When Web Gateway appliances run as director and scanning nodes in a Central Management configuration, communication between the nodes uses the Virtual Router Redundancy Protocol (VRRP) and the MWG Management Protocol.
Use of the protocols depends on the proxy settings that you have configured on the appliances that run as nodes. The protocols differ with regard to the activities of director and scanning nodes that are covered by them.
Virtual Router Redundancy Protocol
The Virtual Router Redundancy Protocol is used when you have configured Web Gateway as a proxy in transparent router mode or High Availability proxy mode.
Under this protocol, virtual IP addresses are assigned to active director nodes and backup director nodes. The protocol also determines which director node takes the active director role.
MWG Management Protocol
The MWG Management Protocol is used in transparent router mode and High Availability proxy mode. Under this protocol, the scanning nodes that are available for processing web traffic are identified.
The node that takes the active director role sends out broadcast messages to the scanning nodes, using the IP address that you have configured as its source IP address under the Management IP option of the respective proxy settings.
The protocol lets scanning nodes that are available within the same network segment respond at regular intervals to the discovery messages of the director node.
The security features of the Virtual Router Redundancy Protocol and the MWG Management Protocol are similar to those of the Address Resolution Protocol (ARP).
The Virtual Router Redundancy Protocol uses multicast with an IP address that is not routed beyond the local broadcast domain. The MWG Management Protocol uses broadcast messages.
A malicious node on the same network segment might send VRRP messages and so impersonate the active director node that holds the respective virtual IP address. If that node drops all data packets it receives for the virtual IP address, network connectivity stops for the clients that are connected to Web Gateway.
Best practice: Use IP addresses from a protected network segment when configuring proxy settings according to the Virtual Router Redundancy Protocol and the MWG Management Protocol. This will prevent malicious nodes from impacting Web Gateway activities.
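One way to monitor for the director impersonation described above, as an added example that is not part of the original documentation or of Web Gateway itself: the Python code below parses the header fields that VRRP versions 2 and 3 share and flags advertisements whose sender is not a known director node. The VRID, the addresses and the `DIRECTORS` inventory are constructed assumptions, and the packets are built inline instead of being captured from a network.

```python
import ipaddress
import struct

VRRP_PROTO = 112                                  # IP protocol number assigned to VRRP
VRRP_GROUP = ipaddress.ip_address("224.0.0.18")   # link-local VRRP multicast group

def parse_vrrp(packet: bytes) -> dict:
    """Parse an IPv4 packet carrying a VRRP advertisement (fields common to v2 and v3)."""
    if len(packet) < 20 or packet[9] != VRRP_PROTO:
        raise ValueError("not an IPv4 VRRP packet")
    ihl, ttl = (packet[0] & 0x0F) * 4, packet[8]
    if len(packet) < ihl + 8:
        raise ValueError("truncated VRRP header")
    src, dst = (ipaddress.ip_address(packet[i:i + 4]) for i in (12, 16))
    ver_type, vrid, priority, count = struct.unpack_from("!BBBB", packet, ihl)
    body = packet[ihl + 8: ihl + 8 + 4 * count]   # virtual IPv4 addresses
    if len(body) != 4 * count:
        raise ValueError("truncated virtual IP list")
    vips = [ipaddress.ip_address(body[i:i + 4]) for i in range(0, len(body), 4)]
    return {"src": src, "dst": dst, "ttl": ttl, "version": ver_type >> 4,
            "vrid": vrid, "priority": priority, "vips": vips}

def check_advert(adv: dict, directors: dict) -> list:
    """Return findings for one advertisement; `directors` maps VRID -> allowed source IPs."""
    findings = []
    if adv["dst"] != VRRP_GROUP or adv["ttl"] != 255:
        findings.append("malformed: wrong multicast group or TTL != 255")
    if adv["src"] not in directors.get(adv["vrid"], set()):
        findings.append(f"unexpected sender {adv['src']} for VRID {adv['vrid']} "
                        f"(priority {adv['priority']}, VIPs {[str(v) for v in adv['vips']]})")
    return findings

def build_sample(src, vrid, priority, vip, ttl=255):
    """Constructed test packet: 20-byte IPv4 header + VRRPv2 advertisement, checksums zeroed."""
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 0, 0, ttl, VRRP_PROTO, 0,
                     ipaddress.ip_address(src).packed, VRRP_GROUP.packed)
    vrrp = struct.pack("!BBBBBBH4s", 0x21, vrid, priority, 1, 0, 1, 0,
                       ipaddress.ip_address(vip).packed)
    return ip + vrrp + bytes(8)                   # 8 bytes of VRRPv2 authentication data

# Constructed inventory and traffic (documentation address range, assumed values).
DIRECTORS = {51: {ipaddress.ip_address("192.0.2.11"), ipaddress.ip_address("192.0.2.12")}}
SAMPLES = [build_sample("192.0.2.11", 51, 100, "192.0.2.10"),   # known director node
           build_sample("192.0.2.99", 51, 255, "192.0.2.10")]   # sender not in inventory

if __name__ == "__main__":
    for pkt in SAMPLES:
        print(check_advert(parse_vrrp(pkt), DIRECTORS) or "ok")
```

The source address in an advertisement can itself be forged by a node on the segment, so this check supplements the protected-segment recommendation and does not replace it.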