Learn how to enable session resiliency for the VM-Series firewall
deployed in AWS.
| Where Can I Use This? | What Do I Need? |
| --- | --- |
| VM-Series firewall deployed in AWS | AWS account; Amazon Machine Image (AMI) ID; VM-Series License (PAYG or BYOL); VM-Series plugin; Panorama; Panorama plugin for AWS |
Session resiliency allows the VM-Series firewall to maintain session
continuity during a failure event. The AWS Gateway Load Balancer (GWLB) can detect
and deregister unhealthy VM-Series firewalls deployed in a horizontally scalable
cluster behind the GWLB. With session resiliency enabled, the GWLB can rehash
existing traffic sessions flowing toward an unhealthy VM-Series firewall and redirect the
traffic to a healthy VM-Series firewall.
To maintain sessions that fail over to healthy VM-Series firewalls, you must deploy a
Redis cache that your VM-Series firewalls can reach: ElastiCache for Redis for AWS. The
Redis cache maintains session information. When your load balancer detects an
unhealthy VM-Series firewall, the load balancer rebalances traffic to a healthy
VM-Series firewall. The healthy VM-Series firewall reads the session information
from the Redis cache and continues to inspect and forward the existing traffic.
Your load balancer must meet the following requirements to support session
resiliency.
- According to AWS Gateway Load Balancer (GWLB) specifications, typical
failover events take 30 to 120 seconds to complete. To ensure
that connections persist despite these delays, both the client and server
nodes need to be configured with a TCP Retransmission Timeout (RTO) policy
capable of accommodating this latency.
- We recommend consulting your OS vendor’s documentation for specific tuning
parameters. The following example demonstrates how to adjust these settings
on a Windows-based environment.
| Health Check Configuration | Value |
| --- | --- |
| Cross-zone load balancing | Enabled |
| Target Group: Deregistration delay | 60 seconds |
| Target Group: Healthy/Unhealthy threshold | 2 |
| Target Group: Health check timeout | 2 seconds |
| Target Group: Health check interval | 5 seconds |
Your ElastiCache for Redis instance must meet the following requirements to
support session resiliency on the VM-Series firewall.
- Standard tier.
- Deploy the Redis cache in the same region and zone as your
VM-Series firewall instances.
- Ensure that your firewall management interface is able to
access your ElastiCache instance. For example, place both devices in the same
VPC.
When sizing your memory store for Redis, use the following guidelines.
- Base the size of the Redis cache on the maximum number of sessions
supported by your VM-Series firewall instance. See
Maximum Limits Based on Tier and
Memory to determine the maximum sessions for your firewall.
- Each Redis entry per session uses approximately 128 bytes.
Therefore, one VM-Series firewall that supports 10,000,000 sessions requires
approximately 1.3 GB of storage, and a cluster of 10 VM-Series firewalls
requires at least 13 GB.
- Use the following formula to calculate the Redis requirements:
(128 x <number of sessions>) x 10^-9 = required
Redis cache size per firewall, in GB
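The GWLB health-check table and the Redis sizing formula above are both simple to get wrong in a console. The following added example (not code from the original page or from Palo Alto Networks) checks a target group, its attributes and the load balancer attributes against the required values, and applies the sizing formula; the dict keys match the shapes returned by boto3 `describe_target_groups`, `describe_target_group_attributes` and `describe_load_balancer_attributes`, while the sample values themselves are constructed.

```python
"""Validate GWLB settings and Redis sizing for VM-Series session resiliency.

Added example: the required values come from the tables on this page; the
SAMPLE_* dicts are constructed input in boto3 response shape, not real output.
"""

# Required target-group settings (from the Health Check Configuration table).
REQUIRED_TARGET_GROUP = {
    "HealthCheckIntervalSeconds": 5,
    "HealthCheckTimeoutSeconds": 2,
    "HealthyThresholdCount": 2,
    "UnhealthyThresholdCount": 2,
}
# Required attributes: deregistration delay on the target group,
# cross-zone load balancing on the GWLB itself.
REQUIRED_ATTRS = {
    "deregistration_delay.timeout_seconds": "60",
    "load_balancing.cross_zone.enabled": "true",
}
BYTES_PER_SESSION = 128  # approximate Redis entry size per session


def redis_cache_gb(max_sessions: int, firewalls: int = 1) -> float:
    """Page formula: (128 x sessions) x 10^-9 GB per firewall, times cluster size."""
    return BYTES_PER_SESSION * max_sessions * 1e-9 * firewalls


def check_gwlb(target_group: dict, tg_attrs: list, lb_attrs: list) -> list:
    """Return human-readable findings; an empty list means the GWLB is compliant."""
    findings = []
    for key, want in REQUIRED_TARGET_GROUP.items():
        if target_group.get(key) != want:
            findings.append(f"{key}={target_group.get(key)} (want {want})")
    attrs = {a["Key"]: a["Value"] for a in tg_attrs + lb_attrs}
    for key, want in REQUIRED_ATTRS.items():
        if attrs.get(key) != want:
            findings.append(f"{key}={attrs.get(key)} (want {want})")
    return findings


def check_redis(node_memory_gb: float, max_sessions: int, firewalls: int) -> list:
    """Flag an ElastiCache node too small for the cluster's session table."""
    need = redis_cache_gb(max_sessions, firewalls)
    return [f"Redis memory {node_memory_gb} GB < required {need:.2f} GB"] if node_memory_gb < need else []


# Constructed sample: settings left at values that do not meet the requirements.
SAMPLE_TG = {"HealthCheckIntervalSeconds": 10, "HealthCheckTimeoutSeconds": 5,
             "HealthyThresholdCount": 3, "UnhealthyThresholdCount": 3}
SAMPLE_TG_ATTRS = [{"Key": "deregistration_delay.timeout_seconds", "Value": "300"}]
SAMPLE_LB_ATTRS = [{"Key": "load_balancing.cross_zone.enabled", "Value": "false"}]

if __name__ == "__main__":
    for f in check_gwlb(SAMPLE_TG, SAMPLE_TG_ATTRS, SAMPLE_LB_ATTRS):
        print("GWLB:", f)
    for f in check_redis(12, 10_000_000, 10):
        print("Redis:", f)
```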
Session resiliency can't be enabled on existing VM-Series
firewall instances; only on newly deployed instances.
Enable session resiliency on the VM-Series firewall by passing the
configuration as part of a bootstrapping init-cfg.txt file or in the user data
field. Before you begin, make sure you have the following information.
| Field | Description |
| --- | --- |
| plugin-op-commands=set-sess-ress:True aws-gwlb-inspect:enable | Enables session resiliency, and enables the VM-Series firewall to process traffic passing through a GWLB. |
| redis-endpoint= | The IP address or FQDN and port of your ElastiCache Redis endpoint. |
| redis-auth= | (Optional) The auth code your VM-Series firewall uses to connect to the Redis endpoint. |