP address network segment route through its backup group uplink interface so that downlink data is sent to it, and sends an ARP update message carrying the backup group IP address and the backup group MAC address through its backup group downlink interface so that the NAT device sends uplink data to it.
In the embodiment of the invention, when the firewall device is the main firewall device and, after sending a layer-2 encapsulated second Assert message to the backup firewall devices, detects that the failure has recovered (for example that the uplink has recovered), it determines that it is the main firewall device in the firewall backup group and sends a layer-2 encapsulated third Assert message to the other firewall devices in the firewall backup group (namely the backup firewall devices); the state of the main firewall device carried in the third Assert message is the available state. Correspondingly, when the firewall device is a backup firewall device that has determined it changed from backup to main and then receives a layer-2 encapsulated third Assert message from the main firewall device in which the state of the main firewall device is the available state, it determines that it has changed back to a backup firewall device in the firewall backup group. Through this processing the original main firewall device is restored as the main firewall device and the backup firewall device is restored as a backup firewall device.
When the failure of the main firewall device recovers, either non-preemptive or preemptive processing may be adopted. In non-preemptive mode the original main firewall device is not restored as the main firewall device and continues to serve as a backup firewall device in the firewall backup group, while the backup firewall device that took over is not restored as a backup and continues as the main firewall device in the firewall backup group. In preemptive mode the original main firewall device is restored as the main firewall device in the firewall backup group, and the backup firewall device that took over is restored as a backup firewall device in the firewall backup group.
In summary, in the embodiment of the invention a plurality of firewall devices are configured into one firewall backup group, so that backup among N firewall devices is realized and the single point of failure in the network is eliminated. By configuring a backup group IP address for the firewall backup group, only 2 public network IP addresses are needed regardless of the number of firewall devices: one for the firewall backup group (the backup group IP address) and one for the uplink port of the NAT device. This avoids wasting public network IP addresses, effectively conserves public network IP address resources, leaves the number of public network IP addresses available to the NAT device essentially undiminished, and improves NAT translation efficiency.
Based on the same inventive concept as the method, the embodiment of the invention also provides a firewall device, applied to a firewall backup group comprising a plurality of firewall devices. As shown in fig. 5, the firewall device specifically includes:
a determining module 11, configured to determine whether the firewall device is the main firewall device or a backup firewall device in the firewall backup group;
a processing module 12, configured to: when the firewall device is the main firewall device, advertise the backup group IP address network segment route through the backup group uplink interface so that downlink data is sent to the main firewall device in the firewall backup group, and, when the backup group downlink interface receives an ARP request message from the network address translation (NAT) device, return an ARP response message through the backup group downlink interface, the ARP response message carrying the backup group IP address and the backup group MAC address, so that the NAT device sends uplink data to the main firewall device in the firewall backup group; and when the firewall device is a backup firewall device, refrain from advertising the backup group IP address network segment route through the backup group uplink interface and, when the backup group downlink interface receives the ARP request message from the NAT device, refrain from returning an ARP response message through the backup group downlink interface.
The determining module 11 is specifically configured to receive layer-2 encapsulated first Assert (declaration) messages from the other firewall devices, each first Assert message carrying the priority and interface MAC address of the sending device; if the priority of the firewall device is higher than the priorities of all other firewall devices, determine that the firewall device is the main firewall device in the firewall backup group; if the priority of the firewall device is lower than the priority of any other firewall device, determine that the firewall device is a backup firewall device in the firewall backup group;
and if the priority of the firewall device is the maximum priority but equal to the priority of one or more other firewall devices, break the tie by interface MAC address in one of two ways: either, when the interface MAC address of the firewall device is larger than the interface MAC addresses of all other firewall devices with the same priority, determine that it is the main firewall device in the firewall backup group, and when it is smaller than the interface MAC address of any other firewall device with the same priority, determine that it is a backup firewall device in the firewall backup group; or, when the interface MAC address of the firewall device is larger than the interface MAC address of any other firewall device with the same priority, determine that it is a backup firewall device in the firewall backup group, and when it is smaller than the interface MAC addresses of all other firewall devices with the same priority, determine that it is the main firewall device in the firewall backup group.
The processing module 12 is further configured to, when the firewall device is the main firewall device and an uplink failure is detected, send a layer-2 encapsulated second Assert message to the other firewall devices in the firewall backup group, the state of the firewall device carried in the second Assert message being the unavailable state; and, when the firewall device is a backup firewall device and receives a layer-2 encapsulated second Assert message from the main firewall device in which the state of the main firewall device is the unavailable state, re-determine whether the firewall device is the main firewall device or a backup firewall device in the firewall backup group, and if the firewall device has changed from a backup firewall device to the main firewall device, advertise the backup group IP address network segment route through the backup group uplink interface and send an ARP update message carrying the backup group IP address and the backup group MAC address through the backup group downlink interface; or,
the processing module 12 is further configured to, when the firewall device is a backup firewall device and a layer-2 encapsulated second Assert message from the main firewall device carrying the available state is not received within a preset time, determine that the main firewall device itself and/or its downlink has failed, re-determine whether the firewall device is the main firewall device or a backup firewall device in the firewall backup group, and if the firewall device has changed from a backup firewall device to the main firewall device, advertise the backup group IP address network segment route through the backup group uplink interface and send an ARP update message carrying the backup group IP address and the backup group MAC address through the backup group downlink interface.
The processing module 12 is further configured, in the course of re-determining whether the firewall device is the main firewall device or a backup firewall device in the firewall backup group, to start a fault timer for the main firewall device after obtaining its state as the unavailable state, the timeout of the fault timer being longer than the sending interval of the second Assert message; to reset the fault timer to zero if a second Assert message carrying the unavailable state of the main firewall device is received before the fault timer expires; and to re-determine whether the firewall device is the main firewall device or a backup firewall device in the firewall backup group if no second Assert message is received before the fault timer expires.
The processing module 12 is further configured to, when the firewall device is the main firewall device and a failure recovery is detected after a layer-2 encapsulated second Assert message has been sent to the other firewall devices, determine that the firewall device is the main firewall device in the firewall backup group and send a layer-2 encapsulated third Assert message to the other firewall devices in the firewall backup group, the state of the firewall device carried in the third Assert message being the available state;
the processing module 12 is further configured to, when the firewall device is a backup firewall device that has determined it changed from a backup firewall device to the main firewall device and then receives a layer-2 encapsulated third Assert message from the main firewall device in which the state of the main firewall device is the available state, determine that the firewall device is a backup firewall device in the firewall backup group.
The modules of the device may be integrated into a whole or deployed separately. They may be combined into one module or further split into a plurality of sub-modules.
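As an added example that is not part of the patent or the applicant's code, the following Python simulates, for one member of a backup group, the election rule described above (priority first, then interface MAC address as tie-breaker) together with the second/third Assert fault-timer handling, and shows how preemptive and non-preemptive recovery differ. The class and function names, the choice of 3 x the Assert interval for both the fault-timer timeout and the preset keepalive time, and the constructed three-device timeline are assumptions, not values from the patent.

```python
"""Added example, not the patent's or H3C's code: simulated role election and
fault-timer handling for one member of a firewall backup group. Assumed names:
Peer, elect_role, BackupNode, run_scenario; the preset keepalive time and the
fault-timer timeout are both taken as 3 x the Assert sending interval."""
from dataclasses import dataclass

MAIN, BACKUP = "main", "backup"
AVAILABLE, UNAVAILABLE = "available", "unavailable"

@dataclass(frozen=True)
class Peer:
    """What a first Assert message tells a member about another member."""
    name: str
    priority: int
    if_mac: str  # interface MAC address, the tie-breaker

def mac_to_int(mac):
    return int(mac.replace(":", "").replace("-", ""), 16)

def elect_role(me, others, higher_mac_wins=True):
    """Highest priority wins; among equal highest priorities the interface MAC
    decides. The text allows either MAC direction; higher_mac_wins selects it."""
    if not others:
        return MAIN  # nobody left to compete with
    top = max(p.priority for p in others)
    if me.priority > top:
        return MAIN
    if me.priority < top:
        return BACKUP
    tied = [mac_to_int(p.if_mac) for p in others if p.priority == me.priority]
    mine = mac_to_int(me.if_mac)
    if higher_mac_wins:
        return MAIN if all(mine > m for m in tied) else BACKUP
    return MAIN if all(mine < m for m in tied) else BACKUP

class BackupNode:
    """A backup member watching the main device via second/third Assert
    messages. Times are seconds on a simulated clock."""
    def __init__(self, me, others, main_name, interval, preempt=True):
        self.me, self.others, self.main = me, others, main_name
        self.interval, self.preempt = interval, preempt
        self.role = BACKUP
        self.fault_deadline = None              # fault timer, started on 'unavailable'
        self.keepalive_deadline = 3 * interval  # preset time for 'available' Asserts
        self.actions = []                       # forwarding-plane actions taken

    def _become_main(self):
        self.role = MAIN
        self.actions += ["advertise backup-group IP segment route on uplink",
                         "send ARP update with backup-group IP and MAC on downlink"]

    def _reelect(self):
        # Assumption: the failed main no longer competes, so elect among survivors.
        survivors = [p for p in self.others if p.name != self.main]
        if elect_role(self.me, survivors) == MAIN:
            self._become_main()
        self.fault_deadline = self.keepalive_deadline = None

    def on_assert(self, now, sender, state):
        if sender != self.main:
            return
        if state == UNAVAILABLE:
            # second Assert after an uplink failure: start or reset the fault timer
            self.fault_deadline = now + 3 * self.interval
            self.keepalive_deadline = None
        elif self.role == BACKUP:
            # second Assert keepalive: main is healthy, refresh the preset time
            self.keepalive_deadline = now + 3 * self.interval
            self.fault_deadline = None
        elif self.preempt:
            # third Assert from the recovered main: give the role back (preemptive mode)
            self.role = BACKUP
            self.actions.append("withdraw route and stop answering ARP on downlink")
            self.keepalive_deadline = now + 3 * self.interval
        # non-preemptive mode: the third Assert is ignored and this node stays main

    def tick(self, now):
        if self.fault_deadline is not None and now >= self.fault_deadline:
            self._reelect()  # no further 'unavailable' Asserts: main has left
        elif (self.role == BACKUP and self.keepalive_deadline is not None
              and now >= self.keepalive_deadline):
            self._reelect()  # silent main: device or downlink failure

def run_scenario(preempt=True):
    """Constructed timeline: fw1 is main, its uplink fails at t=3, it recovers at t=10."""
    fw1 = Peer("fw1", 120, "00:11:22:33:44:01")
    fw2 = Peer("fw2", 100, "00:11:22:33:44:0a")  # this node
    fw3 = Peer("fw3", 100, "00:11:22:33:44:02")  # same priority, lower MAC
    node = BackupNode(fw2, [fw1, fw3], "fw1", interval=1.0, preempt=preempt)
    roles = {}
    for t in range(11):
        if t <= 2:
            node.on_assert(t, "fw1", AVAILABLE)    # normal keepalives
        elif t <= 5:
            node.on_assert(t, "fw1", UNAVAILABLE)  # the three second Asserts
        elif t == 10:
            node.on_assert(t, "fw1", AVAILABLE)    # third Assert: failure recovered
        node.tick(t)
        roles[t] = node.role
    return roles, node.actions
```

In the scenario fw2 stays backup until the fault timer started by the last unavailable Assert (t=5) expires at t=8, then wins the tie against fw3 on MAC address and takes over; the third Assert at t=10 demotes it only in preemptive mode.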
Through the above description of the embodiments, those skilled in the art will clearly understand that the present invention may be implemented by software plus the necessary general-purpose hardware platform, and certainly may also be implemented by hardware, but in many cases the former is the better implementation. Based on this understanding, the technical solutions of the present invention may be embodied in the form of a software product stored in a storage medium and including instructions that cause a computer device (which may be a personal computer, a server, or a network device) to execute the methods of the embodiments of the present invention. Those skilled in the art will appreciate that the drawings are merely schematic representations of one preferred embodiment and that the blocks or flow diagrams in the drawings are not necessarily required to practice the present invention. Those skilled in the art will also appreciate that the modules of the devices in the embodiments may be distributed among the devices as described in the embodiments, or correspondingly placed in one or more devices different from those of the embodiments. The modules of the above embodiments may be combined into one module or further split into multiple sub-modules. The above serial numbers of the embodiments of the present invention are merely for description and do not represent the merits of the embodiments. The above disclosure covers only a few specific embodiments of the present invention, but the present invention is not limited thereto, and any variations that can be made by those skilled in the art are intended to fall within the scope of the present invention.

Claims (10)

1. A backup method for a firewall device, wherein the method is applied to a firewall backup group comprising a plurality of firewall devices, a backup group IP address and a backup group media access control (MAC) address are configured in the firewall backup group, and the method comprises the following steps:
the firewall device determines whether it is the main firewall device or a backup firewall device in the firewall backup group;
when the firewall device is the main firewall device, the firewall device advertises a backup group IP address network segment route through a backup group uplink interface so that downlink data is sent to the main firewall device in the firewall backup group, and, when the firewall device receives an ARP request message from a network address translation (NAT) device at a backup group downlink interface, the firewall device returns an ARP response message through the backup group downlink interface, the ARP response message carrying the backup group IP address and the backup group MAC address, so that the NAT device sends uplink data to the main firewall device in the firewall backup group;
when the firewall device is a backup firewall device, the firewall device refrains from advertising the backup group IP address network segment route through the backup group uplink interface, and, when the firewall device receives the ARP request message from the NAT device at the backup group downlink interface, the firewall device refrains from returning an ARP response message through the backup group downlink interface.
2. The method of claim 1, wherein the firewall device determining whether it is the main firewall device or a backup firewall device in the firewall backup group comprises:
the firewall device receives a layer-2 encapsulated first Assert message from each other firewall device, the first Assert message carrying the priority and the interface MAC address of that other firewall device;
if the priority of the firewall device is higher than the priorities of all other firewall devices, the firewall device determines that it is the main firewall device in the firewall backup group;
if the priority of the firewall device is lower than the priority of any other firewall device, the firewall device determines that it is a backup firewall device in the firewall backup group;
if the priority of the firewall device is the maximum priority and is equal to the priority of one or more other firewall devices, then: when the interface MAC address of the firewall device is larger than the interface MAC addresses of all other firewall devices with the same priority, the firewall device determines that it is the main firewall device in the firewall backup group, and when the interface MAC address of the firewall device is smaller than the interface MAC address of any other firewall device with the same priority, the firewall device determines that it is a backup firewall device in the firewall backup group; or, when the interface MAC address of the firewall device is larger than the interface MAC address of any other firewall device with the same priority, the firewall device determines that it is a backup firewall device in the firewall backup group, and when the interface MAC address of the firewall device is smaller than the interface MAC addresses of all other firewall devices with the same priority, the firewall device determines that it is the main firewall device in the firewall backup group.
3. The method of claim 1, wherein the method further comprises:
when the firewall device is the main firewall device and detects that the uplink has failed, the firewall device sends a layer-2 encapsulated second Assert message to the other firewall devices in the firewall backup group, the state of the firewall device carried in the second Assert message being the unavailable state; when the firewall device is a backup firewall device and receives a layer-2 encapsulated second Assert message from the main firewall device in which the state of the main firewall device is the unavailable state, the firewall device re-determines whether it is the main firewall device or a backup firewall device in the firewall backup group; if the firewall device determines that it has changed from a backup firewall device to the main firewall device, it advertises the backup group IP address network segment route through the backup group uplink interface and sends an ARP update message through the backup group downlink interface, the ARP update message carrying the backup group IP address and the backup group MAC address; or,
when the firewall device is a backup firewall device and does not receive, within a preset time, a layer-2 encapsulated second Assert message from the main firewall device carrying the state of the main firewall device as the available state, the firewall device determines that the main firewall device itself and/or its downlink has failed and re-determines whether it is the main firewall device or a backup firewall device in the firewall backup group; if the firewall device determines that it has changed from a backup firewall device to the main firewall device, it advertises the backup group IP address network segment route through the backup group uplink interface and sends an ARP update message through the backup group downlink interface, the ARP update message carrying the backup group IP address and the backup group MAC address.
4. The method according to claim 3, wherein, when the firewall device is a backup firewall device, the firewall device re-determining whether it is the main firewall device or a backup firewall device in the firewall backup group comprises:
after the firewall device obtains the state of the main firewall device as the unavailable state, starting a fault timer for the main firewall device, the timeout of the fault timer being longer than the sending interval of the second Assert message; if the firewall device receives a second Assert message before the fault timer expires and the state of the main firewall device carried in it is the unavailable state, the firewall device resets the fault timer to zero; and if the firewall device does not receive a second Assert message before the fault timer expires, the firewall device re-determines whether it is the main firewall device or a backup firewall device in the firewall backup group.
5. The method of claim 3 or 4, wherein the method further comprises:
when the firewall device is the main firewall device and, after sending a layer-2 encapsulated second Assert message to the other firewall devices, detects that the failure has recovered, the firewall device determines that it is the main firewall device in the firewall backup group and sends a layer-2 encapsulated third Assert message to the other firewall devices in the firewall backup group, the state of the firewall device carried in the third Assert message being the available state;
when the firewall device is a backup firewall device and, after determining that it has changed from a backup firewall device to the main firewall device, receives a layer-2 encapsulated third Assert message from the main firewall device in which the state of the main firewall device is the available state, the firewall device determines that it is a backup firewall device in the firewall backup group.
6. A firewall device, applied to a firewall backup group comprising a plurality of firewall devices, wherein a backup group IP address and a backup group MAC address are configured in the firewall backup group, and the firewall device specifically includes:
a determining module, configured to determine whether the firewall device is the main firewall device or a backup firewall device in the firewall backup group;
a processing module, configured to, when the firewall device is the main firewall device, advertise a backup group IP address network segment route through a backup group uplink interface so that downlink data is sent to the main firewall device in the firewall backup group, and, when a backup group downlink interface receives an ARP request message from a network address translation (NAT) device, return an ARP response message through the backup group downlink interface, the ARP response message carrying the backup group IP address and the backup group MAC address, so that the NAT device sends uplink data to the main firewall device in the firewall backup group;
and, when the firewall device is a backup firewall device, refrain from advertising the backup group IP address network segment route through the backup group uplink interface and, when the backup group downlink interface receives the ARP request message from the NAT device, refrain from returning an ARP response message through the backup group downlink interface.
7. The firewall device of claim 6, wherein
the determining module is specifically configured to receive layer-2 encapsulated first Assert messages from the other firewall devices, each first Assert message carrying the priority and interface MAC address of the sending device; if the priority of the firewall device is higher than the priorities of all other firewall devices, determine that the firewall device is the main firewall device in the firewall backup group; if the priority of the firewall device is lower than the priority of any other firewall device, determine that the firewall device is a backup firewall device in the firewall backup group;
and if the priority of the firewall device is the maximum priority but equal to the priority of one or more other firewall devices, then: when the interface MAC address of the firewall device is larger than the interface MAC addresses of all other firewall devices with the same priority, determine that the firewall device is the main firewall device in the firewall backup group, and when the interface MAC address of the firewall device is smaller than the interface MAC address of any other firewall device with the same priority, determine that the firewall device is a backup firewall device in the firewall backup group; or, when the interface MAC address of the firewall device is larger than the interface MAC address of any other firewall device with the same priority, determine that the firewall device is a backup firewall device in the firewall backup group, and when the interface MAC address of the firewall device is smaller than the interface MAC addresses of all other firewall devices with the same priority, determine that the firewall device is the main firewall device in the firewall backup group.
8. The firewall device of claim 6, wherein
the processing module is further configured to, when the firewall device is the main firewall device and an uplink failure is detected, send a Layer-2 encapsulated second Assert message to the other firewall devices in the firewall backup group, the state of the firewall device carried in the second Assert message being the unavailable state; and, when the firewall device is a backup firewall device and a Layer-2 encapsulated second Assert message is received from the main firewall device, if the state of the main firewall device obtained from the second Assert message is the unavailable state, re-determine whether the firewall device is the main firewall device or a backup firewall device in the firewall backup group, and, if the firewall device is determined to have changed from a backup firewall device to the main firewall device, issue a route for the backup group IP address network segment through the backup group uplink interface and send an ARP update message through the backup group downlink interface, the ARP update message carrying the backup group IP address and the backup group MAC address; or,
the processing module is further configured to, when the firewall device is a backup firewall device, if no Layer-2 encapsulated second Assert message carrying the state of the main firewall device as available is received from the main firewall device within a preset time, determine that the main firewall device itself has failed and/or the downlink of the main firewall device has failed, and re-determine whether the firewall device is the main firewall device or a backup firewall device in the firewall backup group; and, if the firewall device is determined to have changed from a backup firewall device to the main firewall device, issue a route for the backup group IP address network segment through the backup group uplink interface and send an ARP update message through the backup group downlink interface, the ARP update message carrying the backup group IP address and the backup group MAC address.
9. The firewall device of claim 8, wherein
the processing module is further configured to, in the process of re-determining whether the firewall device is the main firewall device or a backup firewall device in the firewall backup group, start a fault timer for the main firewall device after the state of the main firewall device is obtained as the unavailable state, the timeout of the fault timer being longer than the sending interval of the second Assert message; if the firewall device receives a second Assert message before the fault timer times out and the state of the main firewall device carried in that second Assert message is the unavailable state, reset the fault timer to zero; and if the firewall device does not receive a second Assert message before the fault timer times out, re-determine whether the firewall device is the main firewall device or a backup firewall device in the firewall backup group.
10. The firewall device of claim 8 or 9, wherein
the processing module is further configured to, when the firewall device is the main firewall device and failure recovery is detected after the Layer-2 encapsulated second Assert message has been sent to the other firewall devices, determine that the firewall device is the main firewall device in the firewall backup group and send a Layer-2 encapsulated third Assert message to the other firewall devices in the firewall backup group, the state of the firewall device carried in the third Assert message being the available state; and
the processing module is further configured to, when the firewall device is a backup firewall device that has been determined to have changed from a backup firewall device to the main firewall device, upon receiving a Layer-2 encapsulated third Assert message from the main firewall device, if the state of the main firewall device obtained from the third Assert message is the available state, determine that the firewall device is a backup firewall device in the firewall backup group.
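The election rule of claim 7 and the failover rules of claims 8 to 10, as an added Python example that is not code from the patent or from H3C. Device names, priorities, MAC addresses and timer values are constructed, and the Assert message is reduced to a (sender, state) pair because the page does not give the Layer-2 frame format; the route advertisement and ARP update that a newly elected master performs are noted in comments but not modelled.

```python
"""Master election and failover for a firewall backup group (claims 7-10).
Added example, not code from the patent or from H3C; all device names,
priorities, MAC addresses and timer values are constructed."""
from dataclasses import dataclass, field
from enum import Enum
from typing import List, Optional


class Role(Enum):
    MASTER = "master"
    BACKUP = "backup"


class State(Enum):
    AVAILABLE = "available"
    UNAVAILABLE = "unavailable"


@dataclass(frozen=True)
class Device:
    name: str
    priority: int
    mac: str  # MAC address of the interface used for the backup group


def mac_value(mac: str) -> int:
    """Numeric value of a MAC address so that addresses can be ordered."""
    return int(mac.replace(":", "").replace("-", ""), 16)


def elect_role(me: Device, others: List[Device], higher_mac_wins: bool = True) -> Role:
    """Claim 7: highest priority is master; a tie at the top is broken by MAC.
    Claim 7 allows either tie-break direction, so it is a parameter; every
    member must use the same direction or the group ends up with two masters."""
    if not others:
        return Role.MASTER
    best_other = max(d.priority for d in others)
    if me.priority > best_other:
        return Role.MASTER
    if me.priority < best_other:
        return Role.BACKUP
    tied = [mac_value(d.mac) for d in others if d.priority == me.priority]
    mine = mac_value(me.mac)
    if higher_mac_wins:
        return Role.MASTER if all(mine > m for m in tied) else Role.BACKUP
    return Role.MASTER if all(mine < m for m in tied) else Role.BACKUP


def elect_master(members: List[Device]) -> Device:
    """The one member whose elect_role() comes out as MASTER."""
    return next(d for d in members
                if elect_role(d, [o for o in members if o != d]) == Role.MASTER)


@dataclass
class Member:
    """Failover state of one member (claims 8-10); time is passed in explicitly."""
    me: Device
    group: List[Device]
    assert_interval: float  # interval at which the master sends Assert messages
    fault_timeout: float    # claim 9: must be longer than assert_interval
    preset_time: float      # claim 8: silence after which the master is taken as failed
    master: Device = field(init=False)
    failed_master: Optional[Device] = None
    last_available: float = 0.0
    fault_timer_start: Optional[float] = None

    def __post_init__(self) -> None:
        if self.fault_timeout <= self.assert_interval:
            raise ValueError("fault timer must outlast the Assert interval (claim 9)")
        self.master = elect_master(self.group)

    @property
    def role(self) -> Role:
        return Role.MASTER if self.master == self.me else Role.BACKUP

    def on_assert(self, now: float, sender: Device, state: State) -> None:
        """Handle an Assert message that carries the sender's state."""
        if state == State.AVAILABLE and sender == self.failed_master:
            # Claim 10: the original master has recovered and takes the group
            # back, so a promoted backup steps down again.
            self.master, self.failed_master = sender, None
        if sender != self.master:
            return
        if state == State.AVAILABLE:
            self.last_available, self.fault_timer_start = now, None
        else:
            # Claim 9: start the fault timer on the first UNAVAILABLE Assert
            # and reset it to zero on every further one.
            self.fault_timer_start = now

    def tick(self, now: float) -> None:
        """Periodic check of the fault timer (claim 9) and of master silence (claim 8)."""
        if self.role != Role.BACKUP:
            return
        expired = (self.fault_timer_start is not None
                   and now - self.fault_timer_start >= self.fault_timeout)
        silent = (self.fault_timer_start is None
                  and now - self.last_available >= self.preset_time)
        if expired or silent:
            # Claim 8: re-run the election without the failed master. The new
            # master would then advertise the backup-group route upstream and
            # send an ARP update downstream; that signalling is not modelled.
            self.failed_master, self.fault_timer_start = self.master, None
            self.master = elect_master([d for d in self.group if d != self.failed_master])
```

The two failure paths are kept separate on purpose: an uplink failure is announced by the master itself (unavailable state, fault timer), whereas a dead master or a broken downlink is only visible as silence (preset time). The constructor rejects a fault timeout that is not longer than the Assert interval, since otherwise a healthy master announcing its unavailable state would be treated as silent between two consecutive messages.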
CN201510007873.XA 2015-01-07 2015-01-07 The backup method and equipment of a kind of firewall box Active CN104618148B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201510007873.XA CN104618148B (en) 2015-01-07 2015-01-07 The backup method and equipment of a kind of firewall box

Publications (2)

Publication Number Publication Date
CN104618148A CN104618148A (en) 2015-05-13
CN104618148B true CN104618148B (en) 2017-12-08

Family

ID=53152439

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201510007873.XA Active CN104618148B (en) 2015-01-07 2015-01-07 The backup method and equipment of a kind of firewall box

Country Status (1)

Country Link
CN (1) CN104618148B (en)

Families Citing this family (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN108900544A (en) * 2018-08-13 2018-11-27 武汉思普崚技术有限公司 Active and standby fire wall setting method and device
CN109698767A (en) * 2018-12-20 2019-04-30 杭州迪普科技股份有限公司 A kind of main/standby switching method and device
CN110138656B (en) * 2019-05-28 2022-03-01 新华三技术有限公司 Service processing method and device
CN111064826B (en) * 2019-12-31 2022-06-21 奇安信科技集团股份有限公司 Information processing method, apparatus, electronic device and medium executed by firewall

Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN103227725A (en) * 2012-03-30 2013-07-31 杭州华三通信技术有限公司 Method and device for dual-server backup of firewall
CN103414706A (en) * 2013-07-30 2013-11-27 曙光信息产业(北京)有限公司 Method and device for managing double-firewall system
CN103441987A (en) * 2013-07-30 2013-12-11 曙光信息产业(北京)有限公司 Method and device for managing dual-computer firewall system

Family Cites Families (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN102473170B (en) * 2009-07-24 2016-01-27 惠普开发有限公司 Virtual machine based application service provisioning

Also Published As

Publication number Publication date
CN104618148A (en) 2015-05-13

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
EXSB Decision made by sipo to initiate substantive examination
SE01 Entry into force of request for substantive examination
CB02 Change of applicant information

Address after: No. 466 Changhe Road, Binjiang District, Zhejiang, China, 310052

Applicant after: Xinhua three Technology Co., Ltd.

Address before: No. 466 Changhe Road, Binjiang District, Zhejiang, China, 310052

Applicant before: Huasan Communication Technology Co., Ltd.

GR01 Patent grant