Chapter 5: Firewall Load Balancing

Cisco Press

This chapter introduces the reader to firewall load-balancing (FWLB) concepts, technology, and designs. We will talk about motivations behind FWLB solutions, different types of firewalls, and how to load balance them. Reference design options and configurations will be discussed.

At the end of the chapter, we discuss a case study that implements FWLB in a network with multiple secure segments using Cisco's module-based load balancer for the Catalyst 6500 (Cat6500), the Content Switching Module (CSM). Details of the CSM and Catalyst 6500 configurations are included together with an explanation of various key commands.

Reasons for and Benefits of FWLB

In today's data centers, the security of the network, servers, and applications is a key concern. Together with VPN concentrators, Secure Sockets Layer (SSL) offload devices, and intrusion detection devices, firewalls are a vital component of a secure data center infrastructure. Firewalls are used not only to protect against malicious or unauthorized access from the public segment but also between multiple demilitarized zones (DMZs) and server segments. When a firewall accepts a packet from one segment, it forwards the packet to the other segment, either unaltered or modified according to its configuration. When a firewall rejects a packet, it usually drops the packet and logs the drop as an event. After a session is established and a flow of packets begins, a firewall can inspect each packet in the flow or allow the flow to continue uninspected, depending on the policies configured on that firewall.

There are several motivations behind load-balancing firewalls, the key ones being scalability, redundancy, and manageability.


Firewalls are physical devices that exist between network segments, typically in a routed design. They perform stateful inspection of sessions going through them from one segment to the other. Firewalls block or permit sessions based on configured security policies and rules. A firewall has limited resources in terms of link speed, memory, and processor power. These factors determine the capacity and capability of the device in terms of session scalability and raw packet-switching performance.

FWLB is necessary when multiple parallel firewalls are deployed to overcome performance limitations in terms of throughput, session rate, and session capacity. FWLB allows you to scale firewall protection by distributing traffic across multiple firewalls on a per-connection basis. In a load-balanced solution, all packets between a pair of IP addresses for a particular session, in either direction, traverse the same firewall. The firewall then allows or denies transmission of individual packets across its interfaces.


One of the primary reasons for FWLB is high availability of the secure path that the firewall provides. Typical firewalls, such as the Cisco Private Internet Exchange (PIX) Firewall, provide redundancy in an active/backup fashion: one firewall is functional and active while the other stays silent. Both firewalls share an interface IP address, so traffic continues to flow if one device fails.

FWLB takes firewall redundancy to the next level by load balancing traffic across a group of active, functional firewalls. The load balancer detects a firewall failure within seconds and takes that firewall out of rotation. As long as a single firewall within the load-balanced group is functional, the secure path remains available.
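The two behaviours described above, per-connection distribution in which both directions of a session traverse the same firewall, and removal of a failed firewall from rotation, are modelled in the following added example. It is illustrative code written for this chapter summary, not Cisco CSM code; the firewall names and addresses are constructed placeholders, and a deterministic CRC-based hash stands in for whatever hashing a real load balancer uses.

```python
import zlib
from dataclasses import dataclass, field


@dataclass
class FirewallLoadBalancer:
    """Minimal model of per-connection firewall load balancing (constructed example)."""
    firewalls: list                                 # e.g. ["fw1", "fw2", "fw3"] (placeholders)
    healthy: set = field(default_factory=set)       # firewalls currently passing health checks
    sessions: dict = field(default_factory=dict)    # canonical flow key -> chosen firewall

    def __post_init__(self):
        self.healthy = set(self.firewalls)

    @staticmethod
    def flow_key(src_ip, src_port, dst_ip, dst_port, proto):
        # Sort the two endpoints so that a client->server packet and the matching
        # server->client reply produce the same key. This symmetry is what keeps
        # every packet of a session, in either direction, on one firewall.
        a, b = sorted([(src_ip, src_port), (dst_ip, dst_port)])
        return (proto, a, b)

    def select(self, src_ip, src_port, dst_ip, dst_port, proto="tcp"):
        key = self.flow_key(src_ip, src_port, dst_ip, dst_port, proto)
        fw = self.sessions.get(key)
        if fw is not None and fw in self.healthy:
            return fw                               # existing session: stay on its firewall
        candidates = sorted(self.healthy)
        if not candidates:
            raise RuntimeError("no functional firewall left in the load-balanced group")
        # A deterministic hash of the canonical key spreads new sessions over the group.
        fw = candidates[zlib.crc32(repr(key).encode()) % len(candidates)]
        self.sessions[key] = fw
        return fw

    def mark_failed(self, fw):
        # Health probe failed: remove the firewall from rotation and forget the
        # sessions pinned to it; those must be re-established through another firewall.
        self.healthy.discard(fw)
        self.sessions = {k: v for k, v in self.sessions.items() if v != fw}

    def mark_recovered(self, fw):
        if fw in self.firewalls:
            self.healthy.add(fw)


if __name__ == "__main__":
    lb = FirewallLoadBalancer(["fw1", "fw2", "fw3"])
    print(lb.select("10.1.1.5", 40000, "192.0.2.10", 80))   # forward direction
    print(lb.select("192.0.2.10", 80, "10.1.1.5", 40000))   # reply takes the same firewall
```

Note that dropping pinned sessions on failure mirrors the chapter's description of a stateful firewall: a session's state exists only on the firewall that carried it, so a surviving firewall sees the rerouted flow as new.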
