Concept of synchronization

As of version 4 of SNS, traffic is synchronized within a cluster through the Kernel To Kernel (K2K) streaming protocol over UDP port 44242.

Synchronization in real time

Objects that need to be synchronized in real time (TCP and UDP connection tables, IPState connection tables [GRE / ESP], SCTP associations, host tables, etc.) are continuously sent from the active firewall to the passive firewall and statuses are synchronized on the fly.

This means that you no longer need to wait for a swap between the firewalls for these tables to be integrated into the kernel of the passive firewall: connections are present there at all times in a larval state, i.e., ready to be enabled when a swap occurs. Since the links between filter rules and connections are already set up in the kernel of the passive firewall, recovery time is shorter and performance is enhanced.

Part of the reason for the better performance is that the K2K protocol removes bulk updates.
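Because K2K streams live connection-table state between the cluster members, a practitioner will want to confirm that UDP/44242 traffic only ever runs between the two HA-link addresses. The following audit over constructed flow records is an added example, not Stormshield code; it assumes the active and passive nodes use 10.255.0.1 and 10.255.0.2 on a dedicated HA link, and flags any K2K flow involving another endpoint.

```python
"""Audit flow records for K2K HA-synchronization traffic (UDP/44242).

Added example, not Stormshield code. It assumes the cluster members exchange
K2K on a dedicated HA link whose addresses are known (constructed here as
10.255.0.1 for the active node and 10.255.0.2 for the passive node).
"""
import ipaddress
from dataclasses import dataclass

K2K_PORT = 44242  # UDP port used by the Kernel To Kernel protocol (SNS 4+)

# Constructed sample flow records: "src,dst,proto,dport,bytes"
SAMPLE_FLOWS = """\
10.255.0.1,10.255.0.2,udp,44242,48210
10.255.0.1,10.255.0.2,udp,44242,51944
192.0.2.10,10.255.0.2,udp,44242,1200
10.255.0.1,198.51.100.7,udp,44242,900
10.0.1.5,10.0.2.9,tcp,443,3400
10.255.0.2,10.255.0.1,udp,44242,600
"""


@dataclass(frozen=True)
class Flow:
    src: ipaddress.IPv4Address
    dst: ipaddress.IPv4Address
    proto: str
    dport: int
    nbytes: int


def parse_flows(text: str) -> list[Flow]:
    """Parse the CSV-style records above into Flow objects, skipping blank lines."""
    flows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        src, dst, proto, dport, nbytes = line.split(",")
        flows.append(Flow(ipaddress.IPv4Address(src), ipaddress.IPv4Address(dst),
                          proto.lower(), int(dport), int(nbytes)))
    return flows


def audit_k2k(flows: list[Flow], active: str, passive: str) -> list[Flow]:
    """Return UDP/44242 flows where either endpoint is not a cluster member.

    Direction is deliberately not checked: updates go active -> passive, but
    any reply traffic between the same two HA addresses is still legitimate.
    """
    members = {ipaddress.IPv4Address(active), ipaddress.IPv4Address(passive)}
    return [f for f in flows
            if f.proto == "udp" and f.dport == K2K_PORT
            and not (f.src in members and f.dst in members)]
```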

Synchronization upon request

When an administrator changes the configuration of the active firewall, these changes are not immediately replicated on the passive firewall, which may need to restart in order to apply these changes in the cluster.

In such cases, the administrator may manually synchronize the firewalls at a chosen moment in one of two ways:

  • Either by clicking on the icon that appears in the upper banner of the cluster’s administration interface,
  • Or by using the CLI command (Configuration > System > CLI console): HA SYNC.
    For more details on this command, refer to the CLI SERVERD Commands Reference Guide.