The session setup firewall performs the Layer 2 through
Layer 4 processing necessary to set up a new session. The session
setup firewall also performs NAT using the NAT pool of the session
owner. You determine the session setup firewall in an active/active
configuration by selecting one of the following session setup load
sharing options.
| Session Setup Option | Description |
| --- | --- |
| IP Modulo | The firewall distributes the session setup load based on the parity of the source IP address. This is a deterministic method of sharing the session setup. |
| IP Hash | The firewall uses a hash of the source and destination IP addresses to distribute session setup responsibilities. |
| Primary Device | The active-primary firewall always sets up the session; only one firewall performs all session setup responsibilities. |
| First Packet | The firewall that receives the first packet of a session performs session setup. |
If you want to load-share the session
owner and session setup responsibilities, set session owner to First
Packet and session setup to IP modulo. These are the recommended settings.
The firewall uses the HA3 link to send packets to its peer for
session setup if necessary. The following figure and text describe
the path of a packet that firewall FW1 receives for a new session.
The red dotted lines indicate FW1 forwarding the packet to FW2 and
FW2 forwarding the packet back to FW1 over the HA3 link.
1. The end host sends a packet to FW1.
2. FW1 examines the contents of the packet to match it to an existing session. If there is no session match, FW1 determines that it has received the first packet for a new session and therefore becomes the session owner (assuming Session Owner Selection is set to First Packet).
3. FW1 uses the configured session setup load-sharing option to identify the session setup firewall. In this example, FW2 is configured to perform session setup.
4. FW1 uses the HA3 link to send the first packet to FW2.
5. FW2 sets up the session and returns the packet to FW1 for Layer 7 processing, if any.
6. FW1 then forwards the packet out the egress interface to the destination.
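The owner/setup decision above, modelled as an added example (not vendor code): session owner is First Packet, and each setup option picks the setup peer. The even-parity-to-FW1 mapping and the XOR used for the IP Hash option are assumptions for illustration, not the firewall's actual algorithm.

```python
import ipaddress
from collections import Counter
from dataclasses import dataclass

# Assumption: two HA peers; parity 0 maps to FW1, parity 1 to FW2.
PEERS = ("FW1", "FW2")


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    received_by: str   # firewall that received the first packet of the session


def setup_firewall(pkt: Packet, option: str, primary: str = "FW1") -> str:
    """Return the session setup firewall for a new session under the given option."""
    src = int(ipaddress.ip_address(pkt.src))
    dst = int(ipaddress.ip_address(pkt.dst))
    if option == "ip-modulo":
        return PEERS[src % 2]                 # parity of the source IP address
    if option == "ip-hash":
        # Illustrative hash of source and destination; the real hash is not documented here.
        return PEERS[(src ^ dst) % 2]
    if option == "primary-device":
        return primary                        # active-primary always sets up
    if option == "first-packet":
        return pkt.received_by                # receiver of the first packet sets up
    raise ValueError(f"unknown session setup option: {option}")


def session_path(pkt: Packet, option: str, primary: str = "FW1") -> dict:
    """Owner (First Packet), setup peer, and whether the first packet crosses HA3."""
    owner = pkt.received_by
    setup = setup_firewall(pkt, option, primary)
    return {"owner": owner, "setup": setup, "ha3_forward": setup != owner}


def setup_distribution(flows, option: str) -> Counter:
    """Count how many new sessions each peer sets up; shows the load-sharing effect."""
    return Counter(setup_firewall(f, option) for f in flows)


if __name__ == "__main__":
    # Constructed sample flows using documentation addresses.
    flows = [Packet(f"192.0.2.{i}", "198.51.100.5", "FW1") for i in range(1, 9)]
    for f in flows[:2]:
        print(f.src, session_path(f, "ip-modulo"))
    print(dict(setup_distribution(flows, "ip-modulo")))   # {'FW2': 4, 'FW1': 4}
```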
The following figure and text describe the path of a packet that
matches an existing session:
1. The end host sends a packet to FW1.
2. FW1 examines the contents of the packet to match it to an existing session. If the packet matches an existing session, FW1 processes the packet and sends it out the egress interface to the destination.