NAT load balancing is configured on the Advanced tab of the Add/Edit NAT Policy dialog:
NOTE: This tab can only be activated when a group is specified in one of the drop-down fields on the General tab of a NAT Policy. Otherwise, the NAT policy defaults to Sticky IP as the NAT method.
SonicOS offers the following advanced configuration options:
• Sticky IP – Source IP always connects to the same Destination IP (assuming it is alive). This method is best for publicly hosted sites requiring connection persistence, such as Web applications, Web forms, or shopping cart applications. This is the default mechanism, and is recommended for most deployments.
• Round Robin – Source IP cycles through each live load-balanced resource for each connection. This method is best for equal load distribution when persistence is not required.
• Block Remap/Symmetrical Remap – These two methods are useful when you know the source IP addresses/networks (e.g. when you want to precisely control how traffic from one subnet is translated to another).
• Random Distribution – Source IP connects to Destination IP randomly. This method is useful when you wish to randomly spread traffic across internal resources.
2. Optionally, to force the appliance to do only IP address translation and no port translation for the NAT policy, select the Disable Source Port Remap checkbox.
1. Optionally, select Enable Probing. When checked, the firewall probes the addresses in the load-balancing group using one of two methods to determine if each resource is alive: a simple ICMP ping query or a TCP socket open query. Per the configurable intervals, the firewall can direct traffic away from a non-responding resource, and return traffic to the resource after it has begun to respond again.
When Enable Probing is selected, the following options become available:
• Probe type – Select the probe type, such as TCP, from the drop-down menu. The default is TCP.
• Port – Specify the port. The default is 80.
• Reply time out – Specify the maximum length of time before a time out. The default is 3 seconds.
• Deactivate host after n missed intervals – Specify the maximum number of intervals that a host can miss before being deactivated. The default is 3.
• Reactivate host after n successful intervals – Specify the minimum number of successful intervals before a host can be reactivated. The default is 3.
• Enable Port Probing – Select to enable port probing.
• RST Response Counts as Miss – Select to count RST responses as misses. The option is selected by default.
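The deactivate/reactivate thresholds and the RST option described above, modeled as a small state machine to show how they decide when a host leaves and rejoins the load-balancing group. This is an added example, not SonicOS code: it assumes the miss and success counts are consecutive and that an RST counts as a reply when the option is cleared, and the names ProbedHost, observe and timeline are this example's own.

```python
from dataclasses import dataclass

# Possible results of one probe interval (labels are this example's own).
OK, TIMEOUT, RST = "ok", "timeout", "rst"


@dataclass
class ProbedHost:
    deactivate_after: int = 3  # page default: missed intervals before deactivation
    reactivate_after: int = 3  # page default: successful intervals before reactivation
    rst_is_miss: bool = True   # page default: "RST Response Counts as Miss" selected
    active: bool = True
    misses: int = 0            # assumption: consecutive misses
    successes: int = 0         # assumption: consecutive successes

    def observe(self, outcome):
        """Record one probe interval and return whether the host is in rotation."""
        missed = outcome == TIMEOUT or (outcome == RST and self.rst_is_miss)
        if missed:
            self.misses += 1
            self.successes = 0
            if self.active and self.misses >= self.deactivate_after:
                self.active = False
        else:
            self.successes += 1
            self.misses = 0
            if not self.active and self.successes >= self.reactivate_after:
                self.active = True
        return self.active


def timeline(outcomes, **settings):
    """Return the in-rotation state after each interval for the given settings."""
    host = ProbedHost(**settings)
    return [host.observe(o) for o in outcomes]


if __name__ == "__main__":
    # Constructed sample: the service on the probed port stops (the host answers
    # with RST), then comes back.
    sample = [OK, RST, RST, RST, RST, OK, OK, OK, OK]
    print("RST counts as miss:", timeline(sample))
    print("RST counts as reply:", timeline(sample, rst_is_miss=False))
```

With the option cleared, the host in the sample stays in rotation for every interval even though nothing is listening on the probed port.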
The following are not available at present:
The following describes how the firewall applies the load balancing algorithms:
• Round Robin - Source IP connects to Destination IP alternately
• Random Distribution - Source IP connects to Destination IP randomly
• Sticky IP - Source IP connects to same Destination IP
• Block Remap - Source network is divided by size of the Destination pool to create logical segments
• Symmetrical Remap - Source IP maps to Destination IP (for example, 10.1.1.10 -> 192.168.60.10)
192.168.0.2 to 192.168.0.4
Translated Destination = 10.50.165.0/30 (Network)
Sticky IP Formula yields offset of 0.
Destination remapping to 10.50.165.1.
192.168.0.2 to 192.168.0.4
Translated Destination = 10.50.165.1 - 10.50.165.3 (Range)