ScreenOS Firewalls (NOT SRX)

ISG2000 HA Active\Active Dual ISP WAN links

‎10-02-2008 08:23 PM
Is there a solution for a packet leaving one interface and returning on another interface with stateful inspection? Also, is there a solution for a packet leaving on one firewall but returning through the second in Active\Active mode? Thank you.

Re: ISG2000 HA Active\Active Dual ISP WAN links

‎10-03-2008 04:09 AM




If you want to run asymmetric traffic, then you will need policies to allow both parts of the traffic, and if it's TCP traffic then you would probably need to turn off syn-checking. This way, however, it just treats each flow as different sessions.


For the A/A cluster, if you have datalink forwarding enabled, then anything arriving at the inactive VSD will be forwarded over the link, but this will only work for one direction. This is well explained in the C&E guide with a nice h-shaped diagram: traffic coming into the wrong device will be forwarded over to the correct one, but if you want return traffic to cross on the way back it will not work (cross-VSD traffic using the data link).


Does that help?
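
The behaviour described in the reply above, as an added example that is not part of the original post and is not ScreenOS code: a simplified Python model of two stateful firewalls where the SYN leaves through one and the SYN-ACK returns through the other. The class names, check order, zone names and addresses are assumptions constructed for illustration.

```python
from dataclasses import dataclass, field

@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    sport: int
    dport: int
    flags: frozenset      # TCP flags, e.g. {"SYN"} or {"SYN", "ACK"}
    from_zone: str
    to_zone: str

@dataclass
class Firewall:
    name: str
    policies: set         # permitted (from_zone, to_zone) pairs
    syn_check: bool = True
    sessions: set = field(default_factory=set)

    def process(self, p):
        key = (p.src, p.sport, p.dst, p.dport)
        reverse = (p.dst, p.dport, p.src, p.sport)
        if key in self.sessions or reverse in self.sessions:
            return "pass: existing session"
        # First packet of a flow on this device: policy lookup, then SYN check.
        if (p.from_zone, p.to_zone) not in self.policies:
            return "drop: no policy"
        if self.syn_check and p.flags != frozenset({"SYN"}):
            return "drop: syn-check"
        self.sessions.add(key)
        return "pass: new session"

def asymmetric_flow(syn_check, return_policies):
    """SYN leaves through firewall A; the SYN-ACK comes back through firewall B."""
    a = Firewall("A", {("trust", "untrust")}, syn_check)
    b = Firewall("B", set(return_policies), syn_check)
    # Constructed sample packets (documentation address ranges).
    syn = Packet("10.0.0.5", "192.0.2.10", 40000, 443,
                 frozenset({"SYN"}), "trust", "untrust")
    synack = Packet("192.0.2.10", "10.0.0.5", 443, 40000,
                    frozenset({"SYN", "ACK"}), "untrust", "trust")
    return a.process(syn), b.process(synack), len(a.sessions), len(b.sessions)

if __name__ == "__main__":
    both = {("trust", "untrust"), ("untrust", "trust")}
    print(asymmetric_flow(True, both))                       # SYN check on
    print(asymmetric_flow(False, {("trust", "untrust")}))    # no return policy
    print(asymmetric_flow(False, both))                      # both changes made
```

In the last case each device holds its own one-sided session, and firewall B has admitted a packet for a connection whose opening SYN it never saw.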