Session Setup

The session setup firewall performs the Layer 2 through Layer 4 processing necessary to set up a new session. The session setup firewall also performs NAT, using the NAT pool of the session owner (which need not be the same device). In an active/active configuration you determine which firewall performs session setup by selecting one of the following session setup load-sharing options:
IP Modulo: The firewall distributes the session setup load based on the parity (even or odd) of the source IP address. This is a deterministic method of sharing the session setup; a given source address always maps to the same firewall.
IP Hash: The firewall uses a hash of the source and destination IP addresses to distribute session setup responsibilities.
Primary Device: The active-primary firewall always sets up the session; only one firewall performs all session setup responsibilities.
First Packet: The firewall that receives the first packet of a session performs session setup.
  • If you want to load-share both the session owner and session setup responsibilities, set Session Owner to First Packet and Session Setup to IP Modulo. These are the recommended settings.
  • If you want to troubleshoot or capture logs or pcaps, or if you want an active/active HA pair to function like an active/passive HA pair, set both Session Owner and Session Setup to Primary Device so that the active-primary firewall performs all traffic processing. See Use Case: Configure Active/Active HA with Floating IP Address Bound to Active-Primary Firewall.
The firewall uses the HA3 link to send packets to its peer for session setup if necessary. The following figure and text describe the path of a packet that firewall FW1 receives for a new session. The red dotted lines indicate FW1 forwarding the packet to FW2 and FW2 forwarding the packet back to FW1 over the HA3 link.
[Figure: HA_active_active_new_session.png]
  • The end host sends a packet to FW1.
  • FW1 examines the contents of the packet to match it to an existing session. If there is no session match, FW1 determines that it has received the first packet for a new session and therefore becomes the session owner (assuming Session Owner Selection is set to First Packet).
  • FW1 uses the configured session setup load-sharing option to identify the session setup firewall. In this example, FW2 is configured to perform session setup.
  • FW1 uses the HA3 link to send the first packet to FW2.
  • FW2 sets up the session and returns the packet to FW1 for Layer 7 processing, if any.
  • FW1 then forwards the packet out the egress interface to the destination.
The following figure and text describe the path of a packet that matches an existing session:
[Figure: HA_active_active_existing_session.png]
  • The end host sends a packet to FW1.
  • FW1 examines the contents of the packet to match it to an existing session. If the session matches an existing session, FW1 processes the packet and sends the packet out the egress interface to the destination.
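The following Python model, added here as an illustration and not code from the PAN-OS documentation or the product, ties together the load-sharing option table above and the two packet paths just described. It selects the session setup firewall under each option and traces whether a packet arriving at one firewall stays local or is handed to the peer over HA3. The device names FW1 and FW2 follow the figures; the even-to-FW1 parity mapping for IP Modulo, the SHA-256 digest standing in for the unspecified IP Hash function, the 5-tuple session key, and the fixed First Packet owner selection are assumptions made for the example. The sample packets are constructed.

```python
import hashlib
import ipaddress
from dataclasses import dataclass, field

# Device names as in the page's figures (hypothetical cluster).
FW1, FW2 = "FW1", "FW2"


@dataclass(frozen=True)
class Packet:
    """Minimal 5-tuple; constructed for this example."""
    src: str
    dst: str
    sport: int
    dport: int
    proto: str = "tcp"

    def key(self):
        # Assumption: sessions are matched on the 5-tuple.
        return (self.src, self.dst, self.sport, self.dport, self.proto)


def session_setup_device(option, pkt, receiving_fw, primary_fw):
    """Return the firewall that performs session setup for pkt under option."""
    if option == "ip-modulo":
        # Parity of the source address decides. Assumption: even -> FW1,
        # odd -> FW2; the page states parity is used but not the mapping.
        parity = int(ipaddress.ip_address(pkt.src)) % 2
        return FW1 if parity == 0 else FW2
    if option == "ip-hash":
        # Source AND destination feed the hash (unlike IP Modulo). Assumption:
        # the real hash is unspecified; a stable digest stands in for it.
        digest = hashlib.sha256(f"{pkt.src}|{pkt.dst}".encode()).digest()
        return FW1 if digest[0] % 2 == 0 else FW2
    if option == "primary-device":
        return primary_fw
    if option == "first-packet":
        return receiving_fw
    raise ValueError(f"unknown session setup option: {option}")


@dataclass
class Cluster:
    """Active/active pair sharing one session table view (simplified)."""
    setup_option: str
    primary: str = FW1
    sessions: dict = field(default_factory=dict)

    def receive(self, fw, pkt):
        """Process pkt arriving at fw; return the ordered steps taken."""
        trace = []
        if pkt.key() in self.sessions:
            # Existing session: processed locally, no HA3 involvement.
            trace.append(f"{fw}: matched existing session, processed and forwarded")
            return trace
        # New session. Session Owner is modeled as First Packet, as in the figure.
        owner = fw
        trace.append(f"{fw}: no session match, new session, owner={owner}")
        setup_fw = session_setup_device(self.setup_option, pkt, fw, self.primary)
        if setup_fw != fw:
            trace.append(f"{fw}: forward first packet to {setup_fw} over HA3")
            trace.append(f"{setup_fw}: L2-L4 session setup, NAT from {owner} pool")
            trace.append(f"{setup_fw}: return packet to {fw} over HA3")
        else:
            trace.append(f"{fw}: L2-L4 session setup locally, NAT from own pool")
        self.sessions[pkt.key()] = {"owner": owner, "setup": setup_fw}
        trace.append(f"{fw}: Layer 7 processing, forward out egress interface")
        return trace


if __name__ == "__main__":
    cluster = Cluster("ip-modulo")
    odd_src = Packet("10.0.0.3", "10.1.1.1", 40001, 443)
    for step in cluster.receive(FW1, odd_src):
        print(step)
    print("--- same flow again ---")
    for step in cluster.receive(FW1, odd_src):
        print(step)
```

With IP Modulo and an odd source address arriving at FW1, the trace shows the HA3 round trip to FW2 for setup and the return to FW1 for Layer 7 processing; the second packet of the same flow matches the session and never leaves FW1. Switching the option to "primary-device" with FW1 as primary removes the HA3 hops entirely, which is why that setting is the one to use when capturing pcaps on a single device.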
