WO2016150307A1

Movatterモバイル変換

Info

Publication number: WO2016150307A1
Application number: PCT/CN2016/076158
Authority: WO
Inventors: 李江
Original assignee: ZTE Corp
Current assignee: ZTE Corp
Priority date: 2015-03-23
Filing date: 2016-03-11
Publication date: 2016-09-29
Anticipated expiration: 2017-09-23
Also published as: CN106161331A

Abstract

A firewall dual-machine hot spare method, device and system. The method comprises: determining, by a primary firewall, connection data required to be backed up; transmitting, by the primary firewall, the determined connection data required to be backed up to a spare firewall.

Description

Translated fromChinese

一种防火墙双机热备方法、装置及系统Firewall dual-system hot standby method, device and system

技术领域Technical field

本文涉及但不限于计算机技术，尤指一种防火墙双机热备方法、装置及系统。This document refers to, but is not limited to, computer technology, especially a firewall hot standby method, device and system.

背景技术Background technique

防火墙通常作为保护屏障设置在网络节点，如内部网和外部网之间，或专用网与公共网之间。Firewalls are often placed as protection barriers between network nodes, such as between intranets and extranets, or between private and public networks.

相关技术中，为了规避设置在网络节点的防火墙出现单点故障，通常在该网络节点处部署两个防火墙。通过将主防火墙中的连接数据全部同步备份到备用防火墙中，以使在主防火墙出现故障时，启用备用防火墙，实现全网通信。In the related art, in order to circumvent a single point of failure of a firewall set at a network node, two firewalls are usually deployed at the network node. By synchronizing all the connection data in the main firewall to the standby firewall, the backup firewall can be enabled to implement network-wide communication when the main firewall fails.

然而，相关技术通常是将主防火墙中的连接数据全部同步备份到备用防火墙的过程中，降低了备份连接数据的效率。However, the related technology generally synchronizes the connection data in the main firewall to the backup firewall, which reduces the efficiency of backing up the connection data.

发明内容Summary of the invention

以下是对本文详细描述的主题的概述。本概述并非是为了限制权利要求的保护范围。The following is an overview of the topics detailed in this document. This Summary is not intended to limit the scope of the claims.

本发明实施例提供了一种防火墙双机热备方法、装置及系统，提高了备份连接数据效率。The embodiment of the invention provides a firewall hot standby method, device and system, which improves the efficiency of backup connection data.

本发明实施例提供了一种防火墙双机热备方法，包括：The embodiment of the invention provides a firewall hot standby method, including:

主防火墙确定需要备份的连接数据；The main firewall determines the connection data that needs to be backed up;

主防火墙将确定出的需要备份的连接数据发送给备份防火墙。The main firewall sends the determined connection data that needs to be backed up to the backup firewall.

可选的，所述主防火墙确定需要备份的连接数据包括：Optionally, the master firewall determines that the connection data that needs to be backed up includes:

所述主防火墙在预先设置的需要备份的虚拟局域网VLAN标识中查找到接收到的连接数据中的VLAN标识，确定出所述接收到的连接数据需要进行备份。The primary firewall searches for the VLAN identifier in the received connection data in the pre-configured virtual local area network VLAN identifier that needs to be backed up, and determines that the received connection data needs to be backed up.

可选的，所述主防火墙将确定出的需要备份的连接数据发送给备份防火墙包括：Optionally, the primary firewall sends the determined connection data that needs to be backed up to the backup firewall.The wall includes:

所述主防火墙通过同步备份数据包将所述确定出的需要备份的连接数据发送给所述备份防火墙。The primary firewall sends the determined connection data that needs to be backed up to the backup firewall by synchronizing backup data packets.

可选的，所述主防火墙将确定出的需要备份的连接数据发送给备份防火墙包括：Optionally, the primary firewall sends the determined connection data that needs to be backed up to the backup firewall, including:

所述主防火墙将所述确定出的需要备份的连接数据按照优先级从高到低的顺序依次发送给备份防火墙。The primary firewall sends the determined connection data that needs to be backed up to the backup firewall in descending order of priority.

