Configuring the WSM using Device Manager
In the figure below, traffic is load-balanced among the available firewalls.
Figure 1: Basic FWLB implementation
The following steps describe the basic FWLB process in the figure above.
1. The external clients intend to connect to services at the publicly-advertised IP address assigned to a virtual server on the private-side WSM.

2. When the client request arrives at the public-side WSM, a filter redirects it to a real server group that consists of a number of different IP addresses. This redirection filter splits the traffic into balanced streams: one for each IP address in the real server group. For FWLB, each IP address in the real server group represents an IP Interface (IF) on a different private-side WSM subnet.

   On the public-side WSM, one static route is needed for each traffic stream. For instance, the first static route will lead to an IP interface on the private-side WSM using the first firewall as the next hop. A second static route will lead to a second private-side IP interface using the second firewall as the next hop, and so on. By combining the redirection filter and static routes, traffic is load balanced among all active firewalls.

3. All traffic between specific IP source/destination address pairs flows through the same firewall, ensuring that sessions established by the firewalls persist for their duration.

   Client requests are forwarded or discarded according to rules configured for each firewall.

4. Packets forwarded from the firewalls are sent to the original destination address, that is, the virtual server on the private-side WSM. There, they are load balanced to the real servers using standard SLB configuration.

5. Redirection filters are needed on all ports on the private-side WSM that attach to real servers or internal clients on the private-side of the network. Filters on these ports redirect the Internet-bound traffic to a real server group that consists of a number of different IP addresses. Each IP address represents an IP interface on a different subnet on the public-side WSM.

   Static routes are configured on the private-side WSM. One static route is needed for each stream that was configured on the public-side WSM. For instance, the first static route would be configured to lead to the first public-side IP interface using the first firewall as the next hop. The second static route would lead to the second public-side IP interface using the second firewall as the next hop, and so on. Since WSMs intelligently maintain state information, all traffic between specific IP source/destination addresses flows through the same firewall, maintaining session persistence.

6. Each firewall forwards or discards the server responses according to the rules that are configured for it. Forwarded packets are sent to the public-side WSM and out to the Internet.
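The path selection in the steps above can be modelled to check that both directions of a flow cross the same firewall. This Python sketch is an added example, not WSM configuration or vendor code; the addresses, firewall names, the XOR-modulo flow key and the assumption that both WSMs see the same set of active firewalls are all constructed for illustration.

```python
import ipaddress
from collections import Counter

# Constructed topology: (IP interface on the far-side WSM, firewall used as next hop).
# One row = one real server group member plus the static route that reaches it.
PUBLIC_SIDE = [("10.20.1.1", "fw1"), ("10.20.2.1", "fw2"), ("10.20.3.1", "fw3")]
PRIVATE_SIDE = [("10.10.1.1", "fw1"), ("10.10.2.1", "fw2"), ("10.10.3.1", "fw3")]

def _ip(addr):
    return int(ipaddress.ip_address(addr))

def flow_key(src, dst, symmetric=True):
    """Assumed metric: XOR of both addresses is order-independent; src-only is not."""
    return _ip(src) ^ _ip(dst) if symmetric else _ip(src)

def select_path(table, src, dst, active, symmetric=True):
    """Redirection filter picks a group member; its static route fixes the firewall."""
    live = [row for row in table if row[1] in active]
    if not live:
        raise RuntimeError("no active firewall path")
    return live[flow_key(src, dst, symmetric) % len(live)]

def firewalls_for_flow(client, vip, active, symmetric=True):
    """Return (firewall on the request path, firewall on the response path)."""
    _, fwd = select_path(PUBLIC_SIDE, client, vip, active, symmetric)
    _, rev = select_path(PRIVATE_SIDE, vip, client, active, symmetric)
    return fwd, rev

def audit(clients, vip, active, symmetric=True):
    """Count flows per firewall and list flows whose two directions diverge."""
    load, asymmetric = Counter(), []
    for c in clients:
        fwd, rev = firewalls_for_flow(c, vip, active, symmetric)
        load[fwd] += 1
        if fwd != rev:
            asymmetric.append((c, fwd, rev))
    return load, asymmetric

CLIENTS = [f"198.51.100.{k}" for k in range(1, 61)]  # constructed sample clients
VIP = "203.0.113.10"                                 # constructed virtual server address
ALL_FW = {"fw1", "fw2", "fw3"}

if __name__ == "__main__":
    print("all active:", audit(CLIENTS, VIP, ALL_FW))
    print("fw2 down:  ", audit(CLIENTS, VIP, ALL_FW - {"fw2"}))
    broken = audit(CLIENTS, VIP, ALL_FW, symmetric=False)[1]
    print(len(broken), "flows split across two firewalls with a source-only key")
```

A non-empty asymmetric list means a stateful firewall would see a response for a session it never opened, which is the condition the paired filters and static routes exist to prevent.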