CN1317853C - Network security device, and system and method composed thereof for implementing high availability - Google Patents


Info

Publication number
CN1317853C
Authority
CN
China
Prior art keywords
cluster
node
information
layer
network
Application number
CN 200410070804
Other languages
Chinese (zh)
Other versions
CN1725702A (en)
Inventor
刘春梅
刘永锋
王刚
宋春雨
王伟
Original Assignee
联想网御科技(北京)有限公司
Application filed by 联想网御科技(北京)有限公司
Priority to CN 200410070804
Publication of CN1725702A
Application granted
Publication of CN1317853C

Abstract

The invention discloses a network security device for forming a cluster system with high availability; the network security device comprises a control layer and a forwarding layer. The invention also discloses a system for implementing high availability of network security devices, comprising one or more network security devices serving as cluster nodes of the cluster system, each of which comprises a control layer and a forwarding layer. The invention further discloses a method for implementing high availability of network security devices, comprising: the control layer monitors cluster state changes, distributes load according to the cluster state information, and delivers the cluster state information and the load distribution information to the forwarding layer; the forwarding layer processes packets according to the cluster state information and load distribution information delivered by the control layer, and sends session state information to the other cluster nodes of the same cluster system for synchronization. The system and method provided by the invention achieve high availability of network security devices and accommodate a variety of network topology requirements.

Description

Network security device, and system and method composed thereof for implementing high availability

Technical field

The invention relates to the field of network security technology, and in particular to a network security device and to a system and method composed of such devices for implementing high availability.

Background art

With the rapid growth of network applications, guaranteeing continuous and stable system uptime is becoming ever more important. The firewall, as the foundation of the network security architecture and the core control device protecting the interior of the enterprise network, is increasingly becoming a bottleneck that limits network bandwidth and a single point of failure, which greatly constrains practical use of the network. Improving the high availability and processing performance of firewalls has therefore attracted growing attention.

High availability (HA) technology refers to a cluster system of network devices with high availability, built from redundant network devices, redundant power supplies, redundant protocols and the like. The devices in such a cluster can automatically detect faulty or failed nodes in the network, and when they do, the cluster automatically reconfigures itself appropriately so that the other nodes in the cluster take over the services carried by the faulty or failed node and service is not interrupted. In addition, high availability technology can use the parallel processing of the cluster to improve the processing performance of the network.

There are three common firewall cluster modes: hot-standby mode (an active/standby pair), load-balancing mode and link-redundancy mode. In hot-standby mode, one of the firewalls is the master firewall and the others are slave firewalls; only the master firewall is active and processes the packets it receives. In load-balancing mode, one of the firewalls is the master and the others are slaves, but master and slaves are all active and share the network traffic between them. In link-redundancy mode there need be no distinction between master and slave firewalls: every firewall can receive and process packets, but the packets each firewall receives are different, that is, a given packet is sent to only one firewall at any given moment.

The prior art mainly implements firewall high availability in hot-standby mode. In this mode the cluster system consists of two identically configured firewalls, a master firewall and a slave firewall; the master firewall is in the working state and the slave firewall is in the backup state. When the master firewall fails, the slave firewall takes over the master's traffic, keeping network connectivity uninterrupted. Although the prior art can keep network services uninterrupted using hot-standby mode, it cannot provide multi-device dynamic load balancing and the like, nor can it meet the requirements of diverse high-availability network topologies. Moreover, the prior art has not proposed a concrete hardware architecture for implementing high availability of firewalls and other network security devices.

Summary of the invention

In view of this, the primary object of the invention is to provide a network security device for implementing high availability of a cluster system, such that it can form a cluster system with high availability.

Another object of the invention is to provide a system for implementing high availability of network security devices, whose hardware structure can be configured flexibly, which achieves high availability of the network security devices, and which accommodates a variety of network topology requirements.

A further object of the invention is to provide a method for implementing high availability of network security devices, which achieves high availability of the network security devices and accommodates a variety of network topology requirements.

To achieve the above objects, the technical solution of the invention is realized as follows. The invention discloses a network security device for forming a cluster system with high availability; the network security device comprises a control layer and a forwarding layer. The control layer monitors cluster state changes, synchronizes node configuration information, distributes load according to the cluster state changes, and delivers the cluster state change information and load distribution information to the forwarding layer. The forwarding layer processes packets according to the information delivered by the control layer, updates session state information, and synchronizes the session state information.

The control layer comprises a heartbeat and load distribution function module and a path/network port monitoring function module. The path/network port monitoring function module monitors state changes of the network security device node and sends a signal containing the node state change to the heartbeat and load distribution function module. The heartbeat and load distribution function module sends and receives heartbeat signals to monitor cluster state changes, synchronizes node configuration information, receives the signal containing the node state change sent by the path/network port monitoring function module, distributes load according to the cluster state changes and node states, and delivers the load distribution information to the forwarding layer.

The control layer may further comprise an upper-layer application state synchronization function module for synchronizing the session state information of upper-layer applications.

In the above solution, the forwarding layer comprises a session synchronization function module and a data forwarding module. The data forwarding module receives the load distribution information delivered by the control layer, processes packets according to the packet information and the load distribution information, and sends session state information to the session synchronization function module. The session synchronization function module receives the session state information sent by the data forwarding module and sends out a session state synchronization signal containing that session state information.

The control layer contains a dedicated HA network port. The forwarding layer contains ordinary data network ports for forwarding packets and a synchronization network port for synchronizing state information; the synchronization network port is either a dedicated synchronization port or an ordinary data network port.

The invention also discloses a system for implementing high availability of network security devices, comprising one or more network security devices serving as cluster nodes of the cluster system, each of which comprises a control layer and a forwarding layer. The control layer monitors cluster state changes, distributes load according to the cluster state changes, and delivers the cluster state change information and load distribution information to the forwarding layer. The forwarding layer processes packets according to the information delivered by the control layer and updates session state information. The control layers of the network security devices carry out heartbeat communication by sending and receiving heartbeat signals to one another and synchronize node configuration information; the forwarding layers of the network security devices synchronize session state by sending and receiving session state synchronization signals to one another.

The control layer of the network security device comprises a heartbeat and load distribution function module and a path/network port monitoring function module. The path/network port monitoring function module monitors state changes of the network security device node and sends a signal containing the node state change to the heartbeat and load distribution function module. The heartbeat and load distribution function module sends and receives heartbeat signals to monitor cluster state changes, synchronizes node configuration information, receives the signal containing the node state change sent by the path/network port monitoring function module, distributes load according to the cluster state changes and node states, and delivers the load distribution information to the forwarding layer.

The control layer of the network security device may further comprise an upper-layer application state synchronization function module for synchronizing the session state information of upper-layer applications.

In the above solution, the forwarding layer of the network security device comprises a session synchronization function module and a data forwarding module. The data forwarding module receives the load distribution information delivered by the control layer, processes packets according to the packet information and the load distribution information, and sends session state information to the session synchronization function module. The session synchronization function module receives the session state information sent by the data forwarding module and sends out a session state synchronization signal containing that session state information.

The control layers of the network security devices may be connected through configured dedicated HA network ports. The forwarding layers of the network security devices may be connected through configured dedicated synchronization network ports or through ordinary data network ports. The network security device may be a firewall.

Correspondingly, the invention further discloses a method for implementing high availability of network security devices, applicable to a cluster system composed of one or more network security devices as cluster nodes, the cluster system containing one master node and at least one slave node, and each cluster node comprising a control layer and a forwarding layer. The method comprises: the control layer monitors cluster state changes, distributes load according to the cluster state information, and delivers the cluster state information and load distribution information to the forwarding layer; the forwarding layer processes packets according to the cluster state information and load distribution information delivered by the control layer, and sends session state information to the other cluster nodes of the same cluster system for session state synchronization.

The process by which the control layer monitors cluster state changes and distributes load may comprise the following steps: A. determining, from the cluster state change, the current master node of the cluster system, the number of nodes, and the working state of each cluster node; B. the master node distributing load according to the cluster working mode and the cluster node information, notifying the slave nodes of the load assigned to them, and updating the cluster node information.

Step A may comprise: determining whether the change in cluster network topology is a node joining or a node leaving. If a node is joining, determining whether the joining node has detected a heartbeat signal; if it has not, the joining node is set as the master node and step B is executed, otherwise the joining node is set as a slave node and step B is executed. If a node is leaving, determining whether the leaving node is the master node; if it is, the slave node with the highest priority is set as the master node and step B is executed, otherwise step B is executed directly.

In step B, the master node distributing load according to the cluster working mode may comprise: when the cluster working mode is load-balancing mode, if the cluster system contains only the master node, the master node assigns the full range of load hash values to itself, and if the cluster system contains master and slave nodes, the master node assigns ranges of load hash values according to a pre-configured load distribution algorithm; when the cluster working mode is hot-standby mode, the full range of load hash values is assigned to the master node; when the cluster working mode is link-redundancy mode, the full range of load hash values is assigned to every node.

In the above solution, the process by which the forwarding layer handles a received packet comprises the following steps: a. determining whether the node is in the working state, and if not, discarding the received packet, otherwise executing step b; b. the forwarding layer computing the hash value of the packet from the packet's information and determining whether that hash value falls within the range of hash values handled by this node; if it does not, discarding the packet, otherwise continuing to process the packet.

Before step a, the method may further comprise: determining the current cluster working mode of the cluster system; if the current cluster working mode is load-balancing mode, executing step b directly; if it is hot-standby mode, proceeding with step a; if it is link-redundancy mode, continuing to process the packet. Continuing to process the packet may consist of matching the packet against security rules or forwarding the packet.

As can be seen from the above, the key points of the invention are as follows. The system provided by the invention consists of multiple cluster nodes, each comprising a control layer and a forwarding layer; the control layer is responsible for monitoring the cluster state and notifying the forwarding layer of cluster state changes; the forwarding layer is responsible for processing received packets according to the information delivered by the control layer and for synchronizing node session state. The method provided by the invention comprises a process in which the control layer distributes load according to network topology changes and a process in which the forwarding layer handles received packets.

Accordingly, the network security device for implementing high availability of a cluster system provided by the invention, and the high-availability system and method composed of such devices, are flexible in hardware design: the control layer and forwarding layer can be arranged flexibly, and the layered processing gives each layer a single task, so that each layer handles its own specific work independently and the packet forwarding speed is guaranteed. The invention can also build high-availability load-balancing clusters, hot-standby clusters and link-redundancy clusters, extending the working modes available in HA topology environments. The network security devices in the cluster can all be in the working state, sharing load dynamically, or can be in the working and backup states respectively. By selecting the load-balancing cluster working mode, the firewall cluster provided by the invention not only balances user load across the firewall nodes but also eliminates the firewall as a potential single point of failure among the network devices, that is, it provides seamless failover and dynamic load balancing at the firewall. Thus, when one firewall fails, the other firewalls in the cluster take over all network sessions of the failed firewall, and the network sessions are not interrupted.

Brief description of the drawings

Figure 1 is a schematic diagram of the structure of the firewall high-availability system of the invention; Figure 2 is a flowchart of the method of the invention for balancing load in response to network topology changes; Figure 3 is a flowchart of the method of the invention by which the forwarding layer handles packets; Figure 4 is a schematic diagram of the structure of the firewall high-availability system in load-balancing mode;

Figure 5 is a schematic diagram of the structure of the firewall high-availability system in hot-standby mode; Figure 6 is a schematic diagram of the structure of the firewall high-availability system in link-redundancy mode.

Detailed description of the embodiments

The invention is described in further detail below with reference to the drawings and specific embodiments.

The network security device for implementing high availability of a cluster system provided by the invention comprises a control layer and a forwarding layer. Based on such a network security device, the system provided by the invention is a cluster system composed of several such network security devices; each cluster node of the system is a network security device, and each network security device comprises a control layer and a forwarding layer. The control layer is responsible for monitoring the cluster state and notifying the forwarding layer of cluster state changes. The forwarding layer is responsible for processing received packets according to the information delivered by the control layer and for synchronizing node session state. Correspondingly, the method provided by the invention comprises a process in which the control layer balances load according to network topology changes and a process in which the forwarding layer handles received packets.

The invention is described below taking a firewall as the network security device. In this embodiment the firewalls are the cluster nodes of the cluster system, and the cluster system they form may be called a firewall cluster.

The firewall high-availability system of the invention can be used in several working modes, including load-balancing mode, hot-standby mode and link-redundancy mode. The system of the invention is described in detail below taking load-balancing mode as an example.

Figure 1 is a schematic diagram of the structure of the firewall high-availability system of the invention in load-balancing mode. It comprises two firewalls, firewall 1 and firewall 2, each comprising a control layer and a forwarding layer. The control layer monitors the state of the whole firewall cluster and delivers information such as cluster state changes to the forwarding layer; it also performs dynamic allocation of load hash values according to the cluster state and other information and delivers the resulting hash-value ranges to the forwarding layer; and the control layers send and receive heartbeat signals between one another and perform node configuration synchronization and state synchronization. The forwarding layer receives the cluster state changes and other information delivered by the control layer and processes or discards received packets according to that information; session state is synchronized between the forwarding layers. The control layer may be placed on the same hardware board as the forwarding layer, on a separate hardware board, or even implemented on a separate computer.

In this embodiment, the control layers may exchange information through a dedicated HA network port: the firewall nodes in the cluster carry out heartbeat communication through the HA port and monitor the state of each firewall node in real time. The HA port used for heartbeat communication between control layers is also used to synchronize cluster state information between the control layers. The forwarding layers exchange information through a synchronization network port, which may be a dedicated port or an ordinary data network port.

As shown in Figure 1, the control layers send and receive heartbeat signals through the HA port to monitor the state of the whole firewall cluster and changes in the network topology; according to the cluster state, the state information of the cluster nodes and a pre-configured load-balancing algorithm, they redistribute the range of load hash values handled by each node, and deliver the cluster state information and the range of load hash values handled by the node to the forwarding layer. The forwarding layer processes packets according to the cluster state information and the node's load hash-value range delivered by the control layer, and sends session state synchronization information through the synchronization port to the forwarding layers of the other nodes of the same cluster.

When the device has just started, the information the control layer delivers to the forwarding layer includes: the cluster ID, node ID, node priority, cluster working mode, the working state of this node, the network topology change sequence number, the range of hash values of packets handled by this node, and the network port used for forwarding-layer synchronization. The cluster ID identifies the cluster the node belongs to, and the node ID identifies the node within the cluster. Node priority is determined by start-up order, and the node with the highest priority is the master node. The cluster working modes are load-balancing mode, hot-standby mode and link-redundancy mode. The working state of this node is either working or backup. The network topology change sequence number is 1 when the cluster has just started and is incremented by 1 on every change of cluster topology; changes in the number of cluster nodes, in the priority of a cluster node, or in the resource usage of a cluster node may all cause a topology change. The range of packet hash values handled by this node is allocated by the control layer according to the cluster working mode and the node information. The port used for forwarding-layer synchronization is configured by the administrator; according to this setting the forwarding layer forwards session synchronization information through that port to the forwarding layers of the other nodes.
Of the above information, the cluster ID, node ID, node priority, cluster working mode, working state of the cluster nodes and network topology change information may collectively be called the cluster state information.

When a node goes offline or a new node joins, the control layer, having detected the change in network topology, modifies the information already stored in the forwarding layer. The modified information includes: the node priority, the working state of this node, the network topology change sequence number, and the range of packet hash values handled by this node as reallocated by the control layer.

The specific process by which the forwarding layer handles a received packet is as follows. If the current cluster working mode is load-balancing mode or link-redundancy mode, the forwarding layer computes the hash value of the packet from the packet's information and determines whether the computed hash value falls within the range handled by this node; if it does not, the packet is discarded, and if it does, processing continues. Continued processing may include security rule matching and data forwarding. If the current cluster working mode is hot-standby mode, the forwarding layer first determines whether this node's working state is the active processing state; if the node is in the backup state the packet is discarded, and if it is in the working state the forwarding layer computes the hash value of the packet from the packet's information and determines whether it falls within the range handled by this node, discarding the packet if it does not and continuing processing if it does.
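The following is an added example (not code from the patent or its assignee) of the forwarding-layer decision described in steps a and b of the summary and in the mode-by-mode process above, written in Python against the information the control layer delivers to the forwarding layer. The patent does not specify the hash function or the size of the hash space, so the example assumes a 0..255 hash space and takes the first byte of SHA-256 over the flow identifiers; making the hash symmetric in the two endpoints, so that both directions of a session land in the same range, is likewise an assumption of this example. The packets at the bottom are constructed sample data.

```python
import hashlib
from dataclasses import dataclass

HASH_MAX = 255  # assumption: the hash space is 0..255; the patent fixes no size


@dataclass(frozen=True)
class Packet:
    """Header fields used as hash input (constructed sample data below)."""
    src_ip: str
    dst_ip: str
    proto: int
    sport: int
    dport: int


@dataclass
class NodeView:
    """Information the control layer delivers to this node's forwarding layer."""
    cluster_id: int
    node_id: int
    mode: str          # "load_balance", "hot_standby" or "link_redundancy"
    active: bool       # working state (True) or backup state (False)
    topology_seq: int  # network topology change sequence number
    hash_range: tuple  # (low, high) inclusive; (0, -1) owns nothing


def flow_key(pkt: Packet) -> tuple:
    """Endpoints in canonical order plus protocol, so a session and its
    reverse-direction packets share one key (assumed design choice)."""
    ends = sorted([(pkt.src_ip, pkt.sport), (pkt.dst_ip, pkt.dport)])
    return (ends[0], ends[1], pkt.proto)


def packet_hash(pkt: Packet) -> int:
    """Map the flow key onto the hash space (SHA-256 first byte, assumption)."""
    return hashlib.sha256(repr(flow_key(pkt)).encode()).digest()[0]


def forwarding_decision(view: NodeView, pkt: Packet) -> str:
    """Return "process" or "drop" following the per-mode steps in the text."""
    if view.mode == "hot_standby" and not view.active:
        return "drop"  # step a: a backup node discards everything it receives
    # load-balancing, link-redundancy, or the active hot-standby node: step b
    low, high = view.hash_range
    if low <= packet_hash(pkt) <= high:
        return "process"  # continue with security rule matching / forwarding
    return "drop"  # this hash value belongs to another node's range


class ForwardingLayer:
    """Per-node forwarding layer: applies the decision, records session
    state, and queues session-sync records for the other nodes."""

    def __init__(self, view: NodeView):
        self.view = view
        self.sessions = {}    # flow key -> packets seen on this node
        self.sync_queue = []  # session state records to send on the sync port

    def on_control_update(self, new_view: NodeView) -> bool:
        """Accept new information from the control layer; a changed topology
        sequence number means a state synchronization round is due."""
        changed = new_view.topology_seq != self.view.topology_seq
        self.view = new_view
        return changed

    def handle(self, pkt: Packet) -> str:
        decision = forwarding_decision(self.view, pkt)
        if decision == "process":
            key = flow_key(pkt)
            self.sessions[key] = self.sessions.get(key, 0) + 1
            self.sync_queue.append((self.view.node_id, key, self.sessions[key]))
        return decision


if __name__ == "__main__":
    # constructed sample: two load-balancing nodes splitting the hash space
    nodes = [ForwardingLayer(NodeView(1, 1, "load_balance", True, 1, (0, 127))),
             ForwardingLayer(NodeView(1, 2, "load_balance", True, 1, (128, 255)))]
    for port in range(40000, 40010):
        pkt = Packet("10.0.0.1", "10.0.1.2", 6, port, 80)
        print(port, [n.handle(pkt) for n in nodes])
```

In link-redundancy mode the control layer assigns the full range to every node, so the range check in step b always passes and the code path is the same as for load balancing; in hot-standby mode the backup node never reaches the hash check. Whatever the sync port carries is session state for every flow the node owns, which is one reason the embodiment allows a dedicated synchronization port rather than an ordinary data port.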

The forwarding layer also uses the received sequence number of network topology changes to determine whether the network state has changed. If the sequence number changes, the network state has changed, for example a new node has joined or a node has gone offline; at that point the forwarding layers synchronize state with each other over the network port that the control layer has designated for forwarding-layer synchronization.

Below, taking load balancing mode as an example, each functional module contained in the control layer and the forwarding layer is described in detail.

The control layer contains a heartbeat and load distribution module and a path/port monitoring module. The heartbeat and load distribution module of a node's control layer sends and receives heartbeat signals through the HA port and determines whether a node is online or offline according to whether its heartbeat signal is received.

In load balancing mode, the whole cluster contains one master node and at least one slave node. All nodes are listed in the cluster node state table; the node with the highest priority, for example priority 1, is the master node and is responsible for controlling the whole cluster. The master node periodically propagates its heartbeat alive signal to each slave node, and each slave node likewise periodically propagates its heartbeat alive signal to the master node.

If the master node does not receive the heartbeat alive signal of a slave node within the specified time, that slave node is considered offline: the master node removes it from the cluster node state table, updates the information of each node in the table (for example the node priorities), and then sends this information to the slave nodes in a node state table synchronization signal. If the master node goes offline, the slave node with priority 2 fails to receive the master's heartbeat alive signal within the specified time, considers the master offline, automatically promotes itself to master to control the whole cluster, and deletes the original master from its own cluster node state table. As before, the master node updates the cluster node state table and synchronizes it to the slave nodes.

Every time a node joins or leaves the cluster, the master node readjusts the network load of each node in the cluster. The heartbeat and load distribution module of the master node's control layer allocates each node's hash value range for packet processing according to the current number of nodes in the cluster, the node priorities, node resources and similar information, together with the preconfigured load balancing algorithm. The master node sends a load synchronization signal to the slave nodes through the HA port to notify them of the hash value range each node is to handle. After receiving the load synchronization signal, each slave node passes its assigned hash value range down to its own forwarding layer.

The heartbeat and load distribution module of each cluster node's control layer also sends configuration synchronization signals to ensure that all nodes share the same configuration information. In a firewall cluster that implements a single overall security policy and shares the same configuration, when a firewall node newly joins the cluster, the master firewall node sends it a configuration synchronization signal to synchronize its configuration automatically. If, during normal operation of the cluster, the administrator changes the configuration of the master firewall node, the master synchronizes every change to all other slave firewall nodes through configuration synchronization signals. Likewise, if the administrator changes the configuration of a slave firewall node, that slave synchronizes every change to the other nodes, including the master, through configuration synchronization signals. This ensures that all firewall nodes in the cluster keep the same configuration information. The configuration information includes the node's IP addresses, the security rules in use, and so on.

In addition, the heartbeat and load distribution module of the master node's control layer periodically broadcasts its own system time to the slave nodes in the cluster, and each slave node updates its system time after receiving the time synchronization signal. The configuration synchronization signal, load synchronization signal and time synchronization signal described above can all be carried as part of the heartbeat signal and transmitted through the HA port.

The path/port monitoring module of the control layer monitors whether a cluster node has failed or recovered and sends the failure or recovery information to the heartbeat and load distribution module. The heartbeat and load distribution module broadcasts the failure or recovery information to the other cluster nodes in heartbeat signals. After receiving a heartbeat signal containing failure or recovery information, the other cluster nodes update their node state tables on their own initiative, and the master node adjusts the network load of each node and notifies the other nodes to take over the redistributed load. A node failure can be treated as one form of node exit, and a node recovery as one form of node join.

The path/port monitoring module of the control layer monitors node state changes, that is, node failure and recovery, and specifically covers monitoring of network ports at the link layer and monitoring of the IP addresses of neighbouring devices at the network layer. Link-layer port monitoring mainly checks whether a physical port of the firewall device is active and connected to a neighbouring network device. The firewall administrator can define which ports need to be monitored; a port's state becomes Link Down or Link Up depending on whether it is active and connected to a neighbouring device, so the port state can be used to judge whether the firewall node is in the valid state or the failed state. If the monitoring result for a port is Link Down, the firewall node enters the failed state; if the monitoring result is Link Up, the firewall node returns from the failed state to the valid state.

Network-layer IP monitoring of neighbouring devices mainly sends ARP requests to specified IP addresses at a fixed interval, checks whether the neighbouring device responds, and judges whether the firewall node has failed or is valid according to the total number of IP monitoring faults. If the total number of IP monitoring faults of a firewall node exceeds the failover threshold preset for that node, the node enters the failed state. If the total number of IP monitoring faults no longer exceeds the failover threshold, the firewall node returns from the failed state to the valid state. A node's transition from the failed state to the valid state is the node's recovery.
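The path/port monitor described in the two paragraphs above, as an added example that is not part of the patent: link-layer port state and ARP probe results are fed in as constructed events, the total fault count is modelled as the sum of consecutive missed ARP replies per monitored IP (an assumption, since the patent does not define how the count decreases), and the module returns the failure or recovery event that would be handed to the heartbeat and load distribution module.

```python
from dataclasses import dataclass, field
from typing import Dict, Optional


@dataclass
class PathMonitor:
    """Control-layer path/port monitor: derives the node's valid/failed state
    from monitored port link states and neighbour IP reachability."""

    failover_threshold: int                                   # preset per node
    port_link_up: Dict[str, bool] = field(default_factory=dict)
    ip_faults: Dict[str, int] = field(default_factory=dict)   # consecutive ARP misses per IP (assumed)
    failed: bool = False

    def monitor_port(self, port: str) -> None:
        """Administrator adds a physical port to the monitored set (assumed Link Up initially)."""
        self.port_link_up.setdefault(port, True)

    def monitor_ip(self, ip: str) -> None:
        """Administrator adds a neighbour IP that is probed with ARP at a fixed interval."""
        self.ip_faults.setdefault(ip, 0)

    def on_link_event(self, port: str, up: bool) -> Optional[str]:
        """Link Up / Link Down result for a monitored port."""
        if port not in self.port_link_up:
            return None                                       # unmonitored port: ignored
        self.port_link_up[port] = up
        return self._reevaluate()

    def on_arp_result(self, ip: str, replied: bool) -> Optional[str]:
        """Outcome of one ARP request to a monitored neighbour IP."""
        if ip not in self.ip_faults:
            return None
        self.ip_faults[ip] = 0 if replied else self.ip_faults[ip] + 1
        return self._reevaluate()

    def total_ip_faults(self) -> int:
        return sum(self.ip_faults.values())

    def _reevaluate(self) -> Optional[str]:
        """Apply the two rules from the text: any Link Down port, or a total
        IP fault count above the failover threshold, puts the node in the
        failed state; when neither holds any more the node recovers."""
        link_down = any(not up for up in self.port_link_up.values())
        over_threshold = self.total_ip_faults() > self.failover_threshold
        should_fail = link_down or over_threshold
        if should_fail and not self.failed:
            self.failed = True
            return "failure"        # sent to heartbeat/load distribution module
        if not should_fail and self.failed:
            self.failed = False
            return "recovery"       # node resumes as a join-type event
        return None                 # no state transition


if __name__ == "__main__":
    # Constructed walk-through: two neighbour IPs, threshold 2.
    m = PathMonitor(failover_threshold=2)
    m.monitor_port("eth0")
    m.monitor_ip("10.0.0.1")
    m.monitor_ip("10.0.0.2")
    for ev in (m.on_arp_result("10.0.0.1", False), m.on_arp_result("10.0.0.1", False),
               m.on_arp_result("10.0.0.2", False), m.on_arp_result("10.0.0.1", True),
               m.on_link_event("eth0", False), m.on_link_event("eth0", True)):
        print(ev)
```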

In addition, the control layer contains a state synchronization module for upper-layer applications, whose state synchronization is mainly aimed at dynamic protocols. For example, each time a client holds a video conference or accesses an FTP service, the port used by each connection has to be negotiated dynamically. The negotiated connection port is obtained at the control layer, and the node handling the connection synchronizes it to the other nodes through the HA port.

The forwarding layer contains a session synchronization module and a data forwarding module. The session synchronization module synchronizes sessions. When a firewall node processes a network session, it creates a corresponding session state table entry to maintain and process all data frames of that session. To prevent all the network sessions being handled by a firewall node that goes offline or fails from being lost, efficient real-time link-layer session synchronization is needed between nodes. That is, as soon as any node in the cluster establishes a new network session, it synchronizes the new session state to the other nodes in the cluster; and as soon as a network session on any node disappears, that node synchronizes the disappearance of the session to the other nodes in the cluster.

The forwarding layer of each device determines the timing of session state synchronization according to how far the session has progressed, the protocol type of the communication and the working mode of the cluster, and synchronizes the session state information to the other nodes at that moment, so that a session is not interrupted when it migrates between nodes. The synchronized session state table contents mainly include source IP, source port, destination IP, destination port, protocol, the current connection state and other information, such as the translated IP address when address translation is performed. In this embodiment, session synchronization can be driven by the data flow, with a node's session state synchronized to the other nodes by broadcast; this avoids a momentary heavy drain on the device's processing capacity while still guaranteeing state synchronization as far as possible.

The data forwarding module receives from the control layer the hash value range of packets to be processed by the local node, computes the hash value of each received packet from the packet's information, compares the computed hash value with the local node's hash value range, and then drops the packet or continues processing it according to the result. For example, the data forwarding module first computes the hash value of a received packet from its five-tuple, then checks whether that hash value falls within the hash value range allocated to the local node by the control layer; if so, it continues processing the packet, otherwise it drops the packet. The five-tuple of a packet comprises its source IP address, destination IP address, source port, destination port and transport protocol.

Compared with load balancing mode, the cluster state monitoring function of the control layer and the session state synchronization function of the forwarding layer in hot standby mode and link redundancy mode are similar. In hot standby mode, however, the master node carries the whole network load, so a slave node leaving or joining does not affect the load distribution, and when the master node exits a slave node becomes the new master and takes over all network traffic. In link redundancy mode, master and slave nodes need not be distinguished, or the first node to join the cluster may be treated as master and subsequent joining nodes as slaves; in this mode every node processes the network traffic flowing through it.

This can also be viewed as follows: in hot standby mode, the control layer passes the hash value range covering all network traffic down to the master node's forwarding layer, and either passes no hash value range down to the slave nodes' forwarding layers or passes down an empty range; in link redundancy mode, the control layer passes the hash value range covering all network traffic down to every node's forwarding layer.

Based on the above system for implementing high availability of network security devices, the method of the present invention for implementing high availability of network security devices comprises: the control layers send and receive heartbeat signals among themselves to monitor the state of the whole firewall cluster and changes in the network topology, redistribute the load hash value ranges according to the cluster state, the state information of the cluster nodes and the preconfigured load balancing algorithm, and pass the cluster state information and the load hash value range handled by each node down to the forwarding layer; the forwarding layer processes packets according to the cluster state information and load hash value range passed down by the control layer, and sends session state synchronization information to the forwarding layers of the other nodes in the same cluster.

Specifically, the above method may include the process by which the control layer performs load balancing in response to network topology changes, shown in Figure 2, and the process by which the forwarding layer handles received packets, shown in Figure 3.

As shown in Figure 2, the process by which the control layer performs load balancing in response to a network topology change comprises the following steps:

Step 201: determine whether the network topology change is a node joining or a node exiting; if a node is joining, proceed to step 204; if a node is exiting, proceed to step 202. Steps 202 to 203: determine whether the exiting node is the master node; if so, the slave node with the highest priority becomes the new master node and the process proceeds to step 207; otherwise proceed directly to step 207.

Steps 204 to 206: the joining node checks whether it detects heartbeat signals from other devices; if not, it sets itself as the master device, takes over all network traffic and updates the cluster node state table information; otherwise it sets itself as a slave device and proceeds to step 207.

Step 207: the master node redistributes the load, notifies the slave nodes of the allocated load information and updates the cluster node information. The cluster node state table information includes the node ID, the number of nodes, the node priorities and so on.

In the above scheme, the specific processing is not exactly the same in the different cluster working modes. In load balancing mode the processing is essentially the one described above. On node exit in hot standby mode, it is determined whether the exiting node is the master; if so, the slave node with the highest priority becomes the master and takes over all network traffic, otherwise the cluster node state table information is simply updated. In link redundancy mode, the cluster node state table information is updated directly.

On node join in hot standby mode, the joining node checks whether it detects heartbeat signals from other devices; if not, it sets itself as the master device and takes over all network traffic; otherwise it sets itself as a slave device and updates the cluster node state table information. In link redundancy mode, the node updates the cluster node state table information and proactively processes the traffic flowing through it, because the network environment in this mode contains a router or switch with load balancing capability and the load range handled by each node has already been assigned by that router or switch.
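The control-layer procedure of Figure 2 (steps 201 to 207), together with the per-mode hash range allocation described earlier, as an added example that is not part of the patent: the cluster node state table, heartbeat timeout detection, master election by priority on join and exit, and the range handed to each node in load balancing, hot standby and link redundancy mode. The 16-bit hash space, the even contiguous split used as the "preconfigured load balancing algorithm", and all names are assumptions.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

HASH_SPACE = 1 << 16                       # assumed: packet hash values are 0..65535
FULL_RANGE: Tuple[int, int] = (0, HASH_SPACE - 1)
Range = Optional[Tuple[int, int]]          # None = "no range" (hot-standby slave)


@dataclass
class NodeEntry:
    node_id: str
    priority: int            # 1 = highest; lowest number becomes master
    last_alive: float        # time the last heartbeat alive signal was seen


@dataclass
class ClusterControl:
    """Cluster node state table plus the Figure 2 topology-change handling."""

    mode: str                                  # "lb", "hot_standby" or "link_redundancy"
    heartbeat_timeout: float                   # the "specified time" for a missing heartbeat
    nodes: Dict[str, NodeEntry] = field(default_factory=dict)
    topology_seq: int = 0                      # sequence number passed to forwarding layers

    @staticmethod
    def join_role(hears_other_heartbeat: bool) -> str:
        """Steps 204-206: a starting node that hears nobody becomes master."""
        return "slave" if hears_other_heartbeat else "master"

    def master(self) -> Optional[str]:
        """Steps 202-203 fall out of the table: the highest priority survivor is master."""
        if not self.nodes:
            return None
        return min(self.nodes.values(), key=lambda n: n.priority).node_id

    def node_join(self, node_id: str, priority: int, now: float) -> Dict[str, Range]:
        self.nodes[node_id] = NodeEntry(node_id, priority, now)
        return self._topology_changed()

    def node_exit(self, node_id: str) -> Dict[str, Range]:
        self.nodes.pop(node_id, None)
        return self._topology_changed()

    def heartbeat_alive(self, node_id: str, now: float) -> None:
        """Record a heartbeat alive signal received over the HA port."""
        self.nodes[node_id].last_alive = now

    def check_heartbeats(self, now: float) -> Tuple[List[str], Optional[Dict[str, Range]]]:
        """Nodes whose alive signal is overdue are treated as offline (a node exit)."""
        offline = [n.node_id for n in self.nodes.values()
                   if now - n.last_alive > self.heartbeat_timeout]
        alloc = None
        for nid in offline:
            alloc = self.node_exit(nid)
        return offline, alloc

    def _topology_changed(self) -> Dict[str, Range]:
        self.topology_seq += 1                 # forwarding layers resync when this changes
        return self.allocate_ranges()          # step 207: load redistributed and notified

    def allocate_ranges(self) -> Dict[str, Range]:
        """Hash range per node, by mode, as the text describes."""
        ordered = sorted(self.nodes.values(), key=lambda n: n.priority)
        if not ordered:
            return {}
        if self.mode == "hot_standby":         # master gets everything, slaves get no range
            return {n.node_id: (FULL_RANGE if i == 0 else None) for i, n in enumerate(ordered)}
        if self.mode == "link_redundancy":     # every node processes what flows through it
            return {n.node_id: FULL_RANGE for n in ordered}
        # load balancing: assumed algorithm, a contiguous even split in priority order
        k = len(ordered)
        width = HASH_SPACE // k
        alloc: Dict[str, Range] = {}
        for i, n in enumerate(ordered):
            lo = i * width
            hi = HASH_SPACE - 1 if i == k - 1 else (i + 1) * width - 1
            alloc[n.node_id] = (lo, hi)
        return alloc


if __name__ == "__main__":
    # Constructed walk-through of the load-balancing case from Figure 4.
    cc = ClusterControl(mode="lb", heartbeat_timeout=3.0)
    print(cc.node_join("fw1", 1, now=0.0))
    print(cc.node_join("fw2", 2, now=0.0))
    cc.heartbeat_alive("fw2", 2.0)
    print(cc.check_heartbeats(now=5.0), cc.master())
```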

As shown in Figure 3, the process by which the forwarding layer handles a received packet comprises the following steps. Steps 301 to 302: determine which working mode the cluster is currently in: load balancing mode, hot standby mode or link redundancy mode. In load balancing mode, go to step 304. In hot standby mode, the forwarding layer checks whether the local node's working state is the active processing state: if it is in the backup state, go to step 303; if it is in the working state, go to step 304. In link redundancy mode, go to step 306. Step 303: drop the packet and end the process. Steps 304 to 305: the forwarding layer computes the hash value of the packet from the packet's information and checks whether the computed hash value falls within the hash value range handled by the local node; if not, go to step 303; if so, go to step 306. Step 306: continue processing the packet. Continued processing may include matching the packet against security rules and forwarding it.
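The forwarding-layer procedure of Figure 3, as an added example that is not part of the patent: a five-tuple hash, the drop-or-process decision for each working mode, the topology sequence number check that triggers peer synchronization, and a minimal step 306 rule match. The hash (SHA-256 truncated to 16 bits), the mode and state names and the packet record are assumptions for illustration.

```python
import hashlib
from dataclasses import dataclass
from typing import List, Optional, Tuple

HASH_SPACE = 1 << 16                       # assumed: hash values are 0..65535


@dataclass(frozen=True)
class Packet:
    """The five-tuple the data forwarding module hashes."""
    src_ip: str
    dst_ip: str
    src_port: int
    dst_port: int
    proto: str                             # "tcp", "udp", ...


def packet_hash(pkt: Packet) -> int:
    """Deterministic 16-bit hash of the five-tuple (assumed hash function)."""
    key = f"{pkt.src_ip}|{pkt.dst_ip}|{pkt.src_port}|{pkt.dst_port}|{pkt.proto}".encode()
    return int.from_bytes(hashlib.sha256(key).digest()[:2], "big")


@dataclass
class ForwardingLayer:
    mode: str                              # "lb", "hot_standby" or "link_redundancy"
    active: bool                           # working state (True) or backup state (False)
    hash_range: Optional[Tuple[int, int]]  # inclusive range from the control layer; None = none
    topology_seq: int = 0                  # last topology change sequence number seen

    def update_from_control(self, seq: int, active: bool,
                            hash_range: Optional[Tuple[int, int]]) -> bool:
        """Apply what the control layer passes down.  Returns True when the
        sequence number changed, i.e. peers must resynchronize session state."""
        changed = seq != self.topology_seq
        self.topology_seq = seq
        self.active = active
        self.hash_range = hash_range
        return changed

    def in_my_range(self, h: int) -> bool:
        return self.hash_range is not None and self.hash_range[0] <= h <= self.hash_range[1]

    def decide(self, pkt: Packet) -> str:
        """Steps 301-305: returns 'drop' (step 303) or 'process' (step 306)."""
        if self.mode == "link_redundancy":             # 301-302 -> 306 directly
            return "process"
        if self.mode == "hot_standby" and not self.active:
            return "drop"                              # backup node -> 303
        # load balancing, or an active hot-standby node: 304-305
        return "process" if self.in_my_range(packet_hash(pkt)) else "drop"


# Step 306, minimal form: first matching rule on destination port decides (assumed rule shape).
Rule = Tuple[str, Optional[int], str]                  # (proto, dst_port or None=any, action)


def security_rule_match(pkt: Packet, rules: List[Rule], default: str = "deny") -> str:
    for proto, dst_port, action in rules:
        if proto == pkt.proto and (dst_port is None or dst_port == pkt.dst_port):
            return action
    return default


if __name__ == "__main__":
    # Constructed packet and a two-node load-balancing split.
    pkt = Packet("10.0.0.5", "192.0.2.10", 40000, 443, "tcp")
    h = packet_hash(pkt)
    fw1 = ForwardingLayer("lb", True, (0, 32767))
    fw2 = ForwardingLayer("lb", True, (32768, 65535))
    print(h, fw1.decide(pkt), fw2.decide(pkt))
    print(security_rule_match(pkt, [("tcp", 443, "forward"), ("tcp", None, "deny")]))
```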

Below, the working principle of the system and method of the present invention is described specifically for the three cluster working modes: load balancing mode, hot standby mode and link redundancy mode.

1. Load balancing mode: In load balancing mode, each corresponding service port on all nodes of the cluster has the same IP address and the same MAC address; the nodes work together to balance the users' load, and no additional load balancer is needed. The firewall with priority 1 is the master node; it is in the working state, processes part of the network traffic according to the load balancing algorithm, and controls the whole cluster. The other firewall nodes are slave nodes, also in the working state, sharing the network traffic with the master. Once a firewall node fails, its load is quickly switched to the other firewalls in the cluster according to the load balancing algorithm, ensuring normal network communication.

As shown in Figure 4, in load balancing mode the system of the present invention for implementing firewall high availability comprises two firewalls, firewall 1 and firewall 2. The external Internet is connected to the firewalls through routers and external switches, and the trusted segments of the internal network protected by the firewalls are connected to the firewalls through internal switches. An internal network protected by a firewall usually contains several trusted segments, each containing a number of hosts. Different trusted segments may be connected to the same internal switch or to different internal switches. The routers exchange information through the Virtual Router Redundancy Protocol (VRRP), the switches are connected through trunk ports, and the firewalls are connected through a heartbeat link.

The method of the present invention for implementing firewall high availability comprises: 1. The firewall administrator configures each cluster device in advance, sets the cluster working mode to load balancing mode, and restarts the cluster devices.

2. When the first device starts, its control layer detects no heartbeat signals from other devices, so it sets itself as the master device, takes over all network traffic, and passes this information down to its forwarding layer so that the forwarding layer processes all traffic.

3. When the second device starts, its control layer detects the master device's heartbeat signal and sets itself as a slave device. At the same time the master device's control layer detects the slave's heartbeat signal, redistributes the load, assigns half of its own load to the slave, and notifies the slave through a load synchronization signal to take over its share of the traffic. The control layers of both devices pass the local node's new hash value range down to their respective forwarding layers, and each forwarding layer processes packets according to the computed packet hash value and the local node's hash value range. The forwarding layers synchronize their session states with each other through the synchronization port.

If a third device joins, in the same way, its control layer detects the master device's heartbeat signal and sets itself as a slave device, while the master device's control layer detects the presence of the third device; the master then redistributes the load, assigning one third of its own load and one third of the second device's load to the third device, notifies the second device through a load synchronization signal to carry load according to the new distribution, and notifies the third device to take over its share of the traffic. Each device passes the change in its own load range down to its forwarding layer, and each forwarding layer processes packets according to the computed packet hash value and the local node's hash value range. The forwarding layers synchronize the session states they each handle. If more cluster devices join, the working principle is similar to the process above.

4. When a cluster device fails or exits, if that device is a slave, the master redistributes the load, automatically reassigning the failed device's load to the working devices. If the failed device is the master, the slave with the highest priority is promoted to master. The new master redistributes the load, reassigning the failed master's load to the remaining devices. Each device's control layer passes the reallocated hash value range down to its own forwarding layer, and each forwarding layer processes packets according to the computed packet hash value and the local node's hash value range. Likewise, the forwarding layers synchronize session state.

It can be seen that each device in the network processes only part of the data, the load is shared dynamically, and no additional load balancer is needed.

2. Hot standby mode: In hot standby mode, each corresponding service port on all nodes of the cluster has the same IP address and the same MAC address. The firewall with priority 1 is the master node; it is in the working state, handles all network data flows and controls the whole cluster. The other firewall nodes are slave nodes in the hot backup state: they do not process network data, but they do process the state table synchronization signals broadcast by the master node. Once the master node fails, the slave node with the next highest priority is promoted to master, takes over the original master's work, and ensures normal network communication.

As shown in Figure 5, in hot standby mode the system of the present invention for implementing firewall high availability comprises two firewalls, firewall 1 and firewall 2. Packets from the external Internet reach a switch through a router; the switch sends the packets to the firewall, which processes them and sends them back to the switch, and the switch sends them to the users in the trusted segments of the internal network protected by the firewall. The firewalls are connected through a heartbeat link. The method of the present invention for implementing firewall high availability comprises: 1. The firewall administrator configures each cluster device in advance, sets the cluster working mode to hot standby mode, and restarts the cluster devices.

2. When the first device starts, its control layer detects no heartbeat signals from other devices, so it sets itself as the master device, assigns all network traffic to itself, and notifies its forwarding layer that it is the master so that the forwarding layer processes all traffic. The forwarding layer processes all traffic and synchronizes the state of the sessions it handles to the other nodes.

3. When the second device starts, its control layer detects the master device's heartbeat signal, sets itself as a slave device in the backup state, and notifies its forwarding layer that it is a slave. The second device's forwarding layer does not process network traffic and stores the session states sent by the master device in its own session state table.

4. When a cluster device fails, if that device is a slave, the master's packet processing is unaffected; if that device is the master, the slave becomes the master and takes over all network traffic. Because the session state has already been synchronized in advance, sessions migrate without interruption.

3. Link redundancy mode: Link redundancy mode is mainly used in network environments whose routers or switches already have load balancing capability, or in which paths are selected automatically by protocols such as the Spanning Tree Protocol (STP), Open Shortest Path First (OSPF) or Enhanced Interior Gateway Routing Protocol (EIGRP). All nodes in the cluster are in the working state, each handling the network data flows passing through itself. Once the firewall node on any link fails in link redundancy mode, the firewall node on another link takes over the sessions of the failed link, ensuring normal network communication.

As shown in Figure 6, in link redundancy mode the system of the present invention for implementing firewall high availability comprises two firewalls, firewall 1 and firewall 2, connected through a heartbeat link. The network itself selects network links automatically through the EIGRP protocol or through configured routes, so the failure of any single device in the network does not interrupt connections.

The method of the present invention for implementing firewall high availability in this mode comprises: 1. The firewall administrator configures each cluster device in advance, sets the cluster working mode to link redundancy mode, and restarts the cluster devices.

2. After the two cluster devices start, each sets itself to the working state; the control layer of each device passes the local node's state information and the cluster working mode down to its forwarding layer, and the forwarding layer processes all received packets. The forwarding layers synchronize session state with each other.

3、当一台集群设备失效后,选路协议会自动选择另外一条路径,由于另外一条路径的防火墙上有失效路径防火墙上的全部状态信息,所以连接可以不间断地迁移。 3, when a cluster of equipment failure, the routing protocol will automatically select another path, because all the information on the failed path state firewall on the firewall of another path, the connection can be continuously migrate.
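The takeover in step 3 only works because the forwarding layers have already exchanged session state in step 2: a stateful firewall accepts a mid-stream packet only if it holds a session entry for that flow, so a node that receives a re-routed flow without synchronized state would drop it. The following Python simulation is an added illustration and not code from the patent; the class, field and function names are assumptions, and the flow tuple and failure scenario are constructed.

```python
"""Link redundancy mode, simulated: two firewall nodes both forward traffic,
their forwarding layers replicate session state to each other, and the node
that receives a re-routed flow after a failure accepts it because the
session entry already exists locally.

Added illustration, not code from the patent. Class, field and function
names are assumptions; the flow tuple and scenario are constructed."""
from dataclasses import dataclass, field

# A flow is keyed by its 5-tuple: (src_ip, src_port, dst_ip, dst_port, proto).
Flow = tuple


@dataclass
class ForwardingLayer:
    name: str
    working: bool = True
    sessions: set = field(default_factory=set)   # local session table
    peers: list = field(default_factory=list)    # forwarding layers of the other nodes
    policy_allows_new: bool = True               # stand-in for security rule matching

    def sync_in(self, flow: Flow, action: str) -> None:
        """Apply a session state synchronization signal received from a peer."""
        if action == "add":
            self.sessions.add(flow)
        else:
            self.sessions.discard(flow)

    def sync_out(self, flow: Flow, action: str) -> None:
        """Send a session state synchronization signal to every working peer."""
        for peer in self.peers:
            if peer.working:
                peer.sync_in(flow, action)

    def handle(self, flow: Flow, opens_flow: bool) -> str:
        """Stateful decision for one packet.

        A packet that opens a flow (e.g. TCP SYN) is checked against the rule
        set and, if allowed, creates a session that is replicated to peers.
        A mid-stream packet is accepted only if a session already exists,
        whether created here or received through synchronization."""
        if not self.working:
            return "drop:node-down"
        if flow in self.sessions:
            return "forward:existing-session"
        if opens_flow and self.policy_allows_new:
            self.sessions.add(flow)
            self.sync_out(flow, "add")
            return "forward:new-session"
        return "drop:no-session"

    def close(self, flow: Flow) -> None:
        """Tear down a session locally and on peers (e.g. on TCP FIN/RST)."""
        self.sessions.discard(flow)
        self.sync_out(flow, "del")


def make_pair(synchronize: bool = True):
    """Two nodes on separate links, with session synchronization on or off."""
    fw1, fw2 = ForwardingLayer("fw1"), ForwardingLayer("fw2")
    if synchronize:
        fw1.peers.append(fw2)
        fw2.peers.append(fw1)
    return fw1, fw2


def failover_scenario(synchronize: bool) -> list:
    """Constructed scenario: a flow is opened through fw1, fw1 fails, the
    routing protocol moves the flow to fw2, and a mid-stream packet of the
    same flow arrives at fw2. Returns the two forwarding decisions."""
    fw1, fw2 = make_pair(synchronize)
    flow = ("10.0.0.5", 40000, "192.0.2.10", 443, "tcp")
    decisions = [fw1.handle(flow, opens_flow=True)]
    fw1.working = False      # device or link failure; traffic is re-routed to fw2
    decisions.append(fw2.handle(flow, opens_flow=False))
    return decisions


if __name__ == "__main__":
    print("with sync   :", failover_scenario(True))
    print("without sync:", failover_scenario(False))
```

Running `failover_scenario(True)` gives `forward:new-session` on fw1 and `forward:existing-session` on fw2; with synchronization disabled the second decision becomes `drop:no-session`, which is the connection interruption the patent sets out to avoid. Note that each node admits traffic on the strength of state received from its peer, so the synchronization channel carries the same trust as the control channel; this is one reason the claims provide for a dedicated synchronization interface.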

The system and method for high availability of network security devices provided by the present invention can also be used for other device clusters that require high availability, such as VPN devices, switches, routers and server clusters; their working principle is similar to that of firewall high availability.

In summary, the above are merely preferred embodiments of the present invention and are not intended to limit it. Any modification, equivalent replacement or improvement made within the spirit and principles of the present invention shall fall within its scope of protection.

Claims (20)

1. A network security device for forming a high-availability cluster system, characterized in that the network security device comprises a control layer and a forwarding layer; the control layer is used to monitor cluster state changes, synchronize node configuration information, perform load distribution according to the cluster state changes, and send the cluster state change information and the load distribution information down to the forwarding layer; the forwarding layer is used to process packets according to the information sent down by the control layer, update session state information, and synchronize session state information.
2. The network security device according to claim 1, characterized in that the control layer comprises a heartbeat and load distribution module and a path/interface monitoring module; the path/interface monitoring module is used to monitor state changes of the network security device node and to send a signal containing the node state change to the heartbeat and load distribution module; the heartbeat and load distribution module is used to send and receive heartbeat signals in order to monitor cluster state changes, to synchronize node configuration information, to receive the signal containing the node state change sent by the path/interface monitoring module, to perform load distribution according to the cluster state change and the node state, and to send the load distribution information down to the forwarding layer.
3. The network security device according to claim 2, characterized in that the control layer further comprises an upper-layer application state synchronization module for synchronizing upper-layer application session state information.
4. The network security device according to claim 1, 2 or 3, characterized in that the forwarding layer comprises a session synchronization module and a data forwarding module; the data forwarding module is used to receive the load distribution information sent down by the control layer, to process packets according to the packet information and the load distribution information, and to send session state information to the session synchronization module; the session synchronization module is used to receive the session state information sent by the data forwarding module and to send out a session state synchronization signal containing that session state information.
5. The network security device according to claim 1, 2 or 3, characterized in that the control layer comprises a dedicated high-availability interface.
6. The network security device according to claim 1, characterized in that the forwarding layer comprises ordinary data interfaces for forwarding packets and a synchronization interface for synchronizing state information, the synchronization interface being either a dedicated synchronization interface or an ordinary data interface.
7. A system for achieving high availability of network security devices, comprising one or more network security devices serving as cluster nodes in a cluster system, characterized in that each network security device comprises a control layer and a forwarding layer; the control layer is used to monitor cluster state changes, perform load distribution according to the cluster state changes, and send the cluster state change information and the load distribution information down to the forwarding layer; the forwarding layer is used to process packets according to the information sent down by the control layer and to update session state information; the control layers of the network security devices communicate by sending heartbeat signals to and receiving heartbeat signals from one another, and synchronize node configuration information; the forwarding layers of the network security devices synchronize session state by sending session state synchronization signals to and receiving them from one another.
8. The system for achieving high availability of network security devices according to claim 7, characterized in that the control layer of the network security device comprises a heartbeat and load distribution module and a path/interface monitoring module; the path/interface monitoring module is used to monitor state changes of the network security device node and to send a signal containing the node state change to the heartbeat and load distribution module; the heartbeat and load distribution module is used to send and receive heartbeat signals in order to monitor cluster state changes, to synchronize node configuration information, to receive the signal containing the node state change sent by the path/interface monitoring module, to perform load distribution according to the cluster state change and the node state, and to send the load distribution information down to the forwarding layer.
9. The system for achieving high availability of network security devices according to claim 8, characterized in that the control layer of the network security device further comprises an upper-layer application state synchronization module for synchronizing upper-layer application session state information.
10. The system for achieving high availability of network security devices according to claim 7, 8 or 9, characterized in that the forwarding layer of the network security device comprises a session synchronization module and a data forwarding module; the data forwarding module is used to receive the load distribution information sent down by the control layer, to process packets according to the packet information and the load distribution information, and to send session state information to the session synchronization module; the session synchronization module is used to receive the session state information sent by the data forwarding module and to send out a session state synchronization signal containing that session state information.
11. The system for achieving high availability of network security devices according to claim 7, 8 or 9, characterized in that the control layers of the network security devices are connected to one another through configured dedicated high-availability interfaces.
12. The system for achieving high availability of network security devices according to claim 7, characterized in that the forwarding layers of the network security devices are connected to one another through configured dedicated synchronization interfaces or ordinary data interfaces.
13. The system for achieving high availability of network security devices according to claim 7, 8, 9 or 12, characterized in that the network security device is a firewall.
14. A method for achieving high availability of network security devices, applicable to a cluster system composed of one or more network security devices serving as cluster nodes, the cluster system comprising one master node and at least one slave node, and each cluster node comprising a control layer and a forwarding layer, characterized in that the method comprises: the control layer monitors cluster state changes, performs load distribution according to the cluster state information, and sends the cluster state information and the load distribution information down to the forwarding layer; the forwarding layer processes packets according to the cluster state information and load distribution information sent down by the control layer, and sends session state information to the other cluster nodes of the same cluster system for session state synchronization.
15. The method for achieving high availability of network security devices according to claim 14, characterized in that the process in which the control layer monitors cluster state changes and performs load distribution comprises the following steps: A. determining, according to the cluster state change, the current master node of the cluster system, the number of nodes and the working state of the cluster nodes; B. the master node distributes load according to the cluster working mode and the cluster node information, notifies the slave nodes of the load assigned to them, and updates the cluster node information.
16. The method for achieving high availability of network security devices according to claim 15, characterized in that step A comprises: determining whether the change in cluster network topology is a node joining or a node leaving; if a node is joining, determining whether the joining node detects a heartbeat signal; if not, setting the joining node as the master node and then performing step B, otherwise setting the joining node as a slave node and then performing step B; if a node is leaving, determining whether the leaving node is the master node; if so, setting the slave node with the highest priority as the master node and then performing step B; otherwise performing step B directly.
17. The method for achieving high availability of network security devices according to claim 15 or 16, characterized in that in step B the master node distributing load according to the cluster working mode comprises: when the cluster working mode is load balancing mode, if the cluster system contains only the master node, the master node assigns the whole load hash value range to itself, and if the cluster system contains a master node and slave nodes, the master node assigns load hash value ranges according to a preset load distribution algorithm; when the cluster working mode is dual-machine hot standby mode, the whole load hash value range is assigned to the master node; when the cluster working mode is link redundancy mode, the whole load hash value range is assigned to every node.
18. The method for achieving high availability of network security devices according to claim 14, characterized in that the process in which the forwarding layer processes a received packet comprises the following steps: a. determining whether the state of the node is the working state; if not, discarding the received packet, otherwise performing step b; b. the forwarding layer computes the hash value of the packet from the information in the received packet and determines whether that hash value falls within the hash value range handled by this node; if not, discarding the packet; otherwise continuing to process the packet.
19. The method for achieving high availability of network security devices according to claim 18, characterized in that before step a the method further comprises: determining the current cluster working mode of the cluster system; if the current cluster working mode is load balancing mode, performing step b directly; if the current cluster working mode is dual-machine hot standby mode, proceeding to step a; if the current cluster working mode is link redundancy mode, continuing to process the packet.
20. The method for achieving high availability of network security devices according to claim 18 or 19, characterized in that in step b, continuing to process the packet comprises matching the packet against security rules or forwarding the packet.
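Claims 15 to 19 together describe one procedure: elect a master when nodes join or leave, have the master assign hash value ranges according to the working mode, and have each forwarding layer admit or drop a packet based on the mode, the node state and the hash range. The Python simulation below is an added illustration and not the patent's code; it also exercises the link redundancy mode described in the embodiment above. The size of the hash value range, the SHA-256 based packet hash, the even split used as the "preset load distribution algorithm" of claim 17 (which the patent does not specify) and all class and function names are assumptions.

```python
"""Control-layer election and load distribution (claims 15 to 17) and the
forwarding-layer admission check (claims 18 and 19), simulated in one place.

Added illustration, not the patent's code. Assumptions: the hash value range
is the integers 0..HASH_SPACE-1; the packet hash is SHA-256 of the address
pair reduced to that range; the "preset load distribution algorithm" of
claim 17, which the patent does not specify, is an even split in priority
order; all names are invented for this example."""
from dataclasses import dataclass, field
import hashlib

HASH_SPACE = 256   # assumed size of the hash value range

LOAD_BALANCE, HOT_STANDBY, LINK_REDUNDANCY = "load_balance", "hot_standby", "link_redundancy"


@dataclass
class Node:
    name: str
    priority: int
    working: bool = True
    role: str = "slave"
    hash_range: range = range(0)     # empty until the master assigns one


@dataclass
class Cluster:
    mode: str
    nodes: dict = field(default_factory=dict)

    # Claim 16, node joins: no heartbeat heard -> it becomes master, else slave.
    def join(self, node: Node) -> None:
        heartbeat_heard = any(n.working for n in self.nodes.values())
        node.role = "slave" if heartbeat_heard else "master"
        self.nodes[node.name] = node
        self.distribute()                      # step B

    # Claim 16, node leaves: if it was the master, the highest-priority slave takes over.
    def leave(self, name: str) -> None:
        left = self.nodes.pop(name)
        if left.role == "master" and self.nodes:
            max(self.nodes.values(), key=lambda n: n.priority).role = "master"
        self.distribute()                      # step B

    def master(self):
        return next((n for n in self.nodes.values() if n.role == "master"), None)

    # Claim 17, step B: the master assigns hash value ranges according to the mode.
    def distribute(self) -> None:
        nodes = list(self.nodes.values())
        if not nodes:
            return
        full = range(0, HASH_SPACE)
        if self.mode == LINK_REDUNDANCY:
            for n in nodes:                    # every node handles the whole range
                n.hash_range = full
        elif self.mode == HOT_STANDBY:
            for n in nodes:                    # only the master handles traffic
                n.hash_range = full if n.role == "master" else range(0)
        elif self.mode == LOAD_BALANCE:
            ordered = sorted(nodes, key=lambda n: -n.priority)   # assumed algorithm
            step = HASH_SPACE // len(ordered)
            for i, n in enumerate(ordered):
                hi = HASH_SPACE if i == len(ordered) - 1 else (i + 1) * step
                n.hash_range = range(i * step, hi)
        else:
            raise ValueError(f"unknown cluster working mode: {self.mode}")


def packet_hash(src: str, dst: str) -> int:
    """Assumed hash over packet information, reduced to the hash value range."""
    digest = hashlib.sha256(f"{src}>{dst}".encode()).digest()
    return int.from_bytes(digest[:2], "big") % HASH_SPACE


def forwarding_decision(cluster: Cluster, node: Node, src: str, dst: str) -> str:
    """Claims 18 and 19 applied to one received packet on one node."""
    if cluster.mode == LINK_REDUNDANCY:
        return "process"                       # claim 19: continue processing directly
    if cluster.mode == HOT_STANDBY and not node.working:
        return "drop:node-not-working"         # step a (skipped in load balancing mode)
    if packet_hash(src, dst) not in node.hash_range:
        return "drop:hash-out-of-range"        # step b
    return "process"                           # rule matching / forwarding (claim 20)
```

In load balancing mode the ranges partition the hash space, so exactly one node processes any given packet while the others discard it; when the master leaves, the highest-priority slave is promoted and the ranges are recomputed. In hot standby mode the slave's range is empty and it drops everything until promoted, and in link redundancy mode every node accepts whatever the routing protocol delivers to it, which is why that mode relies on the session synchronization of the embodiment above rather than on hash ranges.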

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN 200410070804 CN1317853C (en) 2004-07-20 2004-07-20 Network safety equipment and assemblied system and method for implementing high availability


Publications (2)

Publication Number Publication Date
CN1725702A CN1725702A (en) 2006-01-25
CN1317853C true CN1317853C (en) 2007-05-23

Family

ID=35924954


Country Status (1)

Country Link
CN (1) CN1317853C (en)


Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN1179047A (en) * 1996-10-01 1998-04-15 国际商业机器公司 Load balancing in distributed enterprise computer environment
US6011781A (en) * 1997-03-19 2000-01-04 Advanced Micro Devices, Inc. Multipoint access protocol utilizing a point-to-point methodology
CN1512729A (en) * 2002-12-31 2004-07-14 联想(北京)有限公司 Method for network equipment self adaption load equalization




Legal Events

Date Code Title Description
C06 Publication
C10 Entry into substantive examination
C14 Grant of patent or utility model
C56 Change in the name or address of the patentee

Owner name: BEIJING LEADSEC TECHNOLOGY CO.,LTD.

Free format text: FORMER NAME: LENOVO NET DEFENSE TECHNOLOGY (BEIJING) CO., LTD.

EXPY Termination of patent right or utility model