Configure Server Load Balancing

Server load balancing requires Fireware with a Pro upgrade, and is not supported on Firebox T10, XTM 2 Series, and XTM 3 Series devices.

The server load balancing feature is designed to help you increase the scalability and performance of a high-traffic network with multiple servers. With server load balancing, you can enable the Firebox to control the number of sessions initiated to as many as 10 servers for each firewall policy you configure. The Firebox controls the load based on the number of sessions in use on each server. The device does not measure or compare the bandwidth that is used by each server.

You configure server load balancing as an SNAT action. The Firebox can balance connections among your servers with two different algorithms. When you configure server load balancing, you must choose the algorithm to use.

Round-robin

If you select this option, the Firebox distributes incoming sessions among the servers you specify in the policy in round-robin order. The first connection is sent to the first server specified in your policy. The next connection is sent to the next server in your policy, and so on.

Least Connection

If you select this option, the Firebox sends each new session to the server in the list that currently has the lowest number of open connections to the device. The Firebox cannot tell how many connections the server has open on other interfaces.

You can add any number of servers to a server load balancing action. You can also add a weight to each server to make sure that your most powerful servers are given the heaviest load. The weight refers to the proportion of load that the Firebox sends to a server. By default, each server has a weight of 1. If you assign a weight of 2 to a server, you double the number of sessions the Firebox sends to that server, compared to a server with a weight of 1.

You can optionally configure a source IP address in a server load balancing action. If you do not configure a source IP address in the server load balancing action, the Firebox does not modify the sender, or source IP address, of traffic sent to these devices. Although the traffic is sent directly from the Firebox, each device that is part of your server load balancing configuration sees the original source IP address of the network traffic.

To monitor the availability of servers configured in a server load balancing SNAT action, the Firebox sends TCP SYN packets to each server. If a server does not respond, or if it responds with a TCP reset, the Firebox does not send load-balanced traffic to that server.

When you configure server load balancing, it is important to know:

  • You can configure server load balancing for any policy to which you can apply static NAT.
  • If you apply server load balancing to a policy, you cannot set policy-based routing or other NAT rules in the same policy.
  • If you use server load balancing in an active/passive FireCluster configuration, real-time synchronization does not occur between the cluster members when a failover event occurs. When the passive backup master becomes the active cluster master, it sends connections to all servers in the server load balancing list to see which servers are available. It then applies the server load balancing algorithm to all available servers.
  • If you use server load balancing for connections to a group of RDP servers, you must configure the firewall on each RDP server to allow ICMP requests from the Firebox.
  • You can configure a server load balancing SNAT action for traffic sent to an external or optional Firebox interface. Static NAT for an optional interface requires Fireware OS v11.8.1 and higher.

If your device uses Fireware v11.0-v11.3.x, the steps to configure Server Load Balancing are different. For more information, see Configure Server Load Balancing in the Fireware XTM WatchGuard System Manager v11.3.x Help.

When you add a server load balancing SNAT action, you can choose to specify a source IP address in the action. Then, when traffic that matches the parameters in your server load balancing SNAT action passes through the policies that manage the traffic on your Firebox, the source IP address is changed to the IP address that you specify. The same source IP address is used for all servers in the server load balancing action.

You can also enable port address translation (PAT) in a server load balancing SNAT action. When you enable PAT, you can change the packet destination to specify a different internal host and a different port.

When you define the parameters for the SNAT action, sticky connections are always enabled. A sticky connection is a connection that continues to use the same server for a defined period of time. Stickiness makes sure that all packets between a source and destination IP address pair are sent to the same server for the time period you specify. The default sticky connection setting is 8 hours. You can change the setting to a different number of hours. When a new connection from the same client is received, the expiration time of the connection is extended.
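As an added illustration (not WatchGuard code and not a description of the Firebox implementation), the Python model below applies the selection rules this page describes: weighted round-robin, least connection counting only the sessions the device itself opened, exclusion of servers that fail the availability probe, and an 8-hour sticky entry keyed by source and destination IP whose timer is extended on each new connection. The server and client addresses are constructed, and dividing the session count by the weight in least-connection mode is an assumption, not a documented Firebox rule.

```python
import itertools

STICKY_SECONDS = 8 * 3600  # page default: sticky connections last 8 hours


class ServerLoadBalancer:
    """Model of the page's selection rules; not WatchGuard's implementation."""

    def __init__(self, servers, algorithm="round-robin"):
        # servers: list of (ip, weight). Weight 2 gets twice the sessions of weight 1.
        self.servers = {ip: {"weight": w, "sessions": 0, "available": True}
                        for ip, w in servers}
        self.algorithm = algorithm
        # Weighted round-robin: each server appears `weight` times in the rotation.
        self._rotation = itertools.cycle([ip for ip, w in servers for _ in range(w)])
        self.sticky = {}  # (src_ip, dst_ip) -> (server_ip, expires_at)

    def set_available(self, ip, available):
        # Stand-in for the TCP SYN probe: no reply or a TCP reset marks the server unavailable.
        self.servers[ip]["available"] = available

    def new_session(self, src_ip, dst_ip, now):
        """Return the server chosen for a new session, or None if none is available."""
        key = (src_ip, dst_ip)
        if key in self.sticky:
            ip, expires = self.sticky[key]
            if now < expires and self.servers[ip]["available"]:
                self.sticky[key] = (ip, now + STICKY_SECONDS)  # new connection extends expiry
                self.servers[ip]["sessions"] += 1
                return ip
        candidates = [ip for ip, s in self.servers.items() if s["available"]]
        if not candidates:
            return None
        if self.algorithm == "round-robin":
            ip = next(self._rotation)
            while ip not in candidates:  # skip servers the probe removed from service
                ip = next(self._rotation)
        else:
            # Least connection: only sessions opened through this device are known.
            # Assumption: weight scales the count, so a weight-2 server looks half as busy.
            ip = min(candidates,
                     key=lambda s: self.servers[s]["sessions"] / self.servers[s]["weight"])
        self.servers[ip]["sessions"] += 1
        self.sticky[key] = (ip, now + STICKY_SECONDS)
        return ip

    def end_session(self, ip):
        # Called when a session through the device closes; keeps the count accurate.
        self.servers[ip]["sessions"] -= 1
```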

Add a Server Load Balancing SNAT Action

In Fireware Web UI, before you can configure a policy to use server load balancing, you must define the server load balancing details in an SNAT action.

In Policy Manager, you can create a server load balancing SNAT action and then add it to a policy, or you can create the server load balancing SNAT action from within the policy configuration.

Add a Server Load Balancing SNAT Action to a Policy

After you define a server load balancing SNAT action, you can use it in one or more policies.

Edit or Remove a Server Load Balancing SNAT Action

You can edit an SNAT action from the SNAT action list.

In Policy Manager, you can also edit an SNAT action when you edit a policy.

You can remove any SNAT action that is not used by a policy.

See Also 

Configure Static NAT
