CCSP Cisco Secure PIX Firewall Advanced Exam Certification Guide, Second Edition [Electronic resources] نسخه متنی

Foundation Summary

The "Foundation Summary" provides a convenient review of many key concepts in this chapter. If you are already comfortable with the topics in this chapter, this summary can help you recall a few details. If you just read this chapter, this review should help solidify some key facts. If you are doing your final preparation before the exam, this summary provides a convenient way to review the day before the exam.

Failover enables you to connect a second PIX Firewall unit to your network to protect your network should the first unit go offline. If you use stateful failover, you can maintain operating state for TCP connections during the failover from the primary unit to the standby unit.

Failover is triggered by some of the following events:

• Loss of power

• The standby unit is forced by an administrator to be active

• Cable errors

• Memory exhaustion

• Failover communication loss

Failover requires you to purchase a second PIX Firewall unit, sold as a failover unit, that works only as a failover unit. You need to ensure that both units have the same software version (which should be the version with unrestricted licensing), activation key type, Flash memory, and the same RAM. After you configure the primary unit and attach the necessary cabling, the primary unit automatically copies the configuration over to the standby unit.

If a failure is due to a condition other than a loss of power on the other unit, failover begins a series of tests to determine which unit failed. This series of tests begins when hello messages are not heard for two consecutive 15-second intervals (the interval length depends on how you set the failover poll command). Hello messages are sent over both network interfaces and the failover cable. Failover uses the following tests to determine the other unit's availability:

• Link up/down

• Network activity

• Address Resolution Protocol

• Ping

The stateful failover feature passes per-connection stateful information to the standby unit. After a failover occurs, the same connection information is available at the new active unit. Most end-user applications do not have to reconnect to maintain the communication session.