可选的，所述主防火墙将确定出的需要备份的连接数据发送给备份防火墙之前还包括：Optionally, before the primary firewall sends the determined connection data that needs to be backed up to the backup firewall, the method further includes:

所述主防火墙在预先设置的需要备份的VLAN标识、虚拟路由冗余协议VRRP组标识和Ha实例标识之间的对应关系中，查找所述接收到的连接数据中的VLAN标识对应的VRRP组标识和Ha实例标识；The main firewall searches for the VRRP group identifier corresponding to the VLAN identifier in the received connection data in the corresponding relationship between the VLAN ID to be backed up, the virtual router redundancy protocol VRRP group identifier, and the Ha instance identifier. And the Ha instance identifier;

所述主防火墙将确定出的需要备份的连接数据发送给备份防火墙包括：The primary firewall sends the determined connection data that needs to be backed up to the backup firewall, including:

所述主防火墙将所述确定出的需要备份的连接数据和查找到的VRRP组标识和Ha实例标识发送给备份防火墙。The primary firewall sends the determined connection data that needs to be backed up and the found VRRP group identifier and the Ha instance identifier to the backup firewall.

本发明实施例还提出了一种防火墙双机热备方法，包括：The embodiment of the invention further provides a firewall hot standby method, comprising:

备份防火墙接收到来自主防火墙的需要备份的连接数据；The backup firewall receives the connection data that needs to be backed up from the autonomous firewall;

备份防火墙保存接收到的连接数据。The backup firewall saves the received connection data.

可选的，所述备份防火墙接收到来自主防火墙的需要备份的连接数据包括：Optionally, the backup firewall receives the connection data that needs to be backed up from the autonomous firewall, including:

所述备份防火墙接收到来自主防火墙的需要备份的连接数据，以及虚拟路由冗余协议VRRP组标识和Ha实例标识；The backup firewall receives the connection data that needs to be backed up from the autonomous firewall, and the virtual routing redundancy protocol VRRP group identifier and the Ha instance identifier;

所述备份防火墙保存接收到的连接数据包括：The backup firewall saves the received connection data including:

所述备份防火墙保存所述接收到的连接数据、VRRP组标识和Ha实例标识之间的对应关系。The backup firewall saves the correspondence between the received connection data, the VRRP group identifier, and the Ha instance identifier.

本发明实施例还提出了一种计算机可读存储介质，存储有计算机可执行指令，计算机可执行指令用于执行上述描述的任意一个方法。Embodiments of the present invention also provide a computer readable storage medium storing computer executable instructions for performing any of the methods described above.

本发明实施例还提供了一种防火墙双机热备装置，包括：The embodiment of the invention further provides a firewall hot standby device, comprising:

确定模块，设置为确定需要备份的连接数据；Determining a module, setting to determine connection data that needs to be backed up;

发送模块，设置为将确定出的需要备份的连接数据发送给备份防火墙。The sending module is configured to send the determined connection data that needs to be backed up to the backup firewall.

可选的，所述确定模块是设置为：Optionally, the determining module is configured to:

在预先设置的需要备份的虚拟局域网VLAN标识中查找到接收到的连接数据中的VLAN标识，确定出所述接收到的连接数据需要进行备份。The VLAN identifier in the received connection data is found in the pre-configured virtual local area network VLAN identifier that needs to be backed up, and it is determined that the received connection data needs to be backed up.

可选的，所述发送模块是设置为：Optionally, the sending module is configured to:

通过同步备份数据包将所述确定出的需要备份的连接数据发送给所述备份防火墙。The determined connection data that needs to be backed up is sent to the backup firewall by synchronizing the backup data packet.

将所述确定出的需要备份的连接数据按照优先级从高到低的顺序依次发送给备份防火墙。The determined connection data that needs to be backed up is sent to the backup firewall in order of priority from high to low.

