CN104618148A - Firewall device and backup method thereof - Google Patents

Publication number: CN104618148A
Authority: CN (China)
Legal status: Granted
Application number: CN201510007873.XA
Other languages: Chinese (zh)
Other versions: CN104618148B (en)
Inventors: 苏艳梅, 顾雷雷
Current Assignee: Hangzhou H3C Technologies Co Ltd
Original Assignee: Hangzhou H3C Technologies Co Ltd
Landscapes: Data Exchanges In Wide-Area Networks

Abstract

The invention discloses a firewall device and a backup method thereof. The backup method comprises determining whether the firewall device is a main firewall device or a backup firewall device through the firewall device; releasing a backup group IP (Internet Protocol) address network segment route through a backup group upstream interface by the firewall device so as to enable downstream data to be sent to the main firewall device when the firewall device is the main firewall device; returning an ARP (Address Resolution Protocol) response message through a backup group downstream interface by the firewall device so as to enable upstream data to be sent to the main firewall device through an NAT (Network Address Translation) device when the backup group downstream interface receives an ARP request message from the NAT device. According to the firewall device and the backup method thereof, the backup function of N firewall devices is implemented, the problem of the network single-point fault is solved, the resource waste of public network IP addresses is avoided, and resources of the public network IP addresses are effectively saved.

Description

Firewall device and backup method thereof
Technical field
The present invention relates to the field of communication technology, and in particular to a firewall device and a backup method thereof.
Background
Fig. 1 is a schematic diagram of a networking application in which the NAT (Network Address Translation) device and the firewall device are deployed separately. Because the NAT device must perform a large number of translations and the firewall device must issue a large number of firewall policies, the two are deployed separately to relieve the load on each. In this arrangement, traffic from the Internet first passes through the firewall device and then reaches the NAT device. On the firewall device, firewall policy discards attack traffic and traffic that does not meet requirements, so only valid traffic reaches the NAT device. This reduces the processing load on the NAT device and removes the concern about attack traffic from the Internet.
To avoid a single point of failure, the backup function of the firewall device is essential: multiple firewall devices are deployed in the network and a VRRP (Virtual Router Redundancy Protocol) group is configured on each of them, which gives the firewall devices a master/backup function. To configure the VRRP group, suppose the number of firewall devices is N; the existing networking then needs N+2 public IP addresses in total: each firewall device needs one public IP address, the uplink port of the NAT device needs one public IP address, and the VRRP group needs one public IP address as its virtual IP address.
Therefore, in this approach the VRRP group occupies many public addresses.
Summary of the invention
An embodiment of the present invention provides a backup method for a firewall device, applied in a firewall backup group that comprises multiple firewall devices, where a backup group IP address and a backup group media access control (MAC) address are configured in the firewall backup group. The method comprises the following steps. The firewall device determines whether it is the master firewall device or a backup firewall device in the firewall backup group. When the firewall device is the master firewall device, it advertises the backup group IP address network-segment route through the backup group upstream interface, so that downlink data is sent to the master firewall device in the firewall backup group; and when it receives an ARP request message from a network address translation (NAT) device on the backup group downstream interface, it returns an ARP response message through the backup group downstream interface, the ARP response message carrying the backup group IP address and the backup group MAC address, so that the NAT device sends upstream data to the master firewall device in the firewall backup group. When the firewall device is a backup firewall device, it is prohibited from advertising the backup group IP address network-segment route through the backup group upstream interface; and when it receives an ARP request message from the NAT device on the backup group downstream interface, it is prohibited from returning an ARP response message through the backup group downstream interface.
The firewall device determining whether it is the master firewall device or a backup firewall device in the firewall backup group comprises: the firewall device receives Layer 2 encapsulated first Assert (declaration) messages from the other firewall devices, each first Assert message carrying the priority and interface MAC address of the other firewall device. If the priority of the firewall device is greater than the priorities of all other firewall devices, the firewall device determines that it is the master firewall device in the firewall backup group. If the priority of the firewall device is less than the priority of any other firewall device, the firewall device determines that it is a backup firewall device in the firewall backup group. If the priority of the firewall device is the maximum priority and equals the priority of another firewall device, then: when the interface MAC address of the firewall device is greater than the interface MAC addresses of all other firewall devices with the same priority, the firewall device determines that it is the master firewall device in the firewall backup group; when its interface MAC address is less than the interface MAC address of any other firewall device with the same priority, it determines that it is a backup firewall device in the firewall backup group. Alternatively, when the interface MAC address of the firewall device is greater than the interface MAC address of any other firewall device with the same priority, the firewall device determines that it is a backup firewall device in the firewall backup group; when its interface MAC address is less than the interface MAC addresses of all other firewall devices with the same priority, it determines that it is the master firewall device in the firewall backup group.
The method further comprises:
When the firewall device is the master firewall device and detects that the uplink has failed, it sends a Layer 2 encapsulated second Assert message to the other firewall devices in the firewall backup group, and the state of the firewall device carried in the second Assert message is the down state. When the firewall device is a backup firewall device and receives a Layer 2 encapsulated second Assert message from the master firewall device, if the state of the master firewall device obtained from the second Assert message is the down state, the firewall device re-determines whether it is the master firewall device or a backup firewall device in the firewall backup group. If the firewall device determines that it changes from a backup firewall device to the master firewall device, it advertises the backup group IP address network-segment route through the backup group upstream interface and sends an ARP update message through the backup group downstream interface, the ARP update message carrying the backup group IP address and the backup group MAC address; or,
When the firewall device is a backup firewall device, if it does not receive within a preset time a Layer 2 encapsulated second Assert message from the master firewall device in which the state carried for the master firewall device is the up state, it determines that the master firewall device itself and/or the downlink of the master firewall device has failed, and re-determines whether it is the master firewall device or a backup firewall device in the firewall backup group. If the firewall device determines that it changes from a backup firewall device to the master firewall device, it advertises the backup group IP address network-segment route through the backup group upstream interface and sends an ARP update message through the backup group downstream interface, the ARP update message carrying the backup group IP address and the backup group MAC address.
When the firewall device is a backup firewall device, the process by which it re-determines whether it is the master firewall device or a backup firewall device in the firewall backup group specifically comprises:
After the firewall device learns that the state of the master firewall device is the down state, it starts a failure timer for the master firewall device; the timeout of the failure timer is greater than the sending interval of the second Assert message. If the firewall device receives a second Assert message before the failure timer expires, and the state of the master firewall device carried in that second Assert message is the down state, the firewall device resets the failure timer to zero. If the firewall device does not receive a second Assert message before the failure timer expires, it re-determines whether it is the master firewall device or a backup firewall device in the firewall backup group.
The method further comprises:
When the firewall device is the master firewall device, after it has sent the Layer 2 encapsulated second Assert message to the other firewall devices, if it detects that the fault has recovered, it determines that it is the master firewall device in the firewall backup group and sends a Layer 2 encapsulated third Assert message to the other firewall devices in the firewall backup group, and the state of the firewall device carried in the third Assert message is the up state;
When the firewall device is a backup firewall device, after it has determined that it changes from a backup firewall device to the master firewall device, and it receives a Layer 2 encapsulated third Assert message from the master firewall device, if the state of the master firewall device obtained from the third Assert message is the up state, the firewall device determines that it is a backup firewall device in the firewall backup group.
An embodiment of the present invention provides a firewall device, applied in a firewall backup group that comprises multiple firewall devices, where a backup group IP address and a backup group media access control (MAC) address are configured in the firewall backup group. The firewall device specifically comprises:
A determination module, configured to determine whether the firewall device is the master firewall device or a backup firewall device in the firewall backup group;
A processing module, configured to, when the firewall device is the master firewall device, advertise the backup group IP address network-segment route through the backup group upstream interface, so that downlink data is sent to the master firewall device in the firewall backup group; and, when an ARP request message from a network address translation (NAT) device is received on the backup group downstream interface, return an ARP response message through the backup group downstream interface, the ARP response message carrying the backup group IP address and the backup group MAC address, so that the NAT device sends upstream data to the master firewall device in the firewall backup group;
When the firewall device is a backup firewall device, the processing module is prohibited from advertising the backup group IP address network-segment route through the backup group upstream interface; and when an ARP request message from the NAT device is received on the backup group downstream interface, it is prohibited from returning an ARP response message through the backup group downstream interface.
The determination module is specifically configured to receive Layer 2 encapsulated first Assert (declaration) messages from the other firewall devices, each first Assert message carrying the priority and interface MAC address of the other firewall device. If the priority of the firewall device is greater than the priorities of all other firewall devices, it determines that the firewall device is the master firewall device in the firewall backup group. If the priority of the firewall device is less than the priority of any other firewall device, it determines that the firewall device is a backup firewall device in the firewall backup group;
If the priority of the firewall device is the maximum priority and equals the priority of another firewall device, then: when the interface MAC address of the firewall device is greater than the interface MAC addresses of all other firewall devices with the same priority, it determines that the firewall device is the master firewall device in the firewall backup group; when the interface MAC address of the firewall device is less than the interface MAC address of any other firewall device with the same priority, it determines that the firewall device is a backup firewall device in the firewall backup group. Alternatively, when the interface MAC address of the firewall device is greater than the interface MAC address of any other firewall device with the same priority, it determines that the firewall device is a backup firewall device in the firewall backup group; when the interface MAC address of the firewall device is less than the interface MAC addresses of all other firewall devices with the same priority, it determines that the firewall device is the master firewall device in the firewall backup group.
The processing module is also configured to, when the firewall device is the master firewall device and an uplink failure is detected, send a Layer 2 encapsulated second Assert message to the other firewall devices in the firewall backup group, the state of the firewall device carried in the second Assert message being the down state. When the firewall device is a backup firewall device and a Layer 2 encapsulated second Assert message is received from the master firewall device, if the state of the master firewall device obtained from the second Assert message is the down state, the processing module re-determines whether the firewall device is the master firewall device or a backup firewall device in the firewall backup group. If it determines that the firewall device changes from a backup firewall device to the master firewall device, it advertises the backup group IP address network-segment route through the backup group upstream interface and sends an ARP update message through the backup group downstream interface, the ARP update message carrying the backup group IP address and the backup group MAC address; or,
The processing module is also configured to, when the firewall device is a backup firewall device, if no Layer 2 encapsulated second Assert message carrying the up state for the master firewall device is received from the master firewall device within a preset time, determine that the master firewall device itself and/or the downlink of the master firewall device has failed, and re-determine whether the firewall device is the master firewall device or a backup firewall device in the firewall backup group. If it determines that the firewall device changes from a backup firewall device to the master firewall device, it advertises the backup group IP address network-segment route through the backup group upstream interface and sends an ARP update message through the backup group downstream interface, the ARP update message carrying the backup group IP address and the backup group MAC address.
The processing module is further configured to, in the process of re-determining whether the firewall device is the master firewall device or a backup firewall device in the firewall backup group, start a failure timer for the master firewall device after learning that the state of the master firewall device is the down state; the timeout of the failure timer is greater than the sending interval of the second Assert message. If the firewall device receives a second Assert message before the failure timer expires, and the state of the master firewall device carried in that second Assert message is the down state, the failure timer is reset to zero. If the firewall device does not receive a second Assert message before the failure timer expires, the processing module re-determines whether the firewall device is the master firewall device or a backup firewall device in the firewall backup group.
The processing module is further configured to, when the firewall device is the master firewall device, after the Layer 2 encapsulated second Assert message has been sent to the other firewall devices, if fault recovery is detected, determine that the firewall device is the master firewall device in the firewall backup group and send a Layer 2 encapsulated third Assert message to the other firewall devices in the firewall backup group, the state of the firewall device carried in the third Assert message being the up state;
The processing module is further configured to, when the firewall device is a backup firewall device, after it has been determined that the firewall device changes from a backup firewall device to the master firewall device, and a Layer 2 encapsulated third Assert message is received from the master firewall device, if the state of the master firewall device obtained from the third Assert message is the up state, determine that the firewall device is a backup firewall device in the firewall backup group.
Based on the above technical solution, in the embodiments of the present invention multiple firewall devices are configured as one firewall backup group, which implements the backup function for N firewall devices and solves the network single-point-of-failure problem. Because one backup group IP address is configured for the firewall backup group, only 2 public IP addresses are needed regardless of the number of firewall devices: the firewall backup group needs one public IP address (the backup group IP address) and the uplink port of the NAT device needs one public IP address. This avoids wasting public IP address resources and effectively saves them, does not cause the number of public IP addresses that the NAT device can use to be significantly reduced, and improves the efficiency of NAT translation.
Brief description of the drawings
Fig. 1 is a schematic diagram of a prior-art networking application in which the NAT device and the firewall device are deployed separately;
Fig. 2 is a schematic diagram of a networking application, proposed by an embodiment of the present invention, in which the NAT device and the firewall device are deployed separately;
Fig. 3 is a flow diagram of the backup method for a firewall device proposed by an embodiment of the present invention;
Fig. 4 is a schematic diagram of the format of the Assert message proposed by an embodiment of the present invention;
Fig. 5 is a structural diagram of a firewall device proposed by an embodiment of the present invention.
Detailed description
To address the problems in the prior art, an embodiment of the present invention provides a backup method for a firewall device, which can be applied in a firewall backup group comprising multiple firewall devices. As shown in Fig. 2, the method can be applied in a networking application in which the NAT device and the firewall device are deployed separately. In the embodiment of the present invention, the firewall backup group consists of multiple firewall devices that together form one virtual firewall device, and the firewall devices in the group comprise a master firewall device and backup firewall devices. There can be one master firewall device, and it carries out the data forwarding work. There can be one or more backup firewall devices; when the master firewall device fails, a backup firewall device takes over its work and continues forwarding data. This improves reliability and effectively avoids the network interruption that a firewall device failure would cause. This firewall backup group technique can be called FBGP (Firewall Backup Group Protocol).
In the embodiment of the present invention, a backup group IP address, a backup group MAC (Media Access Control) address, a backup group upstream interface and a backup group downstream interface are configured in the firewall backup group. The backup group upstream interface is the Internet egress, and the backup group downstream interface is the interface that connects to the customer network or the NAT device. The backup group IP address is a public IP address; it serves as the downlink port address of the firewall device and is the gateway address to which the NAT device forwards upstream data. The backup group MAC address is the MAC address corresponding to the backup group IP address. Ways of generating the backup group MAC address include but are not limited to: 00-00-5e-00-00 followed by the backup group ID, where the backup group ID is the unique identifier assigned to the firewall backup group; for example, the backup group MAC address of firewall backup group 128 is 00-00-5e-00-00-80.
As shown in Fig. 3, the backup method for the firewall device can specifically comprise the following steps:
Step 301: the firewall device determines whether it is the master firewall device or a backup firewall device in the firewall backup group. When the firewall device is the master firewall device, step 302 is performed; when the firewall device is a backup firewall device, step 303 is performed.
In the embodiment of the present invention, the process by which the firewall device determines whether it is the master firewall device or a backup firewall device in the firewall backup group specifically includes but is not limited to the following. The firewall device receives Layer 2 encapsulated Assert (declaration) messages from the other firewall devices; each Assert message carries at least the priority and interface MAC address of the other firewall device. If the priority of this firewall device is greater than the priorities of all other firewall devices, it determines that it is the master firewall device in the firewall backup group. If the priority of this firewall device is less than the priority of any other firewall device, it determines that it is a backup firewall device in the firewall backup group. If the priority of this firewall device is the maximum priority and equals the priority of another firewall device, then: when the interface MAC address of this firewall device is greater than the interface MAC addresses of all other firewall devices with the same priority, it determines that it is the master firewall device in the firewall backup group; when its interface MAC address is less than the interface MAC address of any other firewall device with the same priority, it determines that it is a backup firewall device in the firewall backup group. Alternatively, when the interface MAC address of this firewall device is greater than the interface MAC address of any other firewall device with the same priority, it determines that it is a backup firewall device in the firewall backup group; when its interface MAC address is less than the interface MAC addresses of all other firewall devices with the same priority, it determines that it is the master firewall device in the firewall backup group.
Fig. 4 is a schematic diagram of the format of the Assert message. In the Assert message, the Version field indicates the version of the FBGP protocol. The Type field indicates the type of the FBGP Assert message. The FBGP ID field indicates the backup group ID of the firewall backup group; its configurable range is 1 to 255. The Priority field indicates the priority of the firewall device; its value can be an integer, and the larger the value, the higher the priority of the firewall device. The State field is the FBGP firewall state, which is either the up state or the down state: a value of 1 indicates the up state and a value of 0 indicates the down state. The FBG IP Address field is the backup group IP address. The MAC Address field is the interface MAC address of the firewall device; each firewall device has a different interface MAC address, and the interface MAC address identifies the different firewall devices within the firewall backup group. The Auth Type field indicates the authentication mode. The authentication type must be the same within one firewall backup group; if the Auth Type field contents differ, authentication fails and the message is discarded. An Auth Type value of 0 means the message does not need to be authenticated; a value of 1 means the message needs to be authenticated. The CheckSum field prevents the message from being modified in transit: a checksum value is computed over the message content according to the checksum algorithm and filled into the CheckSum field.
Before the master firewall device has been elected, every firewall device considers itself the master firewall device and sends Assert messages through the backup group downstream interface to the other firewall devices in the firewall backup group. After each firewall device receives the Assert messages from the other firewall devices on the backup group downstream interface, it uses the priorities and interface MAC addresses of the other firewall devices together with its own priority and interface MAC address to elect itself as the master firewall device or a backup firewall device. If a firewall device is elected as the master firewall device, it continues to send Assert messages periodically from the backup group downstream interface to the other firewall devices in the firewall backup group. If a firewall device is elected as a backup firewall device, it no longer sends Assert messages from the backup group downstream interface and only monitors the Assert messages sent by the master firewall device.
When sending an Assert message, the firewall device can apply Layer 2 encapsulation to it. The Layer 2 encapsulation type can be configured as needed; for example, it can be 0x88cd. When the firewall device applies Layer 2 encapsulation to an Assert message, the destination MAC address of the Assert message is the backup group MAC address and the source MAC address is the interface MAC address of the firewall device.
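The Assert message fields and Layer 2 encapsulation described above, as an added Python example that is not part of the patent text: it builds a frame and validates it on receipt. Fig. 4 is not reproduced on this page, so the field widths and order, the Version and Type values, the one's-complement checksum, the source-MAC consistency check and the sample addresses are all assumptions.

```python
import ipaddress
import struct

ETHERTYPE_FBGP = 0x88CD  # example Layer 2 encapsulation type given in the text

# ASSUMED layout (Fig. 4 is not on the page): Version, Type, FBGP ID, Priority,
# State, Auth Type (1 byte each), CheckSum (2), FBG IP Address (4), MAC Address (6).
BODY = struct.Struct("!BBBBBBH4s6s")
ETH = struct.Struct("!6s6sH")  # destination MAC, source MAC, encapsulation type


def group_mac(group_id):
    """Backup group MAC: 00-00-5e-00-00 followed by the backup group ID (1..255)."""
    if not 1 <= group_id <= 255:
        raise ValueError("backup group ID out of range")
    return bytes([0x00, 0x00, 0x5E, 0x00, 0x00, group_id])


def checksum16(data):
    """ASSUMED checksum algorithm: 16-bit one's-complement sum of the message."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def _pack_body(f, csum):
    """Serialise the Assert fields with the given CheckSum value."""
    return BODY.pack(f["version"], f["type"], f["group_id"], f["priority"],
                     f["state"], f["auth_type"], csum,
                     ipaddress.IPv4Address(f["group_ip"]).packed, f["if_mac"])


def build_assert(group_id, priority, state, group_ip, if_mac, auth_type=0):
    """Return a Layer 2 frame: dst = backup group MAC, src = interface MAC."""
    fields = {"version": 1, "type": 1, "group_id": group_id, "priority": priority,
              "state": state, "auth_type": auth_type, "group_ip": group_ip,
              "if_mac": if_mac}
    body = _pack_body(fields, checksum16(_pack_body(fields, 0)))
    return ETH.pack(group_mac(group_id), if_mac, ETHERTYPE_FBGP) + body


def parse_assert(frame, local_group_id, local_auth_type):
    """Decode a received frame; raise ValueError for frames that must be dropped."""
    if len(frame) < ETH.size + BODY.size:
        raise ValueError("truncated frame")
    dst, src, ethertype = ETH.unpack_from(frame, 0)
    if ethertype != ETHERTYPE_FBGP:
        raise ValueError("not an FBGP frame")
    (version, msg_type, group_id, priority, state,
     auth_type, csum, ip, mac) = BODY.unpack_from(frame, ETH.size)
    fields = {"version": version, "type": msg_type, "group_id": group_id,
              "priority": priority, "state": state, "auth_type": auth_type,
              "group_ip": str(ipaddress.IPv4Address(ip)), "if_mac": mac}
    if group_id != local_group_id or dst != group_mac(local_group_id):
        raise ValueError("wrong backup group")
    if src != mac:  # added consistency check: both carry the interface MAC
        raise ValueError("source MAC does not match MAC Address field")
    if state not in (0, 1):
        raise ValueError("invalid State value")
    if auth_type != local_auth_type:  # Auth Type must match within the group
        raise ValueError("Auth Type mismatch")
    if checksum16(_pack_body(fields, 0)) != csum:
        raise ValueError("checksum mismatch")
    return fields


if __name__ == "__main__":
    # Constructed sample: backup group 128, priority 100, up state.
    sample = build_assert(128, 100, 1, "203.0.113.1", bytes.fromhex("3c8c40aabb01"))
    print(sample.hex())
    print(parse_assert(sample, local_group_id=128, local_auth_type=0))
```

A checksum of this kind only detects accidental or naive modification; anyone on the same Layer 2 segment who can send frames can also recompute it, which is why the Auth Type setting matters for the election.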
Step 302: the firewall device advertises the backup group IP address network-segment route through the backup group upstream interface, so that downlink data is sent to the master firewall device in the firewall backup group. When the firewall device receives an ARP (Address Resolution Protocol) request message from the NAT device on the backup group downstream interface, it returns an ARP response message to the NAT device through the backup group downstream interface, so that the NAT device sends upstream data to the master firewall device in the firewall backup group. The ARP response message can carry the backup group IP address and the backup group MAC address configured in the firewall backup group. The backup group IP address network-segment route consists of the backup group IP address and a mask.
Step 303: the firewall device is prohibited from advertising the backup group IP address network-segment route through the backup group upstream interface. When the firewall device receives an ARP request message from the NAT device on the backup group downstream interface, it is prohibited from returning an ARP response message to the NAT device through the backup group downstream interface.
In this case, the firewall device neither advertises the backup group IP address network-segment route through the backup group upstream interface nor returns an ARP response message through the backup group downstream interface.
As a result of the above process, the master firewall device advertises the backup group IP address network-segment route (that is, a network-segment route carrying the backup group IP address and mask information) through the backup group upstream interface, while the backup firewall devices do not. Downlink data from the Internet is therefore sent to the master firewall device in the firewall backup group. After receiving the downlink data, the master firewall device uses firewall policy to discard attack traffic and traffic that does not meet requirements, so only valid downlink data is forwarded to the NAT device, which translates the downlink data and sends it to the user.
On the NAT device, the gateway address for upstream data that accesses the external network is set to the backup group IP address. When the NAT device sends an ARP request message for the backup group IP address, the ARP request message is delivered to both the master firewall device and the backup firewall devices. When the master firewall device receives the ARP request message on the backup group downstream interface, it returns an ARP response message to the NAT device through the backup group downstream interface. When a backup firewall device receives the ARP request message on the backup group downstream interface, it does not return an ARP response message to the NAT device. After receiving the ARP response message from the master firewall device, the NAT device updates its ARP entry. As a result, when the NAT device sends upstream data, the data is sent to the master firewall device in the firewall backup group and not to the backup firewall devices.
In the embodiment of the present invention, also configurable FBGP list item on master firewall equipment and backup firewall box, the content of FBGP list item includes but not limited to: the role of the backup group ID of interface name, fire compartment wall backup group, firewall box (master firewall equipment or back up firewall box), the priority of firewall box, the authentication mode of firewall box, the backup group IP address of firewall box, the backup group MAC Address of firewall box, the interface mac address of firewall box, the network segment address information of firewall box.
In the embodiment of the present invention, when the firewall device is the master firewall device, it also needs to detect whether a fault has occurred, for example whether the uplink has failed. If the master firewall device detects that the uplink has failed, it sends a Layer 2 encapsulated second Assert message to the other firewall devices in the firewall backup group (that is, the backup firewall devices), and the second Assert message carries the state of the master firewall device as the down state.
In the embodiment of the present invention, when the firewall device is a backup firewall device and receives a Layer 2 encapsulated second Assert message from the master firewall device, if the state of the master firewall device obtained from the second Assert message is the down state, the backup firewall device re-determines whether it is the master firewall device or a backup firewall device in the firewall backup group (the determination uses the priority and the interface MAC address, as described above, and is not repeated here). If it determines that it changes from a backup firewall device to the master firewall device, it advertises the backup group IP address network segment route through the backup group upstream interface and sends an ARP update message through the backup group downstream interface, where the ARP update message carries the backup group IP address and the backup group MAC address. As a result, downstream data is sent to the current master firewall device in the firewall backup group (that is, the backup firewall device that has just changed to the master firewall device), and the NAT device sends upstream data to the current master firewall device in the firewall backup group (that is, the backup firewall device that has just changed to the master firewall device). Further, the process in which the backup firewall device re-determines whether it is the master firewall device or a backup firewall device in the firewall backup group specifically comprises: after the backup firewall device learns that the state of the master firewall device is the down state, it starts a failure timer for the master firewall device, and the timeout of this failure timer is greater than the sending interval of the second Assert message; if the backup firewall device receives a second Assert message before the failure timer expires, and the second Assert message carries the state of the master firewall device as the down state, the backup firewall device resets the failure timer to zero; if the backup firewall device does not receive a second Assert message before the failure timer expires, the backup firewall device re-determines whether it is the master firewall device or a backup firewall device in the firewall backup group.
The master firewall device can detect whether the uplink has failed by means of NQA (Network Quality Analyzer) or BFD (Bidirectional Forwarding Detection). If it detects that the uplink has failed, the master firewall device no longer acts as the master firewall device in the firewall backup group, no longer forwards data, and sends second Assert messages to the backup firewall devices, for example by periodically sending 3 second Assert messages, each carrying the state of the master firewall device as the down state.
When a backup firewall device receives a second Assert message from the master firewall device, if the state of the master firewall device obtained from the second Assert message is the down state, it starts a failure timer for the master firewall device. The timeout of this failure timer is greater than the sending interval of the second Assert message, for example 3 times the sending interval. If the backup firewall device does not receive a second Assert message before the failure timer expires, it re-determines whether it is the master firewall device or a backup firewall device in the firewall backup group. If it determines that it is the master firewall device in the firewall backup group, this backup firewall device takes over data forwarding as the master firewall device of the firewall backup group. For example, the backup firewall device advertises the backup group IP address network segment route through the backup group upstream interface, so that downstream data is sent to this backup firewall device, and it sends an ARP update message to the NAT device through the backup group downstream interface, so that the NAT device sends upstream data to this backup firewall device.
In the embodiment of the present invention, if the master firewall device itself has not failed and the downlink of the master firewall device has not failed, the master firewall device can periodically send a second Assert message carrying the state of the master firewall device as the up state. Accordingly, when the firewall device is a backup firewall device, if it does not receive, within a preset time, a Layer 2 encapsulated second Assert message from the master firewall device carrying the state of the master firewall device as the up state, the firewall device determines that the master firewall device itself has failed and/or the downlink of the master firewall device has failed, and re-determines whether it is the master firewall device or a backup firewall device in the firewall backup group. Further, if the firewall device determines that it changes from a backup firewall device to the master firewall device, it can advertise the backup group IP address network segment route through the backup group upstream interface, so that downstream data is sent to this backup firewall device. In addition, it can send an ARP update message through the backup group downstream interface, carrying the backup group IP address and the backup group MAC address, so that the NAT device sends upstream data to this backup firewall device.
In the embodiment of the present invention, when the firewall device is the master firewall device, after it has sent the Layer 2 encapsulated second Assert message to the backup firewall devices, if it detects that the fault has recovered, for example that the uplink failure has recovered, the master firewall device determines that it is the master firewall device in the firewall backup group and sends a Layer 2 encapsulated third Assert message to the other firewall devices in the firewall backup group (that is, the backup firewall devices), and the third Assert message carries the state of the master firewall device as the up state. Further, when the firewall device is a backup firewall device that has determined that it changed from a backup firewall device to the master firewall device, and it receives a Layer 2 encapsulated third Assert message from the master firewall device, if the state of the master firewall device obtained from the third Assert message is the up state, the backup firewall device determines that it changes to a backup firewall device in the firewall backup group. Through this process, the master firewall device is restored as the master firewall device and the backup firewall device is restored as a backup firewall device.
When the fault on the master firewall device recovers, either non-preempt mode or preempt mode can be used. In non-preempt mode, the master firewall device does not need to be restored as the master firewall device and continues as a backup firewall device in the firewall backup group; the backup firewall device does not need to be restored as a backup firewall device and continues as the master firewall device in the firewall backup group. In preempt mode, the master firewall device needs to be restored as the master firewall device and acts as the master firewall device in the firewall backup group; the backup firewall device needs to be restored as a backup firewall device and acts as a backup firewall device in the firewall backup group.
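The failover behaviour described above (role election by priority and then interface MAC address, the second Assert message with its failure timer, ARP answered only by the master, and preempt versus non-preempt recovery) can be modelled as a small state machine. This is an added Python example, not part of the patent: the class, field and action names, the sample addresses, and the "larger MAC wins" tie-break are assumptions, and the timer uses the 3 times sending interval that the text gives as an example.

```python
from dataclasses import dataclass, field
from typing import Optional

MASTER, BACKUP = "master", "backup"

@dataclass(frozen=True)
class AssertMsg:
    """Layer 2 Assert message; field names are assumptions for this sketch."""
    mac: str        # sender's interface MAC address
    priority: int   # sender's priority
    up: bool        # True = up state, False = down state

def rank(priority: int, mac: str) -> tuple:
    # Higher priority wins; on a tie the larger interface MAC wins (assumed).
    return (priority, int(mac.replace(":", ""), 16))

@dataclass
class FirewallDevice:
    mac: str
    priority: int
    group_ip: str
    group_mac: str
    assert_interval: float = 1.0
    preempt: bool = True
    role: str = BACKUP
    peers: dict = field(default_factory=dict)    # peer MAC -> (priority, up)
    deadline: Optional[float] = None             # failure timer expiry time
    actions: list = field(default_factory=list)  # control-plane actions taken

    def elect(self) -> str:
        """Re-determine the role against every peer not known to be down."""
        live = [rank(p, m) for m, (p, up) in self.peers.items() if up]
        me, was = rank(self.priority, self.mac), self.role
        self.role = MASTER if all(me > r for r in live) else BACKUP
        if self.role == MASTER and was == BACKUP:
            # A new master attracts downstream and upstream traffic.
            self.actions.append(("advertise_route", self.group_ip))
            self.actions.append(("arp_update", self.group_ip, self.group_mac))
        return self.role

    def on_assert(self, msg: AssertMsg, now: float) -> None:
        self.peers[msg.mac] = (msg.priority, msg.up)
        if not msg.up:              # second Assert, down: start or reset the timer
            self.deadline = now + 3 * self.assert_interval
            return
        self.deadline = None        # first Assert (election) or third (recovery)
        self.elect()

    def tick(self, now: float) -> None:
        """Failure timer expired without another second Assert: re-elect."""
        if self.deadline is not None and now >= self.deadline:
            self.deadline = None
            self.elect()

    def uplink_failed(self) -> Optional[AssertMsg]:
        if self.role != MASTER:
            return None
        self.role = BACKUP          # stops forwarding and announces the down state
        return AssertMsg(self.mac, self.priority, up=False)

    def uplink_recovered(self) -> Optional[AssertMsg]:
        # Non-preempt mode: stay backup and leave the acting master in place.
        ok = self.preempt and self.elect() == MASTER
        return AssertMsg(self.mac, self.priority, up=True) if ok else None

    def on_arp_request(self, target_ip: str) -> Optional[tuple]:
        """Only the master answers ARP for the backup group IP address."""
        mine = self.role == MASTER and target_ip == self.group_ip
        return (self.group_ip, self.group_mac) if mine else None

def demo(preempt: bool = True) -> dict:
    """Constructed three-device group; all addresses are sample values."""
    gip, gmac = "203.0.113.1", "00:00:5e:00:53:01"
    spec = [("A", "00:00:5e:00:53:0a", 200), ("B", "00:00:5e:00:53:0b", 100),
            ("C", "00:00:5e:00:53:0c", 100)]     # B and C tie; C has the larger MAC
    fws = {n: FirewallDevice(m, p, gip, gmac, preempt=preempt) for n, m, p in spec}
    def broadcast(sender, msg, now):
        for n, fw in fws.items():
            if n != sender:
                fw.on_assert(msg, now)
    def roles():
        return {n: fw.role for n, fw in fws.items()}
    for n, fw in fws.items():                    # first Assert exchange
        broadcast(n, AssertMsg(fw.mac, fw.priority, True), 0.0)
    out = {"initial": roles()}
    down = fws["A"].uplink_failed()              # master A loses its uplink
    for t in (1.0, 2.0, 3.0):                    # second Assert sent three times
        broadcast("A", down, t)
    for now in (5.0, 6.0):                       # timer set at 3.0 expires at 6.0
        for fw in fws.values():
            fw.tick(now)
        out[f"t{int(now)}"] = roles()
    out["arp"] = {n: fw.on_arp_request(gip) for n, fw in fws.items()}
    up = fws["A"].uplink_recovered()             # third Assert only in preempt mode
    if up is not None:
        broadcast("A", up, 10.0)
    out["recovered"] = roles()
    out["actions"] = {n: list(fw.actions) for n, fw in fws.items()}
    return out
```

In this model no device holds the master role between the uplink failure and the expiry of the failure timer, so the timer length bounds how long ARP requests for the backup group IP address go unanswered.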
Based on the above technical solution, in the embodiment of the present invention, multiple firewall devices are configured as one firewall backup group, which provides a backup function across N firewall devices and solves the network single point of failure problem. Because one backup group IP address is configured for the firewall backup group, only 2 public network IP addresses are needed regardless of the number of firewall devices: the firewall backup group needs one public network IP address (the backup group IP address), and the uplink port of the NAT device needs one public network IP address. This avoids wasting public network IP addresses and effectively saves public network IP address resources, so the number of public network IP addresses that the NAT device can use is not significantly reduced, and the efficiency of NAT translation is improved.
Based on the same inventive concept as the above method, the embodiment of the present invention also provides a firewall device, applied to a firewall backup group comprising multiple firewall devices, where a backup group IP address and a backup group media access control (MAC) address are configured in the firewall backup group. As shown in Figure 5, the firewall device specifically comprises:
Determination module 11, configured to determine whether the firewall device is the master firewall device or a backup firewall device in the firewall backup group;
Processing module 12, configured to, when the firewall device is the master firewall device, advertise the backup group IP address network segment route through the backup group upstream interface, so that downstream data is sent to the master firewall device in the firewall backup group; when an ARP request message from a network address translation (NAT) device is received on the backup group downstream interface, return an ARP response message through the backup group downstream interface, where the ARP response message carries the backup group IP address and the backup group MAC address, so that the NAT device sends upstream data to the master firewall device in the firewall backup group; when the firewall device is a backup firewall device, be prohibited from advertising the backup group IP address network segment route through the backup group upstream interface; and when an ARP request message from the NAT device is received on the backup group downstream interface, be prohibited from returning an ARP response message through the backup group downstream interface.
The determination module 11 is specifically configured to receive a Layer 2 encapsulated first Assert (declaration) message from the other firewall devices, where the first Assert message carries the priority and the interface MAC address of the other firewall device; if the priority of the firewall device is greater than the priority of all other firewall devices, determine that the firewall device is the master firewall device in the firewall backup group; if the priority of the firewall device is less than the priority of any other firewall device, determine that the firewall device is a backup firewall device in the firewall backup group;
If the priority of the firewall device is the highest priority and equals the priority of another firewall device, then: when the interface MAC address of the firewall device is greater than the interface MAC addresses of all other firewall devices with the same priority as the firewall device, determine that the firewall device is the master firewall device in the firewall backup group; when the interface MAC address of the firewall device is less than the interface MAC address of any other firewall device with the same priority as the firewall device, determine that the firewall device is a backup firewall device in the firewall backup group; or, when the interface MAC address of the firewall device is greater than the interface MAC address of any other firewall device with the same priority as the firewall device, determine that the firewall device is a backup firewall device in the firewall backup group; when the interface MAC address of the firewall device is less than the interface MAC addresses of all other firewall devices with the same priority as the firewall device, determine that the firewall device is the master firewall device in the firewall backup group.
The processing module 12 is also configured to, when the firewall device is the master firewall device and detects that the uplink has failed, send a Layer 2 encapsulated second Assert message to the other firewall devices in the firewall backup group, where the second Assert message carries the state of the firewall device as the down state; when the firewall device is a backup firewall device and receives a Layer 2 encapsulated second Assert message from the master firewall device, if the state of the master firewall device obtained from the second Assert message is the down state, re-determine whether the firewall device is the master firewall device or a backup firewall device in the firewall backup group; if it is determined that the firewall device changes from a backup firewall device to the master firewall device, advertise the backup group IP address network segment route through the backup group upstream interface and send an ARP update message through the backup group downstream interface, where the ARP update message carries the backup group IP address and the backup group MAC address; or,
The processing module 12 is also configured to, when the firewall device is a backup firewall device, if no Layer 2 encapsulated second Assert message carrying the state of the master firewall device as the up state is received from the master firewall device within a preset time, determine that the master firewall device itself has failed and/or the downlink of the master firewall device has failed, and re-determine whether the firewall device is the master firewall device or a backup firewall device in the firewall backup group; if it is determined that the firewall device changes from a backup firewall device to the master firewall device, advertise the backup group IP address network segment route through the backup group upstream interface and send an ARP update message through the backup group downstream interface, where the ARP update message carries the backup group IP address and the backup group MAC address.
The processing module 12 is further configured to, in the process of re-determining whether the firewall device is the master firewall device or a backup firewall device in the firewall backup group, start a failure timer for the master firewall device after learning that the state of the master firewall device is the down state, where the timeout of the failure timer is greater than the sending interval of the second Assert message; if the firewall device receives a second Assert message before the failure timer expires, and the second Assert message carries the state of the master firewall device as the down state, reset the failure timer to zero; if the firewall device does not receive a second Assert message before the failure timer expires, re-determine whether the firewall device is the master firewall device or a backup firewall device in the firewall backup group.
The processing module 12 is further configured to, when the firewall device is the master firewall device, after sending the Layer 2 encapsulated second Assert message to the other firewall devices, if fault recovery is detected, determine that the firewall device is the master firewall device in the firewall backup group and send a Layer 2 encapsulated third Assert message to the other firewall devices in the firewall backup group, where the third Assert message carries the state of the firewall device as the up state;
The processing module 12 is further configured to, when the firewall device is a backup firewall device, after determining that the firewall device changed from a backup firewall device to the master firewall device, upon receiving a Layer 2 encapsulated third Assert message from the master firewall device, if the state of the master firewall device obtained from the third Assert message is the up state, determine that the firewall device is a backup firewall device in the firewall backup group.
The modules of the device of the present invention can be integrated together or deployed separately. The above modules can be merged into one module or further split into multiple submodules.
From the above description of the embodiments, those skilled in the art can clearly understand that the present invention can be implemented by software plus a necessary general-purpose hardware platform, or of course by hardware, although in many cases the former is the better implementation. Based on this understanding, the technical solution of the present invention, in essence or in the part that contributes to the prior art, can be embodied in the form of a software product. This computer software product is stored in a storage medium and includes several instructions that cause a computer device (which can be a personal computer, a server, a network device, or the like) to perform the method described in each embodiment of the present invention. Those skilled in the art will understand that the accompanying drawings are schematic diagrams of a preferred embodiment, and that the modules or flows in the drawings are not necessarily required to implement the present invention. Those skilled in the art will understand that the modules of the device in an embodiment can be distributed in the device of the embodiment as described, or can be changed accordingly and located in one or more devices different from that of the present embodiment. The modules of the above embodiments can be merged into one module or further split into multiple submodules. The sequence numbers of the above embodiments of the present invention are for description only and do not indicate the relative merit of the embodiments. The above are only several specific embodiments of the present invention, but the present invention is not limited to them, and any change that a person skilled in the art can think of shall fall within the protection scope of the present invention.

Claims (10)

1. A backup method for a firewall device, characterized in that the method is applied to a firewall backup group comprising multiple firewall devices, a backup group IP address and a backup group media access control (MAC) address are configured in the firewall backup group, and the method comprises the following steps:
The firewall device determines whether it is the master firewall device or a backup firewall device in the firewall backup group;
When the firewall device is the master firewall device, the firewall device advertises the backup group IP address network segment route through the backup group upstream interface, so that downstream data is sent to the master firewall device in the firewall backup group; when the firewall device receives an ARP request message from a network address translation (NAT) device on the backup group downstream interface, it returns an ARP response message through the backup group downstream interface, where the ARP response message carries the backup group IP address and the backup group MAC address, so that the NAT device sends upstream data to the master firewall device in the firewall backup group;
When the firewall device is a backup firewall device, the firewall device is prohibited from advertising the backup group IP address network segment route through the backup group upstream interface; when the firewall device receives an ARP request message from the NAT device on the backup group downstream interface, it is prohibited from returning an ARP response message through the backup group downstream interface.
2. The method of claim 1, characterized in that the firewall device determining whether it is the master firewall device or a backup firewall device in the firewall backup group comprises:
The firewall device receives a Layer 2 encapsulated first Assert (declaration) message from the other firewall devices, where the first Assert message carries the priority and the interface MAC address of the other firewall device;
If the priority of the firewall device is greater than the priority of all other firewall devices, the firewall device determines that it is the master firewall device in the firewall backup group;
If the priority of the firewall device is less than the priority of any other firewall device, the firewall device determines that it is a backup firewall device in the firewall backup group;
If the priority of the firewall device is the highest priority and equals the priority of another firewall device, then: when the interface MAC address of the firewall device is greater than the interface MAC addresses of all other firewall devices with the same priority as the firewall device, the firewall device determines that it is the master firewall device in the firewall backup group; when the interface MAC address of the firewall device is less than the interface MAC address of any other firewall device with the same priority as the firewall device, the firewall device determines that it is a backup firewall device in the firewall backup group; or, when the interface MAC address of the firewall device is greater than the interface MAC address of any other firewall device with the same priority as the firewall device, the firewall device determines that it is a backup firewall device in the firewall backup group; when the interface MAC address of the firewall device is less than the interface MAC addresses of all other firewall devices with the same priority as the firewall device, the firewall device determines that it is the master firewall device in the firewall backup group.
3. The method of claim 1, characterized in that the method further comprises:
When the firewall device is the master firewall device and detects that the uplink has failed, the firewall device sends a Layer 2 encapsulated second Assert message to the other firewall devices in the firewall backup group, where the second Assert message carries the state of the firewall device as the down state; when the firewall device is a backup firewall device and receives a Layer 2 encapsulated second Assert message from the master firewall device, if the state of the master firewall device obtained from the second Assert message is the down state, the firewall device re-determines whether it is the master firewall device or a backup firewall device in the firewall backup group; if the firewall device determines that it changes from a backup firewall device to the master firewall device, the firewall device advertises the backup group IP address network segment route through the backup group upstream interface and sends an ARP update message through the backup group downstream interface, where the ARP update message carries the backup group IP address and the backup group MAC address; or,
When the firewall device is a backup firewall device, if it does not receive, within a preset time, a Layer 2 encapsulated second Assert message from the master firewall device carrying the state of the master firewall device as the up state, the firewall device determines that the master firewall device itself has failed and/or the downlink of the master firewall device has failed, and re-determines whether it is the master firewall device or a backup firewall device in the firewall backup group; if the firewall device determines that it changes from a backup firewall device to the master firewall device, the firewall device advertises the backup group IP address network segment route through the backup group upstream interface and sends an ARP update message through the backup group downstream interface, where the ARP update message carries the backup group IP address and the backup group MAC address.
4. The method of claim 3, characterized in that, when the firewall device is a backup firewall device, the process in which the firewall device re-determines whether it is the master firewall device or a backup firewall device in the firewall backup group specifically comprises:
After the firewall device learns that the state of the master firewall device is the down state, it starts a failure timer for the master firewall device, where the timeout of the failure timer is greater than the sending interval of the second Assert message; if the firewall device receives a second Assert message before the failure timer expires, and the second Assert message carries the state of the master firewall device as the down state, the firewall device resets the failure timer to zero; if the firewall device does not receive a second Assert message before the failure timer expires, the firewall device re-determines whether it is the master firewall device or a backup firewall device in the firewall backup group.
5. The method of claim 3 or 4, characterized in that the method further comprises:
When the firewall device is the master firewall device, after the firewall device sends the Layer 2 encapsulated second Assert message to the other firewall devices, if fault recovery is detected, the firewall device determines that it is the master firewall device in the firewall backup group and sends a Layer 2 encapsulated third Assert message to the other firewall devices in the firewall backup group, where the third Assert message carries the state of the firewall device as the up state;
When the firewall device is a backup firewall device, after the firewall device has determined that it changed from a backup firewall device to the master firewall device, when the firewall device receives a Layer 2 encapsulated third Assert message from the master firewall device, if the state of the master firewall device obtained from the third Assert message is the up state, the firewall device determines that it is a backup firewall device in the firewall backup group.
6. A firewall device, characterized in that it is applied to a firewall backup group comprising multiple firewall devices, where a backup group IP address and a backup group media access control (MAC) address are configured in the firewall backup group, and the firewall device specifically comprises:
A determination module, configured to determine whether the firewall device is the master firewall device or a backup firewall device in the firewall backup group;
A processing module, configured to, when the firewall device is the master firewall device, advertise the backup group IP address network segment route through the backup group upstream interface, so that downstream data is sent to the master firewall device in the firewall backup group; and, when an ARP request message from a network address translation (NAT) device is received on the backup group downstream interface, return an ARP response message through the backup group downstream interface, where the ARP response message carries the backup group IP address and the backup group MAC address, so that the NAT device sends upstream data to the master firewall device in the firewall backup group;
When the firewall device is a backup firewall device, the processing module is prohibited from advertising the backup group IP address network segment route through the backup group upstream interface; when an ARP request message from the NAT device is received on the backup group downstream interface, it is prohibited from returning an ARP response message through the backup group downstream interface.
7. The firewall device of claim 6, characterized in that:
The determination module is specifically configured to receive a Layer 2 encapsulated first Assert (declaration) message from the other firewall devices, where the first Assert message carries the priority and the interface MAC address of the other firewall device; if the priority of the firewall device is greater than the priority of all other firewall devices, determine that the firewall device is the master firewall device in the firewall backup group; if the priority of the firewall device is less than the priority of any other firewall device, determine that the firewall device is a backup firewall device in the firewall backup group;
If the priority of the firewall device is the highest priority and equals the priority of another firewall device, then: when the interface MAC address of the firewall device is greater than the interface MAC addresses of all other firewall devices with the same priority as the firewall device, determine that the firewall device is the master firewall device in the firewall backup group; when the interface MAC address of the firewall device is less than the interface MAC address of any other firewall device with the same priority as the firewall device, determine that the firewall device is a backup firewall device in the firewall backup group; or, when the interface MAC address of the firewall device is greater than the interface MAC address of any other firewall device with the same priority as the firewall device, determine that the firewall device is a backup firewall device in the firewall backup group; when the interface MAC address of the firewall device is less than the interface MAC addresses of all other firewall devices with the same priority as the firewall device, determine that the firewall device is the master firewall device in the firewall backup group.
8. The firewall device as claimed in claim 6, characterized in that:
The processing module is also configured to: when the firewall device is the master firewall device and detects that an uplink has failed, send a Layer 2 encapsulated second Assert message to the other firewall devices in the firewall backup group, the second Assert message carrying the state of the firewall device as the down state; when the firewall device is a backup firewall device and receives a Layer 2 encapsulated second Assert message from the master firewall device, if the state of the master firewall device obtained from the second Assert message is the down state, re-determine whether the firewall device is the master firewall device or a backup firewall device in the firewall backup group; if it is determined that the firewall device changes from a backup firewall device to the master firewall device, advertise the backup group IP address network segment route through the backup group upstream interface, and send an ARP update message through the backup group downstream interface, the ARP update message carrying the backup group IP address and the backup group MAC address; or,
The processing module is also configured to: when the firewall device is a backup firewall device, if no Layer 2 encapsulated second Assert message carrying the state of the master firewall device as the up state is received from the master firewall device within a preset time, determine that the master firewall device itself has failed and/or that the downlink of the master firewall device has failed, and re-determine whether the firewall device is the master firewall device or a backup firewall device in the firewall backup group; if it is determined that the firewall device changes from a backup firewall device to the master firewall device, advertise the backup group IP address network segment route through the backup group upstream interface, and send an ARP update message through the backup group downstream interface, the ARP update message carrying the backup group IP address and the backup group MAC address.
9. The firewall device as claimed in claim 8, characterized in that:
The processing module is further configured to, in the process of re-determining whether the firewall device is the master firewall device or a backup firewall device in the firewall backup group: after obtaining that the state of the master firewall device is the down state, start a failure timer for the master firewall device, the timeout of the failure timer being greater than the sending interval of the second Assert message; if the firewall device receives a second Assert message before the failure timer expires, and the second Assert message carries the state of the master firewall device as the down state, reset the failure timer to zero; if the firewall device does not receive a second Assert message before the failure timer expires, re-determine whether the firewall device is the master firewall device or a backup firewall device in the firewall backup group.
10. The firewall device as claimed in claim 8 or 9, characterized in that:
The processing module is further configured to: when the firewall device is the master firewall device, after sending the Layer 2 encapsulated second Assert message to the other firewall devices, if fault recovery is detected, determine that the firewall device is the master firewall device in the firewall backup group, and send a Layer 2 encapsulated third Assert message to the other firewall devices in the firewall backup group, the third Assert message carrying the state of the firewall device as the up state;
The processing module is further configured to: when the firewall device is a backup firewall device, after determining that the firewall device has changed from a backup firewall device to the master firewall device, upon receiving a Layer 2 encapsulated third Assert message from the master firewall device, if the state of the master firewall device obtained from the third Assert message is the up state, determine that the firewall device is a backup firewall device in the firewall backup group.
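The election rule of claim 7, combined with the down-state and preset-time conditions of claim 8 and the recovery case of claim 10, can be sketched as follows. This is an added illustration, not code from the patent: the `AssertMsg` fields, the 3-second hold time, the sample MAC addresses and priorities are all assumptions, and the claims define no wire format.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class AssertMsg:
    """Constructed model: the claims name these fields but no wire format."""
    mac: str              # sender's interface MAC address
    priority: int         # sender's priority
    up: bool = True       # state carried by the second/third Assert message
    seen_at: float = 0.0  # local receive time in seconds (assumption)

def mac_value(mac):
    """Compare MAC addresses as 48-bit integers."""
    return int(mac.replace(":", ""), 16)

def is_master(me, peers, now=0.0, hold_time=3.0, higher_mac_wins=True):
    """Decide from `me`'s point of view whether it is the master.

    peers: latest AssertMsg received from each other group member.
    hold_time: the claims' "preset time" (3.0 s is an assumed value).
    higher_mac_wins: picks one of the two tie-break alternatives in claim 7.
    """
    if not me.up:                    # our own uplink is down: never master
        return False
    for p in peers:
        # A peer that announced the down state, or was silent for longer
        # than the preset time, is treated as failed and does not compete.
        if not p.up or now - p.seen_at > hold_time:
            continue
        if p.priority > me.priority:
            return False
        if p.priority == me.priority:
            mine, theirs = mac_value(me.mac), mac_value(p.mac)
            if (theirs > mine) if higher_mac_wins else (theirs < mine):
                return False
    return True

# Constructed sample group: one high-priority device, two tied devices.
FW1 = AssertMsg("00:11:22:00:00:01", priority=200)
FW2 = AssertMsg("00:11:22:00:00:02", priority=150)
FW3 = AssertMsg("00:11:22:00:00:03", priority=150)

if __name__ == "__main__":
    fw1_down = AssertMsg(FW1.mac, FW1.priority, up=False)
    print("normal   FW1 master:", is_master(FW1, [FW2, FW3]))
    print("FW1 down FW3 master:", is_master(FW3, [fw1_down, FW2]))
    print("FW1 down FW2 master:", is_master(FW2, [fw1_down, FW3]))
```

Every device in the group must use the same `higher_mac_wins` setting; otherwise two tied devices can both conclude they are the master.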
CN201510007873.XA 2015-01-07 2015-01-07 Backup method and device for a firewall device Active CN104618148B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201510007873.XA CN104618148B (en) 2015-01-07 2015-01-07 Backup method and device for a firewall device

Publications (2)

Publication Number Publication Date
CN104618148A true CN104618148A (en) 2015-05-13
CN104618148B CN104618148B (en) 2017-12-08

Family

ID=53152439

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201510007873.XA Active CN104618148B (en) 2015-01-07 2015-01-07 Backup method and device for a firewall device

Country Status (1)

Country Link
CN (1) CN104618148B (en)

Also Published As

Publication number Publication date
CN104618148B (en) 2017-12-08

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
EXSB Decision made by sipo to initiate substantive examination
SE01 Entry into force of request for substantive examination
CB02 Change of applicant information

Address after: 310052 Binjiang District Changhe Road, Zhejiang, China, No. 466, No.

Applicant after: Xinhua three Technology Co., Ltd.

Address before: 310052 Binjiang District Changhe Road, Zhejiang, China, No. 466, No.

Applicant before: Huasan Communication Technology Co., Ltd.

CB02 Change of applicant information
GR01 Patent grant
GR01 Patent grant