Node state synchronization

The nodes of a Firewall Cluster periodically exchange synchronization messages to synchronize state data.

State synchronization is essential for the following features:

  • Dynamic load balancing
  • Transparent switchover of nodes in case of failure or maintenance
  • Handling of related connections when a service (for example, FTP) opens multiple connections

Regular, timer-launched synchronization events are needed to synchronize state data and to avoid cutting connections in case of node failure. Timed synchronization events are divided into full and incremental sync messages.

Table 1. Sync messages
| Type | Explanation |
|---|---|
| Full Sync Messages | Contain all connection data about the traffic handled by a node at the time when the message was sent. When new data is received, it replaces the existing data. Full sync requires more bandwidth and processing time. |
| Incremental Sync Messages | Contain only data on connections that were created or changed since the last full or incremental sync message. Incremental sync needs less bandwidth and processing time. Since the incremental changes are sent only once, the system might lose connections if the data is lost. While able to produce accurate data with frequent updates, incremental sync requires full sync to provide reliable synchronization data. |

By default, a combination of full and incremental sync messages is exchanged between nodes. This way, frequent updates on incremental changes and recurrent reports on existing connections are combined.
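
The interaction between the two message types in Table 1, shown as an added example that is not part of the original documentation or the product's code: a simplified Python model in which one incremental message is lost and a later full sync repairs the peer's view. The class names, message layout and sample connection entries are assumptions made for illustration.

```python
# Simplified model of full + incremental sync; names and layout are assumptions.
class Node:
    def __init__(self):
        self.connections = {}   # conn id -> state, traffic handled by this node
        self.pending = {}       # changes since the last sync message (None = closed)

    def update(self, conn, state):
        self.connections[conn] = state
        self.pending[conn] = state

    def close(self, conn):
        self.connections.pop(conn, None)
        self.pending[conn] = None

    def incremental_sync(self):
        msg = {"type": "incremental", "changes": self.pending}
        self.pending = {}       # incremental changes are sent only once
        return msg

    def full_sync(self):
        self.pending = {}
        return {"type": "full", "connections": dict(self.connections)}

class Replica:                  # a peer's copy of another node's connection table
    def __init__(self):
        self.connections = {}

    def receive(self, msg):
        if msg["type"] == "full":
            self.connections = dict(msg["connections"])  # replaces existing data
            return
        for conn, state in msg["changes"].items():
            if state is None:
                self.connections.pop(conn, None)
            else:
                self.connections[conn] = state

def simulate():
    node, peer = Node(), Replica()
    node.update("10.0.0.5:40001->192.0.2.10:21", "ESTABLISHED")  # constructed sample
    peer.receive(node.incremental_sync())
    node.update("10.0.0.5:40002->192.0.2.10:20", "ESTABLISHED")  # related FTP data conn
    node.incremental_sync()                 # message built but lost in transit
    after_loss = set(node.connections) - set(peer.connections)
    peer.receive(node.incremental_sync())   # nothing pending: loss is not repaired
    still_missing = set(node.connections) - set(peer.connections)
    peer.receive(node.full_sync())          # full sync replaces the peer's data
    return after_loss, still_missing, peer.connections == node.connections
```

Until the full sync arrives, a failover to the peer in this model would not carry the second connection, which is the gap the recurring full sync messages close.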

In cases where synchronization of connection information between nodes is causing a disturbance to specific traffic, you can disable synchronization for the traffic using rule options in the Policy. Disabling synchronization reduces the traffic volume on the active heartbeat interface, but it also prevents transparent failover of connections to other nodes.