可选的，还包括：Optionally, it also includes:

查找模块，设置为在预先设置的需要备份的VLAN标识、虚拟路由冗余协议VRRP组标识和Ha实例标识之间的对应关系中，查找所述接收到的连接数据中的VLAN标识对应的VRRP组标识和Ha实例标识；The locating module is configured to search for a VRRP group corresponding to the VLAN identifier in the received connection data, in a correspondence between the VLAN ID to be backed up, the virtual routing redundancy protocol VRRP group identifier, and the Ha instance identifier. Identification and Ha instance identification;

所述发送模块是设置为：The sending module is set to:

将所述确定出的需要备份的连接数据和查找到的VRRP组标识和Ha实例标识发送给备份防火墙。Sending the determined connection data that needs to be backed up and the found VRRP group identifier and the Ha instance identifier to the backup firewall.

本发明实施例还提出了一种防火墙双机热备装置，包括：The embodiment of the invention further provides a firewall hot standby device, comprising:

接收模块，设置为接收到来自主防火墙的需要备份的连接数据；a receiving module, configured to receive connection data that needs to be backed up by the autonomous firewall;

存储模块，设置为保存接收到的连接数据。The storage module is set to save the received connection data.

可选的，所述接收模块是设置为：Optionally, the receiving module is configured to:

接收到来自主防火墙的需要备份的连接数据，以及虚拟路由冗余协议VRRP组标识和Ha实例标识；Receiving the connection data that needs to be backed up from the autonomous firewall, and the virtual routing redundancy protocol VRRP group identifier and the Ha instance identifier;

所述存储模块是设置为：The storage module is set to:

保存所述接收到的连接数据、VRRP组标识和Ha实例标识之间的对应关系。The correspondence between the received connection data, the VRRP group identifier, and the Ha instance identifier is saved.

本发明实施例还提供了一种防火墙双机热备系统，包括：如上述所述的防火墙双机热备装置和如上述所述的另一防火墙双机热备装置。与相关技术相比，本发明实施例包括，主防火墙确定需要备份的连接数据；主防火墙将确定出的需要备份的连接数据发送给备份防火墙。实现了将主防火墙中需要备份的连接数据备份到备份防火墙中，从而减少了备份的数据量，并减少了备份时间，进而提高了备份的效率。本发明实施例的其它特征和优点将在随后的说明书中阐述，并且，部分地从说明书中变得显而易见，或者通过实施本发明而了解。本发明实施例的目的和其他优点可通过在说明书、权利要求书以及附图中所特别指出的结构来实现和获得。The embodiment of the invention further provides a firewall dual-system hot standby system, comprising: the firewall dual-system hot standby device as described above and another firewall dual-system hot standby device as described above. Compared with the related art, the embodiment of the present invention includes: the main firewall determines the connection data that needs to be backed up; and the main firewall sends the determined connection data that needs to be backed up to the backup firewall. The backup data that needs to be backed up in the primary firewall is backed up to the backup firewall, thereby reducing the amount of data to be backed up and reducing the backup time, thereby improving the efficiency of the backup. Other features and advantages of the embodiments of the invention will be set forth in the description in the description which The objectives and other advantages of the embodiments of the present invention can be realized and obtained by the structure of the invention.

在阅读并理解了附图和详细描述后，可以明白其他方面。Other aspects will be apparent upon reading and understanding the drawings and detailed description.

附图概述BRIEF abstract

图1为本发明异步数据传输方法一实施例的流程示意图；1 is a schematic flowchart of an embodiment of an asynchronous data transmission method according to the present invention;

图2为本发明实施例同步备份数据包的结构示意图；2 is a schematic structural diagram of a synchronous backup data packet according to an embodiment of the present invention;

图3为本发明防火墙双机热备方法再一实施例的流程示意图；3 is a schematic flowchart of still another embodiment of a firewall hot standby method according to the present invention;

图4为本发明防火墙双机热备装置一实施例的结构示意图；4 is a schematic structural diagram of an embodiment of a firewall dual-system hot standby device according to the present invention;

图5为本发明防火墙双机热备装置另一实施例的结构示意图。FIG. 5 is a schematic structural diagram of another embodiment of a firewall hot standby device according to the present invention.

