CN117081910A - Main/standby switching system and method of firewall - Google Patents


Info

Publication number
CN117081910A
Authority
CN
China
Prior art keywords
alarm
firewall
switching
matching
primary
Legal status
Pending
Application number
CN202310309217.XA
Other languages
Chinese (zh)
Inventor
孙建旺
Current Assignee
China Unionpay Co Ltd
Original Assignee
China Unionpay Co Ltd
Application filed by China Unionpay Co Ltd
Priority to CN202310309217.XA
Publication of CN117081910A

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L41/00 Arrangements for maintenance, administration or management of data switching networks, e.g. of packet switching networks
    • H04L41/06 Management of faults, events, alarms or notifications
    • H04L41/0654 Management of faults, events, alarms or notifications using network fault recovery
    • H04L41/0663 Performing the actions predefined by failover planning, e.g. switching to standby network elements
    • H04L41/0631 Management of faults, events, alarms or notifications using root cause analysis; using analysis of correlation between notifications, alarms or events based on decision criteria, e.g. hierarchy, tree or time analysis
    • H04L41/0677 Localisation of faults
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/02 Network architectures or network communication protocols for network security for separating internal from external traffic, e.g. firewalls
    • H04L63/0209 Architectural arrangements, e.g. perimeter networks or demilitarized zones

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Hardware Design (AREA)
  • Computer Security & Cryptography (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

The application relates to a system and a method for switching between the primary and standby firewalls. The system comprises: an alarm policy centralized configuration platform, which acquires in real time the TCP data traffic of a plurality of specified institutions traversing the same firewall, calculates a TCP retransmission rate, and performs a first matching of the TCP retransmission rate against a first alarm rule to determine whether to trigger generation of a first alarm; a network management platform, which collects the first alarms from the plurality of specified institutions and performs a second matching against a second alarm rule to determine whether a second alarm is triggered; a unified alarm platform, which raises the second alarm and converts it into a switching instruction; and a firewall switching module, which performs the primary/standby switching of the firewall based on the switching instruction. According to the application, firewall faults and faults of the IPS on the primary path can be detected and the primary/standby switching of the firewall can be performed automatically, so that transactions are quickly recovered.

Description

Main/standby switching system and method of firewall
Technical Field
The application relates to a computer security technology, in particular to a main-standby switching system of a firewall and a main-standby switching method of the firewall.
Background
Data centers currently make wide use of stateful firewalls, with the primary firewall connected in series with an IPS. Production incidents have shown that an abnormality of the primary firewall or the primary IPS causes transaction abnormalities for institutions, but existing monitoring means cannot effectively locate extreme cases such as transaction abnormalities caused by a partial blockage of the firewall or of the primary IPS.
At present, the firewall state is mainly monitored by network management means such as ping, SNMP and syslog; however, when a firewall problem is found, the firewall has to be switched manually.
Moreover, monitoring means such as ping, SNMP and syslog can detect most firewall faults, but they are insensitive to extreme cases such as transaction abnormalities caused by a partial blockage of the firewall or of the IPS, so fault location takes a long time.
Disclosure of Invention
The embodiment of the application provides a main-standby switching system of a firewall and a main-standby switching method of the firewall, which can realize automatic switching of the firewall.
A primary/standby firewall switching system according to one aspect of the application is characterized by comprising:
an alarm policy centralized configuration platform, configured to acquire in real time the TCP data traffic of a plurality of specified institutions traversing the same firewall, calculate a TCP retransmission rate from the TCP data traffic, perform a first matching of the TCP retransmission rate against a preset first alarm rule to determine whether to trigger generation of a first alarm, and upload the generated first alarm to the network management platform;
a network management platform, configured to collect the first alarms uploaded for the plurality of specified institutions, perform a second matching against a preset second alarm rule to determine whether to trigger generation of a second alarm, and, when generation of the second alarm is triggered, send the second alarm to the unified alarm platform described below;
a unified alarm platform, configured to receive the second alarm, convert the second alarm into a switching instruction and send the switching instruction to the firewall switching module; and
a firewall switching module, configured to perform the primary/standby switching of the firewall based on the switching instruction.
Optionally, the alarm policy centralized configuration platform is further configured to identify a communication message of the specified institution, match the identified communication message against a preset feature value, and upload the generated first alarm to the network management platform only when the identified communication message does not match the preset feature value.
Optionally, the alarm policy centralized configuration platform includes:
a traffic acquisition module, configured to acquire in real time the TCP data traffic of a plurality of specified institutions traversing the same firewall;
a retransmission rate calculation module, configured to calculate the TCP retransmission rate from the TCP data traffic;
a first matching module, configured to perform the first matching of the TCP retransmission rate against the preset first alarm rule to determine whether to trigger generation of a first alarm;
a message identification module, configured to identify the communication message and match the identified communication message against the preset feature value; and
an alarm uploading module, configured to upload the first alarm generated by the first matching module to the network management platform when the communication message identified by the message identification module does not match the preset feature value.
Optionally, when the communication message identified by the message identification module matches the preset feature value, the alarm uploading module does not upload the generated first alarm to the network management platform.
Optionally, the specified institutions are those, among the plurality of institutions that transact through the firewall, whose transaction amount index is greater than a specified threshold.
Optionally, the first alarm rule is that the TCP retransmission rate is higher than a preset TCP retransmission rate.
Optionally, the second alarm rule is that a part of the plurality of specified institutions trigger the first alarm within a specified time.
Optionally, the second alarm rule is that two or more of the plurality of specified institutions trigger the first alarm within a specified time.
Optionally, when the second alarm is triggered, it is sent to the unified alarm platform by a pre-written SPL script in the network management platform.
Optionally, an application response code is used as the feature value.
A primary/standby firewall switching method according to one aspect of the application is characterized by comprising the following steps:
a traffic collection step of acquiring in real time the TCP data traffic of a plurality of specified institutions traversing a firewall, and obtaining the TCP retransmission rates of the specified institutions from the TCP data traffic;
a first matching step of performing, for each of the plurality of specified institutions, a first matching of the TCP retransmission rate against a preset first alarm rule to determine whether to trigger generation of a first alarm;
an alarm uploading step of uploading the first alarm generated in the first matching step;
a second matching step of collecting the first alarms uploaded for the plurality of specified institutions and performing a second matching against a preset second alarm rule to determine whether to trigger generation of a second alarm;
an instruction conversion step of receiving the second alarm and converting the second alarm into a switching instruction; and
a firewall switching step of performing the primary/standby switching of the firewall based on the switching instruction.
Optionally, the method further comprises, between the traffic collection step and the first matching step:
a message identification step of identifying the communication message of the specified institution and matching it against a preset feature value.
Optionally, in the alarm uploading step, the first alarm generated in the first matching step is uploaded only if the communication message identified in the message identification step does not match the preset feature value.
Optionally, the first alarm rule is that the TCP retransmission rate is higher than a preset TCP retransmission rate.
Optionally, the second alarm rule is that a part of the plurality of specified institutions trigger the first alarm within a specified time.
Optionally, the second alarm rule is that two or more of the plurality of specified institutions trigger the first alarm within a specified time.
The computer readable medium according to one aspect of the present application has a computer program stored thereon, wherein the computer program when executed by a processor implements the method for switching between active and standby firewalls.
The computer equipment comprises a storage module, a processor and a computer program stored on the storage module and capable of running on the processor, and is characterized in that the switching method of the active and standby firewalls is realized when the processor executes the computer program.
As described above, the primary/standby firewall switching system and method of the present application can use the hardware resources of the existing network to collect the traffic traversing the firewall in real time, collect and analyze the transaction traffic of the key institutions traversing the firewall, and generate an alarm that is uploaded to the network management platform. The network management platform analyzes and processes the alarm further and sends an alarm to the unified alarm platform, and the associated firewall switching module switches the firewall automatically, thereby achieving detection of firewall faults and primary-path IPS faults, automatic primary/standby switching of the firewall, and rapid recovery of transactions.
Drawings
These and other objects and advantages of the present application will become more fully apparent from the following detailed description taken in conjunction with the accompanying drawings, in which like or similar elements are designated by like reference numerals.
Fig. 1 is a block diagram of a switching system of a primary and a backup firewall according to an embodiment of the application.
Fig. 2 is a flow chart schematically showing an outline flow of a method for switching a primary firewall and a secondary firewall according to an embodiment of the present application.
Detailed Description
The following presents a simplified summary of the application in order to provide a basic understanding of the application. It is not intended to identify key or critical elements of the application or to delineate the scope of the application.
For the purposes of brevity and explanation, the principles of the present application are described herein primarily with reference to exemplary embodiments thereof. However, those skilled in the art will readily recognize that the same principles are equally applicable to and can be implemented in all types of inter-service call relationship comb systems and inter-service call relationship comb methods applied to cloud platforms, and that any such variations do not depart from the true spirit and scope of the present patent application.
Also, in the following description, reference is made to the accompanying drawings that illustrate specific exemplary embodiments. Electrical, mechanical, logical and structural changes may be made to these embodiments without departing from the spirit and scope of the present application. Furthermore, while a feature of the application may have been disclosed with respect to only one of several implementations/embodiments, such feature may be combined with one or more other features of the other implementations/embodiments, as may be desired and/or advantageous for any given or identifiable function. The following description is, therefore, not to be taken in a limiting sense, and the scope of the present application is defined by the appended claims and their equivalents.
Terms such as "comprising" and "including" mean that the technical solution of the present application does not exclude the presence of other elements (modules) and steps than those directly and explicitly described in the description and claims.
Before explaining the active-standby switching method of the firewall and the active-standby switching system of the firewall, related technical terms are briefly explained.
(1) IPS
IPS (Intrusion Prevention System) is a computer network security facility that supplements antivirus software and firewalls.
(2) ping
ping (Packet Internet Groper) is a program for testing network connectivity.
(3) SNMP
SNMP (Simple Network Management Protocol) is an application-layer standard protocol designed for managing network nodes (servers, workstations, routers, switches, hubs, etc.) in an IP network.
(4) syslog
syslog, often referred to as the system log or system record, is a standard for delivering log messages over an Internet Protocol (TCP/IP) network.
(5) TCP
TCP (Transmission Control Protocol) is a connection-oriented, reliable, byte-stream-based transport layer communication protocol.
(6) Splunk
Splunk is an engine for machine data. It can collect, index and make use of the fast-moving machine data generated by all applications, servers and devices.
(7) TCP retransmission rate
TCP retransmission rate = number of TCP retransmission packets per unit time / total number of TCP transmitted packets.
Fig. 1 is a block diagram of a switching system of a primary and a backup firewall according to an embodiment of the application.
As shown in fig. 1, a switching system of a primary and backup firewall according to an embodiment of the present application includes: the alarm policy centralized configuration platform 100, the network management platform 200, the unified alarm platform 300 and the firewall switching module 400.
The alarm policy centralized configuration platform 100 is configured to acquire the TCP data traffic of a plurality of specified institutions traversing the same firewall, calculate a TCP retransmission rate from the TCP data traffic, and perform a first matching of the TCP retransmission rate against a preset first alarm rule to determine whether to trigger a first alarm.
In addition, the alarm policy centralized configuration platform 100 is further configured to identify a communication message of the specified institution, match the identified communication message against a preset feature value, and upload the first alarm to the network management platform 200 only when the identified communication message does not match the preset feature value.
In the case of a bank-related transaction system, for example, the top 50 institutions by transaction amount may be used as the specified institutions, or, for example, the national 17 university may be used as the specified institutions.
As one example, the alarm policy centralized configuration platform 100 includes:
a traffic acquisition module 110, configured to acquire in real time the TCP data traffic of a plurality of specified institutions traversing the same firewall;
a retransmission rate calculation module 120, configured to calculate a TCP retransmission rate from the TCP data traffic;
a first matching module 130, configured to perform a first matching of the TCP retransmission rate against a preset first alarm rule to determine whether to trigger a first alarm, where the first alarm rule is, for example, that the TCP retransmission rate is higher than a preset TCP retransmission rate;
a message identification module 140, configured to identify a communication message and match the identified communication message against the preset feature value; and
an alarm upload module 150, configured to upload the first alarm generated by the first matching module 130 to the network management platform 200 when the communication message identified by the message identification module 140 does not match the preset feature value.
That is, in the alarm policy centralized configuration platform 100, when the communication message identified by the message identification module 140 matches the preset feature value, the alarm upload module 150 does not upload the first alarm to the network management platform 200, and when the communication message identified by the message identification module 140 does not match the preset feature value, the alarm upload module 150 uploads the first alarm generated by the first matching module 130 to the network management platform 200.
The content of the communication message of the specified institution is identified and matched against the preset feature value. If the feature value is hit, the problem is judged to lie in the institution's application rather than in the network communication layer; otherwise, the alarm upload module 150 is triggered to upload the first alarm generated by the first matching module 130 to the network management platform 200. An application response code, for example, may be used as the feature value. In this way, faults at the network communication layer can be identified more accurately.
The network management platform 200 is configured to collect the first alarms uploaded for the plurality of specified institutions and perform a second matching against a preset second alarm rule to determine whether to trigger generation of a second alarm, and, when generation of the second alarm is triggered, to send the second alarm to the unified alarm platform 300 described below; for example, the second alarm is generated by a pre-written SPL script and sent to the unified alarm platform 300.
The network management platform 200 may use Splunk. As one example, the network management platform 200 includes:
an alarm collection module 210, configured to collect the first alarms uploaded for the plurality of specified institutions;
a second matching module 220, configured to perform the second matching against the preset second alarm rule to determine whether to trigger generation of a second alarm; and
an alarm forwarding module 230, configured to forward the second alarm to the unified alarm platform 300 when generation of the second alarm is triggered.
The second alarm rule is that a part of the plurality of specified institutions trigger and upload the first alarm within a specified time. For example, if two or more different institutions traversing the same firewall upload the first alarm within a specified time (for example, within 1 minute), the second alarm is triggered. The reason is that if the TCP retransmission rates of two or more specified institutions are abnormal at the same time, the probability that the primary firewall (or the IPS in series with it) is faulty is higher, which improves the accuracy of fault location.
The unified alarm platform 300 is configured to receive the second alarm, convert the second alarm into a switching instruction, and send the switching instruction to the firewall switching module 400. The unified alarm platform 300 can also be used to present the second alarm. The firewall switching module 400 is configured to perform the primary/standby switching of the firewall based on the switching instruction, and does so through automated process orchestration.
As described above, in the primary/standby firewall switching system of the present application, the alarm policy centralized configuration platform 100 captures in real time the traffic of the key institutions traversing the firewall and analyzes the TCP data traffic to obtain the TCP retransmission rate of each key institution, matches it against the defined alarm rule, generates the first alarm if the rule is triggered, and uploads the first alarm to the network management platform 200 under the specified condition. The network management platform 200 analyzes and processes the first alarms further: for example, if two or more first alarms for the same firewall exist within the past 1 minute, it determines that the primary firewall/IPS is abnormal, generates the second alarm and sends it to the unified alarm platform 300. The unified alarm platform 300 then invokes the associated firewall switching module 400 to switch the firewall automatically and move the institutions' transactions to the standby firewall, thereby achieving rapid recovery of transactions.
Next, a method for switching a primary firewall and a backup firewall according to an embodiment of the present application will be described.
Fig. 2 is a flow chart schematically showing an outline flow of a method for switching a primary firewall and a secondary firewall according to an embodiment of the present application.
As shown in fig. 2, the method for switching the active/standby firewall according to an embodiment of the present application includes the following steps:
traffic collection step S100: the alarm policy centralized configuration platform 100 acquires in real time the TCP data traffic of a plurality of specified institutions traversing a firewall, and obtains the TCP retransmission rates of the specified institutions from the TCP data traffic;
first matching step S200: the alarm policy centralized configuration platform 100 performs, for each of the plurality of specified institutions, a first matching of the TCP retransmission rate against a preset first alarm rule to determine whether to trigger generation of a first alarm;
message identification step S300: the alarm policy centralized configuration platform 100 identifies the communication message of the specified institution and matches it against a preset feature value;
alarm upload step S400: when the communication message identified in the message identification step does not match the preset feature value, the alarm policy centralized configuration platform 100 uploads the generated first alarm to the network management platform 200;
second matching step S500: the network management platform 200 collects the first alarms uploaded for the plurality of specified institutions and performs a second matching against a preset second alarm rule to determine whether to trigger generation of a second alarm;
instruction conversion step S600: the unified alarm platform 300 receives the second alarm and converts the second alarm into a switching instruction; and
firewall switching step S700: the firewall switching module 400 performs the primary/standby switching of the firewall based on the switching instruction.
The first alarm rule is that the TCP retransmission rate is higher than a preset TCP retransmission rate. The second alarm rule is that a part of the plurality of specified institutions trigger the first alarm within a specified time. Preferably, the second alarm rule is that two or more of the plurality of specified institutions trigger the first alarm within a specified time.
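The decision logic of steps S200 to S600 (retransmission-rate threshold per institution, suppression when an application response code matches a feature value, then correlation of first alarms from two or more institutions on the same firewall within the time window) is sketched below. This is an added example, not code from the application; the 5% threshold, the response code "E96", the firewall and institution names, the sample data and the one-instruction-per-firewall latch are all assumptions made for illustration.

```python
from collections import defaultdict, deque
from dataclasses import dataclass


@dataclass(frozen=True)
class Sample:
    """One measurement interval for one institution behind one firewall."""
    ts: float                   # seconds since start of capture
    firewall: str
    institution: str
    total_pkts: int             # TCP packets transmitted in the interval
    retrans_pkts: int           # of which retransmissions
    response_codes: tuple = ()  # application response codes seen in the interval


def retransmission_rate(retrans_pkts, total_pkts):
    """Retransmitted / total packets; an idle interval counts as 0.0, not an error."""
    return retrans_pkts / total_pkts if total_pkts > 0 else 0.0


def first_match(sample, rate_threshold, app_fault_codes):
    """Return 'ok', 'suppressed' or 'alarm' for one sample.

    'suppressed': the first alarm rule fired, but a response code matched a
    preset feature value, so the fault is attributed to the institution's
    application and the first alarm is not uploaded.
    """
    rate = retransmission_rate(sample.retrans_pkts, sample.total_pkts)
    if rate <= rate_threshold:
        return "ok"
    if any(code in app_fault_codes for code in sample.response_codes):
        return "suppressed"
    return "alarm"


class SecondMatcher:
    """Correlates uploaded first alarms per firewall inside a sliding window."""

    def __init__(self, window_s=60.0, min_institutions=2):
        self.window_s = window_s
        self.min_institutions = min_institutions
        self.recent = defaultdict(deque)  # firewall -> deque of (ts, institution)
        self.switched = set()             # assumption: latch against repeated switching

    def ingest(self, ts, firewall, institution):
        """Record a first alarm; return a switching instruction or None.

        Assumes alarms are ingested in timestamp order.
        """
        q = self.recent[firewall]
        q.append((ts, institution))
        while ts - q[0][0] > self.window_s:   # drop alarms older than the window
            q.popleft()
        # Repeated alarms from one institution must not count twice.
        distinct = sorted({inst for _, inst in q})
        if len(distinct) < self.min_institutions or firewall in self.switched:
            return None
        self.switched.add(firewall)
        return {"action": "switch_to_standby", "firewall": firewall,
                "ts": ts, "institutions": distinct}


def run_pipeline(samples, rate_threshold=0.05,
                 app_fault_codes=frozenset({"E96"}), window_s=60.0):
    """Run both matching stages; return (per-sample verdicts, switching instructions)."""
    matcher = SecondMatcher(window_s)
    verdicts, instructions = [], []
    for s in sorted(samples, key=lambda s: s.ts):
        verdict = first_match(s, rate_threshold, app_fault_codes)
        verdicts.append(verdict)
        if verdict == "alarm":
            instruction = matcher.ingest(s.ts, s.firewall, s.institution)
            if instruction:
                instructions.append(instruction)
    return verdicts, instructions


# Constructed sample data (not from the application).
SAMPLES = [
    Sample(0.0,  "fw-A", "inst-01", 10000, 800),           # 8% -> first alarm
    Sample(10.0, "fw-A", "inst-01", 10000, 900),           # same institution again
    Sample(20.0, "fw-A", "inst-02", 5000, 600, ("E96",)),  # 12% but application fault
    Sample(30.0, "fw-B", "inst-03", 8000, 700),            # other firewall
    Sample(45.0, "fw-A", "inst-04", 0, 0),                 # idle interval
    Sample(50.0, "fw-A", "inst-05", 4000, 400),            # second institution on fw-A
    Sample(55.0, "fw-A", "inst-02", 5000, 600),            # after the switch
]

if __name__ == "__main__":
    verdicts, instructions = run_pipeline(SAMPLES)
    print(verdicts)
    print(instructions)
```
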
The present application also provides a computer readable medium having stored thereon a computer program which, when executed by a processor, implements the above-described method for switching a primary firewall to a backup firewall.
The application also provides a computer device, which comprises a storage module, a processor and a computer program stored on the storage module and capable of running on the processor, wherein the processor realizes the method for switching the main firewall and the standby firewall when executing the computer program.
As described above, the primary/standby firewall switching system and method of the present application can use the hardware resources of the existing network to collect the traffic traversing the firewall in real time, collect and analyze the transaction traffic of the key institutions traversing the firewall, and generate an alarm that is uploaded to the network management platform. The network management platform analyzes and processes the alarm further and sends an alarm to the unified alarm platform, and the associated firewall switching module switches the firewall automatically, thereby achieving detection of firewall faults and primary-path IPS faults, automatic primary/standby switching of the firewall, and rapid recovery of transactions.
The above is merely an embodiment of the present application, but the scope of the present application is not limited thereto. Other possible variations or substitutions will occur to those skilled in the art from the teachings disclosed herein and are intended to be within the scope of the present application. The embodiments of the present application and features in the embodiments may also be combined with each other without conflict. The protection scope of the present application is subject to the claims.

Claims (18)

1. A primary/standby firewall switching system, comprising:
an alarm policy centralized configuration platform, configured to acquire in real time the TCP data traffic of a plurality of specified institutions traversing the same firewall, calculate a TCP retransmission rate from the TCP data traffic, perform a first matching of the TCP retransmission rate against a preset first alarm rule to determine whether to trigger generation of a first alarm, and upload the generated first alarm to the network management platform;
a network management platform, configured to collect the first alarms uploaded for the plurality of specified institutions, perform a second matching against a preset second alarm rule to determine whether to trigger generation of a second alarm, and send the generated second alarm to the unified alarm platform described below;
a unified alarm platform, configured to receive the second alarm, convert the second alarm into a switching instruction and send the switching instruction to the firewall switching module; and
a firewall switching module, configured to perform the primary/standby switching of the firewall based on the switching instruction.
2. The switching system of a primary and a backup firewall according to claim 1,
the alarm policy centralized configuration platform is further used for identifying the communication message of the specified mechanism, carrying out matching identification on the identified communication message and a preset characteristic value, and uploading the generated first alarm to the network management platform only when the identified communication message is not matched with the preset characteristic value.
3. The primary-backup firewall switching system of claim 2, wherein the alarm policy centralized configuration platform comprises:
the flow acquisition module is used for acquiring TCP data flows of a plurality of specified mechanisms penetrating through the same firewall in real time;
the retransmission rate calculation module is used for calculating TCP retransmission rate according to the TCP data flow;
the first matching module is used for carrying out first matching on the TCP retransmission rate and a preset first alarm rule so as to judge whether to trigger generation of a first alarm;
the message identification module is used for identifying the communication message and matching the identified communication message with the preset characteristic value; and
and the alarm uploading module is used for uploading the first alarm generated by the first matching module to the network management platform only when the communication message identified by the message identification module is not matched with the preset characteristic value.
4. The switching system of a primary and a backup firewall according to claim 3,
when the communication message identified by the message identification module matches the preset characteristic value, the alarm uploading module does not upload the generated first alarm to the network management platform.
5. The switching system of a primary and a backup firewall according to claim 1,
the specified mechanisms are those mechanisms, among a plurality of mechanisms that transact through the firewall, whose transaction amount index is greater than a specified threshold.
6. The switching system of a primary and a backup firewall according to claim 1,
the first alarm rule is set as: the TCP retransmission rate is higher than a preset TCP retransmission rate.
7. The switching system of a primary and a backup firewall according to claim 1,
the second alarm rule is set such that the first alarm is triggered by a portion of the plurality of specified mechanisms within a specified time.
8. The switching system of a primary and a backup firewall according to claim 7,
the second alarm rule is set such that the first alarm is triggered by two or more specified mechanisms among the plurality of specified mechanisms within a specified time.
9. The switching system of a primary and a backup firewall according to claim 1,
in the network management platform, when the second alarm is triggered, the second alarm is sent to the unified alarm platform through a pre-written SPL script.
10. The switching system of a primary and a backup firewall according to claim 3,
an application response code is used as the characteristic value.
11. A method for switching a primary and a backup firewall, characterized by comprising the following steps:
a flow collection step, namely acquiring, in real time, TCP data flows of a plurality of specified mechanisms passing through a firewall, and obtaining the TCP retransmission rates of the specified mechanisms from the TCP data flows;
a first matching step, namely, for each of the plurality of specified mechanisms, carrying out first matching of the TCP retransmission rate against a preset first alarm rule so as to judge whether to trigger generation of a first alarm;
an alarm uploading step of uploading the first alarm generated in the first matching step;
a second matching step, namely collecting the first alarms sent by the plurality of specified mechanisms and carrying out second matching on the basis of a preset second alarm rule to judge whether to trigger generation of a second alarm or not;
an instruction switching step of receiving the second alarm and converting the second alarm into a switching instruction; and
a firewall switching step, namely realizing the active-standby switching of the firewall based on the switching instruction.
12. The method for switching a primary and a backup firewall according to claim 11, further comprising, between said flow collection step and said first matching step:
a message identification step, namely identifying the communication message of the specified mechanism and matching it against a preset characteristic value.
13. The method for switching a primary and a backup firewall according to claim 11,
in the alarm uploading step, the first alarm generated in the first matching step is uploaded only when the communication message identified in the message identification step does not match the preset characteristic value.
14. The method for switching a primary and a backup firewall according to claim 11,
the first alarm rule is set as: the TCP retransmission rate is higher than a preset TCP retransmission rate.
15. The method for switching a primary and a backup firewall according to claim 11,
the second alarm rule is set such that the first alarm is triggered by a portion of the plurality of specified mechanisms within a specified time.
16. The method for switching a primary and a backup firewall according to claim 15,
the second alarm rule is set such that the first alarm is triggered by two or more specified mechanisms among the plurality of specified mechanisms within a specified time.
17. A computer readable medium having a computer program stored thereon, characterized in that,
the computer program, when executed by a processor, implements the method for switching a primary and a backup firewall according to any one of claims 11 to 16.
18. A computer device comprising a memory module, a processor and a computer program stored on the memory module and executable on the processor, characterized in that,
the processor, when executing the computer program, implements the method for switching a primary and a backup firewall according to any one of claims 11 to 16.
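The decision chain of claims 11 to 16 (retransmission-rate check, suppression on a matching characteristic value, correlation across specified mechanisms within a time window, conversion to a switching instruction) can be sketched as follows. This is an added example, not code from the patent; the threshold, window length, response codes, mechanism names and the instruction format are all assumptions, and the sample records are constructed.

```python
from dataclasses import dataclass
from typing import Optional

# All values below are assumptions for illustration; the claims give no numbers.
RETRANS_THRESHOLD = 0.05        # first alarm rule: retransmission rate above 5%
WINDOW_SECONDS = 60             # "specified time" of the second alarm rule
MIN_MECHANISMS = 2              # claims 8 and 16: two or more specified mechanisms
CHARACTERISTIC_VALUES = {"00"}  # response codes assumed to mean "still answering"

@dataclass
class Sample:
    ts: int                       # seconds since start of capture
    mechanism: str
    segments: int                 # TCP segments seen through the firewall
    retransmits: int
    response_code: Optional[str]  # application response code, None if none seen

def first_alarms(samples):
    """First matching plus message identification: return uploaded first alarms."""
    uploaded = []
    for s in samples:
        rate = s.retransmits / s.segments if s.segments else 0.0
        if rate <= RETRANS_THRESHOLD:
            continue                                  # first alarm rule not met
        if s.response_code in CHARACTERISTIC_VALUES:
            continue                                  # matched: alarm is not uploaded
        uploaded.append((s.ts, s.mechanism, rate))
    return uploaded

def second_alarm(alarms):
    """Second matching: first moment at which enough distinct mechanisms alarmed."""
    alarms = sorted(alarms)
    for i, (t_end, _, _) in enumerate(alarms):
        recent = {m for ts, m, _ in alarms[: i + 1] if t_end - ts < WINDOW_SECONDS}
        if len(recent) >= MIN_MECHANISMS:
            return t_end, sorted(recent)
    return None

def switch_instruction(alarm):
    """Convert a second alarm into a (hypothetical) switching instruction."""
    if alarm is None:
        return None
    return {"action": "switch_to_standby", "ts": alarm[0], "mechanisms": alarm[1]}

# Constructed samples, not real traffic.
SAMPLES = [
    Sample(0, "mech-A", 1000, 10, "00"),     # 1%: healthy
    Sample(10, "mech-A", 1000, 120, "00"),   # 12% but response code matches: suppressed
    Sample(20, "mech-B", 1000, 90, None),    # 9%: first alarm
    Sample(100, "mech-C", 1000, 80, None),   # 8%: first alarm, 80 s after mech-B
    Sample(130, "mech-A", 1000, 150, "96"),  # 15%, non-matching code: first alarm
]
```

With these samples a single mechanism alarming on its own never produces a switch; only the overlap of mech-C and mech-A inside one window does, which is the false-positive guard the second alarm rule provides.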
CN202310309217.XA 2023-03-27 2023-03-27 Main/standby switching system and method of firewall Pending CN117081910A (en)


Publications (1)

Publication Number Publication Date
CN117081910A true CN117081910A (en) 2023-11-17

Family

ID=88712187


Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination