How Does State Synchronization Work?

Check Point syncs the "changes" every 50-100 milliseconds (depending on version). In addition, it takes at least 55ms for FireWall-1 to "process" those updates. If there are a lot of changes within that period of time, there will be lots of traffic between the two hosts. A dedicated network connection should be used between the firewalls participating in state synchronization (preferably 100Mbps Full Duplex Ethernet or better).
In FireWall-1 4.1 and earlier, state sync uses a TCP connection between the gateways. In NG, a layer-2 protocol is used that looks vaguely like UDP traffic, but is not.
State Synchronization is not meant to solve the problem of asymmetric routing. This is where a connection request comes in through one firewall and goes out through another. State Synchronization cannot process the updates fast enough in many cases, thus causing connections to fail or, in the case of TCP, be severely delayed. Under no circumstances should FireWall-1 be used in an asymmetric routing situation.
The sync process itself can be very CPU intensive, particularly for busy sites doing HTTP (which is generally transitory in nature anyway).
--
PhoneBoy - 11 Jan 2004
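The timing problem behind the asymmetric-routing warning above can be shown with a small model of two stateful gateways that exchange state updates with a delay. This is an added illustration, not Check Point code or anything from the FAQ author: the only figures taken from the text are the 50-100ms sync interval and the 55ms processing time; the gateway model, the constructed 5-tuple and the helper names (Gateway, handle_packet, simulate) are assumptions of this example.

```python
"""Toy model of state synchronization between two stateful firewalls.

Constructed example (not Check Point code). The delay figures come from the
FAQ text: changes are synced every 50-100 ms and the peer needs at least
55 ms to process them. Everything else is a modelling assumption.
"""

from dataclasses import dataclass, field

SYNC_INTERVAL_MS = 100   # worst case from the FAQ: changes synced every 50-100 ms
SYNC_PROCESS_MS = 55     # FAQ: at least 55 ms for the peer to process an update


def sync_delay_ms():
    """Time from a state change on one gateway until the peer can act on it."""
    return SYNC_INTERVAL_MS + SYNC_PROCESS_MS


@dataclass
class Gateway:
    name: str
    table: set = field(default_factory=set)        # connections this gateway knows
    pending: list = field(default_factory=list)    # (deliver_at_ms, conn) from the peer

    def apply_sync(self, now_ms):
        """Move peer updates whose delivery time has passed into the state table."""
        still_pending = []
        for deliver_at, conn in self.pending:
            if deliver_at <= now_ms:
                self.table.add(conn)
            else:
                still_pending.append((deliver_at, conn))
        self.pending = still_pending


def handle_packet(gw, peer, now_ms, conn, is_new):
    """Return 'ACCEPT' or 'DROP' for one packet of connection `conn`.

    A connection-opening packet creates state locally and schedules a sync
    update for the peer; any other packet must match existing state.
    """
    gw.apply_sync(now_ms)
    if is_new:
        gw.table.add(conn)
        peer.pending.append((now_ms + sync_delay_ms(), conn))
        return "ACCEPT"
    return "ACCEPT" if conn in gw.table else "DROP"


def simulate(reply_path_symmetric, reply_rtt_ms):
    """Open a connection through gateway A at t=0 and return the verdicts for
    the opening packet and for the reply arriving `reply_rtt_ms` later.

    With a symmetric path the reply also hits A; with an asymmetric path it
    hits B, which only knows the connection once the sync update has landed.
    """
    a, b = Gateway("A"), Gateway("B")
    conn = ("10.0.0.5", 40000, "192.0.2.10", 80, "tcp")   # constructed 5-tuple
    first = handle_packet(a, b, 0, conn, is_new=True)
    reply_gw, reply_peer = (a, b) if reply_path_symmetric else (b, a)
    second = handle_packet(reply_gw, reply_peer, reply_rtt_ms, conn, is_new=False)
    return first, second


if __name__ == "__main__":
    print("symmetric, 20 ms reply :", simulate(True, 20))
    print("asymmetric, 20 ms reply:", simulate(False, 20))
    print("asymmetric, 200 ms reply:", simulate(False, 200))
```

A reply that returns through the other gateway within the sync window (20ms here, well under the modelled 155ms) is dropped for lack of state; only a reply slow enough to arrive after the update has been applied gets through, which is exactly the "connections fail or are severely delayed" behaviour the FAQ describes.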