What forms of High Availability are certified for use with Symantec Web Gateway (SWG) appliance?
While, as of version 5.2.2, SWG has no built-in HA (High Availability) or Load Balancing feature, Symantec Web Gateway it is currently certified with the following forms of High Availability:
A pair of SWG appliances may be deployed in conjunction with a pair of firewalls, with the firewalls in either active-active or active-passive failover modes. See Table 2-5 and Figure 2-5 within the Symantec Web Gateway 4.5 Implementation Guide.
In addition, Symantec Web Gateway has been tested with the following forms of High Availability with no issues observed:
A pair of SWG appliances may be deployed in conjunction with a pair of web proxies, with the web proxies in either active-active or active-passive failover modes.
It can rely on 3rd party Link Aggregation or Etherchannel load balancers.
To load balance SWG in inline mode, each host must function independently as a transparent bridge (OSI layer 2) with some requirements and caveats:
The traffic passing through must be synchronous. This means that a GET request or sequence of packets going through a specific SWG must continue to flow or stream along that same host.
The SWG hosts do not share traffic information to other SWGs on the network. For that reason, SWG only is aware of the traffic going through itself. This may affect some feature's behavior like botnet detection.
The traffic to be load-balanced will still be bound to the default gateway's IP address, upstream of the SWG WAN port. Load balancing is not applied to the SWG's inline IP address.
The Symantec Web Gateway 5.2 Implementation Guide can be found in the following location: