NSRP (NetScreen Redundancy Protocol)

To function properly as a network firewall, a security device must be placed at the single point through which all interzone traffic must pass. When a single device is responsible for handling all interzone traffic, it becomes vital that the traffic flow remain uninterrupted, even in the event of a device or network failure.

To ensure a continuous traffic flow, you can cable and configure two security devices in a redundant cluster, with one device acting as a master and the other as its backup. The master propagates all its network and configuration settings and the current session information to the backup. Should the master fail, the backup is promoted to master and takes over the traffic processing.

There are two types of configuration for device redundancy:

• active/active Both devices in a redundant cluster are active, sharing the traffic distributed between them by routers with load-balancing capabilities. Using the NetScreen Redundancy Protocol (NSRP), you define two virtual security devices (VSD) groups, each with its own virtual security interfaces (VSIs). For example, Device A is the master of VSD group 0 and the backup of VSD group 1. Device B is the master of VSD group 1 and the backup of VSD group 0. Each physical device is actively processing traffic while backing up the other device.

• active/passive The master is active, handling all firewall and VPN activities, and the backup is passive[1], waiting to take over when the master steps down. Using NSRP, you create one VSD group. Device A is the master and device B is the backup.

Configuring an NSRP Cluster

Before two security devices can provide redundant network connectivity, you must group them in the same NSRP cluster.

To Configure your Security Device in a Redundant Cluster