The goal of high availability computer network environments is to provide users and other entities with “always on” service. That is, high availability computer network environments should provide reliable, continuous service. To accomplish this, network devices in a high availability environment perform error detection and implement recoverability for detected errors. Unfortunately, network devices occasionally fail. For example, a software or hardware problem or a power fault within a security device may cause all or a portion of the security device to stop functioning.
When a network device fails, all network traffic flowing through the failed network device may cease. For an enterprise that depends on such network traffic, this may be unacceptable, even if this failure occurs only for a short time. To minimize the possibility of a failure causing all network traffic to cease, redundant hardware such as a backup controller or a separate backup network device may be installed. Thus, if the network device that has primary responsibility for performing the security services (i.e., the master device) fails, the backup device may be quickly substituted for the master device. In other words, the failing network device “fails over” to the backup device. A master device may also “switch over” to the backup device to go offline temporarily, e.g., to install software and/or firmware updates or to undergo other routine maintenance procedures. In general, failover is considered a form of switchover. After failing over or switching over to the backup device, the backup device becomes the master device. High availability clusters often include such primary and backup network devices.
An intrusion detection and prevention (IDP) device inspects application layer (that is, OSI Layer Seven) data to attempt to detect malicious traffic. In general, IDP devices execute one or more complex finite automata or algorithms, using the application layer data as input, to detect patterns and event sequences that are indicative of malicious traffic. This complex detection process often requires generation and maintenance of substantial state information that describes the current traffic patterns and events of the current application-layer session. The substantial state information often prohibits the effective use of high availability with respect to IDP devices.
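The following added example (not part of the original text) illustrates why per-session automaton state matters across a failover: a single-pattern KMP automaton stands in for an IDP device's far more complex automata, and a backup that has not received the master's session state fails to recognize a pattern that spans two packets. The class and function names, the signature bytes, and the session tuple are all constructed for illustration.

```python
def build_failure(pattern: bytes):
    """KMP failure table: where the automaton falls back on a mismatch."""
    fail = [0] * len(pattern)
    k = 0
    for i in range(1, len(pattern)):
        while k and pattern[i] != pattern[k]:
            k = fail[k - 1]
        if pattern[i] == pattern[k]:
            k += 1
        fail[i] = k
    return fail

class SessionMatcher:
    """Hypothetical inspector keeping one automaton state per session."""
    def __init__(self, pattern: bytes):
        self.pattern = pattern
        self.fail = build_failure(pattern)
        self.sessions = {}  # session key -> current automaton state

    def inspect(self, session, payload: bytes) -> bool:
        """Feed one packet payload; return True if the pattern completed."""
        state = self.sessions.get(session, 0)
        hit = False
        for byte in payload:
            while state and byte != self.pattern[state]:
                state = self.fail[state - 1]
            if byte == self.pattern[state]:
                state += 1
            if state == len(self.pattern):
                hit = True
                state = self.fail[state - 1]
        self.sessions[session] = state  # state carried to the next packet
        return hit

    def export_state(self):
        return dict(self.sessions)

    def import_state(self, snapshot):
        self.sessions.update(snapshot)

def run_failover(sync: bool) -> bool:
    """Master sees the first packet, backup the second (constructed data)."""
    pattern = b"constructed-signature"
    session = ("192.0.2.5", 40000, "192.0.2.9", 80)
    master, backup = SessionMatcher(pattern), SessionMatcher(pattern)
    master.inspect(session, b"GET /?q=construc")
    if sync:  # state synchronization before the backup takes over
        backup.import_state(master.export_state())
    return backup.inspect(session, b"ted-signature HTTP/1.1")
```

Here the state is a single integer per session; the state an IDP device maintains for its application-layer sessions is much larger, which is the difficulty the paragraph above describes.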