Security features do not work in Asymmetric Routing scenario

Support Center > Search Results > SecureKnowledge Details

Solution ID	sk32403
Product	Security Gateway, ClusterXL, IPS / Web Intelligence, Application Control, URL Filtering
Version	NGX R60, NGX R61, NGX R62, NGX R65, R70, R71, R75, R76, R77, R77.10, R77.20, R77.30
Platform / Model	All
Date Created	01-Jan-2007
Last Modified	18-Jul-2015

Symptoms

Several security features in Web Intelligence do not work in Asymmetric Routing scenarios.

Cause

Asymmetric routing is any situation in which the Client-to-Server packet goes through one cluster member, while the Server-to-Client packet goes through another. In such scenarios, the following features in the Web Intelligence may not work correctly:

Header Spoofing
Directory listing
Error Concealment
ASCII only response
Send error page

Also, various features in the IPS Software Blade, App Control, and URL Filtering may not work correctly.

Solution

To make these features to work correctly, Chain Forwarding should be enabled. Chain forwarding transfers packets related to an ongoing connection to the correct cluster member handling this connection.

Permanently set the value of the fwha_perform_chain_forward global variable to 1 on all cluster members. Refer to sk26202 for details on changing the kernel global parameters on all platforms.

Note:

Performance may be degraded.
The Sticky Decision Function (SDF) must be disabled when Chain Forwarding is enabled (relevant only in ClusterXL Load Sharing modes).

After the procedure is completed, the aforementioned features will operate correctly in asymmetric routing scenarios.

Related Solution:
sk26202 - Changing the kernel global parameters on all platforms .

Give us Feedback

Please rate this document

[1=Worst,5=Best]

Comment
	Submitting rating