本发明的实施方式Embodiments of the invention

下文中将结合附图对本发明的实施例进行详细说明。需要说明的是，在不冲突的情况下，本申请中的实施例及实施例中的特征可以相互任意组合。Embodiments of the present invention will be described in detail below with reference to the accompanying drawings. It should be noted that, in the case of no conflict, the features in the embodiments and the embodiments in the present application may be arbitrarily combined with each other.

在附图的流程图示出的步骤可以在诸如一组计算机可执行指令的计算机系统中执行。并且，虽然在流程图中示出了逻辑顺序，但是在某些情况下，可以以不同于此处的顺序执行所示出或描述的步骤。The steps illustrated in the flowchart of the figures may be executed in a computer system such as a set of computer executable instructions. Also, although logical sequences are shown in the flowcharts, in some cases the steps shown or described may be performed in a different order than the ones described herein.

本发明实施例提供的防火墙双机热备方法可以应用于同一网络节点中设置的两个防火墙，即主防火墙与备份防火墙之间的数据同步时，也就是说，在主防火墙工作正常时，将备份数据与备份防火墙进行数据同步，即备份连接数据。本实施例提供的防火墙双机热备方法具体可以通过防火墙双机热备装置来执行，该防火墙双机热备装置可以集成在防火墙中，该防火墙双机热备装置可以采用软件和/或硬件的方式来实现。以下对本实施例提供的防火墙双机热备方法进行详细地说明。The dual-system hot standby method provided by the embodiment of the present invention can be applied to two firewalls set in the same network node, that is, data synchronization between the primary firewall and the backup firewall, that is, when the primary firewall works normally, The backup data is synchronized with the backup firewall, that is, the backup connectionReceive data. The firewall dual-system hot backup method provided in this embodiment may be implemented by using a firewall dual-system hot standby device, where the firewall dual-system hot standby device may be integrated into a firewall, and the firewall dual-system hot standby device may adopt software and/or hardware. The way to achieve it. The firewall hot standby method provided in this embodiment is described in detail below.

图1为本发明防火墙双机热备方法方法一实施例的流程示意图，如图1所示，该方法包括如下步骤：FIG. 1 is a schematic flowchart of a method for a dual-system hot standby method according to the present invention. As shown in FIG. 1 , the method includes the following steps:

步骤101、主防火墙确定需要备份的连接数据。Step 101: The main firewall determines connection data that needs to be backed up.

本步骤中，主防火墙确定需要备份的连接数据包括：In this step, the main firewall determines the connection data that needs to be backed up, including:

主防火墙在预先设置的需要备份的虚拟局域网(VLAN，Virtual Local Area Network)标识中查找到接收到的连接数据中的VLAN标识，确定出接收到的连接数据需要进行备份。The primary firewall searches for the VLAN ID in the received connection data in the virtual local area network (VLAN) that needs to be backed up, and determines that the received connection data needs to be backed up.

其中，接收到的连接数据中包括VLAN标识、源互联网协议(IP，Internet Protocol)地址、目的IP地址、源端口、目的端口、协议类型。The received connection data includes a VLAN identifier, an Internet Protocol (IP) address, a destination IP address, a source port, a destination port, and a protocol type.

步骤102、主防火墙将确定出的需要备份的连接数据发送给备份防火墙。Step 102: The main firewall sends the determined connection data that needs to be backed up to the backup firewall.

本步骤中，主防火墙可以通过同步备份数据包将确定出的需要备份的连接数据发送给备份防火墙。图2为同步备份数据包的结构示意图，如图2所示，同步备份数据包包括数据Ha数据包包头和一个或一个以上存储空间，每一个存储空间可以存储一个连接数据。In this step, the primary firewall can send the determined connection data to be backed up to the backup firewall by synchronizing the backup data packets. 2 is a schematic structural diagram of a synchronous backup data packet. As shown in FIG. 2, the synchronous backup data packet includes a data Ha packet header and one or more storage spaces, and each storage space can store one connection data.

