Security features do not work in Asymmetric Routing scenario
Asymmetric routing is any situation in which the Client-to-Server packet goes through one cluster member, while the Server-to-Client packet goes through another. In such scenarios, the following Web Intelligence features may not work correctly:
- Header Spoofing
- Directory listing
- Error Concealment
- ASCII only response
- Send error page
Also, various features in the IPS Software Blade, App Control, and URL Filtering may not work correctly.
For these features to work correctly, Chain Forwarding must be enabled. Chain Forwarding transfers packets that belong to an ongoing connection to the cluster member that is handling this connection.
Permanently set the value of the fwha_perform_chain_forward global variable to 1 on all cluster members. Refer to sk26202 for details on changing the kernel global parameters on all platforms.
- Performance may be degraded.
- The Sticky Decision Function (SDF) must be disabled when Chain Forwarding is enabled (relevant only in ClusterXL Load Sharing modes).
After the procedure is completed, the aforementioned features will operate correctly in asymmetric routing scenarios.
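One way to confirm on each cluster member that the setting is persistent, as an added example (not Check Point's own code). It assumes that permanent kernel parameters are kept as name=value lines in $FWDIR/boot/modules/fwkern.conf and that `fw ctl get int` reports the running value; sk26202 remains the authoritative procedure. The function name audit_chain_forward is hypothetical, and anything other than the exact line fwha_perform_chain_forward=1 is conservatively reported for manual review.

```shell
#!/bin/sh
# Added example: audit the persistent value of fwha_perform_chain_forward.
# Assumption: permanent kernel parameters live as name=value lines in
# $FWDIR/boot/modules/fwkern.conf (follow sk26202 for the real procedure).

PARAM=fwha_perform_chain_forward

# Prints exactly one verdict for the given file:
#   ok | missing | wrong_value | malformed | duplicate | no_file
audit_chain_forward() {
    conf=$1
    [ -r "$conf" ] || { echo "no_file"; return 0; }
    # Drop CRs first so a file edited on Windows is judged on its content.
    tr -d '\r' < "$conf" | awk -v p="$PARAM" '
        index($0, p) == 0          { next }             # unrelated line
                                   { seen++ }
        $0 == (p "=1")             { ok++; next }       # exact expected form
        $0 ~ ("^" p "=[0-9]+$")    { wrong++; next }    # clean, but not 1
                                   { bad++ }            # spaces, "#", etc.
        END {
            if (seen == 0)     print "missing"
            else if (seen > 1) print "duplicate"        # ambiguous: review
            else if (ok)       print "ok"
            else if (wrong)    print "wrong_value"
            else               print "malformed"
        }'
}

# Demo on a constructed sample file (not taken from a real gateway).
sample=$(mktemp)
printf '%s=1\n' "$PARAM" > "$sample"
echo "sample file: $(audit_chain_forward "$sample")"
rm -f "$sample"

# On a cluster member, compare the persistent setting with the running value.
if command -v fw >/dev/null 2>&1 && [ -n "$FWDIR" ]; then
    echo "persistent: $(audit_chain_forward "$FWDIR/boot/modules/fwkern.conf")"
    fw ctl get int "$PARAM"
fi
```

Run it on every cluster member: a verdict other than ok on any one of them means the parameter will not be 1 there after the next reboot.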
sk26202 - Changing the kernel global parameters on all platforms.