A firewall inspects message traffic in network environments typically for the purpose of enforcing firewall security policies. Firewalls comprise hardware and/or software that function to prevent non-secure traffic from traversing from one system or network to another. Firewalls also inspect traffic for cost and regulatory compliance. Often, to improve reliability and responsiveness, firewalls are implemented as clusters of processors (e.g., servers). A cluster comprises an array of processors, such as servers or the like, that share common tasks, such as enforcing rules of the firewall policy. The cluster appears as a single firewall to the systems/networks connected on either end.
Firewalls act as filters either preventing or allowing the passage of message traffic, often in the form of IP packets, in accordance with rules. While a simple policy based on the source and destination IP of message traffic can be applied on a per packet basis, a more advanced policy requires a context to be evaluated. For example, more advanced policies could allow a packet to pass only if a specific packet has previously passed, or only if an entire connection is enabled based on a previous connection. This type of policy inspection capability is typically referred to as “stateful inspection” and the context that is maintained is referred to as the “state”.
Sharing the state between members of a cluster of firewall processors is difficult and problematic. Existing solutions typically duplicate the IP stack and all the state that is attached to the IP level processing. The drawback of this solution is that it does not handle states that apply to higher level protocols.