本步骤中，主防火墙可以将确定出的需要备份的连接数据按照优先级从高到低的顺序依次发送给备份防火墙。In this step, the primary firewall may send the determined connection data that needs to be backed up to the backup firewall in descending order of priority.

其中，连接数据的优先级可以由管理员预先根据VLAN标识或协议类型设置在主防火墙中。The priority of the connection data may be set by the administrator in the main firewall according to the VLAN identifier or the protocol type.

一般情况下，同步备份数据包的大小不能超过一定的阈值，因此在发送连接数据时，如果同一级别的连接数据的总大小大于同步备份数据包的大小，可以将该级别的连接数据通过多个同步备份数据包来进行发送。In general, the size of the synchronous backup packet cannot exceed a certain threshold. Therefore, when the connection data is sent, if the total size of the connection data of the same level is larger than the size of the synchronous backup packet, the connection data of the level can be passed through multiple Synchronize backup packets for transmission.

可选的，步骤102之前还包括：主防火墙在预先设置的需要备份的VLAN标识、虚拟路由冗余协议(VRRP，Virtual Router Redundancy Protocol)组标识和Ha实例标识之间的对应关系中，查找接收到的连接数据中的VLAN标识对应的VRRP组标识和Ha实例标识；Optionally, before thestep 102, the main firewall is configured to receive and receive the preset relationship between the VLAN identifier to be backed up, the Virtual Router Redundancy Protocol (VRRP) group identifier, and the Ha instance identifier. The VRRP group identifier and the Ha instance identifier corresponding to the VLAN identifier in the connection data.

相应的，步骤102具体包括：主防火墙将确定出的需要备份的连接数据和查找到的VRRP组标识和Ha实例标识发送给备份防火墙。Correspondingly, thestep 102 includes: the main firewall sends the determined connection data to be backed up and the found VRRP group identifier and the Ha instance identifier to the backup firewall.

其中，查找到的VRRP组标识和Ha实例标识可以作为同步备份数据包的数据Ha数据包包头中的一个字段发送给备份防火墙。The found VRRP group identifier and the Ha instance identifier may be sent to the backup firewall as a field in the data Ha packet header of the synchronous backup data packet.

步骤102中，由于主防火墙中接收到的连接数据不是存储在内存中的，因此，在将需要备份的连接数据发送给备份防火墙之前，需要先将需要备份的连接数据存储到内存中，然后将内存中的需要备份的连接数据发送给备份防火墙。Instep 102, since the connection data received in the main firewall is not stored in the memory, before the connection data to be backed up is sent to the backup firewall, the connection data to be backed up needs to be stored in the memory, and then The connection data in the memory that needs to be backed up is sent to the backup firewall.

举例来讲，在配置时对一些需要备份的连接数据配置到虚拟局域网1(Virtual Local Area Network简称VLAN)里；不需要备份的连接数据配置到vlan2里。在vlan1里绑定虚拟路由冗余协议(Virtual Router Redundancy Protocol，简称VRRP)组标识(id，Identifier)，并关联到连接数据中。这样在同步数据的时候可以只同步vlan1的连接数据，减少了需要同步的数据总量，从而提高了同步效率。这样可以尽可能的保证重要的连接在主备切换时做到平滑切换。For example, in the configuration, some connection data that needs to be backed up is configured in Virtual Local Area Network (VLAN); the connection data that does not need to be backed up is configured in vlan2. The virtual router redundancy protocol (VRRP) group identifier (id, Identifier) is bound to the connection data in vlan1. In this way, when the data is synchronized, only the connection data of vlan1 can be synchronized, which reduces the total amount of data that needs to be synchronized, thereby improving the synchronization efficiency. This ensures that important connections are smoothly switched between active and standby switching as much as possible.

