CN115225397B - Control method, control device, firewall and computer readable storage medium - Google Patents

Control method, control device, firewall and computer readable storage medium

Info

Publication number
CN115225397B
CN115225397B
Authority
CN
China
Prior art keywords
firewall
interface
new
outgoing interface
session
Prior art date
Legal status
Active
Application number
CN202210869336.6A
Other languages
Chinese (zh)
Other versions
CN115225397A (en
Inventor
鲍志军
李家顺
王镜清
王国盛
尹伟伟
Current Assignee
Hillstone Networks Co Ltd
Original Assignee
Hillstone Networks Co Ltd
Priority date
Filing date
Publication date
Application filed by Hillstone Networks Co Ltd
Priority to CN202210869336.6A
Publication of CN115225397A
Application granted
Publication of CN115225397B
Legal status: Active (current)
Anticipated expiration

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/02 Network architectures or network communication protocols for network security for separating internal from external traffic, e.g. firewalls
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L41/00 Arrangements for maintenance, administration or management of data switching networks, e.g. of packet switching networks
    • H04L41/06 Management of faults, events, alarms or notifications
    • H04L41/0654 Management of faults, events, alarms or notifications using network fault recovery
    • H04L41/0668 Management of faults, events, alarms or notifications using network fault recovery by dynamic selection of recovery network elements, e.g. replacement by the most appropriate element after failure
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L43/00 Arrangements for monitoring or testing data switching networks
    • H04L43/10 Active monitoring, e.g. heartbeat, ping or trace-route
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L67/00 Network arrangements or protocols for supporting network services or applications
    • H04L67/14 Session management

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Hardware Design (AREA)
  • Computer Security & Cryptography (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Health & Medical Sciences (AREA)
  • Cardiology (AREA)
  • General Health & Medical Sciences (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

The application provides a control method, a control device, a firewall and a computer readable storage medium. The method comprises the following steps: after the firewall itself is switched to be the primary firewall, determining the state of each of its outgoing interfaces based on the marks of those outgoing interfaces; when the outgoing interface corresponding to a service flow session is in a down (non-forwarding) state, searching for a new route and a new outgoing interface for the service flow session; and when a new route and a new outgoing interface are found, updating the service flow session based on them, so that packets matching the service flow session are sent out of the new outgoing interface along the new route path. By this method, when the outgoing interface corresponding to a service flow session on the backup firewall is down, the service still communicates through the new route and the new outgoing interface after the primary and backup firewalls are switched, so that a smooth primary/backup switchover is achieved.

Description

Control method, control device, firewall and computer readable storage medium
Technical Field
The present application relates to the field of network security technologies, and in particular, to a control method, a control device, a firewall, and a computer readable storage medium.
Background
A firewall is a protective barrier, built from hardware and software, placed between the internal network and the external network so as to block unsafe network traffic from reaching the protected computers.
An HA (High Availability) firewall system essentially consists of a primary firewall and a backup firewall. As shown in fig. 1, firewall FW01 is the primary firewall and firewall FW02 is the backup firewall. The service flow sessions on the primary and backup firewalls are symmetrical: because the service flow session on the primary firewall points to outgoing interface eth1 in the downstream direction, the corresponding service flow session on the backup firewall also points to outgoing interface eth1 in the downstream direction.
However, the inventors found in practice that when outgoing interface eth1 of the backup firewall is down and a primary/backup switchover is triggered at that moment, as shown in fig. 2, firewall FW02 becomes the new primary firewall and firewall FW01 becomes the new backup firewall after the switchover, and because the service flow session on FW02 still points to outgoing interface eth1, which is down, the service associated with that session is interrupted until the session ages out and is deleted. Session aging on a firewall means that a session is removed on timeout when no traffic has hit it for a fixed period (for example, 1800 seconds).
Disclosure of Invention
An object of the embodiments of the present application is to provide a control method, a control device, a firewall and a computer readable storage medium, so as to ensure that, when the outgoing interface corresponding to a service flow session on the backup firewall is down, the service can still communicate normally after the primary firewall and the backup firewall are switched.
The invention is realized in the following way:
In a first aspect, an embodiment of the present application provides a control method applied to a firewall. The method comprises: after the firewall itself is switched to be the primary firewall, determining the state of each of its outgoing interfaces based on the marks of those outgoing interfaces; when the outgoing interface corresponding to a service flow session is in a down state, searching for a new route and a new outgoing interface for the service flow session; and when a new route and a new outgoing interface are found, updating the service flow session based on them, so that packets matching the service flow session are sent out of the new outgoing interface along the new route path.
In this embodiment, after the firewall is switched to primary, the state of each outgoing interface is determined from its mark, and when the outgoing interface corresponding to a service flow session is down, a new route and a new outgoing interface are searched for and the session is updated accordingly. In this way, when the outgoing interface of a service flow session on the backup firewall is down, the service still communicates through the new route and the new outgoing interface after the primary/backup switchover, so the switchover is smooth.
With reference to the first aspect, in some possible implementations, when no new route and new outgoing interface are found, the method further comprises deleting the service flow session.
In this embodiment, when the firewall finds no new route and new outgoing interface, it directly deletes the service flow session whose outgoing interface is down. This avoids the situation in which the service stays interrupted until the session ages out, which would otherwise happen because the session keeps pointing at a down outgoing interface.
With reference to the first aspect, in some possible implementations, after deleting the service flow session the method further comprises: when an outgoing interface of the firewall itself is restored to the up state, rebuilding a new service flow session based on the received service packets.
In this embodiment, because the service flow session that pointed to the down outgoing interface has been deleted, a new service flow session can be rebuilt from the service packets as soon as the outgoing interface returns to the up state, so that the service resumes at the earliest opportunity.
With reference to the first aspect, in some possible implementations, before the firewall is switched to be the primary firewall, the method further comprises: detecting the state of each of its own outgoing interfaces; and when a first outgoing interface of the firewall is detected to be in a down state, marking the first outgoing interface, the mark characterizing the first outgoing interface as down.
In this embodiment, while the firewall is the backup firewall it detects the state of each of its outgoing interfaces and marks a first outgoing interface when it is detected to be down. Detecting and marking in advance lets the firewall act directly on the marking result when it is switched to primary, which makes the primary/backup switchover smooth.
With reference to the first aspect, in some possible implementations, detecting the state of each of its own outgoing interfaces comprises: sending heartbeat messages to the peer device connected to each outgoing interface, so as to detect the state of each of its own outgoing interfaces.
In this embodiment, by sending heartbeat messages to the peer device connected to each outgoing interface, the firewall can detect the state of its outgoing interfaces conveniently and accurately.
With reference to the first aspect, in some possible implementations, before the firewall is switched to be the primary firewall, the method further comprises: continuously detecting the state of each of its own outgoing interfaces; and deleting the mark of the first outgoing interface when the first outgoing interface is detected to have been restored to the up state.
In this embodiment, before the firewall is switched to primary it keeps detecting the state of its outgoing interfaces, and when the first outgoing interface is detected to have recovered, its mark is deleted, so that when the firewall is switched to primary the service flow session can continue to communicate normally through the first outgoing interface.
In a second aspect, an embodiment of the present application provides a control device applied to a firewall. The device comprises: an outgoing-interface module, for determining the state of each outgoing interface of the firewall based on the mark of each outgoing interface after the firewall is switched to be the primary firewall; and a session management module, for searching for a new route and a new outgoing interface for a service flow session when the outgoing interface corresponding to that session is in a down state, and, when a new route and a new outgoing interface are found, updating the service flow session based on them so that packets matching the session are sent out of the new outgoing interface along the new route path.
With reference to the second aspect, in some possible implementations, the session management module is further configured to delete the service flow session when no new route and new outgoing interface are found.
In a third aspect, an embodiment of the present application provides a firewall comprising a processor and a memory, the processor being connected to the memory; the memory stores a program, and the processor is configured to invoke the program stored in the memory to perform the method provided by the first aspect and/or any of its possible implementations.
In a fourth aspect, an embodiment of the present application provides a computer readable storage medium storing a computer program which, when executed by a processor, performs the method provided by the first aspect and/or any of its possible implementations.
Drawings
In order to illustrate the technical solutions of the embodiments more clearly, the drawings needed in the embodiments are briefly described below. It should be understood that the following drawings illustrate only some embodiments of the present application and should not be regarded as limiting its scope; other related drawings can be derived from them by a person skilled in the art without inventive effort.
Fig. 1 is a block diagram of a HA firewall system.
Fig. 2 is a block diagram of another HA firewall system.
Fig. 3 is a block diagram of a first HA firewall system according to an embodiment of the present application.
Fig. 4 is a block diagram of a firewall according to an embodiment of the application.
Fig. 5 is a block diagram of a second HA firewall system according to an embodiment of the present application.
Fig. 6 is a block diagram of a third HA firewall system according to an embodiment of the present application.
Fig. 7 is a flowchart of steps of a control method according to an embodiment of the present application.
Fig. 8 is a block diagram of a fourth HA firewall system according to an embodiment of the present application.
Detailed Description
The technical solutions in the embodiments of the present application will be described below with reference to the accompanying drawings in the embodiments of the present application.
Referring to fig. 3, an embodiment of the present application provides an HA firewall system comprising a first firewall and a second firewall.
Both the first firewall and the second firewall are deployed on the communication link between the server and the client.
The structure of the firewalls is described first. The first firewall and the second firewall may have the following structure.
Referring to fig. 4, architecturally a firewall may include a processor and a memory. The processor and the memory are electrically connected, directly or indirectly, for data transfer or interaction; for example, the components may be connected to each other through one or more communication buses or signal lines. The control device comprises at least one software module, which may be stored in the memory in the form of software or firmware, or built into the operating system (OS) of the firewall. The processor executes the executable modules stored in the memory, such as the software functional modules and computer programs comprised in the control device, so as to implement the control method. The processor may execute the computer program after receiving an execution instruction.
The processor may be an integrated circuit chip with signal processing capability. The processor may also be a general-purpose processor such as a central processing unit (CPU), a digital signal processor (DSP), an application-specific integrated circuit (ASIC), discrete gate or transistor logic, or discrete hardware components, and may implement or perform the methods, steps and logic blocks disclosed in the embodiments of the present application. Further, the general-purpose processor may be a microprocessor or any conventional processor.
The memory may be, but is not limited to, random access memory (RAM), read-only memory (ROM), programmable read-only memory (PROM), erasable programmable read-only memory (EPROM), or electrically erasable programmable read-only memory (EEPROM). The memory stores a program, and the processor executes the program after receiving an execution instruction.
It should be noted that the structure shown in fig. 4 is illustrative only; the firewall provided by the embodiments of the present application may have fewer or more components than shown in fig. 4, or a different configuration. In addition, the components shown in fig. 4 may be implemented in software, hardware, or a combination of the two.
The application of the HA firewall system is described below.
In an application of the HA firewall system, the first firewall may be the primary firewall and the second firewall the backup firewall, or the first firewall may be the backup firewall and the second firewall the primary firewall.
The primary firewall and the backup firewall can also perform a primary/backup switchover during operation; the switchover may be triggered manually or automatically when the primary firewall fails.
It should be noted that the service flow sessions on the primary and backup firewalls are symmetrical; this symmetry of the service flow sessions can be achieved over the HA link between the two.
As shown in fig. 3, the first firewall is the primary firewall and the second firewall is the backup firewall, and since the service flow session on the first firewall points to outgoing interface eth1 in the downstream direction, the corresponding service flow session on the second firewall also points to outgoing interface eth1 in the downstream direction.
Assume that a primary/backup switchover now occurs; the HA firewall system after the switchover is shown in fig. 5, where the second firewall is the primary firewall and the first firewall is the backup firewall. At this point the downstream direction of the previous service flow session still points to outgoing interface eth1, that is, packets matching the service flow session are sent out of outgoing interface eth1.
In this application scenario, if outgoing interface eth1 of the second firewall is down, whether because of a failure of the outgoing interface itself, a routing failure, or a failure of another downstream device, the service associated with the service flow session that corresponds to outgoing interface eth1 is interrupted until that session ages out and is deleted. As shown in fig. 6, when interface eth1 of the second firewall is down, the service packets matching the service flow session cannot reach the client.
It should be noted that because service packets keep hitting the service flow session, the session cannot age out and be deleted. Session aging on a firewall means that a session is removed on timeout when no traffic has hit it for a fixed period (for example, 1800 seconds).
To address this problem, the embodiments of the present application configure the control method described below in both the first firewall and the second firewall.
Referring to fig. 7, an embodiment of the present application provides a control method applied to any firewall of the HA firewall system. The control method is not limited to the order shown in fig. 7 and described below; it comprises steps S101 to S103.
Step S101: after the firewall itself is switched to be the primary firewall, determine the state of each of its outgoing interfaces based on the mark of each outgoing interface.
When the firewall is switched to primary, the state of each outgoing interface is determined first. In the embodiments of the present application this determination is made by way of marks.
In one embodiment, before the firewall is switched to primary, it may detect the state of each of its outgoing interfaces and, when a first outgoing interface is detected to be in a down state, mark that first outgoing interface.
It should be noted that this mark indicates that the first outgoing interface is down. If outgoing interface eth1 of the second firewall in fig. 6 is down, outgoing interface eth1 is marked.
The mark may be a symbol, a number, or the like; the present application does not limit this.
Thus, in the embodiments of the present application, while the firewall is the backup firewall it detects the state of each of its outgoing interfaces and marks a first outgoing interface when it is detected to be down. Detecting and marking in advance lets the firewall act directly on the marking result once it is switched to primary, which makes the primary/backup switchover smooth.
Optionally, after marking the first outgoing interface and before the firewall is switched to primary, the method further comprises: continuously detecting the state of each of its outgoing interfaces; and deleting the mark of the first outgoing interface when the first outgoing interface is detected to have been restored to the up state.
That is, before the firewall is switched to primary it keeps detecting the state of its outgoing interfaces, and when the first outgoing interface is detected to have recovered, its mark is deleted, so that after the switchover the service flow session can continue to communicate normally through the first outgoing interface.
Of course, the firewall may also mark outgoing interfaces differently according to their state, for example FALSE when an outgoing interface is down and TRUE when it is up. The present application does not limit this.
In other embodiments, the firewall may detect the state of each of its outgoing interfaces after it has become the backup firewall, and mark a first outgoing interface when it is detected to be down; the present application does not limit this either.
In the embodiments of the present application, the firewall may detect each outgoing interface by sending heartbeat messages to the peer device connected to that outgoing interface.
That is, the firewall sends a heartbeat message to the peer device and determines the state of the outgoing interface according to whether the peer device returns a response message. For example, the firewall sends a heartbeat message to the peer device at a preset interval; if no response message has been received from the peer device after a preset number of transmissions, the outgoing interface is determined to be in a down state; otherwise the outgoing interface is in an up state.
The preset interval and preset number can be set according to actual conditions; for example, the preset interval is 3 seconds and the preset number is 5.
By sending heartbeat messages to the peer device connected to each outgoing interface, the firewall can detect the state of its outgoing interfaces conveniently and accurately.
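The heartbeat detection and marking logic described above, written out as an added illustration (this is not code from the patent or from Hillstone's product): a monitor probes the peer behind each outgoing interface once per interval, marks the interface down after a preset number of consecutive unanswered probes, and deletes the mark as soon as a probe is answered again. The interface names, the scripted probe function and the 3-second interval / 5-probe threshold taken from the example in the text are assumptions; a real device would send the heartbeat on the wire.

```python
"""Heartbeat-based down-marking of outgoing interfaces on a backup firewall.

Added illustration of the detection step in the description, not code from the
patent or from Hillstone. The probe function, interface names and thresholds are
assumptions; on a real device the probe would be an on-wire heartbeat.
"""
import time
from dataclasses import dataclass, field
from enum import Enum
from typing import Callable, Dict, Iterable, List


class State(Enum):
    UP = "up"
    DOWN = "down"


@dataclass
class IfaceHealth:
    state: State = State.UP
    consecutive_misses: int = 0


@dataclass
class HeartbeatMonitor:
    """Keeps a per-interface DOWN mark; `probe(iface)` returns True when the peer replies."""
    probe: Callable[[str], bool]
    interfaces: Iterable[str]
    interval: float = 3.0      # seconds between heartbeats (the text's example: 3 s)
    max_misses: int = 5        # unanswered probes before marking DOWN (the text's example: 5)
    health: Dict[str, IfaceHealth] = field(default_factory=dict)

    def __post_init__(self) -> None:
        self.health = {name: IfaceHealth() for name in self.interfaces}

    def tick(self) -> None:
        """One heartbeat round across all outgoing interfaces."""
        for name, h in self.health.items():
            if self.probe(name):
                # Peer answered: reset the miss counter and delete any DOWN mark.
                h.consecutive_misses = 0
                h.state = State.UP
            else:
                h.consecutive_misses += 1
                if h.consecutive_misses >= self.max_misses:
                    h.state = State.DOWN

    def run(self, rounds: int, sleep: Callable[[float], None] = time.sleep) -> None:
        """Send `rounds` heartbeats, waiting `interval` seconds between them."""
        for i in range(rounds):
            self.tick()
            if i < rounds - 1:
                sleep(self.interval)

    def marked_down(self) -> List[str]:
        """Interfaces currently carrying the DOWN mark (what S101 later reads)."""
        return sorted(n for n, h in self.health.items() if h.state is State.DOWN)


def scripted_probe(replies: Dict[str, List[bool]]) -> Callable[[str], bool]:
    """Constructed probe: returns the next scripted reply per interface, then True."""
    cursors = {k: 0 for k in replies}

    def probe(name: str) -> bool:
        seq = replies.get(name, [])
        i = cursors.get(name, 0)
        cursors[name] = i + 1
        return seq[i] if i < len(seq) else True

    return probe


def run_scenario() -> Dict[str, List[str]]:
    """Constructed scenario: eth1's peer is silent for 6 rounds, then recovers; eth2 always answers.

    Returns the DOWN-marked set after rounds 4, 5 and 8 so that the threshold
    (mark appears on the 5th miss) and the recovery (mark deleted) can be checked.
    """
    replies = {"eth1": [False] * 6 + [True] * 10, "eth2": [True] * 16}
    mon = HeartbeatMonitor(probe=scripted_probe(replies), interfaces=["eth1", "eth2"])
    snapshots: Dict[str, List[str]] = {}
    for round_no in range(1, 9):
        mon.tick()
        if round_no in (4, 5, 8):
            snapshots[f"after_{round_no}"] = mon.marked_down()
    return snapshots


if __name__ == "__main__":
    print(run_scenario())
```

The mark is deleted on the first answered probe, matching the text's "delete the mark when the interface is detected to have recovered"; a deployment that wants hysteresis against flapping links would require several consecutive replies before clearing it.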
Step S102: and when the outgoing interface corresponding to the service flow session is in a non-passing state, searching a new route and a new outgoing interface corresponding to the service flow session.
When the traffic flow session corresponds to a state that the outgoing interface is not enabled, for example, when the outgoing interface eth1 of the second firewall in fig. 6 is not enabled, at this time, the routes related to the outgoing interface are set to be invalid first, and then the new routes and the searching of the outgoing interface are triggered.
It should be noted that, the searching route may be understood as searching for a next hop node of the service packet, and the searching out interface may be understood as determining from which out interface the service packet is sent out.
Step S103: when a new route and a new outgoing interface are found, the traffic flow session is updated based on the new route and the new outgoing interface, so that a message corresponding to the traffic flow session is sent out from the new outgoing interface based on the new route path.
If the firewall device finds a new route and a new outgoing interface that can match the traffic stream session, the traffic stream session is updated based on the new route and the new outgoing interface. Assuming that the new outgoing interface is the outgoing interface eth2 of the second firewall, the HA firewall system at this time may refer to fig. 8, where when the second firewall receives a service packet and hits the updated service flow session, the service packet is sent from the outgoing interface eth2 of the second firewall.
It can be seen that, in the embodiment of the present application, after the firewall is switched to the main firewall, the state of each outgoing interface may be determined based on the mark of each outgoing interface, and then when the outgoing interface corresponding to the traffic flow session is in a non-passing state, a new route and a new outgoing interface may be found to update the traffic flow session. By the method, when the corresponding outgoing interface of the service flow session of the backup firewall is not enabled, and after the primary and the backup firewalls are switched, service communication is carried out through the new route and the new outgoing interface, and by adopting the method, the smooth switching of the primary and the backup firewalls can be realized.
If the firewall does not find the new route and the new outbound interface, the control method further comprises: and deleting the service flow session.
It should be noted that, when the firewall does not find a new route and a new outgoing interface, the firewall directly deletes the service flow session corresponding to the outgoing interface in the non-passing state, so that the situation that the service is always non-passing before the service flow session is aged and deleted due to the fact that the service flow session always points to the non-passing outgoing interface can be avoided.
Accordingly, after deleting the traffic stream session, the method further comprises: when the own outlet interface is restored to be in a smooth state, a new service flow session is reconstructed based on the received service message.
The own egress interface may be an egress interface in a previously failed state corresponding to the deleted traffic stream session.
The outgoing interface here may also be a new outgoing interface that may match the traffic stream session, such as the outgoing interface eth2 shown in fig. 8.
It should be noted that, since the traffic session of the outgoing interface pointing to the failed state is deleted, when the outgoing interface of the traffic session is restored to the failed state, a new traffic session may be reconstructed based on the traffic message, so as to facilitate the traffic to resume communication at the first time.
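Steps S101 to S103 together with the deletion and rebuild behaviour above, as an added worked example that is not the patent's or Hillstone's own code: after this firewall becomes primary, every session whose egress interface carries a down mark has its routes through that interface treated as invalid, a longest-prefix lookup finds an alternative route and egress interface, the session is rewritten to use them, and a session with no alternative is deleted so that the next packet rebuilds it once an interface recovers. Prefixes, next hops, interface names and the 5-tuple session key are constructed for the example.

```python
"""Session re-homing after a primary/backup firewall switchover.

Added example, not code from the patent or from Hillstone's product. It models
steps S101-S103 of the description: when this firewall becomes primary, every
session whose egress interface is marked DOWN has its routes through that
interface invalidated, a new route and egress interface are looked up, the
session is rewritten to use them, and sessions with no alternative are deleted
so that traffic can rebuild them once an interface recovers. Prefixes, next
hops, interface names and the session key layout are assumptions.
"""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple

SessionKey = Tuple[str, str, int, int, str]   # (src, dst, sport, dport, proto)


@dataclass(frozen=True)
class Route:
    prefix: ipaddress.IPv4Network
    next_hop: str
    egress: str


@dataclass
class Session:
    key: SessionKey
    egress: str
    next_hop: str
    hits: int = 0


def lookup_route(routes: List[Route], dst: str, down: Set[str]) -> Optional[Route]:
    """Longest-prefix match that ignores routes whose egress carries a DOWN mark.

    Skipping those routes is the "set the routes associated with the outgoing
    interface to invalid first" step of S102.
    """
    addr = ipaddress.IPv4Address(dst)
    usable = [r for r in routes if r.egress not in down and addr in r.prefix]
    return max(usable, key=lambda r: r.prefix.prefixlen, default=None)


def on_become_primary(sessions: Dict[SessionKey, Session],
                      routes: List[Route], down: Set[str]) -> Dict[str, List[SessionKey]]:
    """S101-S103: re-home or delete every session that points at a DOWN egress."""
    report: Dict[str, List[SessionKey]] = {"rehomed": [], "deleted": [], "kept": []}
    for key, sess in list(sessions.items()):
        if sess.egress not in down:
            report["kept"].append(key)
            continue
        new = lookup_route(routes, key[1], down)
        if new is None:
            del sessions[key]               # no alternative path: drop instead of blackholing
            report["deleted"].append(key)
        else:
            sess.egress, sess.next_hop = new.egress, new.next_hop
            report["rehomed"].append(key)
    return report


def forward(sessions: Dict[SessionKey, Session], routes: List[Route],
            key: SessionKey, down: Set[str]) -> Optional[str]:
    """Fast path: hit an existing session, else build one from a live route.

    Returns the egress interface used, or None when the packet must be dropped.
    """
    sess = sessions.get(key)
    if sess is None:
        route = lookup_route(routes, key[1], down)
        if route is None:
            return None
        sess = sessions[key] = Session(key, route.egress, route.next_hop)
    sess.hits += 1
    return sess.egress


def demo() -> Tuple[Dict[str, List[SessionKey]], Optional[str], Optional[str]]:
    """Constructed scenario: eth1 is DOWN on the new primary; eth2 is a backup path for 10.1/16 only."""
    routes = [
        Route(ipaddress.ip_network("10.1.0.0/16"), "10.1.0.254", "eth1"),
        Route(ipaddress.ip_network("10.1.0.0/16"), "10.2.0.254", "eth2"),   # alternative path
        Route(ipaddress.ip_network("10.9.0.0/16"), "10.9.0.254", "eth1"),   # reachable via eth1 only
    ]
    k_client = ("192.0.2.10", "10.1.5.7", 40000, 443, "tcp")
    k_orphan = ("192.0.2.11", "10.9.1.1", 40001, 22, "tcp")
    sessions = {
        k_client: Session(k_client, "eth1", "10.1.0.254"),
        k_orphan: Session(k_orphan, "eth1", "10.9.0.254"),
    }
    down = {"eth1"}
    report = on_become_primary(sessions, routes, down)
    via_after_switch = forward(sessions, routes, k_client, down)   # hits the re-homed session
    down.clear()                                                   # eth1 recovers, mark deleted
    via_rebuilt = forward(sessions, routes, k_orphan, down)        # session rebuilt on eth1
    return report, via_after_switch, via_rebuilt


if __name__ == "__main__":
    print(demo())
```

Deleting the orphaned session rather than leaving it in place is the point the text makes about aging: a session that keeps being hit never times out, so without the explicit delete the 10.9/16 flow would be blackholed until the session table was cleared by other means.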
Based on the same inventive concept, an embodiment of the present application further provides a control device, comprising:
an outgoing-interface module, for determining the state of each outgoing interface of the firewall based on the mark of each outgoing interface after the firewall is switched to be the primary firewall;
a session management module, for searching for a new route and a new outgoing interface for a service flow session when the outgoing interface corresponding to that session is in a down state, and, when a new route and a new outgoing interface are found, updating the service flow session based on them so that packets matching the session are sent out of the new outgoing interface along the new route path.
Optionally, the session management module is further configured to delete the service flow session when no new route and new outgoing interface are found.
Optionally, the session management module is further configured to rebuild a new service flow session based on the received service packets when an outgoing interface of the firewall is restored to the up state after the service flow session has been deleted.
Optionally, the device further comprises a detection module.
The detection module is configured to detect the state of each outgoing interface of the firewall before the firewall is switched to be the primary firewall, and to mark a first outgoing interface when it is detected to be in a down state, the mark characterizing the first outgoing interface as down.
The detection module is further configured to send heartbeat messages to the peer device connected to each outgoing interface, so as to detect the state of each outgoing interface of the firewall.
The detection module is further configured to continuously detect the state of each outgoing interface of the firewall before the firewall is switched to primary, and to delete the mark of the first outgoing interface when the first outgoing interface is detected to have been restored to the up state.
It should be noted that, since it will be clearly understood by those skilled in the art, for convenience and brevity of description, the specific working processes of the systems, apparatuses and units described above may refer to the corresponding processes in the foregoing method embodiments, which are not repeated herein.
Based on the same inventive concept, the embodiments of the present application also provide a computer-readable storage medium having stored thereon a computer program which, when executed, performs the method provided in the above embodiments.
The storage medium may be any available medium that can be accessed by a computer, or a data storage device such as a server or data center that contains an integration of one or more available media. The available medium may be a magnetic medium (e.g., floppy disk, hard disk, magnetic tape), an optical medium (e.g., DVD), or a semiconductor medium (e.g., solid state disk (SSD)), etc.
In the embodiments provided in the present application, it should be understood that the disclosed apparatus and method may be implemented in other manners. The above-described apparatus embodiments are merely illustrative; for example, the division of the units is merely a logical function division, and there may be other manners of division in actual implementation; for example, multiple units or components may be combined or integrated into another system, or some features may be omitted or not performed. Alternatively, the coupling, direct coupling or communication connection shown or discussed may be through some interfaces, or an indirect coupling or communication connection of devices or units, in electrical, mechanical or other form.
Further, the units described as separate units may or may not be physically separate, and units displayed as units may or may not be physical units, may be located in one place, or may be distributed over a plurality of network units. Some or all of the units may be selected according to actual needs to achieve the purpose of the solution of this embodiment.
Furthermore, functional modules in various embodiments of the present application may be integrated together to form a single portion, or each module may exist alone, or two or more modules may be integrated to form a single portion.
In this document, relational terms such as first and second, and the like may be used solely to distinguish one entity or action from another entity or action without necessarily requiring or implying any actual such relationship or order between such entities or actions.
The above description is only an example of the present application and is not intended to limit the scope of the present application, and various modifications and variations will be apparent to those skilled in the art. Any modification, equivalent replacement, improvement, etc. made within the spirit and principle of the present application should be included in the protection scope of the present application.

Claims (8)

1. A control method, characterized by being applied to a firewall; the method comprises the following steps:
after the standby firewall is switched to the main firewall, determining the state of each outgoing interface based on the mark of each outgoing interface of the standby firewall;
when an outgoing interface corresponding to a service flow session is in a non-communicating state, searching for a new route and a new outgoing interface corresponding to the service flow session;
when the new route and the new outgoing interface are found, updating the service flow session based on the new route and the new outgoing interface, so that a message corresponding to the service flow session is sent out from the new outgoing interface along the new route path;
and deleting the service flow session when the new route and the new outgoing interface are not found.
2. The method of claim 1, wherein after said deleting the service flow session, the method further comprises:
when the firewall's own outgoing interface is restored to a communicating state, reconstructing a new service flow session based on the received service message.
3. The method of claim 1, wherein before the firewall itself is switched to the main firewall, the method further comprises:
detecting the state of each of its own outgoing interfaces;
when detecting that a first outgoing interface of its own is in a non-communicating state, marking the first outgoing interface; wherein the mark is used to characterize the state of the first outgoing interface as unavailable.
4. The method according to claim 3, wherein detecting the state of each of its own outgoing interfaces comprises:
sending a heartbeat message to the peer device connected to each outgoing interface, so as to detect the state of each of its own outgoing interfaces.
5. The method according to claim 3, wherein before the firewall itself is switched to the main firewall, the method further comprises:
continuously detecting the state of each of its own outgoing interfaces;
and deleting the mark of the first outgoing interface when it is detected that the first outgoing interface has been restored to a communicating state.
6. A control device, characterized by being applied to a firewall; the device comprises:
an outgoing interface module, used for determining the state of each outgoing interface based on the mark of each outgoing interface of the standby firewall after the standby firewall is switched to the main firewall;
a session management module, used for searching for a new route and a new outgoing interface corresponding to a service flow session when the outgoing interface corresponding to the service flow session is in a non-communicating state, and for updating the service flow session based on the new route and the new outgoing interface when the new route and the new outgoing interface are found, so that a message corresponding to the service flow session is sent out from the new outgoing interface along the new route path;
the session management module being further configured to delete the service flow session when a new route and a new outgoing interface are not found.
7. A firewall, comprising a processor and a memory, wherein the processor is connected with the memory;
the memory is used for storing a program;
the processor is configured to execute the program stored in the memory so as to perform the method according to any one of claims 1-5.
8. A computer-readable storage medium, characterized in that a computer program is stored thereon which, when run by a computer, performs the method according to any one of claims 1-5.
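As an added illustration (not code from the patent or from Hillstone), the following Python model simulates the apparatus described above and claims 1 to 5: heartbeat-based marking of the standby firewall's outgoing interfaces, re-homing of synchronised sessions after switchover, deletion of sessions with no usable route, and rebuilding of a deleted session once its interface recovers. The route table, interface names, addresses and the fallback to a less specific prefix are constructed assumptions.

```python
import ipaddress
from dataclasses import dataclass, field

@dataclass
class Firewall:
    routes: dict = field(default_factory=dict)    # prefix -> [(route, egress), ...]
    sessions: dict = field(default_factory=dict)  # (src, dst) -> {"route", "egress"}
    down_marks: set = field(default_factory=set)  # egress interfaces marked down

    def heartbeat_result(self, iface, peer_answered):
        # Claims 3-5: mark an egress whose peer stops answering, unmark on recovery.
        (self.down_marks.discard if peer_answered else self.down_marks.add)(iface)
    def lookup(self, dst):
        # Longest-prefix match that skips marked egresses; assumed to fall back to a
        # less specific prefix when every candidate of the best prefix is down.
        addr = ipaddress.ip_address(dst)
        for net in sorted(map(ipaddress.ip_network, self.routes),
                          key=lambda n: n.prefixlen, reverse=True):
            for route, egress in self.routes[str(net)] if addr in net else []:
                if egress not in self.down_marks:
                    return route, egress
        return None
    def become_primary(self):
        # Claim 1: re-home sessions whose egress is marked down, delete the rest.
        updated, deleted = [], []
        for key, s in list(self.sessions.items()):
            if s["egress"] not in self.down_marks:
                continue
            if found := self.lookup(key[1]):
                s["route"], s["egress"] = found
                updated.append(key)
            else:
                del self.sessions[key]
                deleted.append(key)
        return updated, deleted
    def receive(self, src, dst):
        # Claim 2: a packet of a deleted flow rebuilds the session once a route exists.
        if (src, dst) not in self.sessions and (found := self.lookup(dst)):
            self.sessions[(src, dst)] = dict(zip(("route", "egress"), found))
        return self.sessions.get((src, dst))  # None: still no usable egress
def demo():
    # Constructed scenario: sessions synced from the old primary, then switchover.
    fw = Firewall(routes={"10.0.0.0/8": [("r-a", "eth1"), ("r-b", "eth2")],
                          "10.1.0.0/16": [("r-c", "eth3")]})
    fw.sessions[("192.0.2.10", "10.1.5.5")] = {"route": "r-c", "egress": "eth3"}
    fw.sessions[("192.0.2.11", "10.2.0.9")] = {"route": "r-a", "egress": "eth1"}
    fw.sessions[("192.0.2.12", "203.0.113.7")] = {"route": "r-d", "egress": "eth4"}
    fw.heartbeat_result("eth3", False)  # peers on eth3 and eth4 stopped answering
    fw.heartbeat_result("eth4", False)
    return (fw, *fw.become_primary())
```

In the scenario, the session on eth3 is re-homed to the less specific route via eth1, the session on eth1 is untouched, and the session on eth4 is deleted until its peer answers heartbeats again and a usable route exists.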
CN202210869336.6A 2022-07-22 2022-07-22 Control method, control device, firewall and computer readable storage medium Active CN115225397B (en)
Publications (2)

Publication Number Publication Date
CN115225397A CN115225397A (en) 2022-10-21
CN115225397B true CN115225397B (en) 2024-05-03


Legal Events

Date Code Title Description
PB01 Publication
PB01 Publication
SE01 Entry into force of request for substantive examination
SE01 Entry into force of request for substantive examination
GR01 Patent grant