Setting Up Slb With Ip Rules - D-Link NetDefendOS User Manual

Network security firewall

Note: FwdFast rules should not be used with SLB
In order to function, SLB requires that the NetDefendOS state engine keeps track of
connections. FwdFast IP rules should not be used with SLB since packets that are
forwarded by these rules are not under state engine control.

The table below shows the rules that would be defined for a typical scenario of a set of web
servers behind the NetDefend Firewall for which the load is being balanced. Access across the
internet is via the wan interface which has the IP address wan_ip. The rules allow external clients
to access the web servers. The service is not listed.

Rule Name      Action   Src Interface  Src Network  Dest Interface  Dest Network  Service
web_slb        SLB_SAT  any            all-nets     core            wan_ip        http-all
web_slb_allow  Allow    wan            all-nets     core            wan_ip        http-all

The SLB_SAT rule has any as the source interface in case any internal clients want to access the
server (an interface group could be used to precisely specify the allowed source interfaces). If the
accessing clients are on the same network as the web servers then a NAT rule for those clients
would also be needed, as shown below:

Rule Name      Action   Src Interface  Src Network  Dest Interface  Dest Network  Service
web_slb        SLB_SAT  any            all-nets     core            wan_ip        http-all
web_slb_nat    NAT      lan            lan_net      core            wan_ip        http-all
web_slb_allow  Allow    wan            all-nets     core            wan_ip        http-all

It is assumed here that internal clients also open connections to wan_ip in order to access the
web servers and so their connections are automatically routed to core.

In the IP rules, the destination interface is always specified as core, meaning NetDefendOS itself
deals with the connection. The key advantage of having a separate Allow rule is that the web
servers can log the exact IP address that is generating external requests. Using only a NAT rule,
which is possible, means that web servers would see only the IP address of the NetDefend
Firewall.

Tip: SLB Policy objects simplify setup
In the following example, multiple IP Rule objects are used to implement SLB. These can
instead be replaced by a single IP Policy object. Doing this is described in
Section 10.4.7, "SLB Policy".

Example 10.4. Setting up SLB with IP Rules
In this example, server load balancing is performed between two HTTP web servers situated
behind the NetDefend Firewall. These web servers have the private IPv4 addresses 192.168.1.10
and 192.168.1.11. Access by external clients is via the wan interface which has the IPv4 address
wan_ip.

The default SLB values for monitoring, distribution method and stickiness are used. A NAT rule is
used in conjunction with the SLB_SAT rule so that clients behind the firewall can access the web
servers.

An Allow rule is used to allow access by external clients. Note that this example is replicated, but

Chapter 10: Traffic Management
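
The effect of these rule sets on what a web server logs can be traced with a small model, added here as an illustration and not taken from the manual or from NetDefendOS. It assumes that a matching SLB_SAT rule records the translation and the lookup continues to the first matching Allow, NAT or FwdFast rule; the addresses for lan_net and the firewall's lan interface, and the names source_seen_by_server and lint, are constructed for the example.

```python
import ipaddress
from typing import NamedTuple

# Constructed addressing: the page names these objects but gives no values.
NETS = {"all-nets": ipaddress.ip_network("0.0.0.0/0"),
        "lan_net": ipaddress.ip_network("192.168.1.0/24")}
FIREWALL_LAN_IP = "192.168.1.1"  # constructed; source address after NAT

class Rule(NamedTuple):
    name: str
    action: str   # SLB_SAT, NAT, Allow or FwdFast
    src_if: str
    src_net: str  # every rule: destination core/wan_ip, service http-all

# The three-rule table from the page.
RULES = [Rule("web_slb", "SLB_SAT", "any", "all-nets"),
         Rule("web_slb_nat", "NAT", "lan", "lan_net"),
         Rule("web_slb_allow", "Allow", "wan", "all-nets")]

def matches(rule, src_if, src_ip):
    return (rule.src_if in ("any", src_if)
            and ipaddress.ip_address(src_ip) in NETS[rule.src_net])

def source_seen_by_server(rules, src_if, src_ip):
    """Return (deciding rule, source IP a web server logs), or None if
    the connection never reaches a balanced server."""
    translated = False
    for rule in rules:
        if not matches(rule, src_if, src_ip):
            continue
        if rule.action == "SLB_SAT":
            translated = True  # assumption: lookup continues after SLB_SAT
        elif rule.action == "FwdFast" or not translated:
            return None        # stateless or untranslated: no SLB
        else:
            seen = FIREWALL_LAN_IP if rule.action == "NAT" else src_ip
            return rule.name, seen
    return None

def lint(rules):
    """Flag rule sets that contradict the page's guidance."""
    if not any(r.action == "SLB_SAT" for r in rules):
        return []
    warnings = [f"{r.name}: FwdFast should not be used with SLB"
                for r in rules if r.action == "FwdFast"]
    if not any(r.action in ("Allow", "NAT") for r in rules):
        warnings.append("SLB_SAT has no Allow or NAT rule admitting traffic")
    return warnings
```

With the two-rule table a client on lan is not admitted at all, and with a NAT-only rule set external clients appear to the servers under the firewall's address.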