举例来讲，第一组连接数据组的优先级低，第二组连接数据的优先级中，第三组连接数据组的优先级高。可以在第一组连接数据中配置http协议类型，第二组连接数据组中配置qq等即时通讯协议，第三组连接数据中配置视频会议协议。这样当这些协议的连接状态发生改变时，会对连接的协议类型进行自动识别，根据配置把不同的协议放入到不同优先级的连接数据组中，然后依照优先级从高到低的顺序进行备份。这样可以尽可能的保证视频会议等重要的连接在主备切换时做到平滑切换。For example, the priority of the first group of connection data groups is low, and among the priorities of the second group of connection data, the priority of the third group of connection data groups is high. The http protocol type can be configured in the first group of connection data, the instant messaging protocol such as qq is configured in the second group connection data group, and the video conference protocol is configured in the third group connection data. In this way, when the connection status of these protocols changes, the protocol type of the connection is automatically identified, and different protocols are put into the connection data groups of different priorities according to the configuration, and then the priority is performed in descending order. Backup. In this way, it is possible to ensure that important connections such as video conferencing can be smoothly switched between active and standby switching.

需要说明的是，该连接数据包括主防火墙与内部网或外部网的连接数据，也可以是配置信息。It should be noted that the connection data includes connection data between the main firewall and the internal network or the external network, and may also be configuration information.

在本实施例中，主防火墙确定需要备份的连接数据，将需要备份的连接数据发送给备份防火墙。实现了将主防火墙中需要备份的连接数据备份到备份防火墙中，从而减少了备份的数据量，并减少了备份时间，进而提高了备份的效率。In this embodiment, the main firewall determines the connection data that needs to be backed up, and sends the connection data that needs to be backed up to the backup firewall. The backup data that needs to be backed up in the primary firewall is backed up to the backup firewall, thereby reducing the amount of data to be backed up and reducing the backup time, thereby improving the efficiency of the backup.

参见图3，本发明实施例还提出了一种防火墙双机热备方法，包括：Referring to FIG. 3, an embodiment of the present invention further provides a firewall hot standby method, including:

步骤300、备份防火墙接收到来自主防火墙的需要备份的连接数据。Step 300: The backup firewall receives the connection data that needs to be backed up from the autonomous firewall.

步骤301、备份防火墙保存接收到的连接数据。Step 301: The backup firewall saves the received connection data.

可选的，步骤300中，备份防火墙接收到来自主防火墙的需要备份的连接数据，以及VRRP组标识和Ha实例标识。Optionally, instep 300, the backup firewall receives the connection data that needs to be backed up from the autonomous firewall, and the VRRP group identifier and the Ha instance identifier.

相应地，步骤301中，备份防火墙保存接收到的连接数据、VRRP组标识和Ha实例标识之间的对应关系。Correspondingly, instep 301, the backup firewall saves the correspondence between the received connection data, the VRRP group identifier, and the Ha instance identifier.

在本实施例中，备份防火墙仅接收到需要备份的连接数据，从而减少了备份的数据量，并减少了备份时间，进而提高了备份的效率。In this embodiment, the backup firewall only receives the connection data that needs to be backed up, thereby reducing the amount of backup data and reducing the backup time, thereby improving the efficiency of the backup.

参见图4，本发明实施例提出了一种防火墙双机热备装置，包括：Referring to FIG. 4, an embodiment of the present invention provides a firewall hot standby device, including:

本发明实施例的装置中，所述确定模块是设置为：In the apparatus of the embodiment of the present invention, the determining module is configured to:

本发明实施例的装置中，所述发送模块是设置为：In the apparatus of the embodiment of the present invention, the sending module is configured to:

本发明实施例的装置中，还包括：The device of the embodiment of the present invention further includes:

所述发送模块是设置为：The sending module is set to:

参见图5，本发明实施例还提出了一种防火墙双机热备装置，包括：Referring to FIG. 5, an embodiment of the present invention further provides a firewall hot standby device, including:

本发明实施例的装置中，所述接收模块是设置为：In the apparatus of the embodiment of the present invention, the receiving module is configured to:

所述存储模块是设置为：The storage module is set to:

