Firewall Load Balancing


Academic year: 2021


Juniper Networks, Inc. 1194 North Mathilda Avenue Sunnyvale, California 94089

Table of Contents

1. Application Note topic – FWLB
2. How the DX-FWLB technically works
3. How to configure the DX-FWLB
3.1. How to configure the DX-FWLB for non-transparent firewalls
3.1.1. Sandwich mode
3.1.2. 1 DX mode
3.2. How to configure the DX-FWLB for non-transparent firewalls with many interfaces
3.2.1. Sandwich mode
3.2.2. 1 DX mode
3.3. How to configure the DX-FWLB for transparent firewalls
3.3.1. Sandwich mode
3.3.2. 1 DX mode
3.4. How to configure the DX-FWLB for transparent and non-transparent devices
3.5. How to configure the DX-FWLB in an environment with multiple Internet accesses
4. DX-FWLB status and stats / Troubleshooting
4.1. DX-FWLB status
4.2. DX-FWLB Group devices status
4.3. DX-FWLB stats
4.4. DX-FWLB sessions entries

1. Application Note topic – FWLB

Firewall Load Balancing (FWLB) provides load balancing and high availability for transparent and non-transparent firewalls. The DX supports both integrations:

• Sandwich mode: a DX behind each firewall interface
• 1 DX mode: the same DX connected to all the firewall interfaces

In addition, this feature provides load balancing and high availability for other transparent devices such as IDP (Intrusion Detection and Prevention) devices.

Finally, the DX-FWLB capabilities allow the DX to be integrated in an environment with multiple Internet accesses. In such an environment, the DX always replies to clients over the same path they initially used.

This Appnote describes:

• How the DX-FWLB technically works
• How to configure the DX-FWLB
o for non-transparent firewalls
o for non-transparent firewalls with many interfaces
o for transparent firewalls
o for transparent and non-transparent devices
o in an environment with multiple Internet accesses
• DX-FWLB status and stats / Troubleshooting

2. How the DX-FWLB technically works

The DX-FWLB provides mainly two new capabilities:

1. Load balance any traffic received to multiple devices (firewalls, IDP, routers, …)

The DX load balances any IP traffic.

When an IP packet reaches the DX, the DX checks whether the packet matches a FWLB-VIP.

Technical Note: If the packet matches multiple FWLB-VIPs, the DX selects the most precise one.

The DX-FWLB manages a FWLB table. Each entry is composed of "Sce-IP" + "Dest-IP" + "Device" + "Aging-Time".

When traffic matches a DX-FWLB-VIP, the DX checks whether the "Sce-IP" + "Dest-IP" pair exists in its FWLB table.

If not, the DX selects one of the available devices, creates a new entry and forwards the traffic to that device.

If an entry already exists, the DX updates the "Aging-Time" and forwards the traffic to the device mentioned in the entry.

2. Send the responses received back over the same path used by the incoming traffic

Technical Note:

When traffic comes from one of the devices, the DX checks whether an entry exists in its FWLB table. If not, the DX creates a new entry and forwards the traffic to the destination.

If an entry already exists, the DX updates the "Aging-Time" and forwards the traffic to the destination.

When the server replies, the case is similar to the one above. The DX checks whether the "Sce-IP" + "Dest-IP" pair exists in its FWLB table, finds it and sends the reply to the device mentioned in the entry.
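The table logic described above, as an added Python model (not Juniper's code, and not part of the original appnote). The two groups are the DX-Internal groups from section 3.2.1, the 1800 s timeout is the Session Timeout default given later in this appnote, and the target hosts come from its CLI sample; round-robin selection, matching the address pair in either direction, and the client/server addresses are assumptions of this example. Calling `demo()` walks a reply back through the firewall that carried the request.

```python
import ipaddress
from dataclasses import dataclass, field

SESSION_TIMEOUT = 1800  # seconds: the appnote's default Session Timeout

@dataclass
class Group:
    """One FWLB group (FWLB-VIP): a listen network on an interface plus target devices."""
    name: str
    listen: str                               # CIDR form of Listen Address + Listen Netmask
    interface: str
    targets: list
    down: set = field(default_factory=set)    # targets currently failing health checks
    cursor: int = 0                           # round-robin position (assumed policy)

    def pick(self):
        for _ in self.targets:
            device = self.targets[self.cursor % len(self.targets)]
            self.cursor += 1
            if device not in self.down:
                return device
        return None                           # every target is down

class FwlbTable:
    """Model of the FWLB table: (Sce-IP, Dest-IP) -> [Device, last-seen time]."""
    def __init__(self, groups, timeout=SESSION_TIMEOUT):
        self.groups, self.timeout, self.entries = groups, timeout, {}

    @staticmethod
    def key(src_ip, dst_ip):
        # Assumption: the pair matches in either direction, so a reply finds the request's entry.
        return frozenset((src_ip, dst_ip))

    def match_group(self, interface, dst_ip):
        """Return the most specific FWLB-VIP on this interface that covers dst_ip."""
        dst = ipaddress.ip_address(dst_ip)
        hits = [g for g in self.groups
                if g.interface == interface and dst in ipaddress.ip_network(g.listen)]
        return max(hits, key=lambda g: ipaddress.ip_network(g.listen).prefixlen, default=None)

    def expire(self, now):
        """Drop entries idle for longer than the session timeout; return how many."""
        stale = [k for k, (_, seen) in self.entries.items() if now - seen > self.timeout]
        for k in stale:
            del self.entries[k]
        return len(stale)

    def to_device(self, interface, src_ip, dst_ip, now):
        """Traffic hitting a FWLB-VIP: reuse the recorded device or select a new one."""
        self.expire(now)
        group = self.match_group(interface, dst_ip)
        if group is None:
            return None                       # not FWLB traffic
        key = self.key(src_ip, dst_ip)
        if key not in self.entries:
            device = group.pick()
            if device is None:
                return None                   # no available device
            self.entries[key] = [device, now]
        self.entries[key][1] = now            # refresh Aging-Time
        return self.entries[key][0]

    def from_device(self, device, src_ip, dst_ip, now):
        """Traffic delivered by a device: record which device carried it."""
        self.expire(now)
        entry = self.entries.setdefault(self.key(src_ip, dst_ip), [device, now])
        entry[1] = now
        return entry[0]

def demo():
    fw1, fw2 = "20.80.80.40", "20.80.80.41"          # target hosts from the appnote's CLI sample
    dx = FwlbTable([
        Group("Internal-External", "0.0.0.0/0", "ether1", [fw1, fw2]),
        Group("Internal-Management", "10.80.82.0/24", "ether1", [fw1, fw2]),
    ])
    client, server = "198.51.100.7", "10.80.81.10"   # constructed addresses
    dx.from_device(fw2, client, server, now=0)       # request arrived through FW2
    return {
        "reply_via": dx.to_device("ether1", server, client, now=1),
        "mgmt_group": dx.match_group("ether1", "10.80.82.5").name,
        "new_flow_via": dx.to_device("ether1", "10.80.81.20", "10.80.82.5", now=2),
        "expired_at_1802": dx.expire(1802),
    }
```

The reply leaves through 20.80.80.41 even though round-robin would have picked 20.80.80.40 first, which is the behaviour that keeps a stateful firewall seeing both directions of a flow.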

Two different DX-FWLB integrations can be done:

1. Sandwich mode

A DX behind each device interface.

2. 1 DX mode

The same DX connected to all the device interfaces.

Note: For DX high availability, that's a pair of DX.

Important Note:

The DX-FWLB is available on every DX license and was added in release 5.3.

The DX-FWLB can be mixed with all other DX features:

• Clusters, Forwarder, Redirector, SLB, GSLB.

But the following features can't be used with any DX-FWLB mode:

• Active/Active or ActiveN configuration

3. How to configure the DX-FWLB

As explained in the introduction, the DX-FWLB provides load balancing and high availability for different devices.

Here are the most popular devices with the DX-FWLB:

3.1. How to configure the DX-FWLB for non-transparent firewalls

Multiple non-transparent firewalls are load balanced by the DX, which also checks their availability. This chapter covers firewalls with 2 interfaces. Firewalls with more than two interfaces are covered in the following section.

DX-FWLB-VIP also supports firewalls with VPN and/or NAT.

3.1.1. Sandwich mode

The configuration can be done in WebUI and CLI. This document covers only WebUI.

DX-External

Enable DX-FWLB

Create DX-FWLB-VIP for traffic from External to Any

o In "Services" – "Firewall Load Balancer" – "FWLB Groups" Create a "New FWLB Group" with the settings:

General:

• Name: External
• Listen Address / Port: 0.0.0.0:0 (0.0.0.0:0/0 means Any)
• Listen Netmask: 0.0.0.0
• Listen Interface: ether0 (the interface on which the external traffic reaches the DX-External)
• Listen VLAN: 0 (0 means no VLAN is set up on that interface. If the selected interface has VLANs, specify the VLAN where the external side is connected)

Traffic received on the DX-External external interface with destination Any hits the FWLB-VIP.

Target Hosts:

• Target Host Type: Non Transparent
• FW1-ext IP
• FW2-ext IP
• …

Health Checking:

• Health Check IP: The DX-Internal IP address (or floating VIP if DX-Internal is in failover mode)

Note: The DX-External checks the firewall by sending a ping through it up to the DX-Internal, so both firewall interfaces and the firewall engine are validated. Don't forget to authorize that ICMP traffic from the External to the DX-Internal.

Save:

DX-Internal

Enable DX-FWLB

o In "Services" – "Firewall Load Balancer" – "Default FWLB Settings"

Create DX-FWLB-VIP for traffic from Internal to Any

o In "Services" – "Firewall Load Balancer" – "FWLB Groups" Create a "New FWLB Group" with the settings:

General:

• Name: Internal

• Listen Address / Port: 0.0.0.0:0 (0.0.0.0:0/0 means Any)
• Listen Netmask: 0.0.0.0
• Listen Interface: ether1 (the interface on which the internal traffic reaches the DX-Internal)
• Listen VLAN: 0 (0 means no VLAN is set up on that interface. If the selected interface has VLANs, specify the VLAN where the internal side is connected)

Traffic received on the DX-Internal internal interface with destination Any hits the FWLB-VIP.

Target Hosts:

• Target Host Type: Non Transparent
• FW1-int IP
• FW2-int IP
• …

Load Balancing (the default settings are usually good):

Health Checking:

• Health Check IP: The DX-External IP address (or floating VIP if DX-External is in failover mode).

Note: The Internal checks the firewall by sending a ping through it up to the DX-External, so both firewall interfaces and the firewall engine are validated. Don't forget to authorize that ICMP traffic from the DX-Internal to the DX-External.

3.1.2. 1 DX mode

The configuration can be done in WebUI and CLI. This document covers only WebUI.

DX

Enable DX-FWLB

Same as "3.1.1 – DX-External"

Create DX-FWLB-VIP for traffic from External to Any

Same as "3.1.1 – DX-External"

Note about the health checking: In 1 DX mode, the DX pings its opposite IP (or floating VIP) from its external interface. This ping is sent through all firewalls.

Create DX-FWLB-VIP for traffic from Internal to Any

Same as "3.1.1 – DX-Internal"

Note about the health checking: In 1 DX mode, the DX pings its opposite IP (or floating VIP) from its external interface. This ping is sent through all firewalls.

3.2. How to configure the DX-FWLB for non-transparent firewalls with many interfaces

In Sandwich mode, this requires a DX (or a DX pair for DX availability) per firewall interface.

In 1 DX mode, this requires a single DX (or a DX pair for DX availability) whatever the number of firewall interfaces.

DX-FWLB-VIP also supports firewalls with VPN and/or NAT.

3.2.1. Sandwich mode

The configuration can be done in WebUI and CLI. This document covers only WebUI.

DX-External

Enable DX-FWLB

Create DX-FWLB-VIP for traffic from External to Internal

o In "Services" – "Firewall Load Balancer" – "FWLB Groups" Create a "New FWLB Group" with the settings:

General:

• Name: External-Internal
• Listen Address / Port: 10.80.81.0:0
• Listen Netmask: 255.255.255.0
• Listen Interface: ether0 (the interface on which the external traffic reaches the DX-External)
• Listen VLAN: 0 (0 means no VLAN is set up on that interface. If the selected interface has VLANs, specify the VLAN where the external side is connected)

Traffic received on the DX-External external interface with destination Internal hits the FWLB-VIP.

Target Hosts:

• Target Host Type: Non Transparent
• FW1-ext IP
• FW2-ext IP
• …

Health Checking:

• Health Check IP: The DX-Internal IP address (or floating VIP if DX-Internal is in failover mode)

Note: The DX-External checks the firewall by sending a ping through it up to the DX-Internal, so both firewall interfaces and the firewall engine are validated. Don't forget to authorize that ICMP traffic from the External to the DX-Internal.

Save:

Create DX-FWLB-VIP for traffic from External to Management

o In "Services" – "Firewall Load Balancer" – "FWLB Groups" Create a "New FWLB Group" with the settings:

General:

• Name: External-Management
• Listen Address / Port: 10.80.82.0:0
• Listen Netmask: 255.255.255.0
• Listen Interface: ether0 (the interface on which the external traffic reaches the DX-External)
• Listen VLAN: 0 (0 means no VLAN is set up on that interface. If the selected interface has VLANs, specify the VLAN where the external side is connected)

Traffic received on the DX-External external interface with destination Management hits the FWLB-VIP.

Target Hosts:

• Target Host Type: Non Transparent
• FW1-ext IP
• FW2-ext IP
• …

Load Balancing (the default settings are usually good):

Health Checking:

• Health Check IP: The Management IP address (or floating VIP if DX-Management is in failover mode)

Note: The DX-External checks the firewall by sending a ping through it up to the DX-Management, so both firewall interfaces and the firewall engine are validated. Don't forget to authorize that ICMP traffic from the External to the DX-Management.

DX-Internal

Enable DX-FWLB

o In "Services" – "Firewall Load Balancer" – "Default FWLB Settings"

Create DX-FWLB-VIP for traffic from Internal to External

o In "Services" – "Firewall Load Balancer" – "FWLB Groups" Create a "New FWLB Group" with the settings:

General:

• Name: Internal-External

• Listen Address / Port: 0.0.0.0:0 (0.0.0.0:0/0 means Any)
• Listen Netmask: 0.0.0.0
• Listen Interface: ether1 (the interface on which the internal traffic reaches the DX-Internal)
• Listen VLAN: 0 (0 means no VLAN is set up on that interface. If the selected interface has VLANs, specify the VLAN where the internal side is connected)

Traffic received on the DX-Internal internal interface with destination External hits the FWLB-VIP.

Target Hosts:

• Target Host Type: Non Transparent
• FW1-int IP
• FW2-int IP
• …

Load Balancing (the default settings are usually good):

Health Checking:

• Health Check IP: The DX-External IP address (or floating VIP if DX-External is in failover mode).

Note: The Internal checks the firewall by sending a ping through it up to the DX-External, so both firewall interfaces and the firewall engine are validated. Don't forget to authorize that ICMP traffic from the DX-Internal to the DX-External.

Save:

Create DX-FWLB-VIP for traffic from Internal to Management

o In "Services" – "Firewall Load Balancer" – "FWLB Groups" Create a "New FWLB Group" with the settings:

General:

• Name: Internal-Management
• Listen Address / Port: 10.80.82.0:0
• Listen Netmask: 255.255.255.0
• Listen Interface: ether1 (the interface on which the internal traffic reaches the DX-Internal)
• Listen VLAN: 0 (0 means no VLAN is set up on that interface. If the selected interface has VLANs, specify the VLAN where the internal side is connected)

Traffic received on the DX-Internal internal interface with destination Management hits the FWLB-VIP.

Target Hosts:

• Target Host Type: Non Transparent
• FW1-int IP
• FW2-int IP
• …

Load Balancing (the default settings are usually good):

Health Checking:

• Health Check IP: The Management IP address (or floating VIP if DX-Management is in failover mode).

Note: The Internal checks the firewall by sending a ping through it up to the DX-Management, so both firewall interfaces and the firewall engine are validated. Don't forget to authorize that ICMP traffic from the Internal to the DX-Management.

DX-Management

Enable DX-FWLB

o In "Services" – "Firewall Load Balancer" – "Default FWLB Settings"

Create DX-FWLB-VIP for traffic from Management to External

o In "Services" – "Firewall Load Balancer" – "FWLB Groups" Create a "New FWLB Group" with the settings:

General:

• Name: Management-External

• Listen Address / Port: 0.0.0.0:0 (0.0.0.0:0/0 means Any)
• Listen Netmask: 0.0.0.0
• Listen Interface: ether1 (the interface on which the internal traffic reaches the DX-Management)
• Listen VLAN: 0 (0 means no VLAN is set up on that interface. If the selected interface has VLANs, specify the VLAN where the internal side is connected)

Traffic received on the DX-Management management interface with destination External hits the FWLB-VIP.

Target Hosts:

• Target Host Type: Non Transparent
• FW1-mgt IP
• FW2-mgt IP
• …

Load Balancing (the default settings are usually good):

Health Checking:

• Health Check IP: The DX-External IP address (or floating VIP if DX-External is in failover mode).

Note: The DX-Management checks the firewall by sending a ping through it up to the DX-External, so both firewall interfaces and the firewall engine are validated. Don't forget to authorize that ICMP traffic from the Management to the DX-External.

Save:

Create DX-FWLB-VIP for traffic from Management to Internal

o In "Services" – "Firewall Load Balancer" – "FWLB Groups" Create a "New FWLB Group" with the settings:

General:

• Name: Management-Internal
• Listen Address / Port: 10.80.81.0:0
• Listen Netmask: 255.255.255.0
• Listen Interface: ether1 (the interface on which the internal traffic reaches the DX-Management)
• Listen VLAN: 0 (0 means no VLAN is set up on that interface. If the selected interface has VLANs, specify the VLAN where the internal side is connected)

Traffic received on the DX-Management management interface with destination Internal hits the FWLB-VIP.

Target Hosts:

• Target Host Type: Non Transparent
• FW1-mgt IP
• FW2-mgt IP
• …

Load Balancing (the default settings are usually good):

Health Checking:

• Health Check IP: The DX-Internal IP address (or floating VIP if DX-Internal is in failover mode).

Note: The DX-Management checks the firewall by sending a ping through it up to the DX-External, so both firewall interfaces and the firewall engine are validated. Don't forget to authorize that ICMP traffic from the Management to the DX-External.

3.2.2. 1 DX mode

The configuration can be done in WebUI and CLI. This document covers only WebUI.

DX

Enable DX-FWLB

Same as "3.2.1 – DX-External"

• Enable DX-FWLB

Same as "3.1.1 – DX-External"

Create DX-FWLB-VIP for traffic from External to Management

Same as "3.1.1 – DX-External"

Create DX-FWLB-VIP for traffic from Internal to External

Same as "3.1.1 – DX-Internal"

Create DX-FWLB-VIP for traffic from Internal to Management

Same as "3.1.1 – DX-Internal"

Create DX-FWLB-VIP for traffic from Management to External

Same as "3.1.1 – DX-Management"

Create DX-FWLB-VIP for traffic from Management to Internal

3.3. How to configure the DX-FWLB for transparent firewalls

Multiple transparent firewalls are load balanced by the DX, which also checks their availability.

This chapter covers firewalls with 2 interfaces. Firewalls with more than two interfaces are handled similarly to the case detailed in the section above.

Note: Transparent firewalls have no IP address and act as a bridge.

3.3.1. Sandwich mode

DX-External

Enable DX-FWLB

o In "Services" – "Firewall Load Balancer" – "Default FWLB Settings"

Create DX-FWLB-VIP for traffic from External to Any

o In "Services" – "Firewall Load Balancer" – "FWLB Groups" Create a "New FWLB Group" with the settings:

General:

• Name: External

• Listen Address / Port: 0.0.0.0:0 (0.0.0.0:0/0 means Any)
• Listen Netmask: 0.0.0.0
• Listen Interface: ether0 (the interface on which the external traffic reaches the DX-External)
• Listen VLAN: 0 (0 means no VLAN is set up on that interface. If the selected interface has VLANs, specify the VLAN where the external side is connected)

Traffic received on the DX-External external interface with destination Any hits the FWLB-VIP.

Target Hosts:

• Target Host Type: Transparent
• DX-Internal-FW1 IP
• DX-Internal-FW2 IP
• …

Load Balancing (the default settings are usually good):

Health Checking (the default settings are usually good):

Note: The DX-External checks the firewall by sending a ping through it up to the DX-Internal, so both firewall interfaces and the firewall engine are validated. Don't forget to authorize that ICMP traffic from the External to the DX-Internal.

Save:

DX-Internal

Enable DX-FWLB


Create DX-FWLB-VIP for traffic from Internal to Any

o In "Services" – "Firewall Load Balancer" – "FWLB Groups" Create a "New FWLB Group" with the settings:

General:

• Name: Internal

• Listen Address / Port: 0.0.0.0:0 (0.0.0.0:0/0 means Any)
• Listen Netmask: 0.0.0.0
• Listen Interface: ether0 (the interface on which the internal traffic reaches the DX-Internal)
• Listen VLAN: 0 (0 means no VLAN is set up on that interface. If the selected interface has VLANs, specify the VLAN where the internal side is connected)

Traffic received on the DX-Internal internal interface with destination Any hits the FWLB-VIP.

Target Hosts:

• Target Host Type: Transparent
• DX-Internal-FW1-IP
• DX-Internal-FW2-IP
• …

Health Checking (the default settings are usually good):

Note: The Internal checks the firewall by sending a ping through it up to the DX-Internal, so both firewall interfaces and the firewall engine are validated. Don't forget to authorize that ICMP traffic from the DX-External to the DX-Internal.

Save:

3.3.2. 1 DX mode

3.4. How to configure the DX-FWLB for transparent and non-transparent devices

As with non-transparent and transparent firewalls, the DX can provide load balancing and high availability for any transparent device, such as IDP, VPN, …, and the configuration is the same.

The configuration is strictly identical to the chapter "How to configure the DX-FWLB for non-transparent firewalls" for devices acting as a router and "How to configure the DX-FWLB for transparent firewalls" for devices acting as a bridge.

3.5. How to configure the DX-FWLB in an environment with multiple Internet accesses

In datacenters with multiple Internet accesses, the DX usually has to reply to the clients via the same path. The DX-FWLB capabilities meet this requirement.

[Figure: a DX behind two Routers/FWs, each with its own Internet access; networks 64.50.21.0/24 (.1) and 72.41.35.0/24 (.1)]

DX

Enable DX-FWLB

o In "Services" – "Firewall Load Balancer" – "Default FWLB Settings"

Create DX-FWLB-VIP for traffic from Internal to Any

o In "Services" – "Firewall Load Balancer" – "FWLB Groups" Create a "New FWLB Group" with the settings:

General:

• Name: Internal

• Listen Address / Port: 0.0.0.0:0 (0.0.0.0:0/0 means Any)
• Listen Netmask: 0.0.0.0
• Listen Interface: ether1 (the interface on which the internal traffic reaches the DX)
• Listen VLAN: 0 (0 means no VLAN is set up on that interface. If the selected interface has VLANs, specify the VLAN where the internal side is connected)

Traffic received on the DX-Internal internal interface with destination Any hits the FWLB-VIP.

Target Hosts:

• Target Host Type: Transparent
• Router/FW1-int IP
• Router/FW2-int IP
• …

Load Balancing (the default settings are usually good):

Health Checking (the default settings are usually good):

Note: The DX checks the router/firewall by sending a ping to it.

4. DX-FWLB status and stats / Troubleshooting

4.1. DX-FWLB status

This can be done via CLI only.

In CLI: "show fwlb status"

dx-107-1% show fwlb status
FWLB: up (failover: Master)

4.2. DX-FWLB Group devices status

This can be done via CLI only.

In CLI: "show fwlb group <group-name> target host all"

dx-107-1% show fwlb group 84 target host all
Target Host: 20.80.80.40 Weight: 1 Max Connections: 0 Status: up
Target Host: 20.80.80.41 Weight: 1 Max Connections: 0 Status: up

4.3. DX-FWLB stats

The stats are available per FWLB group. This can be done via CLI only.

In CLI: "show fwlb group <group-name> stats"

dx-107-1% show fwlb group 84 stats
---
FWLB Basic stats for group 84
---
Bytes from Firewall   : 14,650,048 (13.97 MB)
Packets from Firewall : 19,718 (19.71 K)
Bytes to Firewall     : 899,844 (878.75 KB)
Packets to Firewall   : 19,170 (19.17 K)
Total Active sessions : 0

4.4. DX-FWLB sessions entries

The FWLB sessions entries are available per group. This can be done via CLI only.

In CLI: "show fwlb group <group-name> session"

dx-107-1% show fwlb group 84 session
Total sessions: 2

Session Table

DIRECTION: 1 - Forward; 2 - Reverse; 3 - Both

SRC IP          DST IP          SERVER        DIR  IDLE
======================================================================
172.24.90.145   10.80.84.252    20.80.80.40   3    0
172.24.146.37   10.80.84.252    20.80.80.41   3    2
======================================================================
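For troubleshooting, a session dump in this format can be parsed and checked offline. The following Python is an added example, not Juniper tooling: the column layout is taken from the sample above, the third row and the "Total sessions: 3" line are constructed, and treating a session seen in only one direction as worth a second look is this example's assumption rather than a statement from the appnote.

```python
import re
from collections import Counter

DIRECTION = {"1": "forward", "2": "reverse", "3": "both"}   # legend printed by the DX
IPV4 = r"(\d{1,3}(?:\.\d{1,3}){3})"
ROW = re.compile(rf"^{IPV4}\s+{IPV4}\s+{IPV4}\s+([123])\s+(\d+)$")

# Constructed capture: the first two rows are the appnote's sample; the third row
# and the "Total sessions: 3" line are made up to exercise the checks.
SAMPLE = """\
dx-107-1% show fwlb group 84 session
Total sessions: 3
Session Table
DIRECTION: 1 - Forward; 2 - Reverse; 3 - Both
SRC IP          DST IP          SERVER        DIR  IDLE
======================================================================
172.24.90.145   10.80.84.252    20.80.80.40   3    0
172.24.146.37   10.80.84.252    20.80.80.41   3    2
172.24.146.99   10.80.84.252    20.80.80.41   1    45
======================================================================
"""


def parse_sessions(text):
    """Return one dict per session row; prompt, legend, header and rule lines are skipped."""
    rows = []
    for line in text.splitlines():
        m = ROW.match(line.strip())
        if m:
            src, dst, server, direction, idle = m.groups()
            rows.append({"src": src, "dst": dst, "server": server,
                         "dir": DIRECTION[direction], "idle": int(idle)})
    return rows


def review(text):
    """Summarise a session dump: load per device and entries worth a second look."""
    rows = parse_sessions(text)
    declared = re.search(r"Total sessions:\s*(\d+)", text)
    first_device, split_pairs = {}, []
    for r in rows:
        pair = (r["src"], r["dst"])
        if first_device.setdefault(pair, r["server"]) != r["server"]:
            split_pairs.append(pair)          # same pair pinned to two devices
    return {
        "per_device": dict(Counter(r["server"] for r in rows)),
        "one_way": [(r["src"], r["dst"], r["dir"]) for r in rows if r["dir"] != "both"],
        "split_pairs": split_pairs,
        "count_matches": declared is not None and int(declared.group(1)) == len(rows),
    }


if __name__ == "__main__":
    print(review(SAMPLE))
```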

4.5. DX-FWLB advanced settings

The default settings are good in most cases, but they may need some tuning in specific customer environments.

The configuration can be done in WebUI and CLI. This document covers only WebUI.

Timeouts

The DX-FWLB configuration has 2 default timeout values (under "Services" – "Firewall Load Balancer" – "FWLB Groups"):

• Sticky Timeout
• Session Timeout

The Sticky Timeout ensures that the same client (whatever its destination) is managed by the same device. That may be a requirement to help monitoring. By default, client stickiness is tracked for 2 hours of inactivity. For specific customer requirements, this value can be modified in the range [1-43200 min (30 days)].

The Session Timeout ensures that the FWLB sessions entries table won't fill up with old, useless entries. By default, entries with no activity for 30 minutes (1800 seconds) are removed from the FWLB table. For specific customer requirements, this value can be modified in the range [1-604800 sec (7 days)]. The smaller the value, the smaller the FWLB table; the higher the value, the bigger the FWLB table. So don't forget to validate any change with your Juniper representative to check that there is no scalability concern.

Health Check intervals

The DX-FWLB validates device health at different intervals depending on whether the device is up or down (under "Services" – "Firewall Load Balancer" – "FWLB Groups"), and the device status changes after N retries.

By default the values are:

• Check Interval when Target Host is Up: 20 sec by default (range [1-172800 sec])
• Check Interval when Target Host is Down: 10 sec by default (range [1-172800 sec])
• Retry to change device status from up to down: 3 by default (range [1-1000 sec])
