Applies To: BIG-IP versions 3.2 PTF-01, 3.2.3 PTF-01, 3.2.3, 3.2.0
Chapter 8: Using Firewall Load Balancing
Introducing firewall load balancing
There are three primary scenarios in which firewall load balancing is useful:
- Balancing outbound traffic
Clients behind an enterprise's firewalls request information from Internet servers.
- Balancing traffic to enterprise servers using a firewall sandwich configuration
Internet clients request information from enterprise servers behind firewalls.
- Balancing two-way traffic using a firewall sandwich configuration
Clients behind an enterprise's firewalls request information from Internet servers, and Internet clients request information from enterprise servers behind the firewalls.
This chapter describes configurations you can deploy for each of these scenarios. For each scenario, we detail:
- Configuration elements
- Procedure summary
- Configuration diagram
- Detailed procedure, including:
- Configuration utility procedure
- Command line procedure
- Example implementation, as shown in the configuration diagram
Note: The IP addresses shown in the example implementation are fictitious. In following these examples, choose IP addresses that are consistent with your network or networks.
Finally, we explain how you can use Extended Content Verification (ECV) to verify that your firewall configuration is working properly.
Note: The procedures in this chapter detail how to configure a single BIG-IP Controller. In order to complete your configuration, synchronize the configured BIG-IP Controller with the other BIG-IP Controller in your BIG-IP Controller redundant system, as detailed in Configuring and synchronizing redundant systems in the BIG-IP Controller Getting Started Guide.
Balancing outbound traffic
In this scenario, internal users behind a set of firewalls request information from an Internet server. Figure 8.1 shows the elements of this configuration. This section explains how to set up the configuration using the sample IP addresses and device names shown in Figure 8.1 as an example.
This configuration requires you to configure address translation on your firewalls. Therefore, before attempting to implement this configuration, verify that your firewalls are capable of address translation.
Configuration elements
The topology shown in Figure 8.1 includes the following elements:
- Internal user cloud network
- Internal router
- Ethernet network connecting internal router to BIG-IP Controller redundant system
- BIG-IP Controller redundant system
- Ethernet network connecting BIG-IP Controller redundant system to firewalls
- Firewalls
- Ethernet network connecting firewalls to Internet
Task summary
To configure firewall load balancing for outbound traffic, you need to complete the following tasks in order. The sections that follow detail the individual steps needed to complete each task.
- Configure interfaces on BIG-IP Controller redundant system.
- Verify routing.
- Create a load balancing pool for the firewalls.
- Create a wildcard virtual server that references the pool, so that outbound traffic is load balanced across the firewalls and forwarded to the Internet.
- Configure address translation for your firewalls.
Configuring interfaces
Typically, a BIG-IP Controller has two interfaces:
- An external interface, typically set for destination processing. For example, in Figure 8.1, the external interface is exp0.
- An internal interface, typically set for source processing. For example, in Figure 8.1, the internal interface is exp1.
For this configuration, interface processing should be set, or reset, so that the external interface processes source addresses only and the internal interface processes destination addresses only.
To configure source and destination processing in the Configuration utility
- In the navigation pane, click NICs.
The Network Interface Cards screen opens. You can view the current settings for each interface in the Network Interface Card table.
- In the Network Interface Card table, click the name of the interface you want to configure.
For example, to implement the configuration shown in Figure 8.1, you would click exp0. After you configure exp0, repeat the procedure for exp1. The Network Interface Card Properties screen opens.
- To enable source processing for this interface, check the Enable Source Processing check box.
For example, for exp0, the external interface, make sure this box is checked. For exp1, the internal interface, make sure this box is cleared.
- To enable destination processing for this interface, check the Enable Destination Processing check box.
For example, for exp0, make sure this box is cleared. For exp1, make sure this box is checked.
- Click Apply.
To configure source processing from the command line
Use the bigpipe interface command with the source keyword to turn source processing on or off for an interface:
bigpipe interface <interface> source <enable|disable>
where <interface> is the identifier of the interface whose source processing you want to change. In this configuration, source processing is enabled on the external interface and disabled on the internal interface.
For example, to implement the configuration shown in Figure 8.1, you would use the commands:
bigpipe interface exp0 source enable
bigpipe interface exp1 source disable
To configure destination processing from the command line
Use the bigpipe interface command with the dest keyword to turn destination processing on or off for an interface:
bigpipe interface <interface> dest <enable|disable>
where <interface> is the identifier of the interface whose destination processing you want to change. In this configuration, destination processing is enabled on the internal interface and disabled on the external interface.
For example, to implement the configuration shown in Figure 8.1, you would use the command:
bigpipe interface exp1 dest enable
bigpipe interface exp0 dest disable
Verifying routing
Verify that the router between your client network (10.10.40.0/24) and the BIG-IP Controller redundant system is configured to point to the internal shared alias (10.10.30.1) for the redundant system. This alias is configured during setup, using the First-Time Boot utility. For more information about this utility, see Running the First-Time Boot Utility in Chapter 2, BIG-IP Controller Getting Started Guide. For more information about routing, see Addressing routing issues in Chapter 3, BIG-IP Controller Getting Started Guide.
Note: If the client network is on the same network as the BIG-IP Controller redundant system, then the BIG-IP internal shared alias can be used as a default gateway for the client network.
Creating a pool for the firewalls
The firewall configuration requires you to create a load balancing pool for the inside interfaces of your firewalls. A pool is a group of devices that you want the BIG-IP Controllers to load balance. For more information about pools, refer to More flexible load balancing using pools and members in Chapter 3, BIG-IP Administrator Guide.
You can use either the Configuration utility or the bigpipe pool command to create the pool. This section shows how to create such a pool, using the configuration in Figure 8.1 as an example. For more information about using the Configuration utility or the command, see Configuring a pool in Chapter 3, BIG-IP Controller Getting Started Guide.
To create a pool in the Configuration utility
1. In the navigation pane, click Pools.
The Pools screen opens.
2. In the toolbar, click the Add Pool button.
The Add Pool screen opens.
3. In the Pool Name box, type the name you want to use for the pool.
For example, to implement the configuration shown in Figure 8.1, you would type firewalls.
4. Click the Load Balancing Method list and select the method you want to use for this pool, or accept the default (Round Robin) method.
For example, to implement the configuration shown in Figure 8.1, accept the default (Round Robin) load balancing method.
5. Use the Resources options to add members to the pool. To add a member to the pool, type the IP address in the Node Address box. The Port, Member ratio, and Member priority boxes are optional. If you do not type values in these boxes, the BIG-IP Controller assigns default values.
For example, to implement the configuration shown in Figure 8.1, you need to complete the Node Address box only.
· Node Address
Type the IP address of the first firewall you want to add to the pool. To implement the configuration shown in Figure 8.1, you would type 10.10.20.4.
· Port
Type the port number you want to use for this node in the pool. For firewalls, this is typically the wildcard port 0, which means that this firewall will process traffic on all ports. If you do not type a value in this field, the BIG-IP Controller assigns a value of 0.
· Ratio
Type a number to assign a ratio to this node within the pool. For example, if you are using the ratio load balancing mode and you type a 1 in this box, the node receives a lower percentage of connections than a node marked 2. If you do not type a value in this field, the BIG-IP Controller assigns a value of 1.
· Priority
Type a number to assign a priority to this node within the pool. For example, if you are using a priority load balancing mode and you type a 1 in this box, the node has a lower priority in the load balancing pool than a node marked 2. If you do not type a value in this field, the BIG-IP Controller assigns a value of 1.
· Current Members
This is a list of the nodes that are part of the load balancing pool.
6. To add this firewall to the pool, click the add (>>) button.
7. Click the Apply button.
8. A message that begins Wildcard ports are being phased out appears. This message does not pertain to firewall configuration. Click OK to close the message.
9. Repeat steps 2-8 for any other firewalls you want to add to this pool.
For example, to implement the configuration shown in Figure 8.1, you would repeat steps 2-8, adding the firewall IP addresses 10.10.20.5 and 10.10.20.6.
To create the pool from the command line
Use the bigpipe pool command to create the pool:
bigpipe pool <pool name> { lb_mode <xx> member <Firewall1>:0 member <Firewall2>:0 member <Firewall3>:0 }
In the command, replace the parameters with the appropriate information.
- <pool name> is a 1-31 character identifier for the pool.
- <Firewall1>, <Firewall2>, and <Firewall3> are the inside IP addresses of your respective firewalls.
- lb_mode <xx> designates the load balancing method for the pool. For the available modes, refer to Changing the global load balancing mode in Chapter 3, BIG-IP Getting Started Guide.
In Figure 8.1, for example, the pool for the inside addresses is firewalls, the inside addresses are 10.10.20.4, 10.10.20.5, and 10.10.20.6, and the load balancing method is Round Robin. Thus, the command to implement this configuration would be:
bigpipe pool firewalls { lb_mode rr member 10.10.20.4:0 member 10.10.20.5:0 member 10.10.20.6:0 }
Creating a wildcard virtual server
To configure the BIG-IP Controllers for outbound connections, create a wildcard virtual server; that is, a virtual server that accepts all traffic from the internal network, then load balances the traffic across the firewalls. You can use either the Configuration utility or the bigpipe vip command to create the virtual server. This section shows how to create such a virtual server, using the configuration in Figure 8.1 as an example. For more information, see Configuring virtual servers in Chapter 3, BIG-IP Controller Getting Started Guide.
To create a wildcard virtual server in the Configuration utility
- In the navigation pane, click Virtual Servers.
- On the toolbar, click Add Virtual Server.
The Add Virtual Server screen opens.
- In the Address box, type the wildcard IP address 0.0.0.0.
- In the Netmask box, type an optional netmask.
If you leave this box blank, the BIG-IP Controller generates a default netmask based on the IP address of this virtual server. Use the default netmask unless your configuration requires a different netmask.
- In the Broadcast box, type the broadcast address for this virtual server.
If you leave this box blank, the BIG-IP Controller generates a default broadcast address based on the IP address and netmask of this virtual server.
- In the Port box, type a port number, or select a service name from the drop-down list. Note that port 0 defines a wildcard virtual server that handles all types of services.
For example, to implement the configuration shown in Figure 8.1, you would type 0.
- For Interface, select the interface on which you want to create the virtual server (the interface set for destination processing; in this configuration, the internal interface).
If you choose None, the BIG-IP Controller does not create an alias, nor does it generate ARPs for the virtual IP address (see Optimizing large configurations in Chapter 3, BIG-IP Administrator Guide for details).
For example, to implement the configuration shown in Figure 8.1, choose None.
- In Resources, click the Pool button.
- In the Pool list, select the pool you want to apply to the virtual server. For example, to implement the configuration shown in Figure 8.1, you would choose firewalls (having created the firewalls pool in Creating a pool for the firewalls, on page 8-8).
- To add this virtual server, click Add.
- Click Apply.
To create the virtual server from the command line
Use the bigpipe vip command to configure the virtual server to use the pool that contains the inside addresses of the firewalls:
bigpipe vip <virtual server>:<service> <interface> use pool <pool name>
In the command, replace the parameters with the appropriate information:
- <virtual server> is an IP address appropriate to your network; 0.0.0.0 creates a wildcard virtual server.
- <service> is a service you want to configure, such as HTTP, FTP, or Telnet; 0 matches all services.
- <interface> is the interface on the BIG-IP Controller on which you want to create this virtual server, or none.
- <pool name> is the name of the pool you want this virtual server to use.
Repeat this command for each service you want to configure. A wildcard virtual server with service 0 covers all services, so the example needs only one command.
For example, to implement the configuration shown in Figure 8.1, the command would be:
bigpipe vip 0.0.0.0:0 none use pool firewalls
Configuring address translation on your firewalls
Because you have a single set of BIG-IP Controllers in this configuration, nothing on the outside of the firewalls knows which firewall forwarded a given connection. You therefore need to configure your firewalls so that they perform address translation on outbound traffic: the Internet server then replies to the address of the firewall that forwarded the request, so packets sent back to the client return through the firewall that holds the connection state. Without translation, the reply is routed back to the client's own address and can enter through a different firewall, which has no record of the connection and drops it. Refer to your firewall documentation for instructions.
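The five tasks of this scenario can be expressed as one script that emits the bigpipe commands and cross-checks them before anything is typed on the controller. The following is an added example, not code from the original guide or from F5. It assumes only the command forms shown in this chapter (bigpipe interface, bigpipe pool, bigpipe vip) and the Figure 8.1 sample addresses; the pool-name character set and the port-0 rule for wildcard virtual servers are checks of the script's own, not validations the BIG-IP Controller performs.

```python
"""Render and cross-check the bigpipe commands for the outbound scenario.

Added example, not code from the original BIG-IP guide. It assumes only the
command forms the chapter shows and the Figure 8.1 sample addresses; it never
executes bigpipe, it returns the command lines for review."""
import ipaddress
import re

# 1-31 characters per the chapter; the permitted character set is an assumption.
POOL_NAME = re.compile(r"^[A-Za-z0-9_.-]{1,31}$")


def member(addr, port=0):
    """Validate one pool member and render it as <ip>:<port>."""
    ip = ipaddress.IPv4Address(addr)          # raises on a malformed address
    port = int(port)
    if not 0 <= port <= 65535:
        raise ValueError("bad member port %r" % port)
    return "%s:%d" % (ip, port)


def build(interfaces, pools, vips):
    """interfaces: {name: (source_processing, destination_processing)}
    pools:      {name: (lb_mode, [(ip, port), ...])}
    vips:       [(ip, service, interface_or_None, pool, lasthop_pool_or_None)]
    Returns the bigpipe command lines in the order the chapter applies them."""
    cmds = []
    for name, (src, dst) in interfaces.items():
        cmds.append("bigpipe interface %s source %s" % (name, "enable" if src else "disable"))
        cmds.append("bigpipe interface %s dest %s" % (name, "enable" if dst else "disable"))
    for name, (mode, members) in pools.items():
        if not POOL_NAME.match(name):
            raise ValueError("pool name must be 1-31 characters: %r" % name)
        if not members:
            raise ValueError("pool %s has no members" % name)
        body = " ".join("member " + member(a, p) for a, p in members)
        cmds.append("bigpipe pool %s { lb_mode %s %s }" % (name, mode, body))
    for ip, service, iface, pool, lasthop in vips:
        ipaddress.IPv4Address(ip)
        # Cross-reference check: a virtual server may only name pools that exist,
        # so a typo such as "firewall" for "firewalls" is caught here, not on the box.
        for ref in (pool, lasthop):
            if ref is not None and ref not in pools:
                raise ValueError("virtual server %s:%s names undefined pool %r" % (ip, service, ref))
        if iface not in (None, "none") and iface not in interfaces:
            raise ValueError("virtual server %s:%s on unknown interface %r" % (ip, service, iface))
        if ip == "0.0.0.0" and service == 0:
            # Wildcard virtual server: members must use port 0 so the client's
            # original destination port is carried through to the firewall.
            bad = [m for m in pools[pool][1] if int(m[1]) != 0]
            if bad:
                raise ValueError("wildcard virtual server needs port-0 members, got %r" % bad)
        where = "" if iface is None else " " + iface
        cmds.append("bigpipe vip %s:%s%s use pool %s" % (ip, service, where, pool))
        if lasthop is not None:
            cmds.append("bigpipe vip %s:%s lasthop pool %s" % (ip, service, lasthop))
    return cmds


def lint(interfaces, pools, vips):
    """Return the first validation error as a string, or None if the config builds."""
    try:
        build(interfaces, pools, vips)
    except ValueError as exc:
        return str(exc)
    return None


def outbound_config(external="exp0", internal="exp1",
                    firewalls=("10.10.20.4", "10.10.20.5", "10.10.20.6")):
    """Figure 8.1: source processing on the external interface, destination
    processing on the internal one, one pool of firewall inside addresses and
    a wildcard virtual server (created on no interface) that uses it."""
    interfaces = {external: (True, False), internal: (False, True)}
    pools = {"firewalls": ("rr", [(fw, 0) for fw in firewalls])}
    vips = [("0.0.0.0", 0, "none", "firewalls", None)]
    return build(interfaces, pools, vips)


if __name__ == "__main__":
    print("\n".join(outbound_config()))
```

The cross-reference check is the part worth keeping around: a virtual server that names a pool which does not exist is rejected by the script rather than discovered when outbound traffic stops.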
Balancing traffic to enterprise servers using a firewall sandwich configuration
In this scenario, Internet clients request information from an enterprise server behind a firewall. Figure 8.2 shows the elements of this configuration. This section explains how to set up this configuration, using the sample IP addresses and device names shown in Figure 8.2 as an example.
Configuration elements
The topology shown in Figure 8.2 includes the following elements:
- Ethernet network between Internet and outside BIG-IP Controller redundant system
- Outside BIG-IP Controller redundant system
- Ethernet network connecting outside BIG-IP Controller redundant system and firewalls
- Firewall set
- Ethernet network connecting firewalls and inside BIG-IP Controller redundant system
- Inside BIG-IP Controller redundant system
- Ethernet network connecting inside BIG-IP Controller redundant system and enterprise content servers
- Enterprise servers
Task summary
To load balance traffic to enterprise servers across a set of firewalls using a firewall sandwich, you need to complete the following tasks in order. The sections that follow detail the individual steps required to complete each task.
- Configure BIG-IP interfaces for source and destination processing.
- Create outside and inside groups, or pools, for the firewalls and servers.
- Create virtual servers for the firewall sandwich.
Configuring BIG-IP interfaces for source and destination processing
Typically, a BIG-IP Controller has two interfaces:
- An external interface, usually set for destination processing.
- An internal interface, usually set for source processing.
In order for the firewall sandwich configuration to work, you must set all interfaces on the BIG-IP Controller systems (1a and 1b, and 2a and 2b, in Figure 8.2) to process both source and destination addresses.
Thus, you must turn source processing on for the external interfaces and destination processing on for the internal interfaces.
To configure source and destination processing in the Configuration utility
- In the navigation pane, click NICs.
The Network Interface Cards screen opens. You can view the current settings for each interface in the Network Interface Card table.
- In the Network Interface Card table, click the name of the interface you want to configure.
The Network Interface Card Properties screen opens.
- To enable source processing for this interface, check the Enable Source Processing check box.
- To enable destination processing for this interface, check the Enable Destination Processing check box.
- Click the Apply button.
For example, to implement the configuration shown in Figure 8.2, you would click exp0, make sure that both the Enable Source Processing and Enable Destination Processing check boxes are checked, then click the Apply button.
- Repeat this process for each BIG-IP interface.
To configure source processing from the command line
Use the bigpipe interface command with the source keyword to turn source processing on for an interface:
bigpipe interface <interface> source enable
where <interface> is the identifier for the external interface of a BIG-IP Controller (the internal interface processes source addresses by default).
For example, to implement the configuration shown in Figure 8.2, you would use the command
bigpipe interface exp0 source enable
Repeat this process for each BIG-IP Controller.
To configure destination processing from the command line
Use the bigpipe interface command with the dest keyword to turn destination processing on for an interface:
bigpipe interface <interface> dest enable
where <interface> is the identifier for the internal interface of a BIG-IP Controller (the external interface processes destination addresses by default).
For example, to implement the configuration shown in Figure 8.2, you would use the command:
bigpipe interface exp1 dest enable
Repeat this process for each BIG-IP Controller.
Creating pools for firewalls and servers
The firewall sandwich configuration requires you to create load balancing pools for the inside and outside interfaces on the firewalls. A pool is a group of devices that you want the BIG-IP Controller redundant system to load balance. For more information about pools, refer to More flexible load balancing using pools and members in Chapter 3, BIG-IP Administrator Guide.
In order to load balance the content servers, you must create a pool for these servers. After you create these pools, you can create the virtual servers that use the pools.
Creating a pool for outside firewall addresses
First, create the pool for the outside addresses of the firewalls on the outside BIG-IP Controller redundant system.
For example, to implement the configuration shown in Figure 8.2, you would create this pool on BIG-IP Controllers 1a and 1b.
To create a pool in the Configuration utility
1. In the navigation pane, click Pools.
The Pools screen opens.
2. In the toolbar, click the Add Pool button.
The Add Pool screen opens.
3. In the Pool Name box, type the name you want to use for the pool.
For example, to implement the configuration shown in Figure 8.2, you would type firewall_outsides.
4. Click the Load Balancing Method list and select the method you want to use for this pool, or accept the default (Round Robin) method.
For example, to implement the configuration shown in Figure 8.2, accept the default (Round Robin) load balancing method.
5. Use the Resources options to add members to the pool. To add a member to the pool, type the IP address in the Node Address box. The Port, Member ratio, and Member priority boxes are optional. If you do not type values in these boxes, the BIG-IP Controller assigns default values.
For example, to implement the configuration shown in Figure 8.2, you need to complete the Node Address box only.
· Node Address
Type the IP address of the first firewall you want to add to the pool. To implement the configuration shown in Figure 8.2, you would type 10.10.20.4.
· Port
Type the port number you want to use for this node in the pool. For firewalls, this is typically the wildcard port 0, which means that this firewall will process traffic on all ports. If you do not type a value in this field, the BIG-IP Controller assigns a value of 0.
· Ratio
Type a number to assign a ratio to this node within the pool. For example, if you are using the ratio load balancing mode and you type a 1 in this box, the node receives a lower percentage of connections than a node marked 2. If you do not type a value in this field, the BIG-IP Controller assigns a value of 1.
· Priority
Type a number to assign a priority to this node within the pool. For example, if you are using a priority load balancing mode and you type a 1 in this box, the node has a lower priority in the load balancing pool than a node marked 2. If you do not type a value in this field, the BIG-IP Controller assigns a value of 1.
· Current Members
This is a list of the nodes that are part of the load balancing pool.
6. To add this firewall to the pool, click the add (>>) button.
7. Click the Apply button.
8. A message that begins Wildcard ports are being phased out appears. This message does not pertain to firewall configuration. Click OK to close the message.
9. Repeat steps 2-8 for any other firewalls you want to add to this pool.
For example, to implement the configuration shown in Figure 8.2, you would repeat steps 2-8, adding the firewall IP addresses 10.10.20.5 and 10.10.20.6.
To create the pool from the command line
Use the bigpipe pool command to create the pool.
bigpipe pool <pool name> { lb_mode <xx> member <Firewall1>:0 member <Firewall2>:0 member <Firewall3>:0 }
In the command, replace the parameters with the appropriate information:
- <pool name> is a 1-31 character identifier for the pool.
- <Firewall1>, <Firewall2>, and <Firewall3> are the external IP addresses of your respective firewalls.
- lb_mode <xx> designates the global load balancing method. For more information, refer to Changing the global load balancing mode in Chapter 3, BIG-IP Getting Started Guide.
In Figure 8.2, for example, the pool for the outside addresses is firewall_outsides, the outside addresses are 10.10.20.4, 10.10.20.5, and 10.10.20.6, and the load balancing method is Round Robin. Thus, the command would be:
bigpipe pool firewall_outsides { lb_mode rr member 10.10.20.4:0 member 10.10.20.5:0 member 10.10.20.6:0 }
Creating a pool for inside firewall addresses
Next, create a pool for the internal addresses of your firewalls on the inside BIG-IP Controller redundant system. Use the Configuration utility, or the bigpipe pool command, as you did to create the pool for the outside firewall addresses. Choose a pool name appropriate for this pool.
For example, to implement the configuration shown in Figure 8.2, you would create this pool on BIG-IP Controllers 2a and 2b. In this example, the pool for the inside addresses is firewall_insides, the inside addresses are 10.10.30.4, 10.10.30.5, and 10.10.30.6, and the load balancing method is Round Robin. Thus the command to implement this configuration would be:
bigpipe pool firewall_insides { lb_mode rr member 10.10.30.4:0 member 10.10.30.5:0 member 10.10.30.6:0 }
Creating the server pool
Finally, create the pool for the nodes that handle requests to your enterprise servers on the inside BIG-IP Controller redundant system. Use the Configuration utility, or the bigpipe pool command, as you did to create the firewall pools. Choose a pool name appropriate for this pool.
For example, to implement the configuration shown in Figure 8.2, you would create this pool on BIG-IP Controllers 2a and 2b. In this example, the pool for the server addresses is server_pool, the server addresses are 10.10.40.4 and 10.10.40.5 and the load balancing method is Round Robin. Thus, the command to implement this configuration would be:
bigpipe pool server_pool { lb_mode rr member 10.10.40.4:80 member 10.10.40.5:80 }
Creating virtual servers for the firewall sandwich
After you define the pools for the inner and outer interfaces of the firewalls, you can define the virtual servers for the BIG-IP Controller redundant systems. To do this, you must configure both redundant systems to load balance inbound connections.
Creating a virtual server for the outside firewall interfaces
Because the outside BIG-IP Controller redundant system load balances inbound connections across the outside interfaces of the firewalls, you need to create a wildcard virtual server on this system (1a and 1b in Figure 8.2) that references the pool you created in Creating a pool for outside firewall addresses, on page 8-17, that contains these interfaces.
To create a wildcard virtual server in the Configuration utility
- In the navigation pane, click Virtual Servers.
- On the toolbar, click Add Virtual Server.
The Add Virtual Server screen opens.
- In the Address box, type the wildcard IP address 0.0.0.0.
- In the Netmask box, type an optional netmask.
If you leave this box blank, the BIG-IP Controller generates a default netmask based on the IP address of this virtual server. Use the default netmask unless your configuration requires a different netmask.
- In the Broadcast box, type the broadcast address for this virtual server.
If you leave this box blank, the BIG-IP Controller generates a default broadcast address based on the IP address and netmask of this virtual server.
- In the Port box, type a port number, or select a service name from the drop-down list. Note that port 0 defines a wildcard virtual server that handles all types of services.
For example, to implement the configuration shown in Figure 8.2, you would type 0.
- For Interface, select the external (destination processing) interface on which you want to create the virtual server.
If you choose None, the BIG-IP Controller does not create an alias, nor does it generate ARPs for the virtual IP address (see Optimizing large configurations in Chapter 3, BIG-IP Administrator Guide for details).
For example, to implement the configuration shown in Figure 8.2, you would choose None.
- In Resources, click the Pool button.
- In the Pool list, select the pool you want to apply to the virtual server.
For example, to implement the configuration shown in Figure 8.2, you would choose firewall_outsides.
- To add this virtual server, click Add.
- Click Apply.
To create the wildcard virtual server from the command line
Use the bigpipe vip command to create the virtual server:
bigpipe vip <virtual server>:<service> <interface> use pool <pool name>
In the command, replace the parameters with the appropriate information:
- <virtual server> is an IP address appropriate to your network.
- <service> is a service you want to configure, such as HTTP, FTP, or Telnet; 0 matches all services.
- <interface> is the interface on the BIG-IP Controller on which you want to create this virtual server.
- <pool name> is the name of the pool you want this virtual server to use.
Repeat this command for each service you want to configure.
For example the command to implement the configuration shown in Figure 8.2 would be:
bigpipe vip 0.0.0.0:0 none use pool firewall_outsides
Configuring the inside BIG-IP Controller redundant system
After you configure the outside BIG-IP Controller redundant system to handle inbound traffic, configure the inside BIG-IP Controller redundant system to handle inbound traffic.
First, create the virtual server for the inside redundant system on the inside BIG-IP Controllers (2a and 2b in Figure 8.2). Use the Configuration utility, or the bigpipe vip command, as you did to create the wildcard virtual server for the outside controllers. Instead of a wildcard IP address, use a standard IP address and service, and the server pool appropriate for your network.
For example, to use the bigpipe vip command to implement the configuration shown in Figure 8.2, you would type:
bigpipe vip 10.10.30.9:http use pool server_pool
Designating the last hop pool
When a BIG-IP Controller redundant system is accepting connections for virtual servers from more than one firewall, it is typically desirable to return packets through the same firewall from which the connection originated. Returning the data through the originating firewall has two potential benefits:
- It balances the outbound load across the firewall set.
- It guarantees, in situations where the firewall is maintaining a connection for a client, that packets can be returned to that client.
To configure your firewall sandwich along these lines, use the Configuration utility or the bigpipe vip command with the lasthop keyword to designate the pool containing the inside interfaces of the firewalls as the last hop pool.
To configure a last hop pool in the Configuration utility
- In the navigation pane, click Virtual Servers.
The Virtual Servers screen opens.
- In the virtual server list, click the virtual server for which you want to set up a last hop pool.
For example, to implement the configuration shown in Figure 8.2, you would select 10.10.30.9:http.
The properties screen for the virtual server you clicked opens.
- Click the Last Hop Pool list and select the pool you created that contains the inside interfaces of your firewalls.
For example, to implement the configuration shown in Figure 8.2, you would select firewall_insides.
- Click the Apply button.
To configure last hop pools for virtual servers from the command line
Use the bigpipe vip command:
bigpipe vip <virtual server>:<service> lasthop pool <pool name>
In the command, replace the parameters with the appropriate information:
- <virtual server> is an IP address appropriate to your network.
- <service> is the service of the virtual server, such as HTTP, FTP, or Telnet.
- <pool name> is the name of the pool you want this virtual server to use.
For example, to implement the configuration shown in Figure 8.2, you would type:
bigpipe vip 10.10.30.9:http lasthop pool firewall_insides
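The two requirements the chapter has placed on the return path, address translation on the firewalls in the single-controller outbound design (Configuring address translation on your firewalls) and the last hop pool in the sandwich, exist for the same reason: a stateful firewall only passes a reply that matches a connection it saw open. The following simulation is an added example, not code from the original guide or from F5. It models three stateful firewalls and the round-robin selection the BIG-IP Controller performs, then counts how many replies get through with and without each mechanism. The addresses are the chapter's samples (firewall outside addresses 10.10.20.x and inside addresses 10.10.30.x as in Figure 8.2; the client and Internet server addresses are constructed); the single static return route via fw1 on the far side, the port-based NAT table and the connection counts are assumptions made for the simulation, not BIG-IP or firewall product behaviour.

```python
"""Simulate why return traffic must re-enter the firewall that holds the
connection state: with NAT (outbound scenario) and with a last hop pool
(sandwich scenario). Added example; not code from the BIG-IP guide."""
import itertools

# Constructed sample topology: name, inside address, outside address (Figure 8.2 numbering).
FIREWALLS = [
    ("fw1", "10.10.30.4", "10.10.20.4"),
    ("fw2", "10.10.30.5", "10.10.20.5"),
    ("fw3", "10.10.30.6", "10.10.20.6"),
]


class StatefulFirewall:
    """Passes a packet only if it opens a new connection or matches one
    already in the table; optionally translates the source address (NAT)."""

    def __init__(self, name, inside, outside):
        self.name, self.inside, self.outside = name, inside, outside
        self.conns = set()   # (src_endpoint, dst_endpoint) of connections seen opening
        self.nat = {}        # translated endpoint -> original endpoint
        self._port = 10000   # next translated source port (assumed NAT scheme)

    def forward(self, src, dst, nat=False):
        """A new connection crosses this firewall; endpoints are (ip, port).
        Returns the packet as it appears on the far side."""
        if nat:
            xlated = (self.outside, self._port)
            self._port += 1
            self.nat[xlated] = src
            src = xlated
        self.conns.add((src, dst))
        return src, dst

    def reverse(self, src, dst):
        """A reply enters from the far side. Delivered (and untranslated) only
        if it matches a connection this firewall saw open; otherwise dropped."""
        if (dst, src) not in self.conns:
            return None
        return src, self.nat.get(dst, dst)


def outbound(nat, n=6):
    """Figure 8.1: one BIG-IP round-robins client connections across the
    firewalls. The Internet-side router has one static route back to the
    client network (assumed: via fw1), so untranslated replies all try fw1."""
    fws = [StatefulFirewall(*f) for f in FIREWALLS]
    by_outside = {fw.outside: fw for fw in fws}
    pick = itertools.cycle(fws)          # the wildcard virtual server's choice
    delivered = 0
    for i in range(n):
        client = ("10.10.40.%d" % (10 + i), 40000 + i)
        server = ("198.51.100.7", 80)
        src, _ = next(pick).forward(client, server, nat)
        # The server replies to the source it saw: a translated source is the
        # firewall's own address, an untranslated one follows the static route.
        back = by_outside.get(src[0], fws[0])
        if back.reverse(server, src) is not None:
            delivered += 1
    return delivered


def inbound(lasthop, n=6):
    """Figure 8.2: the outside BIG-IP round-robins Internet clients across the
    firewalls toward the inside virtual server. The inside BIG-IP remembers the
    firewall each connection arrived from; with a last hop pool it sends the
    reply back that way, otherwise via its default gateway (assumed: fw1)."""
    fws = [StatefulFirewall(*f) for f in FIREWALLS]
    pick = itertools.cycle(fws)
    vip = ("10.10.30.9", 80)
    delivered = 0
    for i in range(n):
        client = ("203.0.113.%d" % (5 + i), 50000 + i)
        arrived_via = next(pick)
        arrived_via.forward(client, vip)            # firewall records the inbound connection
        back = arrived_via if lasthop else fws[0]   # where the server's reply is sent
        if back.reverse(vip, client) is not None:
            delivered += 1
    return delivered


if __name__ == "__main__":
    for label, fn, flag in (("outbound, NAT", outbound, True),
                            ("outbound, no NAT", outbound, False),
                            ("inbound, last hop pool", inbound, True),
                            ("inbound, default route", inbound, False)):
        print("%-24s %d of 6 replies delivered" % (label, fn(flag)))
```

With three firewalls and round-robin selection, only the connections that happened to go through the firewall on the static return path survive when the mechanism is missing; the rest are dropped as unsolicited packets. The same asymmetry shows up in practice as connections that hang after the handshake rather than failing outright, which is why the chapter's ECV checks are worth running through each firewall separately.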
Balancing two-way traffic using a firewall sandwich configuration
You can use the firewall sandwich configuration to load balance two-way traffic. Figure 8.3 shows the elements of this configuration. This section explains how to set up this configuration, using the sample IP addresses and device names shown in Figure 8.3 as an example.
Configuration elements
The topology shown in Figure 8.3 includes the following elements:
- Router between Internet and Ethernet network
- Ethernet network between router and outside BIG-IP Controller redundant system
- Outside BIG-IP Controller redundant system
- Ethernet network connecting outside BIG-IP Controller redundant system and firewalls
- Firewall set
- Ethernet network connecting firewalls and inside BIG-IP Controller redundant system
- Inside BIG-IP Controller redundant system
- Ethernet network connecting inside BIG-IP Controller redundant system and enterprise servers
- Enterprise servers
- Internal user cloud
Task summary
To load balance two-way traffic across a set of firewalls using a firewall sandwich configuration, you need to complete the following tasks in order. The sections that follow detail the individual steps required to complete each task.
- Configure BIG-IP Controller interfaces for source and destination processing.
- Configure for inbound traffic.
a) Configure routing.
b) Create a pool for outside firewall addresses.
c) Create a pool for inside firewall addresses.
d) Create a pool for enterprise servers.
e) Create a virtual server on the outside BIG-IP Controllers to load balance inbound traffic to the firewalls.
f) Create a virtual server on the inside BIG-IP Controllers to balance traffic to the content servers.
g) Create a last hop pool to ensure that any outbound traffic that results from inbound traffic returns through the appropriate firewall.
- Configure for outbound traffic.
a) Verify routing.
b) Create a wildcard virtual server on the inside BIG-IP Controllers to balance outbound traffic across the firewalls.
c) Create a wildcard virtual server on the outside BIG-IP Controllers to forward outbound traffic to the Internet.
d) Designate a last hop pool.
This section explains how to set up this configuration, using the sample IP addresses and device names in Figure 8.3 as an example.
Configuring for inbound traffic
Perform the tasks in this section to ensure that inbound traffic across your firewalls to your enterprise servers is load balanced.
Configuring BIG-IP interfaces for source and destination processing
Typically, a BIG-IP Controller has two interfaces:
- An external interface, usually set for destination processing.
- An internal interface, usually set for source processing.
In order for the firewall sandwich configuration to work, you must set all interfaces on the BIG-IP Controller redundant systems (1a and 1b, and 2a and 2b, in Figure 8.3) to process both source and destination addresses.
Thus, you must turn source processing on for the external interfaces and destination processing on for the internal interfaces.
To configure source and destination processing in the Configuration utility
1. In the navigation pane, click NICs.
The Network Interface Cards screen opens. You can view the current settings for each interface in the Network Interface Card table.
2. In the Network Interface Card table, click the name of the interface you want to configure.
The Network Interface Card Properties screen opens.
· To enable source processing for this interface, check the Enable Source Processing check box.
· To enable destination processing for this interface, check the Enable Destination Processing check box.
3. Click Apply.
For example, to implement the configuration shown in Figure 8.3, you would click exp0, make sure that both the Enable Source Processing and Enable Destination Processing check boxes are checked, then click the Apply button.
4. Repeat steps 2 and 3 for each interface on each BIG-IP Controller.
To configure source processing from the command line
Use the bigpipe interface command with the source keyword to turn source processing on for an interface:
bigpipe interface <interface> source enable
where <interface> is the identifier of the interface you want to configure. Source processing is normally already enabled on the internal interface, so in practice you run this command for each external interface.
For example, to implement the configuration shown in Figure 8.3, you would use the command:
bigpipe interface exp0 source enable
Repeat this command on each BIG-IP Controller.
To configure destination processing from the command line
Use the bigpipe interface command with the dest keyword to turn destination processing on for an interface:
bigpipe interface <interface> dest enable
where <interface> is the identifier of the interface you want to configure. Destination processing is normally already enabled on the external interface, so in practice you run this command for each internal interface.
For example, to implement the configuration shown in Figure 8.3, you would use the command:
bigpipe interface exp1 dest enable
Repeat this command on each BIG-IP Controller.
Configuring routing
Your external router must have a route to the network that contains the external interfaces of the inside BIG-IP Controller redundant system (the controllers that load balance your enterprise servers), with the shared alias of the outside BIG-IP Controller redundant system as the next hop. For example, in Figure 8.3, the inside BIG-IP Controllers are 2a and 2b, their external interfaces are on the 10.10.30.0 network, and the shared alias of the outside controllers (1a and 1b) on the router's network is 10.10.10.1. Thus, a command to configure this route might be:
route add -net 10.10.30.0 10.10.10.1
Note: The exact syntax of this command depends on your operating system and router.
Creating pools for firewalls and servers
The firewall sandwich configuration requires you to create load balancing pools for the inside and outside interfaces on the firewalls. A pool is a group of devices that you want the BIG-IP Controller redundant system to load balance. For more information about pools, refer to More flexible load balancing using pools and members in Chapter 3, BIG-IP Administrator Guide.
In order to load balance the enterprise servers, you must also create a pool for these servers. After you create these pools, you can create the virtual servers that use the pools.
Creating a pool for outside firewall addresses
First, create the pool for the outside addresses of the firewalls on the outside BIG-IP Controller redundant system.
For example, to implement the configuration shown in Figure 8.3, you would create this pool on BIG-IP Controllers 1a and 1b.
To create a pool in the Configuration utility
1. In the navigation pane, click Pools.
The Pools screen opens.
2. In the toolbar, click the Add Pool button.
The Add Pool screen opens.
3. In the Pool Name box, type the name you want to use for the pool.
For example, to implement the configuration shown in Figure 8.3, you would type firewall_outsides.
4. Click the Load Balancing Method list and select the method you want to use for this pool, or accept the default (Round Robin) method.
For example, to implement the configuration shown in Figure 8.3, accept the default (Round Robin) load balancing method.
5. Use the Resources options to add members to the pool. To add a member to the pool, type its IP address in the Node Address box. The Port, Member ratio, and Member priority boxes are optional; if you do not type values in these boxes, the BIG-IP Controller assigns default values.
For example, to implement the configuration shown in Figure 8.3, you need to complete the Node Address box only.
· Node Address
Type the IP address of the first firewall you want to add to the pool. To implement the configuration shown in Figure 8.3, you would type 10.10.20.4.
· Port
Type the port number of the port you want to use for this node in the pool. For firewalls, this is typically the wildcard port 0, which means that the firewall processes traffic on all ports. If you do not type a value in this field, the BIG-IP Controller assigns a value of 0.
· Ratio
Type a number to assign a ratio to this node within the pool. For example, if you are using the ratio load balancing mode and you type 1 in this box, the node receives a lower percentage of connections than a node marked 2. If you do not type a value in this field, the BIG-IP Controller assigns a value of 1.
· Priority
Type a number to assign a priority to this node within the pool. For example, if you are using a priority load balancing mode and you type 1 in this box, the node has a lower priority in the pool than a node marked 2. If you do not type a value in this field, the BIG-IP Controller assigns a value of 1.
· Current Members
This is the list of nodes that are currently part of the load balancing pool.
6. To add this firewall to the pool, click the add (>>) button.
7. Click the Apply button.
8. A message that begins Wildcard ports are being phased out appears. This message does not pertain to firewall configuration. Click OK to close the message.
9. Repeat steps 2-8 for any other firewalls you want to add to this pool.
For example, to implement the configuration shown in Figure 8.3, you would repeat steps 2-8, adding the firewall IP addresses 10.10.20.5 and 10.10.20.6.
To create the pool from the command line
Use the bigpipe pool command to create the pool:
bigpipe pool <pool name> { lb_mode <xx> member <Firewall1>:0 member <Firewall2>:0 member <Firewall3>:0 }
In the command, replace the parameters with the appropriate information:
- <pool name> is a 1-31 character identifier for the pool.
- <Firewall1>, <Firewall2>, and <Firewall3> are the outside (external) IP addresses of your respective firewalls. The wildcard port 0 means that each firewall is load balanced for traffic on all ports.
- lb_mode <xx> designates the load balancing method for this pool; rr selects Round Robin. For more information about load balancing methods, refer to Changing the global load balancing mode in Chapter 3, BIG-IP Getting Started Guide.
In Figure 8.3, for example, the pool for the outside addresses is firewall_outsides, the outside addresses are 10.10.20.4, 10.10.20.5, and 10.10.20.6, and the load balancing method is Round Robin. Thus, the command would be:
bigpipe pool firewall_outsides { lb_mode rr member 10.10.20.4:0 member 10.10.20.5:0 member 10.10.20.6:0 }
Creating a pool for inside firewall addresses
Next, create a pool for the inside addresses of your firewalls on the inside BIG-IP Controller redundant system (2a and 2b in Figure 8.3). Use the Configuration utility, or the bigpipe pool command, as you did to create the outside pool. Choose a pool name appropriate for this pool.
In Figure 8.3, for example, the pool for the inside addresses is firewall_insides, the inside addresses are 10.10.30.4, 10.10.30.5, and 10.10.30.6, and the load balancing method is Round Robin. Thus, the command to implement this configuration would be:
bigpipe pool firewall_insides { lb_mode rr member 10.10.30.4:0 member 10.10.30.5:0 member 10.10.30.6:0 }
Creating a server pool
Finally, create the pool for the enterprise servers on the inside BIG-IP Controller redundant system (2a and 2b in Figure 8.3). Use the Configuration utility, or the bigpipe pool command, as you did to create the firewall pools. Choose a pool name appropriate for this pool. Unlike the firewall pools, the server pool members carry the port of the service you are load balancing rather than the wildcard port 0.
In Figure 8.3, for example, the pool for the server addresses is server_pool, the server addresses are 10.10.40.4 and 10.10.40.5, the service is HTTP (port 80), and the load balancing method is Round Robin. Thus, the command to implement this configuration would be:
bigpipe pool server_pool { lb_mode rr member 10.10.40.4:80 member 10.10.40.5:80 }
Creating virtual servers for the firewall sandwich
After you define the pools for the inner and outer interfaces of the firewalls, you can define the virtual servers for the BIG-IP Controller redundant systems. To do this, you must configure both redundant systems to load balance inbound connections.
Creating a virtual server to load balance the firewalls
Because the outside BIG-IP Controller redundant system will load balance inbound connections across the outside interfaces of the firewalls, you need to create a virtual server on that system (1a and 1b in Figure 8.3). This virtual server will reference the pool you created above that contains these outside firewall interfaces.
In order to accommodate the possibility that you might have multiple virtual servers for your enterprise servers, create a network virtual server. A network virtual server is a virtual server that handles a whole network range, instead of just one IP address. For example, in Figure 8.3, the virtual server 10.10.30.0 load balances traffic across the firewall set to all virtual servers on the 10.10.30.0/24 network.
To define a virtual server in the Configuration utility
1. In the navigation pane, click Virtual Servers.
2. On the toolbar, click Add Virtual Server.
The Add Virtual Server screen opens.
3. In the Address box, type the virtual server's IP address or host name.
For example, to implement the configuration shown in Figure 8.3, you would type 10.10.30.0.
4. In the Netmask box, type a netmask appropriate for this virtual server.
For example, to create a virtual server for the 10.10.30.0/24 network shown in Figure 8.3, you would type 255.255.255.0.
5. In the Broadcast box, type the broadcast address for this virtual server. If you leave this box blank, the BIG-IP Controller generates a default broadcast address based on the IP address and netmask of this virtual server.
6. In the Port box, either type a port number, or select a service name from the drop-down list.
7. For Interface, select the external (destination processing) interface on which you want to create the virtual server. Select default to allow the Configuration utility to select the interface based on the network address of the virtual server; if no external interface is found for that network, the virtual server is created on the first external interface. If you choose none, the BIG-IP Controller does not create an alias, nor does it generate ARPs for the virtual IP address. In this case, the BIG-IP Controller accepts traffic for the virtual server on all interfaces.
For example, to implement the configuration shown in Figure 8.3, you would choose none.
8. In Resources, click the Pool button.
9. In the Pool list, select the pool you want to apply to the virtual server.
For example, to implement the configuration shown in Figure 8.3, you would select firewall_outsides.
10. Click Apply.
To define the network virtual server from the command line
Use the bigpipe vip command to create the virtual server:
bigpipe vip <virtual server>:<service> <interface> use pool <pool name>
In the command, replace the parameters with the appropriate information:
- <virtual server> is an IP address appropriate to your network; for a network virtual server, it is the network address.
- <service> is a service you want to configure, such as HTTP, FTP, or telnet.
- <interface> is the interface on which you want to create the virtual server, or none, as described for the Configuration utility above.
- <pool name> is the name of the pool you want this virtual server to use.
Repeat this command for each service you want to configure.
For example, to implement the configuration shown in Figure 8.3, you would use the command:
bigpipe vip 10.10.30.0 none use pool firewall_outsides
Creating a virtual server to load balance the enterprise servers
After you configure the outside controllers to handle inbound traffic, configure the inside controllers to handle inbound traffic.
First, create the virtual server for the inside controllers as you did in Creating a virtual server to load balance the firewalls, using either the Configuration utility or the bigpipe vip command. Choose an address, service, and pool name appropriate to your network.
For example, to implement the configuration shown in Figure 8.3, you would choose the address 10.10.30.9, the service http, and the pool name server_pool.
If you used the command line to create this virtual server, the command would be:
bigpipe vip 10.10.30.9:http use pool server_pool
Designating a last hop pool for inbound traffic
When a BIG-IP Controller redundant system is accepting inbound connections for virtual servers from more than one firewall, it is typically desirable to return packets through the same firewall from which the connection originated. Returning the data through the originating firewall provides two potential benefits:
- It balances the outbound load across the firewall set.
- It guarantees, in situations where the firewall is maintaining a connection for a client, that packets can be returned to that client.
To configure your firewall sandwich along these lines, use the Configuration utility or the bigpipe vip command with the lasthop keyword to designate the pool containing the inside interfaces of the firewalls as the last hop pool.
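The following Python model, added here as an illustration and not part of the BIG-IP Controller software or this guide, shows the second benefit concretely. Three stateful firewalls with the inside addresses of Figure 8.3 forward a reply only for a connection they have already seen inbound. Without a last hop pool, the inside BIG-IP Controller picks the return firewall by round robin from the firewall_insides pool, so replies for connections that arrived through a different firewall are dropped; with the last hop pool, each reply goes back through the firewall that delivered the connection. The connection list is constructed, and the model records the delivering firewall by its inside address where the real controller keys on the source MAC address of the inbound packets.

```python
"""Added illustration, not code from the BIG-IP Controller or this guide:
why replies must leave through the firewall that delivered the connection.
Each firewall is stateful and forwards a reply only for a connection it
already saw inbound. The inside BIG-IP Controller records the firewall
("last hop") that delivered each inbound connection; the real controller
keys this on the source MAC address of the inbound packets, which this
model abstracts as the firewall's inside address. Addresses are those of
Figure 8.3; the connection list is constructed."""
from itertools import cycle

# Inside addresses of the firewall set, i.e. the firewall_insides pool.
FIREWALL_INSIDES = ["10.10.30.4", "10.10.30.5", "10.10.30.6"]


class StatefulFirewall:
    """Forwards a reply only if the matching inbound flow passed through it."""

    def __init__(self, inside_addr):
        self.inside_addr = inside_addr
        self.seen = set()           # connections seen in the inbound direction

    def forward_inbound(self, conn):
        self.seen.add(conn)

    def forward_reply(self, conn):
        # A reply for a connection this firewall never saw is dropped.
        return conn in self.seen


class InsideBigip:
    """Inside BIG-IP Controller redundant system (2a and 2b in Figure 8.3)."""

    def __init__(self, firewalls, lasthop_pool):
        self.firewalls = {fw.inside_addr: fw for fw in firewalls}
        # Members of the pool named by "lasthop pool"; None means no last hop pool.
        self.lasthop_pool = set(lasthop_pool or ())
        self.round_robin = cycle(sorted(self.firewalls))   # outbound pool, lb_mode rr
        self.last_hop = {}          # conn -> inside address of the delivering firewall

    def receive_inbound(self, conn, via):
        self.last_hop[conn] = via

    def send_reply(self, conn):
        via = self.last_hop.get(conn)
        if via not in self.lasthop_pool:
            # No last hop pool, or the last hop is not one of its members:
            # the reply is load balanced like any other outbound packet.
            via = next(self.round_robin)
        return self.firewalls[via].forward_reply(conn)


def simulate(connections, use_lasthop_pool):
    """Return how many replies make it back out through a firewall."""
    firewalls = [StatefulFirewall(addr) for addr in FIREWALL_INSIDES]
    bigip = InsideBigip(firewalls, FIREWALL_INSIDES if use_lasthop_pool else None)
    for conn, via in connections:               # inbound leg, via one firewall each
        bigip.firewalls[via].forward_inbound(conn)
        bigip.receive_inbound(conn, via)
    return sum(1 for conn, _ in connections if bigip.send_reply(conn))


# Constructed sample: (client ip, client port, virtual server, port) and the
# firewall the outside controller happened to send each connection through.
SAMPLE_CONNECTIONS = [
    (("192.0.2.10", 40001, "10.10.30.9", 80), "10.10.30.4"),
    (("192.0.2.11", 40002, "10.10.30.9", 80), "10.10.30.4"),
    (("192.0.2.12", 40003, "10.10.30.9", 80), "10.10.30.5"),
    (("192.0.2.13", 40004, "10.10.30.9", 80), "10.10.30.6"),
    (("192.0.2.14", 40005, "10.10.30.9", 80), "10.10.30.5"),
    (("192.0.2.15", 40006, "10.10.30.9", 80), "10.10.30.6"),
]

if __name__ == "__main__":
    for use_pool in (False, True):
        delivered = simulate(SAMPLE_CONNECTIONS, use_pool)
        print("last hop pool %s: %d of %d replies delivered"
              % ("on " if use_pool else "off", delivered, len(SAMPLE_CONNECTIONS)))
```

Run as a script, the model delivers only the replies whose round robin choice happens to coincide with the delivering firewall when no last hop pool is set, and all of them when one is. The same loss occurs whenever the outbound choice is independent of the inbound path, which is the normal case because the inside controller's outbound round robin is also consumed by internal users' traffic.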
To designate a last hop pool in the Configuration utility
1. In the navigation pane, click Virtual Servers.
The Virtual Servers screen opens.
2. In the virtual server list, click the virtual server for which you want to set up a last hop pool.
For example, to implement the configuration shown in Figure 8.3, select 10.10.30.9:http.
The properties screen for the virtual server you clicked opens.
3. Click the Last Hop Pool list and select the pool you created containing the inside addresses of your firewalls.
For example, to implement the configuration shown in Figure 8.3, select firewall_insides.
4. Click the Apply button.
To designate last hop pools for virtual servers from the command line
Use the bigpipe vip command:
bigpipe vip <virtual server>:<service> lasthop pool <pool name>
In the command, replace the parameters with the appropriate information:
- <virtual server> is an IP address appropriate to your network.
- <service> is a service you want to configure, such as HTTP, FTP, or telnet.
- <pool name> is the name of the pool you want this virtual server to use.
For example, to implement the configuration shown in Figure 8.3, you would type:
bigpipe vip 10.10.30.9:http lasthop pool firewall_insides
Configuring for outbound traffic
Perform the tasks in this section to ensure that outbound traffic from your internal users across your firewalls to the Internet is load balanced.
Verifying routing
Verify that the router between your client network (10.10.40.0/24) and the inside BIG-IP Controller redundant system is configured to point to the external shared alias (10.10.30.1) for the redundant system. This alias should have been configured during setup, using the First-Time Boot utility. For more information about this utility, see Running the First-Time Boot Utility in the BIG-IP Controller Getting Started Guide. For more information about routing, see Addressing routing issues in Chapter 3, BIG-IP Controller Getting Started Guide.
Creating a wildcard virtual server for balancing traffic to the firewalls
To configure the inside BIG-IP Controller redundant system (2a and 2b in Figure 8.3) for outbound connections, create a wildcard virtual server that accepts all traffic from the internal network, then load balances the traffic through the firewalls.
To create the wildcard virtual server in the Configuration utility
1. In the navigation pane, click Virtual Servers.
2. On the toolbar, click Add Virtual Server.
The Add Virtual Server screen opens.
3. In the Address box, type the wildcard IP address 0.0.0.0.
4. In the Netmask box, type an optional netmask. If you leave this box blank, the BIG-IP Controller generates a default netmask based on the IP address of this virtual server. Use the default netmask unless your configuration requires a different one.
5. In the Broadcast box, type the broadcast address for this virtual server. If you leave this box blank, the BIG-IP Controller generates a default broadcast address based on the IP address and netmask of this virtual server.
6. In the Port box, type a port number, or select a service name from the drop-down list. Port 0 defines a wildcard virtual server that handles all types of services. If you specify a port number, you create a port-specific wildcard virtual server, which handles traffic only for the port specified.
For example, to implement the configuration shown in Figure 8.3, you would type 0.
7. For Interface, select the external (destination processing) interface on which you want to create the virtual server. If you choose none, the BIG-IP Controller does not create an alias, nor does it generate ARPs for the virtual IP address. (See Optimizing large configurations in Chapter 2, BIG-IP Administrator Guide for details.)
For example, to implement the configuration shown in Figure 8.3, you would choose none.
8. In Resources, click the Pool button.
9. In the Pool list, select the pool you want to apply to the virtual server.
For example, to implement the configuration shown in Figure 8.3, you would choose firewall_insides.
10. Click Add.
11. Click Apply.
To create the wildcard virtual server from the command line
Use the bigpipe vip command to configure the virtual server to use the pool that contains the inside addresses of the firewalls:
bigpipe vip <virtual server>:<service> <interface> use pool <pool name>
In the command, replace the parameters with the appropriate information:
- <virtual server> is the wildcard address 0.0.0.0.
- <service> is the service you want to configure, such as HTTP, FTP, or telnet, or 0 for a wildcard virtual server that handles all services.
- <interface> is the interface on the BIG-IP Controller on which you want to create this virtual server, or none.
- <pool name> is the name of the pool you want this virtual server to use.
Repeat this command for each port-specific wildcard virtual server you want to configure.
For example, to implement the configuration shown in Figure 8.3, you would type:
bigpipe vip 0.0.0.0:0 none use pool firewall_insides
Creating a wildcard virtual server to forward traffic to the Internet
After the appropriate firewall has processed outbound traffic, you want the outside BIG-IP Controller redundant system (1a and 1b in Figure 8.3) to forward the traffic to the Internet. To accomplish this, create a wildcard virtual server as you did in the previous section, using either the Configuration utility or the command line.
If you use the Configuration utility, use the address and port 0.0.0.0:0 and select Forwarding in the Resources section.
From the command line, to implement the configuration shown in Figure 8.3, you would type
bigpipe vip 0.0.0.0:0 none forward
Designating a last hop pool for outbound traffic
Just as you used a last hop pool to balance and maintain inbound connections in Designating a last hop pool for inbound traffic, you now designate a last hop pool for outbound traffic for the same purposes: replies from the Internet to an outbound connection return through the firewall that forwarded the connection out. Designate the pool on the outside BIG-IP Controller redundant system (1a and 1b in Figure 8.3), for the forwarding wildcard virtual server you created in the previous section.
Designate the last hop pool for outbound traffic as you did for inbound traffic, using either the Configuration utility or the command line.
If you use the Configuration utility, click the virtual server 0.0.0.0:0 in the virtual server list and select firewall_outsides in the Last Hop Pool list.
From the command line, to implement the configuration shown in Figure 8.3, you would type:
bigpipe vip 0.0.0.0:0 lasthop pool firewall_outsides
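At this point both redundant systems are configured. The following Python checker, added here as an illustration and not code from the BIG-IP Controller, collects the bigpipe commands of this section for the outside system (1a and 1b) and the inside system (2a and 2b) and verifies the relationships the sandwich depends on before you commit them: each pool a virtual server references exists on the same controller, the firewall pools use the wildcard port 0 and list the same number of firewalls on both sides, and every virtual server whose replies must cross the firewalls (the server virtual server on the inside, the forwarding wildcard on the outside) has a last hop pool. The parser understands only the two command forms used in this chapter; identifying a firewall pool by its wildcard-port members is an assumption of the checker, not a rule of the product.

```python
"""Added illustration, not code from the BIG-IP Controller or this guide:
a consistency check over the bigpipe commands of a two-way firewall sandwich.
Only the command forms used in this chapter are parsed. A pool whose
members all use the wildcard port 0 is taken to be a firewall pool (an
assumption of this checker). The two command sets are the Figure 8.3
configuration assembled from this chapter."""

OUTSIDE_CMDS = """\
bigpipe pool firewall_outsides { lb_mode rr member 10.10.20.4:0 member 10.10.20.5:0 member 10.10.20.6:0 }
bigpipe vip 10.10.30.0 none use pool firewall_outsides
bigpipe vip 0.0.0.0:0 none forward
bigpipe vip 0.0.0.0:0 lasthop pool firewall_outsides
"""

INSIDE_CMDS = """\
bigpipe pool firewall_insides { lb_mode rr member 10.10.30.4:0 member 10.10.30.5:0 member 10.10.30.6:0 }
bigpipe pool server_pool { lb_mode rr member 10.10.40.4:80 member 10.10.40.5:80 }
bigpipe vip 10.10.30.9:http use pool server_pool
bigpipe vip 10.10.30.9:http lasthop pool firewall_insides
bigpipe vip 0.0.0.0:0 none use pool firewall_insides
"""


def parse(commands):
    """Return (pools, vips) from the bigpipe commands of one controller."""
    pools, vips = {}, {}
    for line in commands.strip().splitlines():
        tok = line.split()
        if len(tok) > 4 and tok[:2] == ["bigpipe", "pool"] and tok[3] == "{" and tok[-1] == "}":
            body = tok[4:-1]
            members = []
            for i, word in enumerate(body):
                if word == "member":
                    if i + 1 >= len(body) or body[i + 1] == "member":
                        raise ValueError("member without an address: " + line)
                    ip, port = body[i + 1].rsplit(":", 1)
                    members.append((ip, int(port)))
            pools[tok[2]] = {"lb_mode": body[body.index("lb_mode") + 1], "members": members}
        elif tok[:2] == ["bigpipe", "vip"]:
            rest = tok[3:]
            if rest and rest[0] not in ("use", "lasthop", "forward"):
                rest = rest[1:]                     # skip the <interface> argument
            vip = vips.setdefault(tok[2], {"pool": None, "lasthop": None, "forward": False})
            if rest[:2] == ["use", "pool"] and len(rest) == 3:
                vip["pool"] = rest[2]
            elif rest[:2] == ["lasthop", "pool"] and len(rest) == 3:
                vip["lasthop"] = rest[2]
            elif rest == ["forward"]:
                vip["forward"] = True
            else:
                raise ValueError("unrecognized vip command: " + line)
        else:
            raise ValueError("unrecognized command: " + line)
    return pools, vips


def is_firewall_pool(pool):
    # Firewalls are added with the wildcard port 0; servers with a real port.
    return all(port == 0 for _, port in pool["members"])


def check_controller(label, pools, vips):
    findings = []
    for name, vip in vips.items():
        for ref in (vip["pool"], vip["lasthop"]):
            if ref is not None and ref not in pools:
                findings.append("%s: %s references undefined pool %s" % (label, name, ref))
        crosses_firewalls = vip["forward"] or (
            vip["pool"] in pools and not is_firewall_pool(pools[vip["pool"]]))
        if crosses_firewalls and vip["lasthop"] is None:
            findings.append("%s: %s returns traffic across the firewalls but has no last hop pool"
                            % (label, name))
        if vip["lasthop"] in pools and not is_firewall_pool(pools[vip["lasthop"]]):
            findings.append("%s: last hop pool %s of %s is not a firewall pool"
                            % (label, vip["lasthop"], name))
    return findings


def check_sandwich(outside_cmds, inside_cmds):
    """Return a list of findings; an empty list means the command sets are consistent."""
    out_pools, out_vips = parse(outside_cmds)
    in_pools, in_vips = parse(inside_cmds)
    findings = check_controller("outside", out_pools, out_vips)
    findings += check_controller("inside", in_pools, in_vips)
    out_fw = [p for p in out_pools.values() if is_firewall_pool(p)]
    in_fw = [p for p in in_pools.values() if is_firewall_pool(p)]
    if len(out_fw) != 1 or len(in_fw) != 1:
        findings.append("each controller needs exactly one wildcard-port firewall pool")
    elif len(out_fw[0]["members"]) != len(in_fw[0]["members"]):
        findings.append("firewall pools differ in size: each firewall needs an outside and an inside address")
    return findings


if __name__ == "__main__":
    for finding in check_sandwich(OUTSIDE_CMDS, INSIDE_CMDS) or ["configuration is consistent"]:
        print(finding)
```

Run as a script, it reports the command sets above as consistent. Remove the lasthop line for 10.10.30.9:http from the inside set and it reports that the server virtual server has no last hop pool; give a firewall member a real port and the pool is no longer recognized as a firewall pool, which also surfaces as a finding. A dangling member keyword, of the kind that is easy to leave behind when editing a long pool command, is rejected by the parser rather than silently dropped.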
Setting up ECV service checks for firewalls
In addition to verifying content on web servers, you can use Extended Content Verification (ECV) service checks to verify connections to mail servers and FTP servers through firewalls. If you want to set up ECV service checks through firewalls to these types of servers, there are certain issues that you need to address.
Note: For information about setting up standard ECV service checks, see Configuring Extended Content Verification service checking in the BIG-IP Controller Getting Started Guide.
To set up ECV for a firewall using the Configuration utility
There are two procedures required to set up ECV through a firewall. First, set up the frequency and timeout for the port:
1. In the navigation pane, click the Expand (+) button next to Nodes.
The navigation tree expands to display Ports.
2. In the navigation pane, click Ports.
The Global Node Port properties screen opens.
3. In the Port list, click the port you want to configure.
The properties screen for the port opens.
4. In the Frequency (seconds) box, type the interval (in seconds) at which the BIG-IP Controller performs a service check on the node.
5. In the Timeout (seconds) box, type the time limit (in seconds) that a node has to respond to a service check issued by the BIG-IP Controller.
6. Click the Apply button.
After you configure the frequency and timeout settings for the port, set the specific settings for the transparent node:
1. In the navigation pane, click Nodes.
The Node Properties screen opens.
2. In the Node list, click the node you want to configure.
The Node Properties screen opens.
For example, to set up a service check for the configuration shown in Figure 8.3, you would choose 10.10.20.4, 10.10.20.5, or 10.10.20.6.
3. In the Service Check Extended section, click the ECV button to enable ECV.
4. In the Type list, select Transparent. By default, the list is set to Transparent.
5. In the Dest-IP:Dest-Port/url box, type the destination IP address of the node you are checking on the other side of the transparent device. The port number or port name is optional, as is the URL. For more information about what to type in this box, see Table 8.1.
For example, to set up a service check for the configuration shown in Figure 8.3, you might type 10.10.30.9:80/www/forms/survey.html.
6. In the Receive String (optional) box, you can type an ECV check receive string.
For example, if the document given as an example for the Figure 8.3 configuration contained the string "Company Survey," you might type that here.
7. Click the Apply button.
Note: You must have at least one wildcard virtual server configured in order to configure ECV through a transparent node.
To set up ECV service checks from the command line
You can set up ECV to verify that a firewall is functioning properly: add an entry to the /etc/bigd.conf file that retrieves content through the firewall, so that a firewall through which the content cannot be retrieved fails its service check.
You can use a text editor, such as vi or pico, to create or edit the /etc/bigd.conf file, which stores ECV information. To create the entry for checking a firewall, use the following syntax:
transparent <node ip>:<node port> <url> ["recv_expr"]
You can also use the following syntax for this entry:
transparent <node ip>:<node port> <dest ip>:<dest port>/<path> ["recv_expr"]
In both forms, <node ip>:<node port> is the firewall (the transparent node) the check passes through, and the remaining arguments identify the content to retrieve on the other side of it. For example, if, in the configuration shown in Figure 8.3, you want to run a service check through the transparent firewall 10.10.20.4 to the virtual server 10.10.30.9, the entry might look like this:
transparent 10.10.20.4 10.10.30.9:80/www/forms/survey.html "Company Survey"
For more information about these configuration entries, please refer to Table 8.1.
Note: The /etc/bigd.conf file is read once at startup. If you change the file from the command line, you must reboot or restart bigd for the changes to take effect. If you make changes in the Configuration utility, clicking the Apply button makes the changes and restarts bigd. See the BIG-IP Controller Reference Guide, System Utilities, for details.
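The following Python script, added here as an illustration and not part of bigd or this guide, parses transparent entries in both forms above and performs the comparison a transparent ECV check reduces to: the firewall's node passes only if the connection through it completes and the content retrieved on the far side contains the receive string. The conf fragment and the HTTP body are constructed. Matching the receive string as a regular expression, and defaulting an omitted node port to the wildcard port 0 and an omitted destination port to 80, are assumptions of the script rather than documented bigd behavior.

```python
"""Added illustration, not code from bigd or this guide: parse the
transparent entries of /etc/bigd.conf and evaluate the check they describe.
The real daemon opens a TCP connection to <dest ip>:<dest port> routed
through <node ip>, requests the path and compares the reply; here the reply
body and the conf fragment are constructed, and the receive string is
matched as a regular expression (an assumption about bigd's comparison)."""
import re
import shlex

# <dest ip>:<dest port>/<path> or a plain http URL (port defaults to 80).
DEST_RE = re.compile(r"^(?:http://)?([^:/\s]+)(?::(\d+))?(/\S*)?$")


def parse_transparent(line):
    """Return a dict for one 'transparent ...' entry, None for other lines."""
    tokens = shlex.split(line, comments=True)
    if not tokens or tokens[0] != "transparent":
        return None
    if len(tokens) not in (3, 4):
        raise ValueError("bad transparent entry: " + line)
    node_ip, _, node_port = tokens[1].partition(":")
    m = DEST_RE.match(tokens[2])
    if not m:
        raise ValueError("bad destination: " + tokens[2])
    return {
        "node_ip": node_ip,
        "node_port": int(node_port) if node_port else 0,   # wildcard port (assumed default)
        "dest_ip": m.group(1),
        "dest_port": int(m.group(2) or 80),
        "path": m.group(3) or "/",
        "recv_expr": tokens[3] if len(tokens) == 4 else None,
    }


def build_request(entry):
    """The GET sent through the firewall to the destination on the far side."""
    return "GET %s HTTP/1.0\r\nHost: %s\r\n\r\n" % (entry["path"], entry["dest_ip"])


def content_matches(entry, body):
    """With no receive string configured any reply counts; otherwise it must match."""
    if entry["recv_expr"] is None:
        return True
    return re.search(entry["recv_expr"], body) is not None


def node_is_up(entry, connected, body):
    """A firewall passes its check only if the connection through it completed
    and the content came back as expected."""
    return connected and content_matches(entry, body)


# Constructed /etc/bigd.conf fragment: one entry per firewall of Figure 8.3,
# using both entry forms and one entry without a receive string.
SAMPLE_BIGD_CONF = """\
# service checks through the firewall set
transparent 10.10.20.4 10.10.30.9:80/www/forms/survey.html "Company Survey"
transparent 10.10.20.5:0 http://10.10.30.9/www/forms/survey.html "Company Survey"
transparent 10.10.20.6 10.10.30.9:80/www/forms/survey.html
"""
SAMPLE_BODY = "<html><head><title>Company Survey</title></head><body>...</body></html>"


def check_firewalls(conf=SAMPLE_BIGD_CONF, body=SAMPLE_BODY, unreachable=()):
    """Map each firewall's node address to its check result. 'unreachable'
    simulates firewalls through which the TCP connection never completes."""
    results = {}
    for line in conf.splitlines():
        entry = parse_transparent(line)
        if entry is not None:
            results[entry["node_ip"]] = node_is_up(
                entry, entry["node_ip"] not in unreachable, body)
    return results


if __name__ == "__main__":
    for node, up in check_firewalls(unreachable=("10.10.20.5",)).items():
        print(node, "up" if up else "down")
```

Run as a script, it reports 10.10.20.4 and 10.10.20.6 up and 10.10.20.5 down, the result bigd would reach if the connection through that firewall timed out. A body without the receive string fails the check on the two entries that configure one and still passes on the third, which is why a receive string is worth setting: without it, any reply through the firewall, including an error page, counts as success.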