Load Balancing

NGFW supports load balancing for various services within the local network. Load balancing can be provided for:

  • Internal servers published to the Internet (DNAT)

  • Unpublished internal servers

  • Traffic forwarded to external ICAP servers (server farm)

  • Traffic to servers published using a reverse proxy.

The load balancer distributes the incoming requests at the virtual server's IP address between the IP addresses of the real servers using various balancing methods. To configure load balancing, go to the Network policies ➜ Load balancing section and create balancing rules.

To create a balancing rule for TCP/IP servers, select Add TCP/IP load balancer and provide these settings:

Enabled

Enables or disables the rule.

Name

The name of the balancing rule.

Description

A description of the balancing rule.

Virtual server IP address

Select one of the IP addresses assigned to network interfaces. If necessary, the administrator can assign additional IP addresses to the desired interface.

Port

The port for which load balancing is to be performed.

Protocol

The protocol (TCP or UDP) for which load balancing is to be performed.

Scheduler

There are four possible scheduler types that determine how load is distributed between the real servers:

  • Round robin: each new connection is passed to the next server in the list, which creates equal load on all servers.

  • Weighted round robin: works similarly to Round robin, but the load is distributed between the real servers according to their assigned weight factors, which allows each server's performance to be taken into account.

  • Least connections: a new connection is passed to the server which currently has the least number of connections.

  • Weighted least connections: works similarly to Least connections, but the load is distributed between the real servers according to their assigned weight factors, which allows each server's performance to be taken into account.
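The four scheduler types above, together with the real-server weights and the fallback server from the sections below, are easy to reason about in code. This is an added illustration written for this page, not NGFW's own implementation: the server IPs and weights are constructed, and the weighted round robin variant used here (a smooth interleaving, so a weight-3 server gets 3 of every 4 picks without bursts) is an assumption about how weights are honoured.

```python
from dataclasses import dataclass

@dataclass
class RealServer:
    ip: str
    port: int
    weight: int = 1
    healthy: bool = True   # cleared by monitoring; an unhealthy server is excluded from balancing
    connections: int = 0   # open connections as tracked by the balancer
    current: int = 0       # running counter used by weighted round robin

class Scheduler:
    """Chooses the real server for a new connection using one of the four scheduler types."""
    MODES = ("round_robin", "weighted_round_robin", "least_connections", "weighted_least_connections")

    def __init__(self, servers, mode, fallback=None):
        if mode not in self.MODES:
            raise ValueError(f"unknown scheduler {mode!r}")
        self.servers, self.mode, self.fallback = list(servers), mode, fallback
        self._rr = 0

    def pick(self):
        pool = [s for s in self.servers if s.healthy]
        if not pool:
            return self.fallback  # none of the real servers is available: use the fallback (None if unset)
        if self.mode == "round_robin":
            s = pool[self._rr % len(pool)]
            self._rr += 1
        elif self.mode == "weighted_round_robin":
            # smooth weighted round robin: a server of weight w is picked w times per sum(weights) picks
            total = sum(x.weight for x in pool)
            for x in pool:
                x.current += x.weight
            s = max(pool, key=lambda x: x.current)
            s.current -= total
        elif self.mode == "least_connections":
            s = min(pool, key=lambda x: x.connections)
        else:  # weighted_least_connections: normalise open connections by weight
            s = min(pool, key=lambda x: x.connections / x.weight)
        s.connections += 1
        return s

    def release(self, server):
        """Call when a connection closes so the least-connections modes see the real load."""
        server.connections -= 1

def distribute(mode, weights, n):
    """Constructed simulation: n new connections with none closed; returns picks per server IP."""
    servers = [RealServer(f"10.0.0.{i + 1}", 80, w) for i, w in enumerate(weights)]
    sched = Scheduler(servers, mode)
    counts = {s.ip: 0 for s in servers}
    for _ in range(n):
        counts[sched.pick().ip] += 1
    return counts
```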

Real servers

Add a pool of real servers between which the traffic will be distributed. For each of the servers, provide these settings:

  • IP address of the server.

  • Port: the server port to which user requests will be forwarded.

  • Weight: this factor is used to distribute the load unequally between the real servers in the Weighted round robin and Weighted least connections modes. The greater the weight, the higher the server load.

  • Mode: there are three options:

    • Gateway: routing is used to forward the traffic to the virtual server.

    • Masq: DNAT is used to forward the traffic to the virtual server.

    • Masq with SNAT: similar to Masq, but with NGFW substituting the source IP address with its own.

Important! Since the load balancer does not change packet headers in the Gateway mode, the reverse traffic from the real server needs to be set up via routing. This means that the gateway address for the reverse traffic must be different from the NGFW address.

Fallback

The fallback mode is used when none of the real servers is available. To activate fallback, enable it and provide these settings:

  • IP address of the server.

  • Port: the server port to which user requests will be forwarded.

  • Mode: there are three options:

    • Gateway: routing is used to forward the traffic to the virtual server.

    • Masq: DNAT is used to forward the traffic to the virtual server.

    • Masq with SNAT: similar to Masq, but with NGFW substituting the source IP address with its own.

Monitoring

You can use monitoring to configure health checking for real servers. If a real server has failed a check, it is excluded from load balancing.

Aggregation mode

Real server monitoring mode. The available options are:

  • ping: check node availability using the ping utility.

  • connect: check node health by establishing a TCP connection on a certain port.

  • negotiate: check node health by sending a certain HTTP or DNS request and comparing the response against the expected one. To configure this mode, select the service type (HTTP or DNS) and specify the Request and Expected response strings. Here is an example for an HTTP request:

    • Request: /robots.txt

    • Expected response: Disallow: /bin/

    The request string here points to the real server path that will be used in the HTTP request. The expected response string contains a fragment of the response webpage.

Check interval

The time interval for the periodic health check.

Check timeout

The timeout for the response to a check.

Max failures

The number of failed health check attempts after which a real server will be considered unhealthy and excluded from load balancing.
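The negotiate-mode check and the Max failures counter described above form a small state machine per real server. The following is an added example for this page, not NGFW's own code: the probe uses the page's HTTP example (Request /robots.txt, Expected response Disallow: /bin/) with the check timeout, and the constructed response sequence stands in for real probes. The assumption that one successful check returns a server to the pool is mine; the page does not state the recovery behaviour.

```python
import http.client
from dataclasses import dataclass

def http_negotiate_probe(ip, port, request, timeout):
    """Negotiate-mode HTTP probe: GET the request path within the check timeout.
    Returns the response body as text, or None when the server cannot be reached or times out."""
    try:
        conn = http.client.HTTPConnection(ip, port, timeout=timeout)
        conn.request("GET", request, headers={"Host": ip})
        body = conn.getresponse().read().decode("utf-8", "replace")
        conn.close()
        return body
    except (OSError, http.client.HTTPException):
        return None

@dataclass
class HealthMonitor:
    """Tracks one real server's health from successive check results."""
    expected: str          # fragment that must appear in the response, e.g. "Disallow: /bin/"
    max_failures: int = 3  # consecutive failures before the server is excluded from balancing
    failures: int = 0
    healthy: bool = True

    def evaluate(self, response):
        """response: body returned by the probe, or None for a connect error or timeout."""
        if response is not None and self.expected in response:
            self.failures = 0
            self.healthy = True   # assumed: a passing check brings the server back into the pool
        else:
            self.failures += 1
            if self.failures >= self.max_failures:
                self.healthy = False
        return self.healthy

def check_sequence(expected, max_failures, responses):
    """Constructed simulation: feed a list of probe results to one monitor; returns the health after each."""
    mon = HealthMonitor(expected=expected, max_failures=max_failures)
    return [mon.evaluate(r) for r in responses]
```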

Note: The balancing rules have a higher priority than NAT/DNAT/routing rules and are applied before them.

An ICAP load balancer allows load distribution between external ICAP servers or a server farm, such as an external antimalware server farm. This balancer can then be used in ICAP rules. To create an ICAP load balancer, select Add ICAP load balancer and provide these settings:

Enabled

Enables or disables the rule.

Name

The name of the balancing rule.

Description

A description of the balancing rule.

ICAP profiles

Select ICAP profiles for the servers between which the load will be distributed. For more details on working with ICAP servers, see the Working with External ICAP Servers section.

A reverse proxy load balancer allows load distribution across internal servers or a server farm published using reverse proxy rules. This balancer can then be used in reverse proxy rules. To create a reverse proxy load balancer, select Add reverse proxy load balancer and provide these settings:

Enabled

Enables or disables the rule.

Name

The name of the balancing rule.

Description

A description of the balancing rule.

Reverse proxy profiles

Select the reverse proxy profiles for the servers between which the load will be distributed. For more details on publishing resources using reverse proxy rules, see the HTTP/HTTPS Resource Publishing Using Reverse Proxy chapter.