Firewall Load Balancing



Similar documents
Link Load Balancing :50:44 UTC Citrix Systems, Inc. All rights reserved. Terms of Use Trademarks Privacy Statement

Layer 4-7 Server Load Balancing. Security, High-Availability and Scalability of Web and Application Servers

Firewall Load Balancing

How To Configure Virtual Host with Load Balancing and Health Checking

DATA CENTER. Best Practices for High Availability Deployment for the Brocade ADX Switch

Firewall Load Balancing

Configuring a Lan-to-Lan VPN with Overlapping Subnets with Juniper NetScreen/ISG/SSG Products

FortiOS Handbook - Load Balancing VERSION 5.2.2

Scaling Next-Generation Firewalls with Citrix NetScaler

GregSowell.com. Mikrotik Security

Load Balancing Smoothwall Secure Web Gateway

Configuring and Implementing A10

Load Balancing. FortiOS Handbook v3 for FortiOS 4.0 MR3

How To Load Balance On A Cisco Cisco Cs3.X With A Csono Css 3.X And Csonos 3.5.X (Cisco Css) On A Powerline With A Powerpack (C

Securing Networks with PIX and ASA

Creating a VPN with overlapping subnets

1 PC to WX64 direction connection with crossover cable or hub/switch

Firewall Defaults and Some Basic Rules

Configuring SSL VPN on the Cisco ISA500 Security Appliance

Configuring the BIG-IP and Check Point VPN-1 /FireWall-1

Load Balancing Trend Micro InterScan Web Gateway

Network Configuration Example

ExamPDF. Higher Quality,Better service!

Load Balancing Clearswift Secure Web Gateway

FortiOS Handbook Load Balancing for FortiOS 5.0

Avaya P330 Load Balancing Manager User Guide

8 Steps For Network Security Protection

Load Balancing Sophos Web Gateway. Deployment Guide

Load Balancing Bloxx Web Filter. Deployment Guide

Digi Cellular Application Guide Using Digi Surelink

Catalyst 6500/6000 Switches NetFlow Configuration and Troubleshooting

Smart Tips. Enabling WAN Load Balancing. Key Features. Network Diagram. Overview. Featured Products. WAN Failover. Enabling WAN Load Balancing Page 1

Introduction to ServerIron ADX Application Switching and Load Balancing. Module 5: Server Load Balancing (SLB) Revision 0310

Deployment Guide AX Series for Palo Alto Networks Firewall Load Balancing

Traffic Steering. Traffic Steering

Firewall Examples. Using a firewall to control traffic in networks

Load Balancing Web Proxies Load Balancing Web Filters Load Balancing Web Gateways. Deployment Guide

How Your Computer Accesses the Internet through your Wi-Fi for Boats Router

Troubleshooting the Firewall Services Module

Concepts & Examples ScreenOS Reference Guide

Configuring Health Monitoring

ServerIron TrafficWorks Firewall Load Balancing Guide

Availability Digest. Redundant Load Balancing for High Availability July 2013

Load Balancing McAfee Web Gateway. Deployment Guide

Topic 7 DHCP and NAT. Networking BAsics.

SonicWALL NAT Load Balancing

Configuring a Lan-to-Lan VPN with SSG5 and Check Point Appliance Safe@Office 500

Exam Name: Foundry Networks Certified Layer4-7 Professional Exam Type: Foundry Exam Code: FN0-240 Total Questions: 267

Controlling Ashly Products From a Remote PC Location

This Technical Support Note shows the different options available in the Firewall menu of the ADTRAN OS Web GUI.

ASA/PIX: Load balancing between two ISP - options

Firewalls P+S Linux Router & Firewall 2013

Server Iron Hands-on Training

Bandwidth-based load-balancing with failover. The easy way. We need more bandwidth.

Smoothwall Web Filter Deployment Guide

Troubleshooting the Firewall Services Module

Table of Contents. Introduction

Chapter 11 Network Address Translation

EXINDA NETWORKS. Deployment Topologies

Symantec Firewall/VPN 200

CLE202 Introduction to ServerIron ADX Application Switching and Load Balancing

Apliware firewall. TheGreenBow IPSec VPN Client. Configuration Guide.

Ethernet-based Software Defined Network (SDN) Cloud Computing Research Center for Mobile Applications (CCMA), ITRI 雲 端 運 算 行 動 應 用 研 究 中 心

Application Note. Stateful Firewall, IPS or IDS Load- Balancing

Government of Canada Managed Security Service (GCMSS) Annex A-1: Statement of Work - Firewall

SonicOS Enhanced 4.0: NAT Load Balancing

Limitation of Riverbed s Quality of Service (QoS)

Configuring the Transparent or Routed Firewall

Common Application Guide

Technical Support Information Belkin internal use only

Oracle Database Firewall

Application Description

Load Balancing Oracle Application Server (Oracle HTTP Server) Quick Reference Guide

8 Steps for Network Security Protection

Deploying F5 with Microsoft Forefront Threat Management Gateway 2010

Quick Note 53. Ethernet to W-WAN failover with logical Ethernet interface.

How To Manage Outgoing Traffic On Fireware Xtm

login timeout 30 access list ALL line 20 extended permit ip any any port 9053 interval 15 passdetect interval 30

Routing Security Server failure detection and recovery Protocol support Redundancy

Firewall VPN Router. Quick Installation Guide M73-APO09-380

Best Practices Guide: Vyatta Firewall. SOFTWARE-BASED NETWORKING & SECURITY FROM VYATTA February 2013

APPLICATION NOTES High-Availability Load Balancing with the Brocade ServerIron ADX and McAfee Firewall Enterprise (Sidewinder)

Micronet SP881. TheGreenBow IPSec VPN Client Configuration Guide.

Clustering. Configuration Guide IPSO 6.2

Owner of the content within this article is Written by Marc Grote

FortiGate High Availability Overview Technical Note

Load Balancing SIP Quick Reference Guide v1.3.1

About Firewall Protection

Sample Configuration Using the ip nat outside source static

High Availability Solutions & Technology for NetScreen s Security Systems

Firewall Defaults, Public Server Rule, and Secondary WAN IP Address

Understanding and Configuring NAT Tech Note PAN-OS 4.1

ZyXEL ZyWALL P1 firmware V3.64

High Availability Failover Optimization Tuning HA Timers PAN-OS 6.0.0

Managing Latency in IPS Networks

Planet CS TheGreenBow IPSec VPN Client. Configuration Guide.

Overview of Network Traffic Analysis

December ServerIron ADX. Firewall Load Balancing Guide. Supporting Brocade ServerIron ADX version

Transcription:

Application Note, Juniper Networks, Inc., 1194 North Mathilda Avenue, Sunnyvale, California 94089 USA, 408.745.2000, 1.888 JUNIPER, www.juniper.net
June 2007

Table of Contents

1. Application Note topic FWLB
2. How the DX-FWLB technically works
3. How to configure the DX-FWLB
  3.1. How to configure the DX-FWLB for non-transparent firewalls
    3.1.1. Sandwich mode
    3.1.2. 1 DX mode
  3.2. How to configure the DX-FWLB for non-transparent firewalls with many interfaces
    3.2.1. Sandwich mode
    3.2.2. 1 DX mode
  3.3. How to configure the DX-FWLB for transparent firewalls
    3.3.1. Sandwich mode
    3.3.2. 1 DX mode
  3.4. How to configure the DX-FWLB for transparent and non-transparent devices
  3.5. How to configure the DX-FWLB in an environment with multiple Internet accesses
4. DX-FWLB status and stats / Troubleshooting
  4.1. DX-FWLB status
  4.2. DX-FWLB Group devices status
  4.3. DX-FWLB stats
  4.4. DX-FWLB sessions entries
  4.5. DX-FWLB advanced settings

1. Application Note topic FWLB

Firewall Load Balancing (FWLB) provides load balancing and high availability for transparent and non-transparent firewalls. The DX supports both integrations:
- Sandwich mode: a DX behind each firewall interface
- 1 DX mode: the same DX connected to all the firewall interfaces

In addition, this feature provides load balancing and high availability for other transparent devices such as IDP (Intrusion Detection and Prevention) devices. Finally, the DX-FWLB capabilities allow the DX to be integrated in an environment with multiple Internet accesses. In such an environment, the DX always replies to the clients over the same path the clients initially used.

This document describes:
- How the DX-FWLB technically works
- How to configure the DX-FWLB
  o for non-transparent firewalls
  o for non-transparent firewalls with many interfaces
  o for transparent firewalls
  o for transparent and non-transparent devices
  o in an environment with multiple Internet accesses
- DX-FWLB status and stats / Troubleshooting

2. How the DX-FWLB technically works

The DX-FWLB provides mainly two new capabilities:

1. Load balance any traffic received to multiple devices (firewalls, IDP, routers, ...)

The DX load balances any IP traffic. When an IP packet reaches the DX, the DX checks whether the packet matches a FWLB-VIP.

Technical Note: If the packet matches multiple FWLB-VIPs, the DX selects the most specific one.

The DX-FWLB manages a FWLB table. Each entry is composed of "Sce-IP" + "Dest-IP" + "Device" + "Aging-Time". When traffic matches one DX-FWLB-VIP, the DX checks whether the "Sce-IP" + "Dest-IP" pair exists in its FWLB table. If not, the DX selects one of the available devices, creates a new entry and forwards the traffic to that device. If an entry already exists, the DX updates the "Aging-Time" and forwards the traffic to the device recorded in the entry.

2. Send the responses back along the same path used by the incoming traffic

Technical Note: When traffic comes from one of the devices, the DX checks whether an entry exists in its FWLB table. If not, the DX creates a new entry and forwards the traffic to its destination. If an entry already exists, the DX updates the "Aging-Time" and forwards the traffic to its destination. When the server replies, the case is similar: the DX checks whether the "Sce-IP" + "Dest-IP" pair exists in its FWLB table, finds it, and sends the reply to the device recorded in the entry.

Two different DX-FWLB integrations can be done:

1. Sandwich mode: a DX behind each device interface.
Note: For DX high availability, that is a pair of DX-Internal and a pair of DX-External.

2. 1 DX mode: the same DX connected to all the device interfaces.
Note: For DX high availability, that is a pair of DX.

[Diagram: Devices connected to the DX]

Important Note: The DX-FWLB is available with every DX license and was added in release 5.3. The DX-FWLB can be mixed with all other DX features: Clusters, Forwarder, Redirector, SLB, GSLB. But the following features can't be used with any DX-FWLB mode: Active/Active or ActiveN configuration.
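The forwarding logic described in this section (most-specific FWLB-VIP match, the "Sce-IP" + "Dest-IP" table with a device and an aging time, and the reverse path for replies) can be modelled in a few dozen lines. The Python below is an added example written for this page, not Juniper code; it assumes round-robin selection among devices the health checker has not marked down, the Session Timeout (1800 s) and Sticky Timeout (2 hours) defaults given in section 4.5, and a constructed DX-External layout with three FWLB groups whose target hosts borrow the addresses shown in the section 4 CLI output.

```python
"""Model of the DX-FWLB forwarding table (added example, not Juniper code)."""
import ipaddress
from dataclasses import dataclass
from itertools import cycle

FORWARD, REVERSE = 1, 2   # DIR bits as printed by "show fwlb group <g> session"


@dataclass
class FwlbVip:
    name: str
    listen_interface: str
    network: ipaddress.IPv4Network   # Listen Address + Listen Netmask
    targets: list                    # device addresses (FW1-ext, FW2-ext, ...)
    session_timeout: int = 1800      # seconds; page default Session Timeout
    sticky_timeout: int = 7200       # seconds; page default Sticky Timeout (2 h)


@dataclass
class Entry:
    device: str
    last_seen: float
    direction: int      # FORWARD, REVERSE or both (3)
    timeout: int        # seconds of inactivity before the entry is aged out


class FwlbTable:
    def __init__(self, vips):
        self.vips = vips
        self.table = {}    # normalised (ip, ip) pair -> Entry
        self.sticky = {}   # client IP -> Entry (device only; direction unused)
        self.down = set()  # devices the health checker currently reports down
        self._rr = {v.name: cycle(v.targets) for v in vips}

    @staticmethod
    def _key(a, b):
        # Replies carry (dst, src); sorting makes them find the entry made for (src, dst).
        return tuple(sorted((a, b)))

    def match_vip(self, interface, dst):
        """Most specific FWLB-VIP listening on this interface for dst, or None."""
        cands = [v for v in self.vips
                 if v.listen_interface == interface
                 and ipaddress.ip_address(dst) in v.network]
        return max(cands, key=lambda v: v.network.prefixlen) if cands else None

    def _select(self, vip, src):
        # Assumption: a live sticky entry for the client wins over round robin.
        sticky = self.sticky.get(src)
        if sticky and sticky.device not in self.down:
            return sticky.device
        for _ in range(len(vip.targets)):          # round robin over healthy devices
            dev = next(self._rr[vip.name])
            if dev not in self.down:
                return dev
        raise RuntimeError(f"no available device in group {vip.name}")

    def expire(self, now):
        """Drop session and sticky entries idle longer than their timeout."""
        for store in (self.table, self.sticky):
            for k in [k for k, e in store.items() if now - e.last_seen > e.timeout]:
                del store[k]

    def from_client(self, interface, src, dst, now):
        """Packet from the listen side; returns the device it is forwarded to."""
        vip = self.match_vip(interface, dst)
        if vip is None:
            return None                           # not FWLB traffic: normal routing
        self.expire(now)
        key = self._key(src, dst)
        e = self.table.get(key)
        if e is None:
            e = Entry(self._select(vip, src), now, FORWARD, vip.session_timeout)
            self.table[key] = e
        else:
            e.last_seen, e.direction = now, e.direction | FORWARD
        self.sticky[src] = Entry(e.device, now, 0, vip.sticky_timeout)
        return e.device

    def from_device(self, device, src, dst, now, timeout=1800):
        """Packet arriving from a device: remember the path, forward to dst."""
        self.expire(now)
        key = self._key(src, dst)
        e = self.table.get(key)
        if e is None:
            self.table[key] = Entry(device, now, REVERSE, timeout)
        else:
            e.last_seen, e.direction = now, e.direction | REVERSE
        return dst

    def reply_path(self, src, dst, now):
        """Server reply: the entry made on the way in names the device to use."""
        self.expire(now)
        e = self.table.get(self._key(src, dst))
        if e is None:
            return None
        e.last_seen = now
        return e.device

    def rows(self):
        """Rows in the layout of 'show fwlb group <g> session' (IP pair normalised)."""
        return [(a, b, e.device, e.direction) for (a, b), e in sorted(self.table.items())]


def build_demo_table():
    """Constructed DX-External of a sandwich setup: catch-all plus two /24 groups."""
    fw = ["20.80.80.40", "20.80.80.41"]          # FW1-ext, FW2-ext (constructed)
    return FwlbTable([
        FwlbVip("External", "ether0", ipaddress.IPv4Network("0.0.0.0/0"), fw),
        FwlbVip("External-Internal", "ether0", ipaddress.IPv4Network("10.80.81.0/24"), fw),
        FwlbVip("External-Management", "ether0", ipaddress.IPv4Network("10.80.82.0/24"), fw),
    ])


if __name__ == "__main__":
    t = build_demo_table()
    t.from_client("ether0", "172.24.90.145", "10.80.84.252", 0)
    t.from_device("20.80.80.40", "10.80.84.252", "172.24.90.145", 1)
    for row in t.rows():
        print("SRC/DST %s %s SERVER %s DIR %d" % row)
```

The `down` set stands in for the health checker of section 4.5: a device removed from service is skipped by round robin and also overrides a client's sticky entry, so a failed firewall never keeps receiving new flows. The DIR value of an entry becomes 3 ("Both") once the DX has seen the flow from the client side and from the device side, which is what the session table in section 4.4 shows for established flows.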

3. How to configure the DX-FWLB

As explained in the introduction, the DX-FWLB provides load balancing and high availability for different devices. Here are the most popular devices used with the DX-FWLB:

3.1. How to configure the DX-FWLB for non-transparent firewalls

Multiple non-transparent firewalls are load balanced by the DX, which checks their availability too. This section covers firewalls with 2 interfaces. Firewalls with more than two interfaces are covered in the following section. The DX-FWLB-VIP also supports firewalls with VPN and/or NAT.

Note: Non-transparent firewalls have an IP address and act as a router.

3.1.1. Sandwich mode

The configuration can be done in the WebUI and the CLI. This document covers only the WebUI.

DX-External

- Enable DX-FWLB
  o In "Services" > "Firewall Load Balancer" > "Default FWLB Settings"

- Create DX-FWLB-VIP for traffic from External to Any
  o In "Services" > "Firewall Load Balancer" > "FWLB Groups", create a "New FWLB Group" with the settings:
    General:
      Name: External
      Listen Address / Port: 0.0.0.0:0 (0.0.0.0:0/0 means Any)
      Listen Netmask: 0.0.0.0
      Listen Interface: ether0 (the interface on which the external traffic reaches the DX-External)
      Listen VLAN: 0 (0 means no VLAN is set up on that interface. If the selected interface has one, specify the VLAN to which the external side is connected)
    Traffic received on the DX-External external interface with destination Any hits the FWLB-VIP.
    Target Hosts:
      Target Host Type: Non Transparent
      FW1-ext IP
      FW2-ext IP
    Load Balancing (the default settings are usually good):

    Health Checking:
      Health Check IP: The DX-Internal IP address (or floating VIP if the DX-Internal is in failover mode)
    Note: The DX-External checks each firewall by sending a ping through it up to the DX-Internal, so both firewall interfaces and the firewall engine are validated. But don't forget to authorize that ICMP traffic from the DX-External to the DX-Internal.
    Save.

DX-Internal

- Enable DX-FWLB
  o In "Services" > "Firewall Load Balancer" > "Default FWLB Settings"
- Create DX-FWLB-VIP for traffic from Internal to Any
  o In "Services" > "Firewall Load Balancer" > "FWLB Groups", create a "New FWLB Group" with the settings:
    General:
      Name: Internal
      Listen Address / Port: 0.0.0.0:0 (0.0.0.0:0/0 means Any)
      Listen Netmask: 0.0.0.0
      Listen Interface: ether1 (the interface on which the internal traffic reaches the DX-Internal)
      Listen VLAN: 0 (0 means no VLAN is set up on that interface. If the selected interface has one, specify the VLAN to which the internal side is connected)
    Traffic received on the DX-Internal internal interface with destination Any hits the FWLB-VIP.

    Target Hosts:
      Target Host Type: Non Transparent
      FW1-int IP
      FW2-int IP
    Load Balancing (the default settings are usually good):
    Health Checking:
      Health Check IP: The DX-External IP address (or floating VIP if the DX-External is in failover mode)
    Note: The DX-Internal checks each firewall by sending a ping through it up to the DX-External, so both firewall interfaces and the firewall engine are validated. But don't forget to authorize that ICMP traffic from the DX-Internal to the DX-External.
    Save.

3.1.2. 1 DX mode

The configuration can be done in the WebUI and the CLI. This document covers only the WebUI.

DX

- Enable DX-FWLB: same as "3.1.1 DX-External"
- Create DX-FWLB-VIP for traffic from External to Any: same as "3.1.1 DX-External"
  Note about the health checking: In 1 DX mode, the DX pings its opposite IP (or floating VIP) from its external interface. This ping is sent through all firewalls.
- Create DX-FWLB-VIP for traffic from Internal to Any: same as "3.1.1 DX-Internal"
  Note about the health checking: In 1 DX mode, the DX pings its opposite IP (or floating VIP) from its external interface. This ping is sent through all firewalls.

3.2. How to configure the DX-FWLB for non-transparent firewalls with many interfaces

In Sandwich mode, this requires a DX (or a DX pair for DX availability) per firewall interface. In 1 DX mode, this requires one single DX (or a DX pair for DX availability), whatever the number of firewall interfaces. The DX-FWLB-VIP also supports firewalls with VPN and/or NAT.

3.2.1. Sandwich mode

The configuration can be done in the WebUI and the CLI. This document covers only the WebUI.

DX-External

- Enable DX-FWLB
  o In "Services" > "Firewall Load Balancer" > "Default FWLB Settings"

- Create DX-FWLB-VIP for traffic from External to Internal
  o In "Services" > "Firewall Load Balancer" > "FWLB Groups", create a "New FWLB Group" with the settings:
    General:
      Name: External-Internal
      Listen Address / Port: 10.80.81.0:0
      Listen Netmask: 255.255.255.0
      Listen Interface: ether0 (the interface on which the external traffic reaches the DX-External)
      Listen VLAN: 0 (0 means no VLAN is set up on that interface. If the selected interface has one, specify the VLAN to which the external side is connected)
    Traffic received on the DX-External external interface with destination Internal hits the FWLB-VIP.
    Target Hosts:
      Target Host Type: Non Transparent
      FW1-ext IP
      FW2-ext IP
    Load Balancing (the default settings are usually good):

    Health Checking:
      Health Check IP: The DX-Internal IP address (or floating VIP if the DX-Internal is in failover mode)
    Note: The DX-External checks each firewall by sending a ping through it up to the DX-Internal, so both firewall interfaces and the firewall engine are validated. But don't forget to authorize that ICMP traffic from the DX-External to the DX-Internal.
    Save.
- Create DX-FWLB-VIP for traffic from External to Management
  o In "Services" > "Firewall Load Balancer" > "FWLB Groups", create a "New FWLB Group" with the settings:
    General:
      Name: External-Management
      Listen Address / Port: 10.80.82.0:0
      Listen Netmask: 255.255.255.0
      Listen Interface: ether0 (the interface on which the external traffic reaches the DX-External)
      Listen VLAN: 0 (0 means no VLAN is set up on that interface. If the selected interface has one, specify the VLAN to which the external side is connected)
    Traffic received on the DX-External external interface with destination Management hits the FWLB-VIP.

    Target Hosts:
      Target Host Type: Non Transparent
      FW1-ext IP
      FW2-ext IP
    Load Balancing (the default settings are usually good):
    Health Checking:
      Health Check IP: The DX-Management IP address (or floating VIP if the DX-Management is in failover mode)
    Note: The DX-External checks each firewall by sending a ping through it up to the DX-Management, so both firewall interfaces and the firewall engine are validated. But don't forget to authorize that ICMP traffic from the DX-External to the DX-Management.
    Save.

DX-Internal

- Enable DX-FWLB
  o In "Services" > "Firewall Load Balancer" > "Default FWLB Settings"
- Create DX-FWLB-VIP for traffic from Internal to External
  o In "Services" > "Firewall Load Balancer" > "FWLB Groups", create a "New FWLB Group" with the settings:
    General:
      Name: Internal-External
      Listen Address / Port: 0.0.0.0:0 (0.0.0.0:0/0 means Any)
      Listen Netmask: 0.0.0.0
      Listen Interface: ether1 (the interface on which the internal traffic reaches the DX-Internal)
      Listen VLAN: 0 (0 means no VLAN is set up on that interface. If the selected interface has one, specify the VLAN to which the internal side is connected)
    Traffic received on the DX-Internal internal interface with destination External hits the FWLB-VIP.
    Target Hosts:
      Target Host Type: Non Transparent
      FW1-int IP
      FW2-int IP

    Load Balancing (the default settings are usually good):
    Health Checking:
      Health Check IP: The DX-External IP address (or floating VIP if the DX-External is in failover mode)
    Note: The DX-Internal checks each firewall by sending a ping through it up to the DX-External, so both firewall interfaces and the firewall engine are validated. But don't forget to authorize that ICMP traffic from the DX-Internal to the DX-External.
    Save.
- Create DX-FWLB-VIP for traffic from Internal to Management
  o In "Services" > "Firewall Load Balancer" > "FWLB Groups", create a "New FWLB Group" with the settings:
    General:
      Name: Internal-Management
      Listen Address / Port: 10.80.82.0:0
      Listen Netmask: 255.255.255.0
      Listen Interface: ether1 (the interface on which the internal traffic reaches the DX-Internal)
      Listen VLAN: 0 (0 means no VLAN is set up on that interface. If the selected interface has one, specify the VLAN to which the internal side is connected)
    Traffic received on the DX-Internal internal interface with destination Management hits the FWLB-VIP.

    Target Hosts:
      Target Host Type: Non Transparent
      FW1-int IP
      FW2-int IP
    Load Balancing (the default settings are usually good):
    Health Checking:
      Health Check IP: The DX-Management IP address (or floating VIP if the DX-Management is in failover mode)
    Note: The DX-Internal checks each firewall by sending a ping through it up to the DX-Management, so both firewall interfaces and the firewall engine are validated. But don't forget to authorize that ICMP traffic from the DX-Internal to the DX-Management.
    Save.

DX-Management

- Enable DX-FWLB
  o In "Services" > "Firewall Load Balancer" > "Default FWLB Settings"
- Create DX-FWLB-VIP for traffic from Management to External
  o In "Services" > "Firewall Load Balancer" > "FWLB Groups", create a "New FWLB Group" with the settings:
    General:
      Name: Management-External
      Listen Address / Port: 0.0.0.0:0 (0.0.0.0:0/0 means Any)
      Listen Netmask: 0.0.0.0
      Listen Interface: ether1 (the interface on which the internal traffic reaches the DX-Management)
      Listen VLAN: 0 (0 means no VLAN is set up on that interface. If the selected interface has one, specify the VLAN to which the internal side is connected)
    Traffic received on the DX-Management management interface with destination External hits the FWLB-VIP.
    Target Hosts:
      Target Host Type: Non Transparent
      FW1-mgt IP
      FW2-mgt IP

    Load Balancing (the default settings are usually good):
    Health Checking:
      Health Check IP: The DX-External IP address (or floating VIP if the DX-External is in failover mode)
    Note: The DX-Management checks each firewall by sending a ping through it up to the DX-External, so both firewall interfaces and the firewall engine are validated. But don't forget to authorize that ICMP traffic from the DX-Management to the DX-External.
    Save.
- Create DX-FWLB-VIP for traffic from Management to Internal
  o In "Services" > "Firewall Load Balancer" > "FWLB Groups", create a "New FWLB Group" with the settings:
    General:
      Name: Management-Internal
      Listen Address / Port: 10.80.81.0:0
      Listen Netmask: 255.255.255.0
      Listen Interface: ether1 (the interface on which the internal traffic reaches the DX-Management)
      Listen VLAN: 0 (0 means no VLAN is set up on that interface. If the selected interface has one, specify the VLAN to which the internal side is connected)
    Traffic received on the DX-Management management interface with destination Internal hits the FWLB-VIP.

    Target Hosts:
      Target Host Type: Non Transparent
      FW1-mgt IP
      FW2-mgt IP
    Load Balancing (the default settings are usually good):
    Health Checking:
      Health Check IP: The DX-Internal IP address (or floating VIP if the DX-Internal is in failover mode)
    Note: The DX-Management checks each firewall by sending a ping through it up to the DX-External, so both firewall interfaces and the firewall engine are validated. But don't forget to authorize that ICMP traffic from the DX-Management to the DX-External.
    Save.

3.2.2. 1 DX mode

The configuration can be done in the WebUI and the CLI. This document covers only the WebUI.

DX

- Enable DX-FWLB: same as "3.2.1 DX-External"
- Enable DX-FWLB: same as "3.1.1 DX-External"
- Create DX-FWLB-VIP for traffic from External to Management: same as "3.1.1 DX-External"
- Create DX-FWLB-VIP for traffic from Internal to External: same as "3.1.1 DX-Internal"
- Create DX-FWLB-VIP for traffic from Internal to Management: same as "3.1.1 DX-Internal"
- Create DX-FWLB-VIP for traffic from Management to External: same as "3.1.1 DX-Management"
- Create DX-FWLB-VIP for traffic from Management to Internal: same as "3.1.1 DX-Management"

3.3. How to configure the DX-FWLB for transparent firewalls

Multiple transparent firewalls are load balanced by the DX, which checks their availability too. This section covers firewalls with 2 interfaces. Firewalls with more than two interfaces are a similar case to the one detailed in the section above.

Note: Transparent firewalls have no IP address and act as a bridge.

3.3.1. Sandwich mode

The configuration can be done in the WebUI and the CLI. This document covers only the WebUI.

DX-External

- Enable DX-FWLB
  o In "Services" > "Firewall Load Balancer" > "Default FWLB Settings"
- Create DX-FWLB-VIP for traffic from External to Any
  o In "Services" > "Firewall Load Balancer" > "FWLB Groups", create a "New FWLB Group" with the settings:
    General:
      Name: External
      Listen Address / Port: 0.0.0.0:0 (0.0.0.0:0/0 means Any)
      Listen Netmask: 0.0.0.0
      Listen Interface: ether0 (the interface on which the external traffic reaches the DX-External)
      Listen VLAN: 0 (0 means no VLAN is set up on that interface. If the selected interface has one, specify the VLAN to which the external side is connected)
    Traffic received on the DX-External external interface with destination Any hits the FWLB-VIP.
    Target Hosts:
      Target Host Type: Transparent
      DX-Internal-FW1 IP
      DX-Internal-FW2 IP

    Load Balancing (the default settings are usually good):
    Health Checking (the default settings are usually good):
    Note: The DX-External checks each firewall by sending a ping through it up to the DX-Internal, so both firewall interfaces and the firewall engine are validated. But don't forget to authorize that ICMP traffic from the DX-External to the DX-Internal.
    Save.

DX-Internal

- Enable DX-FWLB
  o In "Services" > "Firewall Load Balancer" > "Default FWLB Settings"

- Create DX-FWLB-VIP for traffic from Internal to Any
  o In "Services" > "Firewall Load Balancer" > "FWLB Groups", create a "New FWLB Group" with the settings:
    General:
      Name: Internal
      Listen Address / Port: 0.0.0.0:0 (0.0.0.0:0/0 means Any)
      Listen Netmask: 0.0.0.0
      Listen Interface: ether0 (the interface on which the internal traffic reaches the DX-Internal)
      Listen VLAN: 0 (0 means no VLAN is set up on that interface. If the selected interface has one, specify the VLAN to which the internal side is connected)
    Traffic received on the DX-Internal internal interface with destination Any hits the FWLB-VIP.
    Target Hosts:
      Target Host Type: Transparent
      DX-Internal-FW1-IP
      DX-Internal-FW2-IP
    Load Balancing (the default settings are usually good):

    Health Checking (the default settings are usually good):
    Note: The DX-Internal checks each firewall by sending a ping through it up to the DX-Internal, so both firewall interfaces and the firewall engine are validated. But don't forget to authorize that ICMP traffic from the DX-External to the DX-Internal.
    Save.

3.3.2. 1 DX mode

This mode is not supported for transparent firewalls.

3.4. How to configure the DX-FWLB for transparent and non-transparent devices

As with non-transparent and transparent firewalls, the DX can provide load balancing and high availability for any transparent device, such as IDP, VPN, ..., and the configuration is the same. The configuration is strictly identical to the section "How to configure the DX-FWLB for non-transparent firewalls" for devices acting as a router, and to "How to configure the DX-FWLB for transparent firewalls" for devices acting as a bridge.

3.5. How to configure the DX-FWLB in an environment with multiple Internet accesses

In data centers with multiple Internet accesses, the DX usually has to reply to the clients via the same path. The DX-FWLB capabilities answer that requirement.

[Diagram: Internet; Routers/FWs (.1.1) on 64.50.21.0/24 and 72.41.35.0/24; DX]

The configuration can be done in the WebUI and the CLI. This document covers only the WebUI.

DX

- Enable DX-FWLB
  o In "Services" > "Firewall Load Balancer" > "Default FWLB Settings"
- Create DX-FWLB-VIP for traffic from Internal to Any
  o In "Services" > "Firewall Load Balancer" > "FWLB Groups", create a "New FWLB Group" with the settings:
    General:
      Name: Internal
      Listen Address / Port: 0.0.0.0:0 (0.0.0.0:0/0 means Any)
      Listen Netmask: 0.0.0.0
      Listen Interface: ether1 (the interface on which the internal traffic reaches the DX)
      Listen VLAN: 0 (0 means no VLAN is set up on that interface. If the selected interface has one, specify the VLAN to which the internal side is connected)
    Traffic received on the DX-Internal internal interface with destination Any hits the FWLB-VIP.
    Target Hosts:
      Target Host Type: Transparent
      Router/FW1-int IP
      Router/FW2-int IP

    Load Balancing (the default settings are usually good):
    Health Checking (the default settings are usually good):
    Note: The DX checks each router/firewall by sending a ping to it.
    Save.

4. DX-FWLB status and stats / Troubleshooting

4.1. DX-FWLB status

This can be done via the CLI only. In the CLI: "show fwlb status"

  dx-107-1% show fwlb status
  FWLB: up (failover: Master)

4.2. DX-FWLB Group devices status

This can be done via the CLI only. In the CLI: "show fwlb group <group-name> target host all"

  dx-107-1% show fwlb group 84 target host all
  Target Host: 20.80.80.40  Weight: 1  Max Connections: 0  Status: up
  Target Host: 20.80.80.41  Weight: 1  Max Connections: 0  Status: up

4.3. DX-FWLB stats

The stats are available per FWLB group. This can be done via the CLI only. In the CLI: "show fwlb group <group-name> stats"

  dx-107-1% show fwlb group 84 stats
  --------------------------------------------------------------
  FWLB Basic stats for group 84
  --------------------------------------------------------------
  Bytes from Firewall    : 14,650,048 (13.97 MB)
  Packets from Firewall  : 19,718 (19.71 K)
  Bytes to Firewall      : 899,844 (878.75 KB)
  Packets to Firewall    : 19,170 (19.17 K)
  Total Active sessions  : 0

4.4. DX-FWLB sessions entries

The FWLB session entries are available per group. This can be done via the CLI only. In the CLI: "show fwlb group <group-name> session"

  dx-107-1% show fwlb group 84 session
  Total sessions: 2
  Session Table
  DIRECTION: 1 - Forward; 2 - Reverse; 3 - Both
  SRC IP          DST IP          SERVER          DIR  IDLE
  ======================================================================
  172.24.90.145   10.80.84.252    20.80.80.40     3    0
  172.24.146.37   10.80.84.252    20.80.80.41     3    2
  ======================================================================

4.5. DX-FWLB advanced settings

The default settings are good in most cases, but they may need some tuning in specific customer environments. The configuration can be done in the WebUI and the CLI. This document covers only the WebUI.

Timeouts

The DX-FWLB configuration has 2 default timeout values (under "Services" > "Firewall Load Balancer" > "FWLB Groups"):
- Sticky Timeout
- Session Timeout

The Sticky Timeout ensures that the same client (whatever its destination) will be handled by the same device. That may be a requirement to help monitoring. By default the DX keeps track of client stickiness for 2 hours of inactivity. For specific customer requirements, this value can be modified in the range [1-43200 min (30 days)].

The Session Timeout ensures that the FWLB session entries table won't fill up with old, useless entries. By default, entries with no activity for 30 minutes (1800 seconds) are removed from the FWLB table. For specific customer requirements, this value can be modified in the range [1-604800 sec (7 days)]. Of course, the smaller the value, the smaller the FWLB table will be, and the higher the value, the bigger the FWLB table will be. So don't forget to validate any change with your Juniper representative to check that there is no scalability concern.

Health Check intervals

The DX-FWLB validates the devices' health at different intervals depending on whether the device is up or down (under "Services" > "Firewall Load Balancer" > "FWLB Groups"), and the device status changes after N retries. By default the values are:
- Check Interval when Target Host is Up: 20 sec by default (range [1-172800 sec])
- Check Interval when Target Host is Down: 10 sec by default (range [1-172800 sec])
- Retry to change device status from up to down: 3 by default (range [1-1000 sec])
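The three health-check settings above determine how long a failed firewall keeps receiving new flows before the DX stops selecting it. The Python below is an added example, not Juniper code; it models one target host driven by the page's defaults (20 s interval while up, 10 s while down, 3 retries before up goes to down) over a constructed sequence of ping outcomes, and assumes that a single successful probe restores a down host, which the page does not state.

```python
"""Health-check state machine for one FWLB target host (added example, not Juniper code)."""
from dataclasses import dataclass


@dataclass(frozen=True)
class HealthCheckPolicy:
    interval_up: int = 20     # Check Interval when Target Host is Up (page default)
    interval_down: int = 10   # Check Interval when Target Host is Down (page default)
    retries: int = 3          # failed checks before the status goes from up to down


class TargetHostMonitor:
    """Tracks one target host's status from successive ping-through results."""

    def __init__(self, host, policy=None, now=0):
        self.host = host
        self.policy = policy or HealthCheckPolicy()
        self.status = "up"
        self.failures = 0         # consecutive failed probes while up
        self.next_check = now     # the first probe is due immediately
        self.timeline = []        # (time, probe ok?, status after the probe)

    def due(self, now):
        return now >= self.next_check

    def record(self, ok, now):
        """Feed one probe result; returns the status after applying the policy."""
        if ok:
            self.failures = 0
            self.status = "up"    # assumption: one successful probe restores the host
        else:
            self.failures += 1
            if self.failures >= self.policy.retries:
                self.status = "down"
        # The down interval is shorter, so recovery is noticed sooner than failure.
        interval = (self.policy.interval_up if self.status == "up"
                    else self.policy.interval_down)
        self.next_check = now + interval
        self.timeline.append((now, ok, self.status))
        return self.status


def simulate(probe_results, policy=None):
    """Drive one monitor through constructed probe outcomes, advancing the clock by
    the policy's interval after each probe; returns [(time, status), ...]."""
    mon = TargetHostMonitor("20.80.80.40", policy)    # address from the page's CLI output
    now = 0
    for ok in probe_results:
        assert mon.due(now)
        mon.record(ok, now)
        now = mon.next_check
    return [(t, s) for t, _, s in mon.timeline]


def first_down_time(timeline):
    """Seconds from the first probe until the host is first reported down, or None."""
    return next((t for t, s in timeline if s == "down"), None)


if __name__ == "__main__":
    # Constructed outcome sequence: two good probes, three failures, then recovery.
    for t, s in simulate([True, True, False, False, False, True]):
        print(f"t={t:3d}s status={s}")
```

With the defaults, a firewall that stops passing the probe at t=40 is still selected for new flows until t=80 (three failed checks, 20 s apart), and its recovery is picked up 10 s after the first successful probe. The same arithmetic applies when the probe itself is misconfigured: if the ICMP from the DX-External to the DX-Internal is not authorized on the firewalls, as the notes in section 3 require, every target host reaches "down" after 3 × 20 s and the group has no available device.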