Configure Server Load Balancing
To use the server load balancing feature, you must have an XTM 5 Series, 8 Series, or XTM 1050 device and Fireware XTM with a Pro upgrade.
The server load balancing feature in Fireware XTM is designed to help you increase the scalability and performance of a high-traffic network with multiple public servers. With server load balancing, you can enable the XTM device to control the number of sessions initiated to as many as 10 servers for each firewall policy you configure. The XTM device controls the load based on the number of sessions in use on each server. The XTM device does not measure or compare the bandwidth that is used by each server.
You configure server load balancing as an SNAT action. The XTM device can balance connections among your servers with two different algorithms. When you configure server load balancing, you must choose the algorithm you want the XTM device to apply.
Round-robin
If you select this option, the XTM device distributes incoming sessions among the servers you specify in the policy in round-robin order. The first connection is sent to the first server specified in your policy. The next connection is sent to the next server in your policy, and so on.
Least Connection
If you select this option, the XTM device sends each new session to the server in the list that currently has the lowest number of open connections to the device. The XTM device cannot tell how many connections the server has open on other interfaces.
You can add any number of servers to a server load balancing action. You can also add a weight to each server to make sure that your most powerful servers are given the heaviest load. By default, each server has a weight of 1. The weight refers to the proportion of load that the XTM device sends to a server. If you assign a weight of 2 to a server, you double the number of sessions that the XTM device sends to that server, compared to a server with a weight of 1.
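The following model of the two methods and of server weights is an added example, not WatchGuard code. The server addresses, the weights, and the way a weight is applied inside each method (extra rotation slots for round-robin, open sessions divided by weight for least connection) are assumptions made for illustration. It shows that both methods honor a 2:1:1 weighting, and that only Least Connection reacts when some sessions stay open longer than others.

```python
# Added illustration (not WatchGuard code). IPs and weights are constructed.
class Balancer:
    def __init__(self, members, method):
        self.members = dict(members)           # {internal_ip: weight}; default weight is 1
        self.method = method                   # "round-robin" or "least-connection"
        self.open = {ip: 0 for ip in members}  # sessions open through the device
        # Assumption: a server of weight w gets w slots in each rotation.
        self.rotation = [ip for ip, w in self.members.items() for _ in range(w)]
        self.slot = 0

    def new_session(self):
        if self.method == "round-robin":
            # List order only; open-session counts are ignored.
            ip = self.rotation[self.slot % len(self.rotation)]
            self.slot += 1
        else:
            # Assumption: weight scales the count, so a weight of 2 tolerates
            # twice the open sessions before another server is preferred.
            ip = min(self.members, key=lambda s: self.open[s] / self.members[s])
        self.open[ip] += 1
        return ip

    def close_session(self, ip):
        self.open[ip] -= 1


def simulate(method, members, sessions, short_every=0):
    """Open `sessions` sessions and return the sessions still open per server.

    If short_every is n > 0, every nth session closes before the next arrives;
    all other sessions stay open.
    """
    lb = Balancer(members, method)
    for i in range(1, sessions + 1):
        ip = lb.new_session()
        if short_every and i % short_every == 0:
            lb.close_session(ip)
    return dict(lb.open)


WEIGHTED = {"10.0.1.10": 2, "10.0.1.11": 1, "10.0.1.12": 1}
EQUAL = {"10.0.1.10": 1, "10.0.1.11": 1}

if __name__ == "__main__":
    for method in ("round-robin", "least-connection"):
        print(method, "weighted:", simulate(method, WEIGHTED, 400))
        print(method, "mixed durations:", simulate(method, EQUAL, 100, short_every=2))
```

In the mixed-duration run, round-robin leaves every long-lived session on the first server, while least connection splits them evenly.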
When you configure server load balancing, it is important to know:
- You can configure server load balancing for any policy to which you can apply static NAT.
- If you apply server load balancing to a policy, you cannot set policy-based routing or other NAT rules in the same policy.
- The XTM device does not modify the sender, or source IP address, of traffic sent to these devices. While the traffic is sent directly from the XTM device, each device that is part of your server load balancing configuration sees the original source IP address of the network traffic.
- If you use server load balancing in an active/passive FireCluster configuration, real-time synchronization does not occur between the cluster members when a failover event occurs. When the passive backup master becomes the active cluster master, it sends connections to all servers in the server load balancing list to see which servers are available. It then applies the server load balancing algorithm to all available servers.
- If you use server load balancing for connections to a group of RDP servers, you must configure the firewall on each RDP server to allow ICMP requests from the XTM device.
Add a Server Load Balancing SNAT Action
Before you can configure a policy to use server load balancing, you must define the server load balancing in an SNAT action. After you define a Server Load Balancing SNAT action, you can use it in one or more policies.
- Select Firewall > SNAT.
The SNAT page appears.
- Click Add.
The Add SNAT page appears.
- In the Name text box, type a name for this action. Optionally, type a Description.
- Select the Server Load Balancing radio button to configure a Server Load Balancing SNAT action.
- From the External IP address drop-down list, select the external IP address or alias you want to use in this server load balancing action.
For example, you can have the XTM device apply server load balancing for this action to packets received on only one external IP address. Or, you can have the XTM device apply server load balancing for packets received on any external IP address if you select the Any-External alias.
- From the Method drop-down list, select the algorithm you want the XTM device to use for server load balancing: Round-robin or Least Connection.
- Click Add to add the IP address of an internal server to this action.
The Add Member dialog box appears.
- In the Internal IP Address text box, type the IP address of the server to add.
- In the Weight text box, select the weight for this server for load balancing.
- If necessary, select the Set internal port to a different port check box. This enables port address translation (PAT).
This feature enables you to change the packet destination not only to a specified internal host but also to a different port. If you select this check box, type the port number or click the up or down arrow to select the port you want to use.
If you use static NAT in a policy that allows traffic that does not have ports (traffic other than TCP or UDP), the internal port setting is not used for that traffic.
- Click OK.
The server is added to the Server Load Balance Members for this action.
- Click Add to add another server to this action.
- To set sticky connections for your internal servers, select the Enable sticky connection check box and set the time period in the Enable sticky connection text box and drop-down list.
A sticky connection is a connection that continues to use the same server for a defined period of time. Stickiness makes sure that all packets between a source and destination address pair are sent to the same server for the time period you specify.
- Click Save.
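The sticky connection setting from the procedure above can be modeled as a table keyed on the source and destination address pair. This is an added example, not WatchGuard code: the addresses, the one-hour period, the round-robin stand-in for the configured method, and the assumption that the period runs from the moment a pair is first assigned are all constructed for illustration. It shows the capacity effect to plan for when many clients share one source address.

```python
# Added illustration (not WatchGuard code). Addresses and timings are constructed.
from itertools import cycle


class StickyTable:
    def __init__(self, servers, sticky_seconds):
        self.pick = cycle(servers)   # stand-in for the configured method
        self.ttl = sticky_seconds    # 0 models "sticky connection disabled"
        self.entries = {}            # (src_ip, dst_ip) -> (server, expires_at)

    def route(self, src_ip, dst_ip, now):
        key = (src_ip, dst_ip)
        entry = self.entries.get(key)
        if entry and now < entry[1]:
            return entry[0]          # still sticky: the method is not consulted
        server = next(self.pick)
        # Assumption: the period runs from the moment the pair is assigned.
        self.entries[key] = (server, now + self.ttl)
        return server


def load_per_server(servers, sticky_seconds, sessions):
    """sessions: iterable of (time, src_ip, dst_ip). Returns sessions per server."""
    table = StickyTable(servers, sticky_seconds)
    load = {s: 0 for s in servers}
    for now, src, dst in sessions:
        load[table.route(src, dst, now)] += 1
    return load


EXTERNAL_IP = "203.0.113.10"
SERVERS = ["10.0.1.10", "10.0.1.11", "10.0.1.12"]
# One busy source address (for example, a site behind a single NAT address)
# opens 90 sessions, followed by 9 other sources that open one session each.
SESSIONS = [(t, "198.51.100.7", EXTERNAL_IP) for t in range(90)]
SESSIONS += [(90 + i, f"192.0.2.{i + 1}", EXTERNAL_IP) for i in range(9)]

if __name__ == "__main__":
    print("sticky 1 hour:", load_per_server(SERVERS, 3600, SESSIONS))
    print("sticky off:   ", load_per_server(SERVERS, 0, SESSIONS))
```

With stickiness enabled, every session from the busy source address lands on one server regardless of the balancing method, so size the sticky period with that skew in mind.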
Add a Server Load Balancing SNAT Action to a Policy
- Select Firewall > Firewall Policies. Select the policy you want to modify and click Edit.
Or, add a new policy.
- In the To section, click Add.
The Add Member dialog box appears.
- From the Member Type drop-down list, select Server Load Balancing.
The list of server load balancing actions appears.
- Select the server load balancing action to use. Click OK.
The server load balancing action is added to the To section of the policy.
- Click Save.
Edit or Remove a Server Load Balancing SNAT Action
To edit an SNAT action:
- Select Firewall > SNAT.
The SNAT page appears.
- Select an SNAT action.
- Click Edit.
The Edit SNAT page appears.
- Modify the SNAT action.
When you edit an SNAT action, any changes you make apply to all policies that use that SNAT action.
- Click Save.
To remove an SNAT action:
- Select Firewall > SNAT.
The SNAT page appears.
- Select an SNAT action.
- Click Remove.
You cannot remove an SNAT action that is used by a policy. A confirmation dialog box appears.
- Click Yes to confirm that you want to remove the SNAT action.
See Also
Configure Static NAT