Instances of Application-level Gateway are groups of services that can be controlled together. A PNS firewall can run multiple instances of the Application-level Gateway process. The main benefits of multiple firewall instances are the following:
Administration
A typical firewall handles many types of traffic, many different protocols. These protocols might have different administrative requirements. Inbound traffic is usually handled differently from outbound traffic. For these reasons, using multiple firewall instances can make administration more transparent.
Availability
If an error (for example, misconfiguration) occurs and the firewall instance stops responding, no traffic can pass the firewall. However, an error usually affects a single instance; the other ones are still functional, so only the traffic handled by the crashed instance stops. Instances can be controlled (started, restarted, stopped) individually from each other. This is important, because stopping or restarting an instance stops all traffic handled by the instance.
Consider the following example. A firewall uses two instances:
Instance_Afor all e-mail related traffic (the POP3, IMAP, and the SMTP protocols) andInstance_Bfor everything else (HTTP, and so on). IfInstance_Astops because of an error, or is stopped by the administrator, no e-mails can be sent or received. However, all other network traffic is working.Performance
Separate firewall instances have separate processes and separate sets of threads, significantly increasing the performance on multiprocessor systems (SMP or HyperThreading).
Logging
Log settings are effective on the instance level; different instances can log in differently. For example, if higher than average logging level is required for a type of traffic, it might worth to create an instance for this traffic and customize logging only for this instance.
| Note |
|---|
|
Although creating instances is beneficial, the number of instances that can run on a system is limited. Each instance is a separate process and requires its own space in the system memory — quickly consuming the limited physical resources of the computer. More instances do not necessarily make configuration tasks easier, and complex configuration increases the chance of human errors. Keep instance number relatively low unless you have a solid reason to use many instances. |
Instances usually handle traffic based on the protocol used by the traffic, the direction of the traffic, or a special characteristic of the traffic (for example, requires authentication). It is common practice to define an instance for all inbound traffic that handles all services accessible from the Internet, and another one for all traffic that the clients of intranet are allowed to use. Consider creating a separate instance for:
special services, for example, mission-critical traffic;
traffic accessing critical locations, for example, your servers;
traffic that requires outband authentication.
Published on June 04, 2020
© 2007-2019 BalaSys
Send your comments to support@balasys.hu
