CN113612778A - Resource pooling firewall cluster system and communication method - Google Patents

Resource pooling firewall cluster system and communication method

Info

Publication number: CN113612778A
Application number: CN202110895558.0A
Authority: CN (China)
Original language: Chinese (zh)
Legal status: Pending (as listed by Google Patents; an assumption, not a legal conclusion)
Inventors: 朱敏敏, 迮怡达, 潘明杰, 曾予
Current and original assignee: Industrial and Commercial Bank of China Ltd (ICBC) (as listed by Google Patents; not legally verified)
Prior art keywords: firewall, group, switch, firewalls, data packet

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/02 Network architectures or network communication protocols for network security for separating internal from external traffic, e.g. firewalls
    • H04L63/20 Network architectures or network communication protocols for network security for managing network security; network security policies in general
    • H04L41/00 Arrangements for maintenance, administration or management of data switching networks, e.g. of packet switching networks
    • H04L41/06 Management of faults, events, alarms or notifications
    • H04L41/0654 Management of faults, events, alarms or notifications using network fault recovery
    • H04L41/0663 Performing the actions predefined by failover planning, e.g. switching to standby network elements

Abstract

A resource-pooled firewall cluster system and a communication method are provided. The system comprises a first switch, a second switch, a first firewall group and a second firewall group. The first switch is connected to the external-network (extranet) device and to both firewall groups; the second switch is connected to the internal-network (intranet) device and to both firewall groups. According to the fault state of the firewalls in the two groups, the first switch steers extranet packets sent by the extranet device, and the second switch steers intranet packets sent by the intranet device, to different firewalls. Each firewall group decides by a preset policy rule whether a packet may pass; an intranet packet that is allowed is forwarded to the extranet device through the first switch, and an extranet packet that is allowed is forwarded to the intranet device through the second switch. The design avoids network outages caused by equipment faults and software faults, markedly improves the overall availability of the network, and allows firewalls to be added flexibly.

Description

Resource pooling firewall cluster system and communication method
Technical Field
The present disclosure relates to the field of firewalls, and in particular, to a resource pooling firewall cluster system and a communication method.
Background
With the rapid development of IT, resource pooling of network devices is also advancing. In the prior art, to reduce negotiation problems between devices in a pool, the devices in a resource pool are usually of the same manufacturer and model. With that deployment, a software bug in the one product can take every device in the pool out of service, or even paralyse the pool, which is bad for the availability of the whole network.
In the prior art, firewalls are deployed as a main/standby pair at the boundary of a network area. This increases day-to-day operation and maintenance complexity and workload, cannot be scaled out, and when performance or capacity is exhausted the only option is replacement. Replacing a firewall requires a change window, so operations are inflexible; this harms the availability of the whole network and the stability of the production environment.
In addition, the main and standby devices in such an architecture are the same model from the same manufacturer, so a software fault in that product can disable both at once, which again harms network availability.
Disclosure of Invention
The present disclosure addresses the following problems of the prior art: a main/standby firewall pair deployed at the boundary of a network area is complex to operate and maintain, can be expanded only by replacing the firewall when performance or capacity is limited, and firewall replacement is inflexible.
To solve the above technical problem, a first aspect herein provides a resource-pooled firewall cluster system, comprising:
a first switch, a second switch, a first firewall group and a second firewall group, wherein the main and standby firewalls within one group are of the same kind, and the firewalls of different groups are of different kinds;
the first switch is connected to an extranet device and to the first and second firewall groups, and the second switch is connected to an intranet device and to the first and second firewall groups; according to the fault state of the firewalls in the two groups, the first switch steers extranet packets sent by the extranet device, and the second switch steers intranet packets sent by the intranet device, to different firewalls;
the first and second firewall groups decide according to a preset policy rule whether a packet may pass; an intranet packet that may pass is sent to the extranet device through the first switch, and an extranet packet that may pass is sent to the intranet device through the second switch.
As a further embodiment herein, policy-based routing is deployed on the interconnection interfaces between the first switch and the two firewall groups and between the second switch and the two firewall groups;
the policy route records the combination of source address, destination address and next-hop firewall address, and extranet packets and intranet packets are steered to the corresponding firewall by that policy route;
the next-hop firewall address is one of the address of the first firewall group and the address of the second firewall group; only one group address is enabled at a time, and when that group fails the address of the other group is enabled.
As a further embodiment herein, the fault condition of the firewalls in the first and second firewall groups is detected by the first switch and/or the second switch, and the detection process includes:
sending a detection request to firewalls in the first firewall group and the second firewall group;
and analyzing according to detection results returned by the firewalls in the first firewall group and the second firewall group, and determining the fault conditions of the firewalls in the first firewall group and the second firewall group.
As a further embodiment herein, the analyzing according to the detection results returned by the firewalls in the first firewall group and the second firewall group to determine the failure condition of the firewalls in the first firewall group and the second firewall group includes:
determining the network performance of each firewall according to the detection results returned by the firewalls in the first firewall group and the second firewall group;
and if the network performance of the firewall does not meet the preset condition, determining that the firewall has a fault.
As a further embodiment herein, steering the extranet packets and the intranet packets to different firewalls according to the fault state of the firewalls in the first and second firewall groups comprises:
when both firewall groups are normal, the first switch sends extranet packets from the extranet device to the main firewall of the first firewall group, and the second switch sends intranet packets from the intranet device to the main firewall of the second firewall group;
when the main firewall of either group fails, packets destined for that main firewall are steered to the standby firewall of the same group;
when both the main and the standby firewall of either group fail, packets destined for that group are steered to the other group;
when both firewall groups have failed, the first switch and the second switch send the packets directly to the destination.
In a further embodiment of the present disclosure, the OSPF protocol runs among the intranet device, the first switch, the second switch and the extranet device, and when the fault type is that both firewall groups have failed, the first and second switches forward the packets directly to the destination over OSPF.
A second aspect of the present disclosure provides a communication method of the resource-pooled firewall cluster system in any one of the foregoing embodiments, including:
the first switch and the second switch respectively guide an external network data packet sent by the external network equipment and an internal network data packet sent by the internal network equipment to different firewalls according to the fault conditions of the firewalls in the first firewall group and the second firewall group;
the first firewall group and the second firewall group determine whether a data packet can pass according to a preset strategy rule, an internal network data packet which can pass is sent to the external network equipment through the first switch, and an external network data packet which can pass is sent to the internal network equipment through the second switch.
As a further embodiment herein, the communication method of the resource-pooled firewall cluster system further comprises:
the first switch and/or the second switch send detection requests to firewalls in the first firewall group and the second firewall group;
and analyzing according to detection results returned by the firewalls in the first firewall group and the second firewall group, and determining the fault conditions of the firewalls in the first firewall group and the second firewall group.
As a further embodiment herein, the analyzing according to the detection results returned by the firewalls in the first firewall group and the second firewall group to determine the failure condition of the firewalls in the first firewall group and the second firewall group includes:
determining the network performance of each firewall according to the detection results returned by the firewalls in the first firewall group and the second firewall group;
and if the network performance of the firewall does not meet the preset condition, determining that the firewall has a fault.
As a further embodiment herein, steering the extranet packets and the intranet packets to different firewalls according to the fault state of the firewalls in the first and second firewall groups comprises:
when both firewall groups are normal, the first switch sends extranet packets from the extranet device to the main firewall of the first firewall group, and the second switch sends intranet packets from the intranet device to the main firewall of the second firewall group;
when the main firewall of either group fails, packets destined for that main firewall are steered to the standby firewall of the same group;
when both the main and the standby firewall of either group fail, packets destined for that group are steered to the other group;
when both firewall groups have failed, the first switch and the second switch send the packets directly to the destination.
The firewall cluster system comprises a first switch, a second switch, a first firewall group and a second firewall group. The main and standby firewalls within one group are of the same kind, and the firewalls of different groups differ, so a software bug in one firewall product cannot take the whole network out of service. According to the fault state of the firewalls in the two groups, the first switch steers extranet packets sent by the extranet device, and the second switch steers intranet packets sent by the intranet device, to different firewalls; the two firewall groups decide by a preset policy rule whether a packet may pass, an intranet packet that may pass is sent to the extranet device through the first switch, and an extranet packet that may pass is sent to the intranet device through the second switch. This avoids the prior-art problem that the network stops working when both the main and the standby firewall fail, greatly improves the overall availability of the network, allows firewalls to be added flexibly, and is of real significance for network reliability and quality of service.
In order to make the aforementioned and other objects, features and advantages of the present invention comprehensible, preferred embodiments accompanied with figures are described in detail below.
Drawings
In order to more clearly illustrate the embodiments or technical solutions in the prior art, the drawings used in the description of the embodiments or the prior art will be briefly described below, and it is obvious that the drawings in the following description are only some embodiments of the present invention, and it is obvious for those skilled in the art that other drawings can be obtained according to the drawings without creative efforts.
FIG. 1 is a block diagram illustrating a firewall cluster system for resource pooling according to an embodiment herein;
FIG. 2 illustrates a policy routing topology diagram according to embodiments herein;
FIG. 3 is a flow diagram illustrating a firewall failure detection process according to an embodiment herein;
fig. 4 illustrates a first schematic diagram of firewall failover according to an embodiment herein;
FIG. 5 illustrates a second schematic diagram of firewall failover in accordance with an embodiment herein;
FIG. 6 illustrates a first flowchart of a firewall cluster system communication method of resource pooling of embodiments herein;
FIG. 7 is a block diagram illustrating a computer device according to an embodiment of the present disclosure.
Description of the symbols of the drawings:
110. a first switch;
120. a second switch;
130. a first firewall group;
140. a second firewall group;
200. an extranet device;
300. an intranet device;
FW1-1, FW1-2, FW2-1, FW2-2, firewall;
FW1, FW2, firewall group;
702. a computer device;
704. a processor;
706. a memory;
708. a drive mechanism;
710. an input/output module;
712. an input device;
714. an output device;
716. a presentation device;
718. a graphical user interface;
720. a network interface;
722. a communication link;
724. a communication bus.
Detailed Description
The technical solutions in the embodiments of the present invention will be clearly and completely described below with reference to the drawings in the embodiments of the present invention, and it is obvious that the described embodiments are only a part of the embodiments of the present invention, and not all of the embodiments. All other embodiments, which can be derived by a person skilled in the art from the embodiments herein without making any creative effort, shall fall within the scope of protection.
It should be noted that the terms "first," "second," and the like in the description and claims herein and in the above-described drawings are used for distinguishing between similar elements and not necessarily for describing a particular sequential or chronological order. It is to be understood that the data so used is interchangeable under appropriate circumstances such that the embodiments herein described are capable of operation in sequences other than those illustrated or described herein. Furthermore, the terms "comprises," "comprising," and "having," and any variations thereof, are intended to cover a non-exclusive inclusion, such that a process, method, apparatus, article, or device that comprises a list of steps or elements is not necessarily limited to those steps or elements expressly listed, but may include other steps or elements not expressly listed or inherent to such process, method, article, or device.
The present specification provides method steps as described in the examples or flowcharts, but may include more or fewer steps based on routine or non-inventive labor. The order of steps recited in the embodiments is merely one manner of performing the steps in a multitude of orders and does not represent the only order of execution. When an actual system or apparatus product executes, it can execute sequentially or in parallel according to the method shown in the embodiment or the figures.
It should be noted that the resource pooling firewall cluster system and communication method herein can be used in the financial field, and can also be used in any field other than the financial field.
In an embodiment of this document, a resource-pooled firewall cluster system is provided. It addresses the prior-art problems that a main/standby firewall pair deployed at the boundary of a network area is complex to operate and maintain, can be expanded only by replacing the firewall when performance or capacity is limited, and is inflexible to replace, and that the main and standby devices being the same model from the same manufacturer is bad for network availability. Specifically, as shown in fig. 1, the resource-pooled firewall cluster system comprises:
a first switch 110 (a border leaf, BL), a second switch 120, a first firewall group 130 and a second firewall group 140. Within one firewall group the main and standby firewalls are the same kind, and the firewalls of different groups differ. "Different" here means different model and manufacturer: the main and standby firewalls of the first firewall group 130 are one model from one manufacturer, and the main and standby firewalls of the second firewall group 140 are another model from another manufacturer.
The first switch 110 is connected to the external network device 200, the first firewall group 130 and the second firewall group 140, and the second switch 120 is connected to the internal network device 300, the first firewall group 130 and the second firewall group 140. The first switch 110 and the second switch 120 respectively direct the extranet data packet sent by the extranet device 200 and the intranet data packet sent by the intranet device 300 to different firewalls according to the failure condition of the firewalls in the first firewall group 130 and the second firewall group 140.
The first firewall group 130 and the second firewall group 140 determine whether the data packet is passable according to a preset policy rule, transmit the passable intranet data packet to the extranet device 200 through the first switch 110, and transmit the passable extranet data packet to the intranet device 300 through the second switch 120.
In detail, the first switch 110 and the second switch 120 may be two separate physical switches, or an uplink switch and a downlink switch virtualised from one device. In a specific embodiment, each of the two switches is a CE16804 fitted with two 48 × 10G line cards; the current network bandwidth is at most 5G, so this meets the maximum throughput requirement of a single line. The line card supports up to 7.5K ACL entries, against an estimated 3K ACL entries needed on this row, so the performance requirement is met. For high availability, an M-LAG (multi-chassis link aggregation group) is also deployed between the first switch 110 and the second switch 120: 2 × 40G is used as the peer-link (the direct aggregation link) and a further 2 × 40G as a routing escape path; the peer-link exchanges protocol messages and carries part of the traffic so that the M-LAG operates normally. When address fragmentation is implemented, the first and second switches can emulate more switches so as to handle different address fragments.
In a specific embodiment, the first firewall group 130 and the second firewall group 140 use a USG95 series firewall and a New H3C (新华三) M9 series firewall respectively. Firewalls in the same group share model and manufacturer, and firewalls in different groups differ in both, so a software bug in one product cannot take an entire firewall group out of service and expose the whole intranet; choosing firewalls of different models and manufacturers is what provides the high availability.
Every firewall in a group carries the same preset policy rules. The policy rules decide whether a packet may pass; their content depends on the function of the firewall and is not limited here.
The extranet device and the intranet device described herein may include a plurality of devices including, but not limited to, a server, a router, and the like, which is not limited herein.
In this embodiment, the first switch and the second switch steer extranet packets from the extranet device and intranet packets from the intranet device to different firewalls according to the fault state of the firewalls in the two groups. This avoids the prior-art problem that the network stops working when the main and standby firewalls fail, greatly improves the overall availability of the network, allows firewall capacity to be expanded flexibly, strengthens network reliability and improves quality of service.
In an embodiment herein, policy-based routing (PBR) is deployed on the interconnection interfaces between the first switch 110 and the first and second firewall groups 130, 140 and between the second switch 120 and the first and second firewall groups. It matches traffic (packets) by source-address and destination-address network segment and steers it to the firewalls; the source and destination address are those of the packet. The PBR records the combination of source address, destination address and next-hop firewall address, and steers extranet and intranet packets to the corresponding firewall. The next-hop firewall address comprises the addresses of both firewall groups; only one group address is enabled at a time, and when that group becomes abnormal the address of the other group is enabled.
Using the combination of source address and destination address as the PBR steering condition ensures that the forward and return paths of a flow traverse the same firewall.
In one embodiment, as shown in fig. 2, the PBR comprises:
interconnection interface between the first switch and the extranet device: pbr1, sr-ip: outside-subnet, dst-ip: intranet-vpc-subnet, nexthop: vrrp10;
main firewall FW1-1 of the first firewall group: static route, dst-ip: intranet-vpc-subnet, nexthop: vrrp2;
interconnection interface between the second switch and the intranet device: pbr2, sr-ip: intranet-vpc-subnet, dst-ip: outside-subnet, nexthop: vrrp20;
standby firewall FW1-2 of the first firewall group: static route, dst-ip: outside-subnet, nexthop: vrrp1.
Here sr-ip is the source IP address and dst-ip the destination IP address. On the interface between the first switch and the extranet device and on the interface between the second switch and the intranet device, nexthop is a firewall group address; within the firewall groups FW1 and FW2, nexthop is the address of a firewall in the group. outside-subnet is the extranet address segment and intranet-vpc-subnet the intranet address segment.
This embodiment fragments the address space of the extranet and intranet devices and steers different fragments to different firewall groups. Steering by the address of the external device also suits a heterogeneous firewall pool better: hardware and software of different manufacturers and models process traffic differently, so communication quality and application services can be verified more comprehensively across the firewall groups, and because the access volumes of different intranet applications differ, the load is balanced relatively evenly.
In an embodiment of this document, the fault condition of the firewalls in the first firewall group and the second firewall group is detected by the first switch and/or the second switch, as shown in fig. 3, the detection process includes:
step 301, sending a detection request to firewalls in the first firewall group and the second firewall group;
step 302, analyzing according to the detection results returned by the firewalls in the first firewall group and the second firewall group, and determining the fault conditions of the firewalls in the first firewall group and the second firewall group.
Specifically, the detection request sent in step 301 is used to obtain log information of the firewall, and after receiving the detection request, the firewall sends the log information (i.e., a detection result) to the switch.
The step 302 of analyzing the detection results returned by the firewalls in the first firewall group and the second firewall group to determine the fault condition of the firewalls in the first firewall group and the second firewall group includes:
and calculating the network performance of each firewall according to the detection results returned by the firewalls in the first firewall group and the second firewall group, determining the fault of the firewall if the network performance of the firewall does not accord with the preset condition, and determining the normal of the firewall if the network performance of the firewall accords with the preset condition.
The network performance of the firewall comprises: response time, network jitter, packet loss rate, etc. The preset conditions define the upper limit value of each network performance, for example, the response time is not greater than the preset time, the network jitter frequency is not greater than the preset frequency, and the packet loss rate is not greater than the preset packet loss rate. And if the calculated network performance of the firewall exceeds or reaches the upper limit value, determining that the firewall has a fault.
In specific implementation, in order to prevent inaccurate detection at one time and avoid errors, the above steps 301 to 302 need to be continuously performed, and if the network performance of the firewall calculated for N consecutive times (e.g., three times, each time with a certain time interval) does not meet the preset condition, the firewall fault is determined.
The embodiment can avoid interruption of network communication or reduction of network service quality, and simultaneously carry out network fault positioning and troubleshooting in time.
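The probe-and-threshold logic of steps 301 to 302, including the N-consecutive-misses rule, as an added Python model; this is not code from the patent or from ICBC. It assumes that each probe round yields the list of round-trip times of answered probes plus the number of probes sent, derives response time, jitter and loss rate from those, and uses threshold values and probe rounds constructed for the example.

```python
from dataclasses import dataclass
from statistics import mean


@dataclass(frozen=True)
class Thresholds:
    """Upper limits of the preset condition; a metric above its limit fails the check."""
    max_response_ms: float   # mean round-trip time of answered probes
    max_jitter_ms: float     # mean absolute change between consecutive RTTs
    max_loss_rate: float     # fraction of probes that got no answer


def probe_metrics(rtts_ms, sent):
    """Reduce one probe round (RTTs of answered probes, probes sent) to the three
    metrics the description names: response time, network jitter, packet loss rate."""
    if sent <= 0:
        raise ValueError("sent must be positive")
    answered = len(rtts_ms)
    loss = 1.0 - answered / sent
    if answered == 0:
        # Total loss: no RTT exists, so response time and jitter are unbounded.
        return {"response_ms": float("inf"), "jitter_ms": float("inf"), "loss_rate": loss}
    jitter = mean(abs(b - a) for a, b in zip(rtts_ms, rtts_ms[1:])) if answered > 1 else 0.0
    return {"response_ms": mean(rtts_ms), "jitter_ms": jitter, "loss_rate": loss}


def meets_condition(metrics, thr):
    """The preset condition: every metric must stay within its upper limit."""
    return (metrics["response_ms"] <= thr.max_response_ms
            and metrics["jitter_ms"] <= thr.max_jitter_ms
            and metrics["loss_rate"] <= thr.max_loss_rate)


class FirewallMonitor:
    """Per-firewall consecutive-miss counter. A firewall is declared faulty only after
    `consecutive` failed rounds in a row; one healthy round resets the counter."""

    def __init__(self, firewalls, thresholds, consecutive=3):
        self.thr = thresholds
        self.n = consecutive
        self.misses = {fw: 0 for fw in firewalls}
        self.faulty = {fw: False for fw in firewalls}

    def observe(self, fw, rtts_ms, sent):
        """Feed one probe round for `fw`; return True if `fw` is now judged faulty."""
        if meets_condition(probe_metrics(rtts_ms, sent), self.thr):
            self.misses[fw] = 0
            self.faulty[fw] = False
        else:
            self.misses[fw] += 1
            if self.misses[fw] >= self.n:
                self.faulty[fw] = True
        return self.faulty[fw]


def run_demo():
    """Constructed probe rounds (not measurements from the page) for two firewalls.
    Returns the per-round verdict list and the final fault map."""
    thr = Thresholds(max_response_ms=50.0, max_jitter_ms=10.0, max_loss_rate=0.2)
    mon = FirewallMonitor(["FW1-1", "FW1-2"], thr, consecutive=3)
    rounds = [
        ("FW1-1", [4.1, 4.3, 4.0, 4.2, 4.1], 5),       # healthy
        ("FW1-2", [5.0, 5.2, 5.1, 4.9, 5.0], 5),       # healthy
        ("FW1-2", [120.0, 130.0], 5),                  # slow and 60 % loss: miss 1
        ("FW1-2", [5.0, 5.1, 5.0, 5.2, 5.1], 5),       # recovered: counter resets
        ("FW1-2", [], 5),                              # 100 % loss: miss 1
        ("FW1-2", [], 5),                              # miss 2
        ("FW1-2", [90.0, 95.0, 92.0, 91.0, 94.0], 5),  # slow: miss 3, declared faulty
    ]
    verdicts = [mon.observe(fw, rtts, sent) for fw, rtts, sent in rounds]
    return verdicts, dict(mon.faulty)


if __name__ == "__main__":
    print(run_demo())
```

The fourth round shows why the counter resets on a healthy probe: a single bad round followed by recovery must not count toward the fault threshold, otherwise transient congestion would eject a working firewall from the pool.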
In an embodiment of this document, the first switch and the second switch respectively direct the external network data packet sent by the external network device and the internal network data packet sent by the internal network device to different firewalls according to the failure condition of the firewalls in the first firewall group and the second firewall group, including:
(1) When both the first firewall group and the second firewall group are normal, the first switch sends the external network data packet sent by the external network device to the main firewall in the first firewall group, and the second switch sends the internal network data packet sent by the internal network device to the main firewall in the second firewall group.
(2) When the main firewall in either firewall group fails, the data packet sent to the main firewall of that group is directed to the standby firewall of the same group. As shown in fig. 4, when firewall FW1-1 in firewall group FW1 and firewall FW2-1 in firewall group FW2 fail, the packet addressed to FW1-1 is sent to FW1-2, and the packet addressed to FW2-1 is sent to FW2-2.
(3) When both the main and standby firewalls in either firewall group fail, the data packet sent to that firewall group is directed to the other firewall group. As shown in fig. 5, when both firewall FW1-1 and firewall FW1-2 in firewall group FW1 fail, the data packet sent to firewall group FW1 is sent to a firewall in FW2.
(4) When both firewall groups have failed, the first switch and the second switch send the data packet directly to the destination end.
In detail, the Open Shortest Path First (OSPF) protocol is deployed among the intranet device, the first switch, the second switch and the extranet device, and when the failure type is that both firewall groups have failed, the first switch and the second switch send the data packet directly to the destination end using OSPF, where the destination end is the extranet device or the intranet device. Because the first switch and the second switch forward the packet directly to the destination, no noticeable interruption is perceived externally. In a specific implementation, OSPF 65033 Area 0 can be deployed between the switches and the intranet device, OSPF 65066 Area 1 between the extranet device and the switches, two VLANs deployed on the interconnection interfaces between the switches and the firewall groups and configured with addresses in the same network segment, and two pairs of VRRP addresses deployed as the next hops of the PRR traffic steering.
Case (1) above may be the default configuration of the system; case (2) may be a main/standby switchover by the mechanism in which the firewalls act as main and standby for each other; case (3) may be a switch between firewall groups through the policy routing described above; and case (4) may be implemented using the OSPF protocol. With this firewall switching scheme, the high availability of the network is greatly improved.
In an embodiment of this document, there is further provided a resource-pooled firewall cluster system communication method, as shown in fig. 6, including:
step 610, the first switch guides an external network data packet sent by the external network equipment to a first firewall group;
step 620, the first firewall group determines whether the external network data packet passes through according to a preset policy rule, and sends the external network data packet which passes through to the intranet equipment through the second switch;
step 630, the second switch directs the intranet data packet sent by the intranet equipment to a second firewall group;
step 640, the second firewall group determines whether the intranet data packet passes according to a preset policy rule, and sends the intranet data packet that may pass to the external network device through the first switch;
step 650, the first switch and the second switch respectively direct the external network data packet sent by the external network device and the internal network data packet sent by the internal network device to different firewalls according to the fault conditions of the firewalls in the first firewall group and the second firewall group.
Specifically, when the main firewall in the first firewall group fails, the data packet sent to the main firewall in the first firewall group is directed to the standby firewall in the first firewall group. When both the main and standby firewalls in the first firewall group have failed, the data packet sent to the first firewall group is directed to the second firewall group. When the main firewall in the second firewall group fails, the data packet sent to the main firewall in the second firewall group is directed to the standby firewall in the second firewall group.
When both the main and standby firewalls in the second firewall group have failed, the data packet sent to the second firewall group is directed to the first firewall group.
When both firewall groups have failed, the first switch and the second switch send the data packet directly to the destination end.
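The steering rules of cases (1) to (4) above, and the per-direction restatement in steps 610 to 650, can be modelled as a small next-hop selection routine. The following is an added illustration and is not code from the patent: the class and function names (Firewall, FirewallGroup, Cluster, steer, walk_through_cases) and the sample topology FW1-1/FW1-2 and FW2-1/FW2-2 are assumptions made for the example, with group FW1 inspecting extranet-to-intranet traffic and group FW2 inspecting intranet-to-extranet traffic, as in the figures.

```python
"""Failure-driven traffic steering for the two-group firewall cluster.

Added example, not the patent's own code.  It models the four cases:
primary firewall, then standby firewall within the preferred group,
then the other group, and finally direct forwarding to the destination
over the OSPF path once every firewall has failed.  All names and the
sample topology are assumptions made for this illustration.
"""
from dataclasses import dataclass
from typing import List, Optional

DIRECT = "DIRECT"  # case (4): the switch forwards along the OSPF route, uninspected


@dataclass
class Firewall:
    name: str
    faulty: bool = False


@dataclass
class FirewallGroup:
    name: str
    primary: Firewall   # main firewall, normally answering the group's VRRP address
    standby: Firewall   # takes over the VRRP address when the main firewall fails

    def active(self) -> Optional[Firewall]:
        """Firewall currently answering for the group's next-hop address,
        or None when both members are faulty (the group address is disabled)."""
        if not self.primary.faulty:
            return self.primary
        if not self.standby.faulty:
            return self.standby
        return None


@dataclass
class Cluster:
    fw1: FirewallGroup  # inspects extranet -> intranet packets (first switch side)
    fw2: FirewallGroup  # inspects intranet -> extranet packets (second switch side)

    def steer(self, direction: str) -> str:
        """Next hop the switch chooses for a packet travelling in `direction`."""
        if direction == "extranet->intranet":
            preferred, other = self.fw1, self.fw2
        elif direction == "intranet->extranet":
            preferred, other = self.fw2, self.fw1
        else:
            raise ValueError(f"unknown direction {direction!r}")
        fw = preferred.active()      # cases (1) and (2): main, then standby
        if fw is None:
            fw = other.active()      # case (3): policy route switches to the other group
        if fw is None:
            return DIRECT            # case (4): both groups down, fail open
        return fw.name


def build_cluster() -> Cluster:
    """Constructed sample topology: FW1-1/FW1-2 form group FW1, FW2-1/FW2-2 form FW2."""
    return Cluster(
        fw1=FirewallGroup("FW1", Firewall("FW1-1"), Firewall("FW1-2")),
        fw2=FirewallGroup("FW2", Firewall("FW2-1"), Firewall("FW2-2")),
    )


def walk_through_cases() -> List[str]:
    """Apply failures one at a time and record where extranet -> intranet
    traffic is steered after each, reproducing cases (1) to (4) in order."""
    c = build_cluster()
    trace = [c.steer("extranet->intranet")]        # (1) FW1-1
    c.fw1.primary.faulty = True
    trace.append(c.steer("extranet->intranet"))    # (2) FW1-2
    c.fw1.standby.faulty = True
    trace.append(c.steer("extranet->intranet"))    # (3) FW2-1
    c.fw2.primary.faulty = True
    c.fw2.standby.faulty = True
    trace.append(c.steer("extranet->intranet"))    # (4) DIRECT
    return trace


if __name__ == "__main__":
    print(walk_through_cases())
```

Note that case (4) is a fail-open path: the switches deliver the packet to its destination without any policy inspection, which is what keeps the outage invisible to users. A deployment of this design should therefore log and alert whenever the DIRECT path is taken, so that the period without inspection is visible to operators rather than silent.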
In a further embodiment, the resource-pooled firewall cluster system communication method further includes:
the first switch and/or the second switch sends detection requests to the firewalls in the first firewall group and the second firewall group;
analyzing the detection results returned by the firewalls in the first firewall group and the second firewall group, and determining the fault conditions of the firewalls in the first firewall group and the second firewall group.
Specifically, analyzing the detection results returned by the firewalls in the first firewall group and the second firewall group to determine the fault conditions of those firewalls includes:
determining the network performance of each firewall according to the detection results returned by the firewalls in the first firewall group and the second firewall group;
if the network performance of a firewall does not meet the preset condition, determining that the firewall has a fault.
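The detection procedure (steps 301 to 302 above and the further embodiment just described) can be made concrete as follows. This is an added example, not the patent's own code: one detection round is the set of probe replies a switch collected from one firewall, with lost probes recorded as None; the thresholds, N = 3, the class and function names (Thresholds, performance, meets, FirewallMonitor, run_monitor) and the sample rounds are constructed values, and jitter is measured here as the mean round-trip-time variation between consecutive probes, since the patent speaks only of a "jitter frequency" without defining the metric.

```python
"""Probe evaluation and N-consecutive-failure decision for steps 301 to 302.

Added example, not the patent's code.  Thresholds, N and the sample rounds
are constructed; the jitter metric is an assumption (mean RTT variation).
"""
from dataclasses import dataclass
from statistics import mean
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Thresholds:
    """Upper limits; reaching or exceeding any one of them counts as a failure."""
    max_response_ms: float = 50.0
    max_jitter_ms: float = 10.0
    max_loss_rate: float = 0.05


def performance(rtts_ms: List[Optional[float]]) -> Tuple[float, float, float]:
    """(response time, jitter, packet loss rate) for one detection round."""
    if not rtts_ms:
        raise ValueError("a detection round needs at least one probe")
    answered = [r for r in rtts_ms if r is not None]
    loss_rate = 1 - len(answered) / len(rtts_ms)
    if not answered:                                  # every probe was lost
        return float("inf"), float("inf"), loss_rate
    response = mean(answered)
    deltas = [abs(a - b) for a, b in zip(answered, answered[1:])]
    jitter = mean(deltas) if deltas else 0.0
    return response, jitter, loss_rate


def meets(perf: Tuple[float, float, float], th: Thresholds) -> bool:
    """True when every metric stays strictly below its upper limit."""
    response, jitter, loss_rate = perf
    return (response < th.max_response_ms
            and jitter < th.max_jitter_ms
            and loss_rate < th.max_loss_rate)


class FirewallMonitor:
    """Tracks one firewall and declares a fault only after N consecutive bad rounds."""

    def __init__(self, name: str, n: int = 3, thresholds: Thresholds = Thresholds()):
        self.name = name
        self.n = n
        self.th = thresholds
        self.bad_streak = 0
        self.faulty = False

    def observe(self, rtts_ms: List[Optional[float]]) -> str:
        """Feed one round's probe results; return the firewall's state."""
        if meets(performance(rtts_ms), self.th):
            self.bad_streak = 0
            self.faulty = False    # assumption: a single conforming round clears the fault
        else:
            self.bad_streak += 1
            if self.bad_streak >= self.n:
                self.faulty = True
        return "fault" if self.faulty else "normal"


def run_monitor(rounds: List[List[Optional[float]]], n: int = 3) -> List[str]:
    """State reported after each round for one monitored firewall."""
    mon = FirewallMonitor("FW1-1", n=n)
    return [mon.observe(r) for r in rounds]


# constructed sample rounds (round-trip times in ms, None = probe lost)
GOOD = [10, 12, 14, 12]          # fast, steady, nothing lost
SLOW = [80, 90, 85, 95]          # response time above the limit
LOSSY = [10, None, None, None]   # 75 % packet loss

if __name__ == "__main__":
    print(run_monitor([GOOD, SLOW, SLOW, GOOD, SLOW, LOSSY, SLOW, GOOD]))
```

The streak counter is what implements the "N consecutive times" rule: two bad rounds followed by a good one never triggers a switchover, which guards against a single noisy measurement redirecting traffic needlessly.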
The pooled firewall cluster is deployed with firewalls of different brands and models, forming a firewall cluster (that is, a clustered heterogeneous deployment architecture), and the firewall to which a data packet is sent is determined by the fault condition of the firewalls in the cluster, so that network breakdown risks arising from two different sources, hardware faults in the equipment and bugs in a software version, can be avoided. The technique greatly improves the overall high availability of the network and is significant for enhancing network reliability and improving the quality of network service.
In an embodiment herein, a computer device is further provided for debugging the switch and the firewall, as shown in fig. 7, which is a schematic structural diagram of a node in the embodiment herein, in this embodiment, structures of a node in a side chain network and a node in a main chain network are described, and may include a relay node, a decision maker node, or other functional node, which is referred to as a computer device in this embodiment, and the computer device 702 may include one or more processors 704, such as one or more Central Processing Units (CPUs), each of which may implement one or more hardware threads. The computer device 702 may also include any memory 706 for storing any kind of information, such as code, settings, data, etc. For example, and without limitation, the memory 706 can include any one or more of the following in combination: any type of RAM, any type of ROM, flash memory devices, hard disks, optical disks, etc. More generally, any memory may use any technology to store information. Further, any memory may provide volatile or non-volatile retention of information. Further, any memory may represent fixed or removable components of computer device 702. In one case, when the processor 704 executes associated instructions that are stored in any memory or combination of memories, the computer device 702 can perform any of the operations of the associated instructions. The computer device 702 also includes one or more drive mechanisms 708, such as a hard disk drive mechanism, an optical disk drive mechanism, or the like, for interacting with any memory.
Computer device 702 can also include an input/output module 710 (I/O) for receiving various inputs (via input device 712) and for providing various outputs (via output device 714). One particular output mechanism may include a presentation device 716 and an associated graphical user interface 718 (GUI). In other embodiments, input/output module 710 (I/O), input device 712, and output device 714 may also not be included, as only one computer device in a network. Computer device 702 can also include one or more network interfaces 720 for exchanging data with other devices via one or more communication links 722. One or more communication buses 724 couple the above-described components together.
Communication link 722 may be implemented in any manner, such as over a local area network, a wide area network (e.g., the Internet), a point-to-point connection, etc., or any combination thereof. Communication link 722 may include any combination of hardwired links, wireless links, routers, gateway functions, name servers, etc., governed by any protocol or combination of protocols.
It should be understood that, in various embodiments herein, the sequence numbers of the above-mentioned processes do not mean the execution sequence, and the execution sequence of each process should be determined by its function and inherent logic, and should not constitute any limitation to the implementation process of the embodiments herein.
It should also be understood that, in the embodiments herein, the term "and/or" is only one kind of association relation describing an associated object, meaning that three kinds of relations may exist. For example, a and/or B, may represent: a exists alone, A and B exist simultaneously, and B exists alone. In addition, the character "/" herein generally indicates that the former and latter related objects are in an "or" relationship.
Those of ordinary skill in the art will appreciate that the elements and algorithm steps of the examples described in connection with the embodiments disclosed herein may be embodied in electronic hardware, computer software, or combinations of both, and that the components and steps of the examples have been described in a functional general in the foregoing description for the purpose of illustrating clearly the interchangeability of hardware and software. Whether such functionality is implemented as hardware or software depends upon the particular application and design constraints imposed on the implementation. Skilled artisans may implement the described functionality in varying ways for each particular application, but such implementation decisions should not be interpreted as causing a departure from the scope of the present disclosure.
It is clear to those skilled in the art that, for convenience and brevity of description, the specific working processes of the above-described systems, apparatuses and units may refer to the corresponding processes in the foregoing method embodiments, and are not described herein again.
In the several embodiments provided herein, it should be understood that the disclosed system, apparatus, and method may be implemented in other ways. For example, the above-described apparatus embodiments are merely illustrative, and for example, the division of the units is only one logical division, and other divisions may be realized in practice, for example, a plurality of units or components may be combined or integrated into another system, or some features may be omitted, or not executed. In addition, the shown or discussed mutual coupling or direct coupling or communication connection may be an indirect coupling or communication connection through some interfaces, devices or units, and may also be an electric, mechanical or other form of connection.
The units described as separate parts may or may not be physically separate, and parts displayed as units may or may not be physical units, may be located in one place, or may be distributed on a plurality of network units. Some or all of the units can be selected according to actual needs to achieve the purposes of the embodiments herein.
In addition, functional units in the embodiments herein may be integrated into one processing unit, or each unit may exist alone physically, or two or more units are integrated into one unit. The integrated unit can be realized in a form of hardware, and can also be realized in a form of a software functional unit.
The integrated unit, if implemented in the form of a software functional unit and sold or used as a stand-alone product, may be stored in a computer readable storage medium. Based on such understanding, the technical solutions of the present invention may be implemented in a form of a software product, which is stored in a storage medium and includes several instructions for causing a computer device (which may be a personal computer, a server, or a network device) to execute all or part of the steps of the methods described in the embodiments of the present invention. And the aforementioned storage medium includes: a U-disk, a removable hard disk, a Read-Only Memory (ROM), a Random Access Memory (RAM), a magnetic disk or an optical disk, and other various media capable of storing program codes.
The principles and embodiments of this document are explained herein using specific examples, which are presented only to aid in understanding the methods and their core concepts; at the same time, those of ordinary skill in the art may, following the ideas of this document, make changes in the specific implementation and the scope of application. In summary, this description should not be understood as limiting this document.

Claims (10)

1. A resource-pooled firewall cluster system, comprising: the firewall system comprises a first switch, a second switch, a first firewall group and a second firewall group, wherein the same firewall group comprises the same main firewall and standby firewall, and the firewalls in different firewall groups are different;
the first switch is connected with an external network device, a first firewall group and a second firewall group, the second switch is connected with an internal network device, the first firewall group and the second firewall group, and the first switch and the second switch respectively guide an external network data packet sent by the external network device and an internal network data packet sent by the internal network device to different firewalls according to the fault conditions of the firewalls in the first firewall group and the second firewall group;
the first firewall group and the second firewall group determine whether a data packet can pass according to a preset policy rule, an internal network data packet that can pass is sent to the external network device through the first switch, and an external network data packet that can pass is sent to the internal network device through the second switch.
2. The resource-pooled firewall cluster system of claim 1, wherein policy routing is deployed at the interconnection interfaces of the first switch and the first firewall group and the interconnection interfaces of the second switch and the first firewall group and the second firewall group;
the policy route records the combination of source address, destination address and the address of the firewall to be traversed, and the external network data packet and the internal network data packet are directed to the corresponding firewall through the policy route;
the address of the firewall to be traversed comprises an address of the first firewall group and an address of the second firewall group, only one firewall group address is enabled at a time, and when that firewall group fails, the other firewall group address is enabled.
3. The resource-pooled firewall cluster system of claim 1, wherein failure conditions of firewalls in a first firewall group and a second firewall group are detected by the first switch and/or the second switch, the detection process comprising:
sending a detection request to firewalls in the first firewall group and the second firewall group;
and analyzing according to detection results returned by the firewalls in the first firewall group and the second firewall group, and determining the fault conditions of the firewalls in the first firewall group and the second firewall group.
4. The resource-pooled firewall cluster system of claim 3, wherein analyzing the detection results returned by the firewalls in the first firewall group and the second firewall group to determine the failure of the firewalls in the first firewall group and the second firewall group comprises:
determining the network performance of each firewall according to the detection results returned by the firewalls in the first firewall group and the second firewall group;
and if the network performance of the firewall does not meet the preset condition, determining that the firewall has a fault.
5. The firewall cluster system of claim 1, wherein the first switch and the second switch respectively direct the external network packet sent by the external network device and the internal network packet sent by the internal network device to different firewalls according to the failure of the firewalls in the first firewall group and the second firewall group, the firewall cluster system comprising:
when a first firewall group and a second firewall group are normal, the first switch sends an external network data packet sent by the external network equipment to a main firewall in the first firewall group, and the second switch sends an internal network data packet sent by the internal network equipment to a main firewall in the second firewall group;
when the main firewall in any firewall group fails, the data packet sent to the main firewall in the firewall group is guided to the standby firewall of the firewall group;
when both the main and standby firewalls in any firewall group fail, the data packet sent to the firewall group is guided to another firewall group;
when the two firewall groups are in failure, the first switch and the second switch directly send the data packet to the destination end.
6. The resource-pooled firewall cluster system according to claim 5, wherein an OSPF protocol is deployed among the intranet device, the first switch, the second switch and the extranet device, and when the failure type is failure of both firewall groups, the first switch and the second switch directly send the packet to the destination using the OSPF protocol.
7. A firewall cluster system communication method for resource pooling according to any one of claims 1 to 6, comprising:
the first switch and the second switch respectively guide an external network data packet sent by the external network equipment and an internal network data packet sent by the internal network equipment to different firewalls according to the fault conditions of the firewalls in the first firewall group and the second firewall group;
the first firewall group and the second firewall group determine whether a data packet can pass according to a preset policy rule, an internal network data packet that can pass is sent to the external network device through the first switch, and an external network data packet that can pass is sent to the internal network device through the second switch.
8. The resource-pooled firewall cluster system communication method of claim 7, further comprising:
the first switch and/or the second switch send detection requests to firewalls in the first firewall group and the second firewall group;
and analyzing according to detection results returned by the firewalls in the first firewall group and the second firewall group, and determining the fault conditions of the firewalls in the first firewall group and the second firewall group.
9. The method of claim 8, wherein determining the failure of the firewalls in the first firewall group and the second firewall group by analyzing the detection results returned by the firewalls in the first firewall group and the second firewall group comprises:
determining the network performance of each firewall according to the detection results returned by the firewalls in the first firewall group and the second firewall group;
and if the network performance of the firewall does not meet the preset condition, determining that the firewall has a fault.
10. The method according to claim 7, wherein the first switch and the second switch respectively direct the extranet packet sent by the extranet device and the intranet packet sent by the intranet device to different firewalls according to the failure of the firewalls in the first firewall group and the second firewall group, the method comprising:
when a first firewall group and a second firewall group are normal, the first switch sends an external network data packet sent by the external network equipment to a main firewall in the first firewall group, and the second switch sends an internal network data packet sent by the internal network equipment to a main firewall in the second firewall group;
when the main firewall in any firewall group fails, the data packet sent to the main firewall in the firewall group is guided to the standby firewall of the firewall group;
when both the main and standby firewalls in any firewall group fail, the data packet sent to the firewall group is guided to another firewall group;
when the two firewall groups are in failure, the first switch and the second switch directly send the data packet to the destination end.
CN202110895558.0A 2021-08-05 2021-08-05 Resource pooling firewall cluster system and communication method Pending CN113612778A (en)
Publications (1)

Publication Number Publication Date
CN113612778A true CN113612778A (en) 2021-11-05
Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
RJ01 Rejection of invention patent application after publication

Application publication date: 20211105