Справочник Пользователя для SonicWALL 5.8.1
High Availability
1140
SonicOS 5.8.1 Administrator Guide
Active/Active DPI Overview
This section provides an introduction to the Active/Active DPI feature. Active/Active DPI
requires Stateful High Availability and is supported on SonicWALL E-Class NSA appliances.
This section contains the following subsections:
requires Stateful High Availability and is supported on SonicWALL E-Class NSA appliances.
This section contains the following subsections:
•
•
•
What is Active/Active DPI?
The High Availability feature on versions of SonicOS Enhanced prior to 5.5 uses an active-idle
model that requires the active firewall to perform all Deep Packet Inspection (DPI), firewall,
NAT, and other processing, while the idle firewall is not utilized until failover occurs. In an
active/active model, both firewalls share the processing.
model that requires the active firewall to perform all Deep Packet Inspection (DPI), firewall,
NAT, and other processing, while the idle firewall is not utilized until failover occurs. In an
active/active model, both firewalls share the processing.
As a first step towards complete Active/Active High Availability, DPI services are migrated to
an Active/Active model, referred to as Active/Active DPI. The following DPI services are
affected:
an Active/Active model, referred to as Active/Active DPI. The following DPI services are
affected:
•
Gateway Anti-Virus (GAV)
•
Anti-Spyware
•
Intrusion Protection (IPS)
•
Application Firewall
When Active/Active DPI is enabled on a Stateful HA pair, these DPI services can be processed
concurrently with firewall, NAT, and other modules on both the active and idle firewalls.
Processing of all modules other than DPI services is restricted to the active unit.
concurrently with firewall, NAT, and other modules on both the active and idle firewalls.
Processing of all modules other than DPI services is restricted to the active unit.
Benefits of Active/Active DPI
The benefits of the Active/Active DPI feature include the following:
•
Both the firewalls in the HA pair are utilized to derive maximum throughput
•
GAV, IPS, Anti-Spyware, and Application Firewall services are the most processor
intensive, and concurrent processing of these services on the idle firewall while the active
firewall performs other processing provides the most throughput gain
intensive, and concurrent processing of these services on the idle firewall while the active
firewall performs other processing provides the most throughput gain
How Does Active/Active DPI Work?
To use the Active/Active DPI feature, the administrator must configure an additional interface
as the HA Data Interface. Certain packet flows on the active unit are selected and offloaded to
the idle unit on the HA data interface. DPI is processed on the idle unit and then the results are
returned to the active unit over the same interface. The remaining processing is performed on
the active unit.
as the HA Data Interface. Certain packet flows on the active unit are selected and offloaded to
the idle unit on the HA data interface. DPI is processed on the idle unit and then the results are
returned to the active unit over the same interface. The remaining processing is performed on
the active unit.
After configuring Stateful High Availability on the appliances in the HA pair, connecting and
configuring the HA data interface is the only additional configuration required to enable Active/
Active DPI.
configuring the HA data interface is the only additional configuration required to enable Active/
Active DPI.