CPUG
The Check Point User Group
A Resource For The Check Point Community. Fast. Useful. Independent.
In the "Checkpoint Security Administration NGX 2 1.1" book (page 441) I have read something that I don't understand, and I hope someone could explain it. "The router sends the packet to the pivot." (OK.) "The pivot forwards the packet to the designated cluster member." (OK.) ... "The packet is forwarded through the same interface from which it originally came." (??) From what I understand, and from the figure in the book, it looks like the pivot gets the packet from the router and decides to forward it to cluster member X, but it does not forward the packet directly to that GW through the sync interface; it sends it back to the router, then the router sends it again to the PIVOT, and only then the PIVOT sends it to the cluster member through the sync interface. What's the point? Why didn't the pivot send it directly to the cluster member from the beginning? Why send it to the router again, get it back again, and only then send it to the cluster member? What is going on behind the scenes? Thanks a lot!
My understanding of it saying that it forwards the packet to another gateway from the same interface is this: imagine a pair of firewalls where eth1 is the internal, eth2 is the sync and eth3 the external. A packet is received on eth1 of the pivot, and it decides that cluster member 2 will deal with the connection. The pivot then forwards the packet to cluster member 2 back out via eth1, and cluster member 2 then deals with the connection. The sync network isn't used for forwarding connection packets to the other cluster members. Hope this is clearer.
Yeah, but it was difficult for me to understand because, anyway, after the router gets the packet again, it sends it again to the PIVOT, and then the pivot sends it to the cluster member via the SYNC INTERFACE. So it looks like unnecessary traffic. I mean, why send the packet to the router from the beginning? What does the router do that the pivot couldn't? Anyway it comes back to it, and it has to forward the packet via the sync interface, because the internal interface is connected directly to the router, and no other cluster member is connected to the router, so the only option for the packet is to go through the sync interface to the cluster member. Am I wrong?
Yes, you are. Did you hear about switches? ;) Why not use them to connect the members of the cluster? ;) The sync interface is used ONLY for updating dynamic state tables between cluster members.
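To make the packet walk the replies describe concrete, here is a small model of pivot-based load sharing, written for this thread and not taken from the book or from Check Point's code. It assumes a two-member cluster behind a switch, members named fw1 (pivot) and fw2, eth1 as the internal interface, and a hash of the connection tuple as the member-selection rule; it records which links carry data packets and which carry only state updates.

```python
# Added model of ClusterXL Load Sharing Unicast forwarding, as discussed in the
# thread. Member names, interface names and the hash-based selection rule are
# assumptions made for this illustration, not Check Point's implementation.
from dataclasses import dataclass, field
import hashlib


@dataclass
class Packet:
    src: str
    dst: str
    sport: int
    dport: int


@dataclass
class Cluster:
    members: list                                   # members[0] is the pivot
    hops: list = field(default_factory=list)        # data-plane path, (from, to)
    sync_link: list = field(default_factory=list)   # everything crossing eth2 (sync)

    def choose_member(self, pkt):
        # Deterministic hash of the connection tuple: the same flow always lands
        # on the same member, so return traffic is handled consistently.
        key = f"{pkt.src}:{pkt.sport}->{pkt.dst}:{pkt.dport}".encode()
        return self.members[int(hashlib.sha256(key).hexdigest(), 16) % len(self.members)]

    def deliver(self, pkt, ingress="eth1"):
        """Walk one packet: router -> switch -> pivot -> (same interface) -> owner."""
        pivot = self.members[0]
        self.hops += [("router", "switch"), ("switch", f"{pivot}/{ingress}")]
        owner = self.choose_member(pkt)
        if owner != pivot:
            # The pivot sends the packet back out the interface it arrived on; the
            # switch delivers it to the chosen member. The router is not involved
            # again and the sync interface is not used for the data packet.
            self.hops += [(f"{pivot}/{ingress}", "switch"), ("switch", f"{owner}/{ingress}")]
        # Only the state-table update for the connection crosses the sync link.
        self.sync_link.append(("state-update", owner, (pkt.src, pkt.dst, pkt.sport, pkt.dport)))
        return owner


def data_on_sync(cluster):
    """True if anything other than a state update was carried over the sync network."""
    return any(kind != "state-update" for kind, *_ in cluster.sync_link)


def pivot_egress_interfaces(cluster):
    """Interfaces the pivot forwarded out of; expected to equal the ingress set."""
    return {src.split("/")[1] for src, _ in cluster.hops if src.startswith(cluster.members[0] + "/")}
```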