Scaling Next-Generation Firewalls with Citrix NetScaler




SOLUTION OVERVIEW

Citrix NetScaler service and application delivery solutions are deployed in thousands of networks around the globe to optimize and control the delivery of enterprise and cloud services. In this deployment guide, Citrix NetScaler is used to increase the throughput and redundancy of Palo Alto Networks next-generation firewalls in networks that require more than 20 Gbps of firewall throughput.

The deployment uses a typical firewall load-balancing sandwich architecture: a NetScaler sits on each side of a group of firewalls, and traffic in both the inbound and the outbound direction is steered by the load balancers across the firewalls. Testing was completed with a mid-range Citrix NetScaler ADC with a throughput of 36 Gbps, but the model can be expanded to increase firewall throughput. A high-end Citrix NetScaler can be deployed with a maximum of four* Palo Alto Networks next-generation firewalls in an Active-Active configuration for a total firewalling throughput of 80 Gbps.

*Due to the number of interfaces on the NetScaler, only four firewalls are supported.

DEPLOYMENT MODELS

Palo Alto Networks next-generation firewalls and Citrix NetScaler load balancers can be deployed in multiple modes. The next-generation firewall supports Virtual-Wire, Layer-2, or Layer-3 modes. However, in the firewall sandwich topology each firewall has exactly one upstream and one downstream connection, so Layer-2 deployments are not likely to be common. Testing of the solution has focused on Layer-3 and Virtual-Wire modes for the next-generation firewall.

Figure 1: Layer 3 Deployment (labels: Citrix NetScaler at 172.16.1.1 and 172.16.2.1; adjacent devices at 172.16.1.2, 172.16.1.3 and 172.16.2.2, 172.16.2.3; Palo Alto Networks NGFW interfaces at 172.16.1.4, 172.16.1.5 and 172.16.2.4, 172.16.2.5)

The NetScaler itself can run in L2 or L3 forwarding mode. In the Layer-3 deployment of Figure 1 it runs in L3 mode and is the next hop for the adjacent devices. Where the topology allows it, as in the virtual-wire deployment below, L2 mode is suggested so that no changes are necessary to the rest of the network: in L3 mode the NetScaler would need to be the default gateway or next hop for adjacent devices, which requires a change to the adjacent devices' routing tables, whereas L2 mode does not.

PALO ALTO NETWORKS: Technology Partner Solution Program Brief

VIRTUAL-WIRE DEPLOYMENT

In a virtual-wire deployment, a single subnet connects the load balancers across multiple firewalls. There are two important configuration differences between virtual-wire and Layer-3 configurations. First, since there are no IP addresses on the firewall virtual-wire ports, each NetScaler must perform its health checks against the ports of the NetScaler on the far end, and the probe therefore crosses the firewall on that path. Second, in order to balance the traffic, each NetScaler must have a unique IP address on each interface that connects to a firewall, and a static ARP entry for the IP address on the corresponding interface of the opposite NetScaler.

Figure 2: Virtual Wire Deployment (labels: 172.16.1.1 through 172.16.1.8 on one subnet; near-end NetScaler interfaces 172.16.1.5 and 172.16.1.7; far-end NetScaler interfaces 172.16.1.6 at 00:e0:ed:25:95:a0 and 172.16.1.8 at 00:e0:ed:25:95:a1; Palo Alto Networks NGFW between them)

HIGH-AVAILABILITY

There are several high availability options for the Citrix NetScaler and the Palo Alto Networks next-generation firewall. Protection from a failed firewall or link is built in, because the NetScaler monitors the health of each firewall path. If a firewall fails, its service is marked down and receives no further traffic; new flows are delivered to the remaining operational firewalls. Both the NetScaler and the Palo Alto Networks next-generation firewalls also support Active-Passive and Active-Active high availability.

When each Citrix NetScaler is paired with a second device and high availability is enabled on each NetScaler pair, the system is also protected from the failure of a load balancer on either side. The system is already protected from a firewall failure; however, when each firewall is additionally paired with a passive firewall, session state is maintained during a firewall failure and firewall capacity remains constant through the failure.

Figure 3: HA Configuration (Palo Alto Networks HA pairs and NetScaler HA pairs, Active/Passive)

CONFIGURATION

Configuration of the Citrix NetScaler involves four steps.

Step 1. Set IP addresses and routing
Start by setting the IP addresses of the NetScaler and establishing routing to the subnets on the local side. Routes to the far-side subnets are not necessary, because that traffic is load balanced across the firewalls to the far-side NetScaler, where the far-side routing takes place.

Step 2. Enable the modes and features
Enable the load balancing feature and set Mac-based Forwarding (MBF) mode. Set the L2 or L3 forwarding mode according to the deployment model chosen (see Deployment Models above).

Step 3. Define a service for each firewall
The term service here refers to a firewall. Each firewall must have a service defined using the add server and add service commands. In the virtual-wire deployment mode, a static ARP entry is also required to bind each far-end IP address to a specific NetScaler interface; without it the traffic is not balanced correctly.

Step 4. Define a virtual server
Create the virtual server and set the load balancing method and parameters, then bind the services you defined to it. See the example configurations in the appendix for more detail.
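The four steps above, rendered by one generator that covers both deployment models. This is an added example, not code from the brief or from Citrix: it emits the same NetScaler CLI commands the appendix lists for one side of the sandwich from a short description of that side, and refuses inputs that break the brief's constraints (more than four firewalls; in virtual-wire mode, a service without a static ARP entry or without its own local interface address). The Firewall and SandwichSide records, the function names, the rss_symmetric flag (set it to False on builds that lack set rsskeytype) and the interface numbers are assumptions of this example; the addresses are those of the brief's figures.

```python
"""Render the four NetScaler configuration steps for one side of a firewall sandwich.

Added example, not code from the Citrix/Palo Alto Networks brief. It emits the
commands the brief uses (add ns ip, add route, enable/disable ns mode, add
server, add service, add arp, add lb vserver, set lb parameter, bind lb
vserver, set rsskeytype) for either the Layer-3 or the virtual-wire model and
checks the brief's constraints first. The Firewall/SandwichSide records, the
interface names and the function names are this example's own assumptions.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple

MAX_FIREWALLS = 4   # the brief: interface count limits a NetScaler to four firewalls


@dataclass
class Firewall:
    name: str                    # service name, e.g. FW1 or LB6
    ip: str                      # L3: local firewall data interface; vwire: far-end NetScaler IP
    mac: Optional[str] = None    # vwire only: far-end NetScaler MAC for the static ARP entry
    ifnum: Optional[str] = None  # vwire only: local interface that leads to this firewall


@dataclass
class SandwichSide:
    mode: str                                 # "l3" or "vwire"
    local_ips: List[str]                      # NetScaler addresses on this side
    netmask: str
    local_routes: List[Tuple[str, str, str]]  # (subnet, mask, next hop), local side only
    firewalls: List[Firewall]
    vserver: str = "VS1"
    rss_symmetric: bool = True                # False on builds without set rsskeytype


def validate(side: SandwichSide) -> None:
    """Raise ValueError for configurations the brief says cannot work."""
    if side.mode not in ("l3", "vwire"):
        raise ValueError("mode must be 'l3' or 'vwire'")
    n = len(side.firewalls)
    if not 1 <= n <= MAX_FIREWALLS:
        raise ValueError(f"{n} firewalls: a NetScaler supports 1..{MAX_FIREWALLS}")
    if len({fw.name for fw in side.firewalls}) != n or len({fw.ip for fw in side.firewalls}) != n:
        raise ValueError("service names and IPs must be unique")
    if side.mode == "vwire":
        # One unique local IP per firewall-facing interface, and a static ARP
        # entry (MAC + interface) per far-end address; otherwise the far-end
        # IPs are not pinned to interfaces and everything goes to one firewall.
        if len(set(side.local_ips)) != n:
            raise ValueError("vwire: need one unique local IP per firewall interface")
        if any(fw.mac is None or fw.ifnum is None for fw in side.firewalls):
            raise ValueError("vwire: every service needs mac and ifnum for add arp")
        if len({fw.ifnum for fw in side.firewalls}) != n:
            raise ValueError("vwire: each firewall must sit behind a distinct interface")
    elif not side.local_ips:
        raise ValueError("l3: at least one local IP is required")


def render(side: SandwichSide) -> List[str]:
    """Return the NetScaler CLI lines for Steps 1 to 4, in order."""
    validate(side)
    on, off = ("L3", "L2") if side.mode == "l3" else ("L2", "L3")
    lines = [f"add ns ip {ip} {side.netmask} -vserver DISABLED" for ip in side.local_ips]
    lines += [f"add route {net} {mask} {gw}" for net, mask, gw in side.local_routes]
    lines += ["enable ns feature LB", f"enable ns mode {on} MBF", f"disable ns mode {off}"]
    for fw in side.firewalls:
        lines += [f"add server {fw.ip} {fw.ip}",
                  f"add service {fw.name} {fw.ip} ANY * -usip YES"]
        if side.mode == "vwire":
            lines.append(f"add arp -IPAddress {fw.ip} -mac {fw.mac} -ifnum {fw.ifnum}")
    # Wildcard vserver in MAC mode: hash on src/dst IP so both directions of a
    # flow pick the same firewall; rewrite only the destination MAC.
    lines += [f"add lb vserver {side.vserver} ANY * * -persistencetype NONE "
              "-lbmethod SRCIPDESTIPHASH -m MAC",
              "set lb parameter -preferdirectroute NO -vserverspecificmac ENABLED"]
    lines += [f"bind lb vserver {side.vserver} {fw.name}" for fw in side.firewalls]
    if side.rss_symmetric:
        lines.append("set rsskeytype -rsstype SYMMETRIC")
    return lines


# The brief's two examples rebuilt as inputs (addresses taken from its figures).
L3_SIDE = SandwichSide("l3", ["172.16.1.1"], "255.255.255.0",
                       [("10.0.2.0", "255.255.255.0", "172.16.1.2"),
                        ("10.0.3.0", "255.255.255.0", "172.16.1.3")],
                       [Firewall("FW1", "172.16.1.4"), Firewall("FW2", "172.16.1.5")])

VWIRE_SIDE = SandwichSide("vwire", ["172.16.1.5", "172.16.1.7"], "255.255.255.0",
                          [("192.168.1.0", "255.255.255.0", "172.16.1.1"),
                           ("192.168.3.0", "255.255.255.0", "172.16.1.3")],
                          [Firewall("LB6", "172.16.1.6", "00:e0:ed:25:95:a0", "10/3"),
                           Firewall("LB8", "172.16.1.8", "00:e0:ed:25:95:a1", "10/4")])

if __name__ == "__main__":
    for side in (L3_SIDE, VWIRE_SIDE):
        print(f"# {side.mode} side")
        print("\n".join(render(side)))
```

Run it once per NetScaler in the sandwich with that side's own addresses; the output for the far side differs only in the local addresses, routes and interfaces, and the validation makes sure both sides end up with the same method and mode.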

VERIFICATION

On the Citrix NetScaler, check that the services and virtual servers are configured correctly using the show lb vserver and show service commands. Correct load balancing of traffic can be verified with the stat lb vserver command. Sample output of these commands is shown below. The show output was captured on a virtual-wire configuration, so the bound services are the far-end NetScaler addresses (LB6 and LB8) and the monitor is the default ping monitor, whose probes cross the firewall on each path.

> show lb vserver VS1
VS1 (*:*) - ANY Type: ADDRESS
State: UP
Last state change was at Mon Mar 25 05:59:23 2013
Time since last state change: 1 days, 03:17:17.390
Effective State: UP
ARP:DISABLED
Client Idle Timeout: 120 sec
Down state flush: ENABLED
Disable Primary Vserver On Down : DISABLED
Appflow logging: ENABLED
No. of Bound Services : 2 (Total) 0 (Active)
Configured Method: SRCIPDESTIPHASH
Mode: MAC
Persistence: NONE
Connection Failover: DISABLED
L2Conn: OFF
Skip Persistency: None
IcmpResponse: PASSIVE

1) LB6 (172.16.1.6: *) - ANY State: UP Weight: 1
2) LB8 (172.16.1.8: *) - ANY State: UP Weight: 1
Done

> show service LB8
LB8 (172.16.1.8:*) - ANY
State: DOWN
Last state change was at Mon Mar 25 05:59:23 2013
Time since last state change: 1 days, 03:20:15.290
Server Name: 172.16.1.8
Server ID : "None" Monitor Threshold : 0
Max Conn: 0 Max Req: 0 Max Bandwidth: 0 kbits
Use Source IP: YES
Use Proxy Port: NO
Client Keepalive(CKA): NO
Access Down Service: NO
TCP Buffering(TCPB): NO
HTTP Compression(CMP): NO
Idle timeout: Client: 120 sec Server: 120 sec
Client IP: DISABLED
Cacheable: NO
SC: OFF
SP: OFF
Down state flush: ENABLED
Appflow logging: ENABLED

1) Monitor Name: ping-default
State: UP Weight: 1
Probes: 5 Failed [Total: 0 Current: 0]
Last response: Success - ICMP echo reply received.
Response Time: 2000.0 millisec
Done
>

> stat lb vserver VS1

Virtual Server Summary
      vsvrip  port  Protocol  State  Health
VS1   *       *     ANY       UP     0

Virtual Server Statistics
                                   Rate (/s)  Total
Vserver hits                               0      0
Requests                                   0      0
Responses                                  0      0
Request bytes                              0      0
Response bytes                             0      0
Total Packets rcvd                         0      0
Total Packets sent                         0      0
Current client connections                --      0
Current Client Est connections            --      0
Current server connections                --      0
Spill Over Threshold                      --      0
Spill Over Hits                           --      0
Labeled Connection                        --      0
Push Labeled Connection                   --      0
Deferred Request                           0      0
Invalid Request/Response                  --      0
Invalid Request/Response Dropped          --      0

Bound Service(s) Summary
      IP           port  Type  State  Hits  Req  Rsp  Throughp  ClntConn  SurgeQ  SvrConn  ReuseP  MaxConn  ActvTrans  SvrTTFB  Load
FW1   172.16.1.3   *     ANY   UP     0     0    0    0         0         0       0        0       0        0          0        0
FW2   172.16.1.4   *     ANY   UP     0     0    0    0         0         0       0        0       0        0          0        0
Done
>

This stat sample was taken on a Layer-3 setup whose service addresses differ from the appendix example, and before any traffic had passed, so every counter is zero. On a loaded system, compare the Hits column across the bound services: hits concentrated on one service in a virtual-wire deployment indicate a missing or wrong static ARP entry (see Step 3), and a service in any state other than UP indicates that its firewall path is not receiving new flows.

SUMMARY

Citrix NetScaler application delivery solutions can increase the throughput and redundancy of Palo Alto Networks next-generation firewalls in networks that require more than 20 Gbps of firewall throughput. Using a firewall load-balancing sandwich architecture, a high-end Citrix NetScaler can be deployed with a maximum of four Palo Alto Networks next-generation firewalls in an Active-Active configuration for a total firewalling throughput of 80 Gbps.
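The verification checks from this section, applied to the command output automatically. This is an added example, not code from the brief or from Citrix: it parses the parts of show lb vserver and stat lb vserver output that matter for a firewall sandwich (method, mode, per-service state and hit counters) and reports the conditions a practitioner looks for after Step 4. The two sample outputs in the block are constructed for this example; they follow the layout of the brief's samples but carry non-zero hit counters so the distribution check has something to flag. The function names and the 80% imbalance threshold are this example's own choices.

```python
"""Post-deployment checks for a NetScaler firewall sandwich from CLI output.

Added example, not code from the brief. It parses the parts of `show lb
vserver` and `stat lb vserver` output that matter here (method, mode, per-
service state, per-service hit counters) and applies the checks a
practitioner makes after Step 4. Both sample outputs below are constructed
for this example: they follow the layout of the brief's samples but carry
non-zero hit counters so the distribution check has something to flag. The
function names and the 80% threshold are this example's own choices.
"""
import re
from typing import Dict, List

SHOW_LB_VSERVER = """\
> show lb vserver VS1
VS1 (*:*) - ANY Type: ADDRESS
State: UP
No. of Bound Services : 2 (Total) 2 (Active)
Configured Method: SRCIPDESTIPHASH
Mode: MAC
Persistence: NONE
1) LB6 (172.16.1.6: *) - ANY State: UP Weight: 1
2) LB8 (172.16.1.8: *) - ANY State: UP Weight: 1
Done
"""

STAT_LB_VSERVER = """\
> stat lb vserver VS1
Bound Service(s) Summary
      IP           port  Type  State  Hits   Req  Rsp
LB6   172.16.1.6   *     ANY   UP     91734  0    0
LB8   172.16.1.8   *     ANY   UP     612    0    0
Done
"""

# "1) LB6 (172.16.1.6: *) - ANY State: UP Weight: 1"
SERVICE_RE = re.compile(
    r"^\d+\)\s+(\S+)\s+\((\S+):\s*\*\)\s+-\s+\S+\s+State:\s+(\S+)\s+Weight:\s+(\d+)")
# "LB6   172.16.1.6   *     ANY   UP     91734  0    0"
STAT_RE = re.compile(
    r"^(\S+)\s+(\d+\.\d+\.\d+\.\d+)\s+\S+\s+\S+\s+(UP|DOWN|OUT OF SERVICE)\s+(\d+)")


def parse_show_lb_vserver(text: str) -> dict:
    """Return {'method', 'mode', 'services': {name: {'ip', 'state', 'weight'}}}."""
    info = {"method": None, "mode": None, "services": {}}
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("Configured Method:"):
            info["method"] = line.split(":", 1)[1].strip()
        elif line.startswith("Mode:"):
            info["mode"] = line.split(":", 1)[1].strip()
        else:
            m = SERVICE_RE.match(line)
            if m:
                info["services"][m.group(1)] = {
                    "ip": m.group(2), "state": m.group(3), "weight": int(m.group(4))}
    return info


def parse_stat_hits(text: str) -> Dict[str, int]:
    """Return {service name: total hits} from the Bound Service(s) Summary table."""
    hits, in_summary = {}, False
    for line in text.splitlines():
        if line.startswith("Bound Service(s) Summary"):
            in_summary = True
            continue
        m = STAT_RE.match(line) if in_summary else None
        if m:
            hits[m.group(1)] = int(m.group(4))
    return hits


def check_sandwich(show_text: str, stat_text: str, max_share: float = 0.8) -> List[str]:
    """Return human-readable findings; an empty list means the sandwich looks healthy."""
    findings = []
    info = parse_show_lb_vserver(show_text)
    # Both NetScalers must hash on src/dst IP in MAC mode, or a flow's two
    # directions can land on different (stateful) firewalls.
    if info["method"] != "SRCIPDESTIPHASH":
        findings.append(f"lb method is {info['method']}, expected SRCIPDESTIPHASH")
    if info["mode"] != "MAC":
        findings.append(f"vserver mode is {info['mode']}, expected MAC (-m MAC)")
    up = []
    for name, svc in info["services"].items():
        if svc["state"] == "UP":
            up.append(name)
        else:
            findings.append(f"{name} ({svc['ip']}) is {svc['state']}: that firewall path gets no new flows")
    hits = parse_stat_hits(stat_text)
    total = sum(hits.get(n, 0) for n in up)
    if total and len(up) > 1:
        top = max(up, key=lambda n: hits.get(n, 0))
        share = hits.get(top, 0) / total
        if share > max_share:
            # In virtual-wire mode this is the symptom of a missing or wrong
            # static ARP entry: every far-end IP resolves via one interface.
            findings.append(f"{top} carries {share:.0%} of hits: traffic is not being balanced "
                            "(check the static ARP entries in a virtual-wire deployment)")
    return findings


if __name__ == "__main__":
    for finding in check_sandwich(SHOW_LB_VSERVER, STAT_LB_VSERVER) or ["no findings"]:
        print(finding)
```

Feed it the real output of the two commands (for example captured over SSH) from each NetScaler in the sandwich; a DOWN service, a non-hash method, a non-MAC mode, or one service absorbing almost all hits are each reported as a separate finding.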

APPENDIX: NETSCALER CONFIGURATIONS

Layer-3 Configuration

Step 1. Set IP addresses and routing
Configure the local IP addresses. These IPs are used by adjacent devices as the default gateway or next hop to the far-end networks, and they are also the source of the health-monitoring pings sent to the connected firewall interfaces. Then set routes to the relevant destination subnets on the local side.

add ns ip 172.16.1.1 255.255.255.0 -vserver DISABLED
add route 10.0.2.0 255.255.255.0 172.16.1.2
add route 10.0.3.0 255.255.255.0 172.16.1.3

Step 2. Enable the modes and features
Turn on the Load Balancing feature (LB). Turn on the Layer-3 forwarding mode (L3) and Mac-based Forwarding (MBF). Disable the Layer-2 forwarding mode (L2) if it is enabled.

enable ns feature LB
enable ns mode L3 MBF
disable ns mode L2

Step 3. Define a service for each firewall
Configure one service per firewall, using the IP address of the locally connected firewall data interface. The -usip (Use Source IP) argument ensures that the packet IP addresses are not altered.

add server 172.16.1.4 172.16.1.4
add server 172.16.1.5 172.16.1.5
add service FW1 172.16.1.4 ANY * -usip YES
add service FW2 172.16.1.5 ANY * -usip YES

Step 4. Define a virtual server
The virtual server receives the traffic and rewrites the destination MAC address to that of one of the services defined above. It is a wildcard virtual server (ANY * *), so all forwarded traffic, whatever its protocol and port, is matched and sent through a firewall. The virtual server is set to use the source/destination IP hash as the load balancing method, so that both directions of a flow are sent to the same firewall, and to MAC mode (-m MAC), which rewrites the destination MAC address to that of the firewall instead of rewriting the destination IP address (the default). Set the load balancing parameters to treat the firewalls as a next hop rather than as a server. Bind each service to the virtual server. The last command changes Receive Side Scaling to maintain symmetry of flows, so that each flow is always processed by the same internal Packet Engine, which improves performance.

NOTE: The set rsskeytype command is available only in specific NetScaler software versions; for other versions, do not enter the command. The command is available in 9.3.nc Build 58.5009.e and higher and in 10.1 Build 103.16 and higher. It is not available in the 10.0 software version as of this writing.

add lb vserver VS1 ANY * * -persistencetype NONE -lbmethod SRCIPDESTIPHASH -m MAC
set lb parameter -preferdirectroute NO -vserverspecificmac ENABLED
bind lb vserver VS1 FW1
bind lb vserver VS1 FW2
set rsskeytype -rsstype SYMMETRIC

The NetScaler on the far side of the firewalls is configured in the same way with its own local addresses, routes and firewall interfaces. Both NetScalers must use the same load balancing method and mode; otherwise the return direction of a flow can be sent to a different firewall than the forward direction, and a stateful firewall drops it.

Virtual-Wire Configuration

Step 1. Set IP addresses and routing
Configure the local IP addresses. These IPs are used by the remote NetScaler for monitoring and load balancing. Notice that in virtual-wire mode the NetScaler monitors the health of the far-end NetScaler, not the health of the firewall directly: a failed firewall or link on a path is detected because the probe through that path fails, but a firewall that still forwards ICMP while otherwise unhealthy is not. Then set routes to the relevant destination subnets on the local side.

add ns ip 172.16.1.5 255.255.255.0 -vserver DISABLED
add ns ip 172.16.1.7 255.255.255.0 -vserver DISABLED
add route 192.168.1.0 255.255.255.0 172.16.1.1
add route 192.168.3.0 255.255.255.0 172.16.1.3

Step 2. Enable the modes and features
Turn on the Load Balancing feature (LB). Turn on the Layer-2 forwarding mode (L2) and Mac-based Forwarding (MBF). Disable the Layer-3 forwarding mode (L3). The NetScaler can be used in L2 or L3 mode; L2 mode is suggested here so that no changes are necessary to the rest of the network. If L3 mode were used, the NetScaler would need to be the default gateway or next hop for adjacent devices, which requires a change to the adjacent devices' routing tables. L2 mode does not require this change.

enable ns feature LB
enable ns mode L2 MBF
disable ns mode L3

Step 3. Define a service for each firewall
In virtual-wire mode, the firewall interfaces do not have IP addresses, so the services here are configured with the IP addresses of the far-end NetScaler; those addresses are configured in Step 1 of the far-end NetScaler's configuration. The -usip (Use Source IP) argument ensures that the packet IP addresses are not altered. Each service must also have a static ARP entry that ties the far-end NetScaler IP address to the corresponding far-end NetScaler MAC address and to a local egress interface. All far-end addresses sit on one subnet that is reachable through every firewall, so dynamic ARP would not pin each address to a particular interface; the static entries do, which is what makes each service correspond to one firewall and keeps traffic load balanced across the firewalls instead of all being sent to one of them. The firewall security policy must permit the ICMP monitor probes between the two NetScalers' addresses across each virtual wire, or the services will be marked down.

add server 172.16.1.6 172.16.1.6
add server 172.16.1.8 172.16.1.8
add service LB6 172.16.1.6 ANY * -usip YES
add service LB8 172.16.1.8 ANY * -usip YES
add arp -IPAddress 172.16.1.6 -mac 00:e0:ed:25:95:a0 -ifnum 10/3
add arp -IPAddress 172.16.1.8 -mac 00:e0:ed:25:95:a1 -ifnum 10/4

Step 4. Define a virtual server
The virtual server receives the traffic and rewrites the destination MAC address to that of one of the services defined above. It is set to use the source/destination IP hash as the load balancing method and to MAC mode (-m MAC), which rewrites the destination MAC address instead of rewriting the destination IP address (the default). Set the load balancing parameters to treat the firewalls as a next hop rather than as a server. Bind each service to the virtual server. The last command changes Receive Side Scaling to maintain symmetry of flows, so that each flow is always processed by the same internal Packet Engine, which improves performance.

NOTE: The set rsskeytype command is available only in specific NetScaler software versions; for other versions, do not enter the command. The command is available in 9.3.nc Build 58.5009.e and higher and in 10.1 Build 103.16 and higher. It is not available in the 10.0 software version as of this writing.

add lb vserver VS1 ANY * * -persistencetype NONE -lbmethod SRCIPDESTIPHASH -m MAC
set lb parameter -preferdirectroute NO -vserverspecificmac ENABLED
bind lb vserver VS1 LB6
bind lb vserver VS1 LB8
set rsskeytype -rsstype SYMMETRIC

3300 Olcott Street, Santa Clara, CA 95054. Main: +1.408.753.4000. Sales: +1.866.320.4788. Support: +1.866.898.9087. www.paloaltonetworks.com
Copyright 2013, Palo Alto Networks, Inc. All rights reserved. Palo Alto Networks, the Palo Alto Networks Logo, PAN-OS, App-ID and Panorama are trademarks of Palo Alto Networks, Inc. All specifications are subject to change without notice. Palo Alto Networks assumes no responsibility for any inaccuracies in this document or for any obligation to update information in this document. Palo Alto Networks reserves the right to change, modify, transfer, or otherwise revise this publication without notice. PAN_TPSB_CNADC_062513