The document discusses Palo Alto Networks Active/Active high availability configuration. It provides an overview of Active/Active HA, how packets are handled in an Active/Active cluster including new sessions, established sessions, and asymmetric flows. It also discusses deploying Active/Active HA in virtual wire and layer 3 modes, and configuring HA states, control links, data links, and the HA3 link. The document reviews monitoring, troubleshooting tools, and HA CLI commands.
11. Active/Active HA Overview
What is High Availability Active/Active?
• With an A/A deployment, both HA peers are active and processing traffic.
• A/A HA is supported only in virtual-wire and Layer 3 modes, beginning with PAN-OS 4.0.
• Such deployments are best suited to scenarios involving asymmetric routing.
• A/A can also be deployed to allow dynamic routing protocols (OSPF, BGP) to maintain active adjacencies on both peers.
• In addition to the HA1 and HA2 links used in A/P, A/A deployments require a dedicated HA3 link. HA3 is the packet-forwarding link used for session setup and asymmetric traffic handling.
12. Which to use - A/P or A/A?
What Active/Active is NOT designed for:
• A/A does NOT load balance. Load sharing is possible by steering traffic to each peer, but there is no load-balancing mechanism.
• A/A will not increase performance or allow greater capacity. At no point should the combined traffic load exceed the capacity of a single stand-alone system: on failover the surviving system would carry the whole load, become overloaded, and possibly cause an outage.
Note: Unless the Active/Active asymmetric-flow or dynamic-routing capability is a requirement, Active/Passive is the better option for most deployments, as it is simpler to deploy.
13. HA Peer Connection
• Same HA1 and HA2 links as A/P.
• Add HA3: any free dataplane port with interface mode "HA".
  - All packet forwarding between the two devices uses the HA3 link.
(Diagram: the two peers connected by the HA1, HA2 and HA3 links.)
15. Active/Active Packet Handling
In an Active/Active cluster, packet handling can be distributed between the two peers. There are two important functions handled by the devices in a cluster:
• Session ownership
• Session setup
16. Session Ownership
• Depending on configuration, the session owner is either the firewall that receives the first packet of a new session or the device in the ACTIVE-PRIMARY state.
• The session owner is responsible for all Layer 7 processing for the session, i.e. App-ID, Content-ID and threat scanning.
• The session owner is also responsible for generating all traffic logs for the session.
17. Session Setup
• The session setup device is responsible for the Layer 2 through Layer 4 processing required to set up a new session.
• Address translation (NAT) is performed by the session setup device.
• The session setup device is determined by the configured "session setup load sharing" option.
• Separating the session owner and session setup roles is necessary to avoid race conditions that can occur in asymmetrically routed environments.
18. Packet Flow
To understand packet flow within a cluster, we will discuss three different scenarios:
1. New session
2. Established session
3. Asymmetric packet flow
19. Session Setup
1. Packet arrives at one of the devices.
2. The receiving device has no session for the packet and assumes ownership of the session (it will be the L7 owner).
3. The computed hash/modulo determines that this device is not responsible for session setup, so it forwards the packet to the peer device over the HA3 link.
4. The session is set up, and the session info and the packet are returned to the session owner.
5. The original device forwards the packet out the appropriate interface.
(Diagram: session owner on one side, session setup device on the other, joined by the HA3 link.)
20. Packet Flow: New Session
The sequence of steps involved in setting up
a session is listed below:
1. End host sends packet to Dev-A.
2. Firewall examines the contents of the
packet to match it to an existing session.
3. If there is no session match, Dev-A
determines that it has received the first
packet for a new session. Therefore Dev-A
becomes the session owner.
4. Dev-A uses the configured session setup
load sharing options to identify the
session setup device. In this example we
assume the setup function is performed
by Dev-B.
5. Using the HA3 link, Dev-A sends the first
packet it received to Dev-B.
6. Dev-B sets up the session and returns the
packet to Dev-A for layer 7 processing, if
any.
7. Dev-A then forwards the packet out via
the egress interface to the destination.
21. Established Session
1. Packet arrives at one of the devices.
2. Receiving device has a session for the packet and owns the session.
3. Packet is processed and sent out via the appropriate egress interface.
Diagram: session owner performs the layer 7 processing locally.
22. Packet Flow: Existing Session
The sequence of steps for an existing session
is listed below:
1. End host sends packet to Dev-A.
2. Firewall examines the contents of the
packet to match the packet to an existing
session.
3. If there is a session match, Dev-A
processes the packet and sends the
packet out via the egress interface to the
destination.
23. Established Session – Packet Arriving at Non Session Owner Device
1. Packet arrives at one of the devices.
2. Receiving device has a session for the packet, but it is owned by the peer device.
3. Receiving device forwards the packet over the HA3 link to the owner for processing.
4. Owner processes the packet:
   1. In vwire, the packet is sent back to the receiving device.
   2. In L3, if the owner has a route to the destination, the packet is forwarded out.
Diagram: session owner performs the layer 7 processing; packet crosses the HA3 link from the receiving device.
24. Packet Flow: Asymmetric Flow - L3
The sequence of steps for an asymmetric
packet flow:
1. Dev-B receives a packet.
2. Receiving device has a session for the
packet, but it is owned by the peer device,
Dev-A.
3. Dev-B forwards the packet over the HA3 link
to Dev-A for processing.
4. In a layer 3 deployment, Dev-A processes the
packet and forwards it to the destination if it
has the route.
25. Packet Flow: Asymmetric Flow – V-Wire
The sequence of steps for an asymmetric
packet flow:
1. Dev-B receives a packet.
2. Receiving device has a session for the
packet, but it is owned by the peer device,
Dev-A.
3. Dev-B forwards the packet over the HA3 link
to Dev-A for processing.
4. In a vwire deployment, in order to preserve
the forwarding path, Dev-A processes the
packet and returns it to Dev-B, to be
transmitted out the egress interface to the
destination.
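The three packet-flow cases above (new session, established session at the owner, and asymmetric arrival at the non-owner in L3 versus vwire) as a small simulation. This is an added example, not Palo Alto Networks code; it assumes "ip-modulo" session setup load sharing modelled as the parity of the source IP, a (src, dst, dport) session key, and that in layer 3 mode the owner holds a route to the destination.

```python
from dataclasses import dataclass
from ipaddress import ip_address

# Constructed model of the Active/Active packet handling on slides 19-25
# (an added example, not Palo Alto Networks code). Assumptions: session
# setup load sharing is "ip-modulo", modelled as the parity of the source
# IP picking device-id 0 or 1; sessions are keyed by (src, dst, dport); in
# layer 3 mode the owner is assumed to hold a route to the destination.

@dataclass
class Session:
    owner: int         # device-id doing layer 7 work and traffic logging
    setup_device: int  # device-id that did the layer 2-4 setup and NAT

def setup_device_for(src_ip: str) -> int:
    """ip-modulo style selection: parity of the source address."""
    return int(ip_address(src_ip)) & 1

class AACluster:
    def __init__(self, mode: str):
        assert mode in ("vwire", "layer3")
        self.mode = mode
        self.sessions: dict[tuple, Session] = {}
        self.ha3_forwards = 0  # what ha_aa_pktfwd_xmt counts on a real box

    def receive(self, dev: int, key: tuple) -> tuple[int, list[str]]:
        """Handle a packet arriving at device `dev`; return (egress device, trace)."""
        trace = []
        sess = self.sessions.get(key)
        if sess is None:  # slide 20: first packet, receiver becomes owner
            sess = Session(owner=dev, setup_device=setup_device_for(key[0]))
            self.sessions[key] = sess
            trace.append(f"dev{dev}: no session match, becomes owner")
            if sess.setup_device != dev:
                self.ha3_forwards += 1
                trace.append(f"dev{dev} -> dev{sess.setup_device} over HA3 for setup")
                trace.append(f"dev{sess.setup_device}: session set up, packet returned")
            trace.append(f"dev{dev}: layer 7 processing, egress")
            return dev, trace
        if sess.owner == dev:  # slide 22: owner processes it locally
            trace.append(f"dev{dev}: owns session, layer 7 processing, egress")
            return dev, trace
        self.ha3_forwards += 1  # slides 24/25: non-owner hands off to the owner
        trace.append(f"dev{dev} -> dev{sess.owner} over HA3 (session owner)")
        if self.mode == "layer3":
            trace.append(f"dev{sess.owner}: processed, forwarded via its own route")
            return sess.owner, trace
        trace.append(f"dev{sess.owner}: processed, returned to dev{dev} to keep the path")
        return dev, trace
```

The trace makes the HA3 crossings visible, which is what the ha_aa_pktfwd_* counters shown later in the deck account for on a real pair.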
27. Deployment: V-Wire
• Simplest solution for implementing high
availability.
• Firewalls are installed between L3
devices. These are often used in
conjunction with dynamic routing
protocols, which will fail traffic over to the
other cluster member if needed.
Note: Implementing A/A HA in v-wire
mode in a layer 2 sandwich will result in
switching loops if Spanning Tree Protocol
is not enabled on the switches. It is
recommended to deploy A/A in v-wire in a
layer 3 topology.
28. Deployment: Layer 3
Layer 3 deployment supports virtual IP addressing, NAT,
and the use of dynamic routing protocols for redundancy.
An Active/Active cluster can be deployed in several different
scenarios in layer 3 mode, as described below:
• Floating IP
• ARP load sharing
• Mixed mode (combine both floating IP and ARP load
sharing)
29. Deployment: L3 Floating IP
• A floating IP can move between HA devices when a link
failure or device failure occurs.
• The interface on the cluster device that owns the floating IP
responds to ARP requests with a virtual MAC.
• Floating IPs are recommended when VRRP-like
functionality is required.
• Floating IPs can be used for VPNs and source NAT,
allowing for persistent connections when a failure
occurs.
• Each interface on the firewall has its own IP and a floating
IP. The interface IP remains local to the device, but the floating IP
address can move between the devices.
• End hosts are configured to use a floating IP as their default
gateway, allowing traffic to be load balanced within the
cluster.
• External load balancers can also be used to load
balance traffic between firewalls within the cluster.
• If a failover occurs, a gratuitous ARP is sent out by the
functional device. Once the device recovers, the floating IP and
VMAC move back to the original device.
30. Deployment: L3 ARP Load Sharing
• Allows the HA pair to share an IP address and provide gateway
services.
• All hosts are configured with a single gateway IP. ARP
requests for the gateway IP are responded to with a virtual
MAC address from a single device in the pair.
• Each device will have a unique virtual MAC address
generated for the shared IP.
• The device that responds to the ARP request is determined
by computing a hash or modulo of the source IP of the ARP
request.
• Once the end host receives the ARP response from a device, it
caches the MAC address and all traffic from that host is
routed via the firewall that responded with its VMAC. The
lifetime of the ARP cache entry depends on the end host OS.
• ARP load sharing should be used only when a layer 2
separation exists between the firewalls and the end hosts.
• On a link or device failure, the floating IP and VMAC move over
to the functional device. A gratuitous ARP is sent out by
the functional device.
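The ARP load sharing behaviour just described (responder chosen from the host's IP, host caches the answering VMAC, VMAC moves to the functional peer on failure and is announced with gratuitous ARP), as a small model. This is an added example, not Palo Alto Networks code; it assumes "ip-modulo" selection by parity of the host IP, two constructed VMAC values that are not derived from the group/device ID, and host ARP caches that never expire.

```python
from ipaddress import ip_address

# Constructed model of ARP load sharing and its failover (slides 29 and 30);
# an added example, not Palo Alto Networks code. Assumptions: the responding
# device is picked by "ip-modulo" (parity of the host IP), the two VMACs are
# made-up placeholder values, and host ARP caches never expire here.

GATEWAY_IP = "172.35.2.100"  # shared gateway IP configured on both peers
VMAC = {0: "00:1b:17:00:01:10", 1: "00:1b:17:00:01:90"}  # constructed per-device VMACs

class ArpLoadSharingPair:
    """Two A/A peers sharing GATEWAY_IP, each answering with its own VMAC."""

    def __init__(self):
        self.functional = {0: True, 1: True}
        self.vmac_location = {VMAC[0]: 0, VMAC[1]: 1}  # VMAC -> device answering for it
        self.arp_caches: dict[str, str] = {}            # host IP -> cached gateway MAC
        self.garps_sent: list[tuple[int, str]] = []     # (device, VMAC) gratuitous ARPs

    def arp_request(self, host_ip: str) -> str:
        """Only the device chosen by ip-modulo answers; the host caches that VMAC."""
        dev = int(ip_address(host_ip)) & 1
        mac = VMAC[dev]  # answered by whichever device currently holds this VMAC
        self.arp_caches[host_ip] = mac
        return mac

    def device_reached_by(self, host_ip: str) -> int:
        """Which device the host's traffic lands on, given its cached MAC."""
        return self.vmac_location[self.arp_caches[host_ip]]

    def fail(self, dev: int) -> None:
        """Link/device failure: the peer takes over the VMAC and sends a gratuitous
        ARP, so hosts keep working without waiting for their ARP cache to expire."""
        self.functional[dev] = False
        peer = 1 - dev
        self.vmac_location[VMAC[dev]] = peer
        self.garps_sent.append((peer, VMAC[dev]))

    def recover(self, dev: int) -> None:
        """Recovered device takes its VMAC back, again announced with gratuitous ARP."""
        self.functional[dev] = True
        self.vmac_location[VMAC[dev]] = dev
        self.garps_sent.append((dev, VMAC[dev]))
```

Because the VMAC itself migrates, the host-OS-dependent ARP cache lifetime noted above does not delay recovery; only the switches need the gratuitous ARP to relearn the port.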
31. Deployment: L3 Mixed Mode
• It is possible to have some interfaces configured with
floating IPs and some with shared IPs for ARP load
sharing.
• The cluster can be configured with ARP load sharing IPs
for hosts on the LAN segment, and floating IPs
configured towards the upstream WAN edge routers.
32. Agenda
• Overview
• Packet Handling
• Deployments
• HA States
• Configuration
• Monitoring
• Troubleshooting
• Special Case, Wrap-Up
33. Active/Active Configuration
• First step: set the HA mode to active-active.
Device > High Availability; Setup
• ID: HA group ID. Both devices must have the same group ID. The HA group ID is used to calculate the virtual MAC.
• Mode: Choose active-active from the drop-down list.
• Device-id: Select a unique device ID from the drop-down list (0 or 1). The device ID remains local to the device and does not
transition between devices during failover. This field is also used to calculate the VMAC.
• Peer HA IP Address: IP address of the HA1 control link on the peer device.
• Backup Peer HA IP Address: IP address of the backup control link on the peer device. This field is optional.
• Enable Config Sync: Enabled by default; required to synchronize configuration between devices in the cluster.
34. HA Control and Data Links
• Same as Active/Passive.
Diagram: PA-1 and PA-2 connected by the control link (HA1) and the data link (HA2).
35. HA3 Link
Used for packet forwarding between the session owner and
session setup device.
• The HA3 link is an L2 link and uses MAC-in-MAC encapsulation.
• Aggregate interfaces can be configured as the HA3 link (4000
and 5000 series only) for redundancy of the HA3 link.
• Interface mode must be HA to use a port as the HA3 link.
Note: Because of the overhead associated with encapsulation on the HA3 link,
switch ports connecting the HA3 link must be configured to support jumbo
frames.
36. Configuring ARP Load Sharing
Device > High Availability > Virtual Address
• Click "Add" to add a new virtual address.
• From the interface drop-down list choose the appropriate interface, and click
"Add".
• Set Type to "arp-load-sharing". In this example we choose "ip-modulo"
as the ARP Load Sharing Type.
37. Configuring Floating IP
Device > High Availability > Virtual Address
• Click "Add" to add a new virtual address.
• From the interface drop-down list choose the appropriate interface, and click
"Add".
• Set Type to "floating". Device priority determines which device
will own the floating IP address.
• Configure two floating IP addresses, one for each device, with different
priorities as shown above. The address with the lower numeric priority value has
the higher priority.
38. Monitoring
Settings are same for Active/Passive and Active/Active:
• Heartbeat polling
• Link monitoring
• Path monitoring
39. Configuring Link Monitoring
• Device > High Availability; Link Monitoring
• Failure Condition: "Any" or "All" failure conditions will cause failover.
40. Configuring Path Monitoring
• Device > High Availability; Path Monitoring
• Failure Condition: "Any" or "All" failure conditions will cause failover.
• Path groups can be defined per "Vwire", "VLAN", or "VR".
42. Troubleshooting
• CLI show commands:
admin@PA-2(active-primary)> show high-availability ?
> all                    Show high-availability information
> control-link           Show control-link statistic information
> dataplane-status       Show dataplane runtime status
> flap-statistics        Show high-availability preemptive/non-functional flap statistics
> interface              Show high-availability interface information
> link-monitoring        Show link-monitoring state
> path-monitoring        Show path-monitoring statistics
> state                  Show high-availability state information
> state-synchronization  Show state synchronization statistics
> transitions            Show high-availability transition statistic information
> virtual-address        Show Active-Active virtual address status
• Logs:
- less mp-log ha_agent.log
- show log system
Note: For HA issues, be sure to always get data from BOTH peers, as the
issue may be on either device.
43. HA CLI Commands
• Force configuration and session synchronization to the peer:
admin@student1> request high-availability sync-to-remote
• Fail the HA master over to the peer and make the system ineligible to be
master:
admin@student1> request high-availability state suspend
• Re-enable HA on a suspended system:
admin@student1> request high-availability state functional
• Show HA status:
admin@student1> show high-availability state
admin@student1> show high-availability link-monitoring
admin@student1> show high-availability path-monitoring
44. Troubleshooting Sessions
Session flow from host 172.35.2.4 to host 10.1.1.250.
admin@PA-2(active-primary)> show session all filter destination-port 23
--------------------------------------------------------------------------------
ID Application State Type Flag Src[Sport]/Zone/Proto (translated IP[Port])
Vsys Dst[Dport]/Zone (translated IP[Port])
--------------------------------------------------------------------------------
19485 telnet ACTIVE FLOW NS 172.35.2.4[56484]/trust-l3/6 (10.1.1.101[57558])
vsys1 10.1.1.250[23]/untrust-l3 (10.1.1.250[23])
From the session table, we see that host 172.35.2.4 is translated to IP
10.1.1.101, the floating IP on PA-2, which is device-id 1.
admin@PA-2(active-primary)> show session id 19485 | match HA
session synced from HA peer : False
session owned by local HA A/A : True
PA-2 is the session owner.
45. Global Counter
Show global counters for Active/Active related packets.
admin@PA-2(active-primary)> show counter global filter aspect aa delta yes
Global counters:
Elapsed time since last sampling: 24.406 seconds
name value rate severity category aspect description
--------------------------------------------------------------------------------
ha_aa_session_setup_peer 1 0 info ha aa Active/Active: setup session on peer device
ha_aa_pktfwd_rcv 1 0 info ha aa Active/Active: packets received from peer device
ha_aa_pktfwd_xmt 1 0 info ha aa Active/Active: packets forwarded to peer device
--------------------------------------------------------------------------------
Total counters shown: 3
--------------------------------------------------------------------------------
46. Viewing Floating IPs
• "show high-availability virtual-address" can be used to
view all configured virtual addresses.
admin@PA-1(active-primary)> show high-availability virtual-address
Total interfaces with virtual address configured: 2
Total virtual addresses configured: 4
-----------------------------------------------------------------------------
Interface: ethernet1/2 Virtual MAC: 00:1b:17:00:01:11
10.1.1.100 Active:yes Type:floating
10.1.1.101 Active:no Type:floating
-----------------------------------------------------------------------------
Interface: ethernet1/1 Virtual MAC: 00:1b:17:00:01:10
172.35.2.100 Active:yes Type:arp-load-sharing
-----------------------------------------------------------------------------
47. Manual Failover
Same as A/P, except that it will determine which peer is Primary/Secondary.
• GUI:
• CLI (on the active peer):
request high-availability state suspend
request high-availability state functional
48. Logs and Packet Captures
• All traffic logs are logged by the session owner.
• When the session owner fails, the peer device becomes the
session owner and handles logging.
• If preempt is enabled and the failed device recovers
before the session ends, it takes back ownership of the
session and handles logging.
50. PA-200 – A/P HA-Lite
• Supports limited A/P functionality ("HA-Lite").
• Uses the MGMT port as the HA1 link for heartbeats and config sync.
• No HA2 or HA3 link supported; no session sync.
51. For More Information
• Active/Passive HA Tech Note:
https://live.paloaltonetworks.com/docs/DOC-1160
• Active/Active HA Tech Note:
https://live.paloaltonetworks.com/docs/DOC-1756
• Designing Networks with Palo Alto Networks firewalls:
https://live.paloaltonetworks.com/docs/DOC-2561
52. THANK YOU !!
• Upcoming TechConnect Webinars:
• Go to www.paloaltonetworks.com/partner site to register.
Editor's Notes
Non-func due to monitored object failure
Note: When session owner fails, peer device will become session owner. Existing sessions will fail over to the functional device and no layer 7 processing will be available for these sessions. When a device recovers from a failure, all sessions that were owned by the device before failure will revert back to the original device.