Tracking UTM high availability

Tested products range from facy to dead simple

The high-availability (HA) and scalability features in the enterprise UTM firewalls we tested range from very fancy to dead simple.

We believe that most network managers will go for the "dead simple" end of the spectrum on the theory that the more complicated it is, the more likely it is to fail.

We gave the highest scores to products that recovered within four seconds and took points off when products took more than a minute to restart traffic flows.

While most vendors -- SonicWall and WatchGuard were the exceptions -- also offer active/active HA in which two firewalls load-balance automatically between themselves, we tested active/passive HA in which a hot standby system takes over when the active node goes down.

The argument here is that any performance benefits achieved from an active/active configuration would pale in comparison to the guarantee that when a HA event occurs to an active/passive configuration, you'll still have just as good performance as before the event. Because a typical HA event might be a hardware failure that could take a box out for 24 to 72 hours, having the same performance before and after would be pretty important.

We made an exception to this rule, for Check Point firewalls, because we had four platforms running the same software, and we wanted to see whether there were differences in the different HA approaches. On Check Point's own hardware, we tested using Check Point's active/active and on Nokia hardware, we tested using Nokia's IPSO clustering.

Our tests showed that the HA features in Check Point's software running on all hardware platforms and on Juniper products fails over with no traffic blocked (by our four-second definition). We turned off a system and sessions kept flowing through both vendor's failover UTM firewall. This was true for the Check Point UTM-1 2050, Crossbeam C25, Nokia IP290, and both the Juniper ISG-1000 and SSG-520M firewalls.

The biggest key to nonstop success is the willingness to waste IP addresses. With Check Point HA, called ClusterXL, Nokia IPSO clustering and Juniper HA, each device has its own IP address, and the pair also has a third IP address as well as an additional (virtual) MAC address. When an HA event occurs, the remaining node takes over the HA IP and MAC addresses, assuring that no one outside of the cluster has to adjust and traffic can keep flowing as soon as the HA event is detected - always within our four second limit.

Contrast that configuration with those required of the Astaro ASG425a, the FortiGate 3600A, the SonicWall PRO 5060 and the WatchGuard Firebox X8500e. All these systems had much easier systems for setting up high availability, requiring only a single IP address for each LAN segment. However, that simplicity cost these implementations between eight and 72 seconds of zero data flow through the test bed when an HA even occurred. In most businesses, one minute of downtime after a hardware failure would be considered fantastic, but to get our highest score, systems had to detect the HA event and keep traffic flowing in less than four seconds.

Two products -- Nokia's IP290 and Astaro's ASG425a -- offer multinode clustering, which is a potential solution to the problem of losing a single node in a high-availability environment. With multinode clustering, you can keep adding devices into the cluster, making it (in theory) increasingly reliable and fast.

Although this seems like a particularly effective solution to high availability and scalability, remember that the entire cluster still can't go any faster than the 1Gbps physical Ethernet interfaces that feed it. With base throughput of greater than 1Gbps on a single node in half of the configurations we tested, there's not a lot of normal enterprise UTM firewall deployment architectures that would really take advantage of this feature.

Our adventures in HA had only two real glitches. The first was that we found the Astaro ASG 425a HA to be problematic and unreliable. For example, after we rebooted one node in an HA pair, the second node decided that it was the HA "master" and we had two different firewalls, each claiming to represent the cluster. That was a particularly frightening situation, because if you weren't looking for the HA status, you wouldn't realize that the systems were running independently, on the same IP address, with the potential for instability and loss of any configuration changes made while in this strange state.

The second HA glitch we found Nokia's IPSO clustering feature that was specifically related to load balancing and NAT. During testing we saw throughput of the load-sharing cluster go up when we shut one of the nodes off. We did our performance testing with NAT disabled to compensate for this problem. Nokia was researching this issue at press time.

Read related articles:
Check Point UTM management falters; Cisco, Juniper gain
UTM and IPv6: Do they mix?
UTM performance takes a hit
Juniper, Cisco all-in-1 devices hit on intrusion-prevention
VPN capabilities vary widely across UTM firewall devices
A closer look at UTM hardware architecture
UTMs require routing for flexibility's sake
Watts up with power consumption?
AV's place is not in the all-in-one security box

Join the newsletter!


Sign up to gain exclusive access to email subscriptions, event invitations, competitions, giveaways, and much more.

Membership is free, and your security and privacy remain protected. View our privacy policy before signing up.

Error: Please check your email address.
Keep up with the latest tech news, reviews and previews by subscribing to the Good Gear Guide newsletter.
Joel Snyder

Joel Snyder

Network World
Show Comments

Brand Post

Most Popular Reviews

Latest Articles


PCW Evaluation Team

Tom Pope

Dynabook Portégé X30L-G

Ultimately this laptop has achieved everything I would hope for in a laptop for work, while fitting that into a form factor and weight that is remarkable.

Tom Sellers


This smart laptop was enjoyable to use and great to work on – creating content was super simple.

Lolita Wang


It really doesn’t get more “gaming laptop” than this.

Jack Jeffries


As the Maserati or BMW of laptops, it would fit perfectly in the hands of a professional needing firepower under the hood, sophistication and class on the surface, and gaming prowess (sports mode if you will) in between.

Taylor Carr


The MSI PS63 is an amazing laptop and I would definitely consider buying one in the future.

Christopher Low

Brother RJ-4230B

This small mobile printer is exactly what I need for invoicing and other jobs such as sending fellow tradesman details or step-by-step instructions that I can easily print off from my phone or the Web.

Featured Content

Product Launch Showcase

Don’t have an account? Sign up here

Don't have an account? Sign up now

Forgot password?