Differences between firewall hot standby and router dual-link backup

The packet forwarding mechanisms are different. For a router, service packets are forwarded packet by packet. The device looks up the routing table and interface-based ACL. Packets are forwarded only if corresponding match is found. After link switchover, subsequent packets are continuously forwarded. Each packet is independently processed. As a stateful firewall, the USG checks only first packets. If first packets are permitted, the USG creates a quintuple session connection accordingly. Then subsequent packets (including returned packets) matching this session entry are permitted. If link switchover occurs, subsequent packets cannot find correct session entries, resulting in service interruption. When NAT is configured for a router, similar problems may occur, because a new entry is created after NAT.

Scroll to top