D-Link 210 Network Router User Manual


 
10.4.6. Setting Up SLB_SAT Rules
The key components in setting up SLB are IP rules that have SLB_SAT as the action. The steps that
should be followed for setting up such rules are:
1. Define an IP address object for each server for which SLB is to be enabled.
2. Define an IP address group object which includes all these individual objects.
3. Define an SLB_SAT rule in the IP rule set which refers to this IP address group and where all
other SLB parameters are defined.
4. Define a further rule that duplicates the source/destination interface/network of the SLB_SAT
rule that permits the traffic through. This could be one rule or a combination of rules using the
actions:
   - Allow
   - NAT
Note: FwdFast rules should not be used with SLB
In order to function, SLB requires that the NetDefendOS state engine keeps track of
connections. FwdFast IP rules should not be used with SLB since packets that are
forwarded by these rules are not under state engine control.
The table below shows the rules that would be defined for a typical scenario of a set of webservers
behind the NetDefend Firewall for which the load is being balanced. The Allow rule allows external
clients to access the webservers.
Rule Name     Rule Type   Src Interface   Src Network   Dest Interface   Dest Network
WEB_SLB       SLB_SAT     any             all-nets      core             ip_ext
WEB_SLB_ALW   Allow       any             all-nets      core             ip_ext
If there are clients on the same network as the webservers that also need access to those webservers
then a NAT rule would also be used:
Rule Name     Rule Type   Src Interface   Src Network   Dest Interface   Dest Network
WEB_SLB       SLB_SAT     any             all-nets      core             ip_ext
WEB_SLB_NAT   NAT         lan             lannet        core             ip_ext
WEB_SLB_ALW   Allow       any             all-nets      core             ip_ext
Note that the destination interface is specified as core, meaning NetDefendOS itself deals with this.
The key advantage of having a separate Allow rule is that the webservers can log the exact IP
address that is generating external requests. Using only a NAT rule, which is possible, means that
webservers would see only the IP address of the NetDefend Firewall.
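A configuration check for the rules above, as an added example (not from the manual and not NetDefendOS code): it walks an ordered rule list and reports an SLB_SAT rule with no later Allow/NAT rule duplicating its filter, one covered by NAT only, or a FwdFast rule with the same destination. The Rule tuple, lint_slb and matching by exact field equality are assumptions of this example, and both sample rule sets are constructed.

```python
from collections import namedtuple

# Columns follow the manual's rule tables.
Rule = namedtuple("Rule", "name action src_if src_net dst_if dst_net")

def lint_slb(rules):
    """Check an ordered rule list against the SLB_SAT setup steps; return findings."""
    findings = []
    for i, slb in enumerate(rules):
        if slb.action != "SLB_SAT":
            continue
        flt, dst = slb[2:], slb[4:]  # full filter, and (dst_if, dst_net)
        # Step 4: a later Allow/NAT rule must duplicate the SLB_SAT filter.
        # Assumption: exact field equality stands in for real rule matching.
        twins = [r.action for r in rules[i + 1:]
                 if r[2:] == flt and r.action in ("Allow", "NAT")]
        if not twins:
            findings.append(f"{slb.name}: no Allow/NAT rule duplicates its filter")
        elif "Allow" not in twins:
            findings.append(f"{slb.name}: NAT only, servers log the firewall's "
                            "address instead of the client's")
        # SLB needs state-engine connection tracking, so FwdFast must not
        # carry traffic to the same destination.
        for r in rules:
            if r.action == "FwdFast" and r[4:] == dst:
                findings.append(f"{slb.name}: FwdFast rule {r.name} has the "
                                "same destination")
    return findings

# Constructed samples: GOOD is the manual's second table, BAD is a made-up
# misconfiguration (hypothetical rule names).
GOOD = [
    Rule("WEB_SLB", "SLB_SAT", "any", "all-nets", "core", "ip_ext"),
    Rule("WEB_SLB_NAT", "NAT", "lan", "lannet", "core", "ip_ext"),
    Rule("WEB_SLB_ALW", "Allow", "any", "all-nets", "core", "ip_ext"),
]
BAD = [
    Rule("WEB_FAST", "FwdFast", "lan", "lannet", "core", "ip_ext"),
    Rule("WEB_SLB", "SLB_SAT", "any", "all-nets", "core", "ip_ext"),
    Rule("WEB_SLB_NAT", "NAT", "any", "all-nets", "core", "ip_ext"),
]

if __name__ == "__main__":
    for label, rule_set in (("GOOD", GOOD), ("BAD", BAD)):
        print(label, lint_slb(rule_set) or "ok")
```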
Example 10.3. Setting up SLB
In this example server load balancing is to be done between 2 HTTP webservers which are situated behind the
NetDefend Firewall. The 2 webservers have the private IP addresses 192.168.1.10 and 192.168.1.11
respectively. The default SLB values for monitoring, distribution method and stickiness are used.
A NAT rule is used in conjunction with the SLB_SAT rule so that clients behind the firewall can access the
webservers. An Allow rule is used to allow access by external clients.