本领域普通技术人员可以理解上述方法中的全部或部分步骤可通过程序来指令相关硬件(例如处理器)完成，所述程序可以存储于计算机可读存储介质中，如只读存储器、磁盘或光盘等。可选地，上述实施例的全部或部分步骤也可以使用一个或多个集成电路来实现。相应地，上述实施例中的各模块/单元可以采用硬件的形式实现，例如通过集成电路来实现其相应功能，也可以采用软件功能模块的形式实现，例如通过处理器执行存储与存储器中的程序/指令来实现其相应功能。本发明不限于任何特定形式的硬件和软件的结合。One of ordinary skill in the art will appreciate that all or a portion of the above steps may be performed by a program to instruct related hardware, such as a processor, which may be stored in a computer readable storage medium, such as a read only memory, disk or optical disk. Wait. Alternatively, all or part of the steps of the above embodiments may also be implemented using one or more integrated circuits. Correspondingly, each module/unit in the foregoing embodiment may be implemented in the form of hardware, for example, by implementing an integrated circuit to implement its corresponding function, or may be implemented in the form of a software function module, for example, executing a program in a storage and a memory by a processor. / instruction to achieve its corresponding function. The invention is not limited to any specific form of combination of hardware and software.

虽然本发明所揭露的实施方式如上，但所述的内容仅为便于理解本发明而采用的实施方式，并非用以限定本发明。任何本发明所属领域内的技术人员，在不脱离本发明所揭露的精神和范围的前提下，可以在实施的形式及细节上进行任何的修改与变化，但本发明的专利保护范围，仍须以所附的权利要求书所界定的范围为准。While the embodiments of the present invention have been described above, the described embodiments are merely for the purpose of understanding the invention and are not intended to limit the invention. Any modification and variation in the form and details of the embodiments may be made by those skilled in the art without departing from the spirit and scope of the invention. The scope defined by the appended claims shall prevail.

工业实用性Industrial applicability

上述方案减少了备份的数据量，并减少了备份时间，进而提高了备份的效率。The above solution reduces the amount of data backed up and reduces the backup time, thereby improving the efficiency of backup.

Claims

Translated fromChinese

一种防火墙双机热备方法，包括：A firewall hot standby method includes:

根据权利要求1所述的方法，其中，所述主防火墙确定需要备份的连接数据包括：The method according to claim 1, wherein the master firewall determines connection data that needs to be backed up, including:

根据权利要求1所述的方法，其中，所述主防火墙将确定出的需要备份的连接数据发送给备份防火墙包括：The method of claim 1, wherein the primary firewall sends the determined connection data that needs to be backed up to the backup firewall, including:

根据权利要求1所述的方法，所述主防火墙将确定出的需要备份的连接数据发送给备份防火墙之前还包括：The method according to claim 1, wherein the main firewall further includes: before sending the determined connection data that needs to be backed up to the backup firewall:

根据权利要求6所述的方法，其中，所述备份防火墙接收到来自主防火墙的需要备份的连接数据包括：The method according to claim 6, wherein the backup firewall receives connection data that needs to be backed up from the autonomous firewall, including:

一种防火墙双机热备装置，包括：A firewall hot standby device includes:

根据权利要求8所述的装置，其中，所述确定模块是设置为：The apparatus of claim 8 wherein said determining module is configured to:

根据权利要求8所述的装置，其中，所述发送模块是设置为：The apparatus of claim 8 wherein said transmitting module is configured to:

根据权利要求8所述的装置，还包括：The apparatus of claim 8 further comprising:

所述发送模块是设置为：The sending module is set to:

根据权利要求13所述的装置，其中，所述接收模块是设置为：The apparatus of claim 13 wherein said receiving module is configured to:

所述存储模块是设置为：The storage module is set to:

一种计算机可读存储介质，存储有计算机可执行指令，计算机可执行指令用于执行权利要求1～5任意一项所述的方法。A computer readable storage medium storing computer executable instructions for performing the method of any one of claims 1 to 5.

一种计算机可读存储介质，存储有计算机可执行指令，计算机可执行指令用于执行权利要求6～7任意一项所述的方法。A computer readable storage medium storing computer executable instructions for performing the method of any one of claims 6-7.