Skip to main content

Gatekeeper High Availability

Ensure Uninterrupted Network Segmentation

Xshield Gatekeeper offers robust high availability (HA) capabilities to ensure continuous operation and minimize downtime in case of appliance failure. This document provides an overview of the HA features and how they benefit your network security.

Why High Availability Matters

Network segmentation is critical for protecting sensitive data and maintaining operational continuity. In the event of a Gatekeeper appliance failure, HA ensures that your network remains segmented and protected. This prevents unauthorized access, data breaches, and service disruptions.  

Xshield Gatekeeper HA Modes

Xshield Gatekeeper supports two HA modes to cater to different deployment needs:

Active/Standby

  • In this mode, one Gatekeeper is designated as the primary and actively handles all traffic, while a second Gatekeeper acts as a hot standby.
  • The standby Gatekeeper continuously monitors the primary Gatekeeper's health. If the primary fails, the standby automatically takes over, ensuring minimal disruption to network traffic.  
  • This mode is ideal for deployments where simplicity and cost-effectiveness are priorities, and some downtime can be tolerated.

Active/Active

  • This mode utilizes multiple Gatekeepers to actively handle traffic, distributing the workload across the cluster. The smallest unit of workload that can be distributed across active/active gatekeepers is a VLAN.
  • Each Gatekeeper manages a portion of the network traffic, increasing overall capacity and redundancy. Each gatekeeper manages one or more VLANs
  • If one Gatekeeper fails, the remaining Gatekeepers seamlessly absorb its workload, ensuring uninterrupted service.
  • Active/Active mode provides higher availability and scalability, making it suitable for demanding environments with minimal downtime tolerance.

Key HA Features

  • Virtual Router Redundancy Protocol (VRRP): Xshield Gatekeeper utilizes VRRP to manage failover between appliances. VRRP uses keepalived to monitor the health of each Gatekeeper and automatically trigger failover when necessary.
  • LAN and WAN Virtual IPs: Virtual IP addresses are assigned to the Gatekeeper cluster, ensuring that traffic continues to flow to the active Gatekeeper(s) even during failover.
  • File Synchronization: Critical files, such as DHCP leases and asset cache, are synchronized between Gatekeepers, ensuring consistent operation and preventing data loss.
  • Policy Synchronization: All Gatekeepers in an HA setup share the same security policies, preventing inconsistencies and ensuring continuous protection during failover.
  • Load Sharing: In Active/Active mode, traffic is distributed across multiple Gatekeepers, maximizing resource utilization and improving performance.
  • Switch Failover: In the unlikely event that both Gatekeeper appliances fail, the system can also be configured to failover to a switch or gateway acting as a VRRP backup. This multi-layered approach to high availability ensures that your OT network remains protected and operational even in the face of hardware failures or other unforeseen issues.

Benefits of Xshield Gatekeeper HA

  • Minimized Downtime: Automatic failover ensures that your network segmentation remains intact, minimizing service interruptions and downtime.
  • Increased Capacity: Active/Active mode allows you to handle more traffic and devices, providing scalability for growing networks.
  • Simplified Management: HA configuration and monitoring are integrated into the Xshield management interface, making it easy to set up and manage.
  • Enhanced Network Security: Continuous operation ensures that your network remains protected even in the event of appliance failure.

Choosing the Right HA Mode

The choice between Active/Standby and Active/Active HA modes depends on your specific requirements:

  • Active/Standby: Suitable for deployments with limited budget and tolerance for some downtime.
  • Active/Active: Ideal for high-traffic environments requiring maximum uptime and scalability. Consult with your Xshield representative to determine the best HA mode for your organization.

By leveraging Xshield Gatekeeper's HA capabilities, you can ensure the continuous protection and availability of your critical network infrastructure