High Availability
SonicOS 5.8.1 Administrator Guide
Active/Active DPI Overview
This section provides an introduction to the Active/Active DPI feature. Active/Active DPI
requires Stateful High Availability and is supported on SonicWALL E-Class NSA appliances.
This section contains the following subsections:
• “What is Active/Active DPI?”
• “Benefits of Active/Active DPI”
• “How Does Active/Active DPI Work?”
What is Active/Active DPI?
The High Availability feature on versions of SonicOS Enhanced prior to 5.5 uses an active-idle
model that requires the active firewall to perform all Deep Packet Inspection (DPI), firewall,
NAT, and other processing, while the idle firewall is not utilized until failover occurs. In an
active/active model, both firewalls share the processing.
As a first step towards complete Active/Active High Availability, DPI services are migrated to
an Active/Active model, referred to as Active/Active DPI. The following DPI services are
affected:
• Gateway Anti-Virus (GAV)
• Anti-Spyware
• Intrusion Protection (IPS)
• Application Firewall
When Active/Active DPI is enabled on a Stateful HA pair, these DPI services can be processed
concurrently with firewall, NAT, and other modules on both the active and idle firewalls.
Processing of all modules other than DPI services is restricted to the active unit.
Benefits of Active/Active DPI
The benefits of the Active/Active DPI feature include the following:
• Both firewalls in the HA pair are utilized to derive maximum throughput.
• GAV, IPS, Anti-Spyware, and Application Firewall services are the most processor
intensive, so processing these services on the idle firewall while the active
firewall performs other processing provides the most throughput gain.
How Does Active/Active DPI Work?
To use the Active/Active DPI feature, the administrator must configure an additional interface
as the HA Data Interface. Certain packet flows on the active unit are selected and offloaded to
the idle unit over the HA data interface. DPI is processed on the idle unit, and the results are
then returned to the active unit over the same interface. The remaining processing is performed on
the active unit.
After configuring Stateful High Availability on the appliances in the HA pair, connecting and
configuring the HA data interface is the only additional configuration required to enable
Active/Active DPI.