Session Resiliency for the VM-Series on Public Clouds
Focus
Focus
What's New in the NetSec Platform

Session Resiliency for the VM-Series on Public Clouds

Table of Contents

Session Resiliency for the VM-Series on Public Clouds

You can enable session resiliency to help maintain sessions continuity for VM-Series firewalls deployed in a cluster on AWS and GCP.
Session resiliency allows the VM-Series firewall deployed in a cluster on AWS or GCP to maintain session continuity during a failure event. The AWS Gateway Load Balancer (GWLB) and GCP Network Load Balancer (NLB) can detect and deregister unhealthy VM-Series firewalls deployed in a horizontally scalable cluster behind. With session resiliency enabled, the GWLB and NLB can rehash existing traffic sessions flowing toward an unhealthy VM-Series and redirect the traffic to a healthy VM-Series firewall.
To maintain sessions failing over to healthy VM-Series firewalls, you must deploy a Redis cache accessible to your VM-Series firewalls— ElastiCache for Redis for AWS and Memorystore for Redis for GCP. The Redis cache maintains session information. When your load balancer detects an unhealthy VM-Series firewall, the load balancer rebalances traffic to a healthy VM-Series firewall. The healthy VM-Series firewall accesses the Redis cache for session information and continues to inspect and forward the existing traffic.
Traffic inspection of the rehashed traffic flows is Layer 4 only. The VM-Series firewall inspects traffic in new sessions up to Layer 7.
Enable session resiliency on the VM-Series firewall by passing the configuration as part of a bootstrapping init-cfg.txt file or in the user data field using the following new parameters.
op-command-modes=mgmt-interface-swap plugin-op-commands=set-sess-ress:True redis-endpoint=<redis-IP-address:port> redis-auth=<redis-auth-code> redis-certificate=
Session resiliency can't be enabled on existing VM-Series firewall instances; only on newly deployed instances.