Tuesday, February 7, 2023

Cisco Secure Firewall on AWS: Build resilience at scale with stateful firewall clustering


Organizations embrace the public cloud for the agility, scalability, and reliability it offers when running applications. But just as organizations need these capabilities to ensure their applications operate where needed and as needed, they also require that their security does the same. Organizations may introduce multiple individual firewalls into their AWS infrastructure to provide this outcome. In theory, this is a great decision, but in practice it can lead to asymmetric routing issues. Complex SNAT configuration can mitigate asymmetric routing issues, but this is not practical for maintaining public cloud operations. Organizations are planning their long-term cloud strategies by ruling out SNAT and are calling for a more reliable and scalable solution for connecting their applications and security for always-on protection.

To solve these challenges, Cisco created stateful firewall clustering with Secure Firewall in AWS.


Cisco Secure Firewall clustering overview

Firewall clustering for Secure Firewall Threat Defense Virtual provides a highly resilient and reliable architecture for securing your AWS cloud environment. This capability lets you group multiple Secure Firewall Threat Defense Virtual appliances together as a single logical device, known as a "cluster."

A cluster provides all the conveniences of a single device (management and integration into a network) while taking advantage of the increased throughput and redundancy you would expect from deploying multiple devices individually. Cisco uses the Cluster Control Link (CCL) for forwarding asymmetric traffic across devices in the cluster. Clusters can have up to 16 members, and we use VxLAN for the CCL.

In this case, clustering has the following roles:

Figure 1 Cisco Secure Firewall Clustering Overview

The diagram above explains traffic flow between the client and the server with the firewall cluster inserted into the network. Below we define the roles of clustering and how packet flow interacts at each step.


Clustering roles and responsibilities

Owner: The Owner is the node in the cluster that initially receives the connection.

    • The Owner maintains the TCP state and processes the packets.
    • A connection has only one Owner.
    • If the original Owner fails, the new node receives the packets, and the Director chooses a new Owner from the available nodes in the cluster.

Backup Owner: The node that stores TCP/UDP state information received from the Owner so that the connection can be seamlessly transferred to a new owner in case of failure.

Director: The Director is the node in the cluster that handles owner lookup requests from the Forwarder(s).

    • When the Owner receives a new connection, it chooses a Director based on a hash of the source/destination IP address and ports. The Owner then sends a message to the Director to register the new connection.
    • If packets arrive at any node other than the Owner, the node queries the Director. The Director then looks up and identifies the Owner node so that the Forwarder can redirect packets to the correct destination.
    • A connection has only one Director.
    • If a Director fails, the Owner chooses a new Director.

Forwarder: The Forwarder is a node in the cluster that redirects packets to the Owner.

    • If a Forwarder receives a packet for a connection it does not own, it queries the Director to find the Owner.
    • Once the Owner is identified, the Forwarder establishes a flow and redirects any future packets it receives for this connection to the identified Owner.

Fragment Owner: For fragmented packets, cluster nodes that receive a fragment determine a Fragment Owner using a hash of the fragment source IP address, destination IP address, and the packet ID. All fragments are then redirected to the Fragment Owner over the Cluster Control Link.
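To make the role interplay concrete, here is an added toy model of the Owner, Backup Owner, Director and Forwarder roles described above, including the Owner-failure case. It is illustration code written for this page, not Cisco's implementation; the SHA-256 hash, the data structures, the Backup Owner choice and the node names are assumptions.

```python
import hashlib

class Cluster:
    """Toy model of Owner / Director / Forwarder / Backup Owner roles (assumed structures)."""

    def __init__(self, nodes):
        self.nodes = list(nodes)   # live node names, e.g. the constructed sample ["fw1", "fw2", "fw3"]
        self.registry = {}         # director -> {flow: owner}
        self.backup = {}           # flow -> Backup Owner holding a copy of the TCP state
        self.flow_cache = {}       # (forwarder, flow) -> owner learned from the Director

    def director_for(self, flow):
        # Director = hash of (src ip, src port, dst ip, dst port) over the live nodes
        key = ":".join(map(str, flow)).encode()
        idx = int.from_bytes(hashlib.sha256(key).digest()[:4], "big")
        return self.nodes[idx % len(self.nodes)]

    def new_connection(self, flow, node):
        """First packet arrives at `node`: it becomes Owner and registers with the Director."""
        self.registry.setdefault(self.director_for(flow), {})[flow] = node
        # Backup Owner: first live node other than the Owner (toy choice, an assumption)
        self.backup[flow] = next((n for n in self.nodes if n != node), node)
        return node

    def handle_packet(self, flow, node):
        """Return (role `node` plays for this packet, node that actually processes it)."""
        owner = self.registry.get(self.director_for(flow), {}).get(flow)
        if owner is None:
            return "owner", self.new_connection(flow, node)
        if owner == node:
            return "owner", node
        if (node, flow) not in self.flow_cache:        # Forwarder asks the Director once ...
            self.flow_cache[(node, flow)] = owner
        return "forwarder", self.flow_cache[(node, flow)]  # ... then redirects over the CCL

    def fail_node(self, failed):
        """Node loss: Owners re-register with re-hashed Directors; a lost Owner is replaced."""
        self.nodes.remove(failed)
        # Forwarder caches pointing at (or held by) the failed node are no longer valid
        self.flow_cache = {k: v for k, v in self.flow_cache.items() if failed not in (k[0], v)}
        old, self.registry = self.registry, {}
        for flows in old.values():
            for flow, owner in flows.items():
                if self.backup[flow] == failed:            # re-seed the Backup Owner
                    self.backup[flow] = next((n for n in self.nodes if n != owner), owner)
                if owner == failed:                        # Backup Owner has the state: promote it
                    owner = self.backup[flow]
                    self.backup[flow] = next((n for n in self.nodes if n != owner), owner)
                self.registry.setdefault(self.director_for(flow), {})[flow] = owner
```

Run `Cluster(["fw1", "fw2", "fw3"])`, send packets for one flow to different nodes, then call `fail_node` on the Owner to watch the connection survive on the promoted Backup Owner.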


Integration with AWS Gateway Load Balancer (GWLB)

Cisco announced support for AWS Gateway Load Balancer (Figure 2). This feature enables organizations to scale their firewall presence as needed to meet demand (see details here).

Figure 2 Cisco Secure Firewall and AWS Gateway Load Balancer integration


Cisco Secure Firewall clustering in AWS

Building off the previous figure, organizations can take advantage of the AWS Gateway Load Balancer with Secure Firewall's clustering capability to evenly distribute traffic across the Secure Firewall cluster. This allows organizations to maximize the benefits of clustering capabilities, including increased throughput and redundancy. Figure 3 shows how positioning a Secure Firewall cluster behind the AWS Gateway Load Balancer creates a resilient architecture. Let's take a closer look at what is going on in the diagram.

Figure 3 Cisco Secure Firewall clustering in AWS

Figure 3 shows an Internet user attempting to access a workload. Before the user can access the workload, the user's traffic is routed to Firewall Node 2 for inspection. The traffic flow for this example consists of:

User -> IGW -> GWLBe -> GWLB -> Secure Firewall (2) -> GWLB -> GWLBe -> Workload

In the event of a failure, the AWS Gateway Load Balancer cuts off existing connections to the failed node, making the above solution non-stateful.

Recently, AWS announced a new feature for its load balancers known as Target Failover for Existing Flows. This feature enables forwarding of existing connections to another target in the event of failure.

Cisco is an early adopter of this feature and has combined Target Failover for Existing Flows with Secure Firewall clustering capabilities to create the industry's first stateful cluster in AWS.

Figure 4 Cisco Secure Firewall clustering rehashing an existing flow to a new node

Figure 4 shows a firewall failure event and how the AWS Gateway Load Balancer uses the Target Failover for Existing Flows feature to switch the traffic flow from Firewall Node 2 to Firewall Node 3. The traffic flow for this example consists of:

User -> IGW -> GWLBe -> GWLB -> Secure Firewall (3) -> GWLB -> GWLBe -> Workload



Organizations need reliable and scalable security to protect always-on applications in their AWS cloud environment. With stateful firewall clustering capabilities from Cisco, organizations can protect their applications while maintaining cloud benefits such as agility, scalability, and reliability.

Cisco Secure Firewall Threat Defense Virtual is available in the AWS Marketplace, providing features like firewalling, application visibility & control, IPS, URL filtering, and malware defense. Cisco offers flexible options for firewall licensing, such as pay-as-you-go (PAYG) and bring-your-own-license (BYOL). To learn more about how Cisco Secure Firewall clustering capabilities can help protect your AWS applications, see our additional resources, check out our 30-day free trial, or speak to your Cisco sales representative.


Additional Resources

Cisco Secure Firewall Clustering in the Cloud

Building a Scalable Security Architecture on AWS with Cisco Secure Firewall and AWS Gateway Load Balancer

Introducing AWS Gateway Load Balancer Target Failover for Existing Flows

Secure Firewall for Public Cloud webpage
