One of the prerequisites for an information society is secure and
reliable communication among computing systems. Accordingly, network
security appliances have become key components of the infrastructure, not only
as security guardians but also as reliable network components. Thus,
for both fault tolerance and high network throughput, multiple security
appliances are often deployed together as a group and managed via a
High-Availability (HA) protocol.
In this paper, we present our experience of formally modeling and verifying
the HA protocol used in commercial network security appliances
through model checking. In addition, we applied a new debugging technique
that detects multiple bugs without modifying or fixing the HA model,
by analyzing all counterexamples. Through these formal analyses, we
were able to detect several design flaws effectively.