4 Replies Latest reply on Jan 29, 2015 9:37 PM by totti10

    McAfee NGFW Dispatcher election process?


      Hi all,


      I have some questions about McAfee NGFW Cluster:

      1. How the dispatcher is elected in a Cluster?

      2. How the dispatcher process traffic:


            They said that Dispatcher decide what node will handle the traffic. So all the traffic must first come to the Dispatcher, then Dispatcher forward the traffic to other node for process that traffic, Right?

      3. We have different Dispatcher for each CVI, so how the Dispatcher for CVI2 know that traffic was process by other node, and distribute this reply packet to the right node?


      Thanks and Regards!

        • 1. Re: McAfee NGFW Dispatcher election process?



          1. Dispatcher is selected using internal process and operation. Details how this happens are not public.

          2. Yes, dispatcher node uses the CVI MAC address so all inbound traffic going through the NGFW cluster first come to dispatcher node. If dispatcher decides that connection is balanced to other node in the cluster, it forwards the packet to node that was selected to process the connection using the same interface that packet was received on. If you look at traffic captures with e.g. Wireshark, you can see same packet twice: first it comes from router MAC address to CVI MAC address, and then it is forwarded from CVI MAC to interface MAC of node that processes the connection.

          3. Cluster nodes know which node handles which connection based on state synchronization data.




          • 2. Re: McAfee NGFW Dispatcher election process?

            Hi Tero,


            Thanks for your answer.

            Can we know that which node is handling what traffic?



            • 3. Re: McAfee NGFW Dispatcher election process?

              Short answer: it is not possible to see which node will handle some given traffic.


              You can see which node is a dispatcher for a given interface since dispatcher will hold the CVI MAC (configured in SMC) on that interface.


              Simplified, when traffic comes in, src/dst ip pair (and possibly other data such as SPI) is used to calculate a load balancing hash value between 0 and 255. You can see which nodes are responsible for which hashes with command lbf_bitflip.


              Actually, different nodes know which node is responsible for each connection through the fact that they all do the same calculation for any incoming packets. Src a to dst b and src b to dst a on other interface (returning traffic) will yield same hash value, so same node will handle a connection both ways, without need for nodes do any negotiation.

              • 4. Re: McAfee NGFW Dispatcher election process?

                Great command ilindblo