Must the heartbeat interfaces of the firewall be directly connected?

It depends. The heartbeat interface can be directly connected or connected through an intermediate device, such as a switch or router. Direct connection is recommended.

When the heartbeat interface is connected through an intermediate device, you need to configure the remote parameter to specify the peer heartbeat interface IP address. This is because:

If you do not configure the remote parameter, the heartbeat packet sent from the NGFW is encapsulated with VRRP. VRRP packets are multicast packets, and certain switches and routers send packets of this type to themselves for processing, occupying their CPU resources. Heartbeat packets on the NGFW increase as services increase, overloading the switch and router CPUs and affecting their processing of other multicast packets (such as OSPF packets). The restrictions of the switch and router on VRRP packets also cause NGFW heartbeat packets to be discarded, causing the NGFW status to be unstable.

After you configure the remote parameter, the NGFW encapsulates heartbeat packets into UDP packets. The switch and router do not send UDP packets to themselves for processing. Therefore, the switch and router performance and network services are not affected.
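To confirm which encapsulation the heartbeat link is actually using, frames captured on the intermediate switch can be classified by IP protocol and destination. The sketch below is an added example, not Huawei code. It assumes the VRRP-encapsulated heartbeat appears on the wire as standard VRRP (IP protocol 112 to a multicast address); the function names and the 10.10.0.x heartbeat addresses are hypothetical placeholders.

```python
import ipaddress
import struct
from collections import Counter

VRRP_PROTO, UDP_PROTO = 112, 17   # IANA IP protocol numbers (standard VRRP assumed)

def classify_frame(frame: bytes):
    """Return (src_ip, kind) for an Ethernet/IPv4 frame, or None if not IPv4."""
    off = 12
    if frame[off:off + 2] == b"\x81\x00":      # skip one 802.1Q VLAN tag
        off += 4
    if frame[off:off + 2] != b"\x08\x00" or len(frame) < off + 22:
        return None
    ip = frame[off + 2:]
    if ip[0] >> 4 != 4:
        return None
    src = ipaddress.IPv4Address(ip[12:16])
    dst = ipaddress.IPv4Address(ip[16:20])
    if ip[9] == VRRP_PROTO and dst.is_multicast:
        kind = "vrrp-multicast"                # handled by the switch/router CPU
    elif ip[9] == UDP_PROTO and not dst.is_multicast:
        kind = "udp-unicast"                   # forwarded like ordinary traffic
    else:
        kind = "other"
    return str(src), kind

def heartbeat_summary(frames, heartbeat_ips):
    """Count encapsulation kinds for frames sent by the heartbeat interfaces."""
    counts = Counter()
    for frame in frames:
        result = classify_frame(frame)
        if result and result[0] in heartbeat_ips:
            counts[result[1]] += 1
    return counts

def build_frame(src, dst, proto, vlan=None):
    """Construct a minimal test frame (constructed sample data, zeroed checksum)."""
    eth = b"\x00" * 12 + (struct.pack("!HH", 0x8100, vlan) if vlan else b"") + b"\x08\x00"
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 28, 0, 0, 255, proto, 0,
                     ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)
    return eth + ip + b"\x00" * 8

# Constructed sample: addresses are placeholders, not values from the page.
SAMPLE = [
    build_frame("10.10.0.1", "224.0.0.18", VRRP_PROTO),           # no remote parameter
    build_frame("10.10.0.1", "10.10.0.2", UDP_PROTO, vlan=100),   # remote parameter set
    build_frame("10.10.0.2", "10.10.0.1", UDP_PROTO, vlan=100),
    build_frame("192.0.2.7", "224.0.0.5", 89),                    # unrelated OSPF hello
]
```

A non-zero `vrrp-multicast` count for the heartbeat addresses after the change indicates that at least one NGFW is still sending multicast heartbeats through the intermediate device.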
