> I'd say that's really implementation specific. I can see why this would be
> the case, but that really depends on the actual solution.

I'm not so sure it's all that specific. I can conceive of somewhat extreme
circumstances where load balancing multiple firewalls is more cost-effective
than buying a pair of firewalls capable of handling the load independently.
This would require an initial throughput requirement in excess of 4Gbps and
the need to scale up to more than 4x that quickly. However, in this case, we
know from one of Keith's earlier posts that load-balancing is a customer
requirement, not a technical requirement.

Load-balancing done by firewalls has an overhead cost due to copying state
table entries back and forth that has to be factored into throughput
calculations. This is especially an issue for firewalls tracking large
numbers of connections. Load-balancing done outside the firewalls
complicates matters even more, and, depending on the specific combination of
firewall and load balancer, can lead to intermittent failures for certain
types of traffic or blind spots in policy enforcement.


