US 12,231,400 B2
Firewall switchover with minimized session disconnection
Tapraj Singh, Danville, CA (US); Harshavardhan Parandekar, San Jose, CA (US); Nazanin Magharei, San Jose, CA (US); Rimu Bhardwaj, Sunnyvale, CA (US); and Vikram Guleria, Fremont, CA (US)
Assigned to Palo Alto Networks, Inc., Santa Clara, CA (US)
Filed by Palo Alto Networks, Inc., Santa Clara, CA (US)
Filed on May 13, 2022, as Appl. No. 17/663,257.
Prior Publication US 2023/0370422 A1, Nov. 16, 2023
Int. Cl. H04L 9/40 (2022.01); H04L 61/2514 (2022.01); H04L 61/256 (2022.01)
CPC H04L 63/0236 (2013.01) [H04L 61/2514 (2013.01); H04L 61/256 (2013.01); H04L 63/0263 (2013.01)] 20 Claims
OG exemplary drawing
 
1. A method comprising:
based on switchover from a first firewall to a second firewall in a first network, instructing an Internet gateway communicatively coupled to the first firewall and the second firewall over the first network to update an Internet Protocol (IP) address binding for a public IP address associated with the first and second firewalls to indicate a first private IP address of the second firewall;
initiating a first transition from an active state to a pseudo-active state for the first firewall, wherein, in the pseudo-active state, based on ingress of a first packet corresponding to a first session, the first firewall forwards the first packet along a data plane link to the second firewall;
initiating a second transition from a passive state to an active state for the second firewall, wherein, in the active state, the second firewall discards the first packet based, at least in part, on a determination of a first state of the first session indicated in the first packet; and
based on determining that an expected duration for updating the IP address binding has expired, initiating a third transition from the pseudo-active state to a passive state for the first firewall.
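The four-step sequence in claim 1, reduced to a state-machine simulation. This is an added illustration, not Palo Alto Networks' implementation: the flow key, the `syn` flag standing in for "the state of the first session indicated in the first packet", the dict standing in for the gateway's binding table, and the explicit `binding_update_expired` call standing in for the expected-duration timer are all assumptions.

```python
from dataclasses import dataclass, field

ACTIVE, PSEUDO_ACTIVE, PASSIVE = "active", "pseudo-active", "passive"

@dataclass
class Packet:
    session: tuple  # constructed flow key (src_ip, src_port, dst_ip, dst_port)
    syn: bool       # True = session-opening packet, False = mid-session packet

@dataclass
class Firewall:
    name: str
    private_ip: str
    state: str = PASSIVE
    sessions: set = field(default_factory=set)
    peer: "Firewall" = None  # other end of the data-plane link

    def handle(self, pkt: Packet) -> str:
        if self.state == PASSIVE:
            return f"{self.name}:dropped-passive"
        if self.state == PSEUDO_ACTIVE:
            # Claim step 2: the pseudo-active firewall relays ingress over the data-plane link.
            return f"{self.name}:forwarded->" + self.peer.handle(pkt)
        # ACTIVE (claim step 3): decide from the session state the packet itself indicates.
        if pkt.syn:
            self.sessions.add(pkt.session)
            return f"{self.name}:accepted-new"
        if pkt.session in self.sessions:
            return f"{self.name}:accepted-existing"
        return f"{self.name}:discarded-unknown-session"

def switchover(bindings: dict, public_ip: str, old: Firewall, new: Firewall) -> None:
    bindings[public_ip] = new.private_ip          # step 1: gateway rebinds the public IP
    old.state, new.state = PSEUDO_ACTIVE, ACTIVE  # steps 2 and 3

def binding_update_expired(old: Firewall) -> None:
    old.state = PASSIVE  # step 4: expected duration for the binding update has elapsed

def run_scenario() -> dict:
    bindings = {"203.0.113.10": "10.0.0.1"}  # constructed gateway table: public -> private IP
    fw1, fw2 = Firewall("fw1", "10.0.0.1", ACTIVE), Firewall("fw2", "10.0.0.2")
    fw1.peer, fw2.peer = fw2, fw1
    old_flow = Packet(("198.51.100.5", 40000, "10.0.1.20", 443), syn=True)
    fw1.handle(old_flow)  # session established on fw1 before the switchover
    switchover(bindings, "203.0.113.10", fw1, fw2)
    stale = Packet(old_flow.session, syn=False)  # still routed to fw1 by the old binding
    fresh = Packet(("198.51.100.6", 40001, "10.0.1.20", 443), syn=True)
    out = {"binding": bindings["203.0.113.10"], "stale_mid_session": fw1.handle(stale),
           "new_session": fw1.handle(fresh)}
    binding_update_expired(fw1)
    out["after_expiry"] = fw1.handle(Packet(fresh.session, syn=False))
    return out
```

The stale mid-session packet is relayed to fw2 and discarded there because fw2 holds no state for it, while a session-opening packet relayed during the pseudo-active window is accepted by fw2; once the binding-update window has expired, fw1 drops everything.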