Manual Chapter : BIG-IP FireGuard Controller guide v3.3: Balancing Traffic Outbound to the Internet

Applies To:


BIG-IP versions 1.x - 4.x

  • 3.3.1 PTF-06, 3.3.1 PTF-05, 3.3.1 PTF-04, 3.3.1 PTF-03, 3.3.1 PTF-02, 3.3.1 PTF-01, 3.3.0
Chapter 2: Balancing Traffic Outbound to the Internet



Introducing firewall load balancing for outbound traffic

This chapter explains how to set up a configuration in which users behind a set of firewalls request information from Internet servers. Such a configuration is common for any enterprise that wants to provide users on its intranet access to the Internet, but wants to deny Internet users access to its intranet.

The job of the BIG-IP FireGuard redundant system is to load balance the firewalls so that they perform as efficiently and effectively as possible. You can also use the BIG-IP FireGuard redundant system to limit outbound traffic to specific ports, thereby enhancing security.

This type of configuration requires you to configure network address translation (NAT) on your firewalls. Before attempting to implement this configuration, verify that your firewalls can perform NAT.

Figure 2.1, following, illustrates this type of scenario, and provides an example configuration for this entire chapter. Remember that this is just a sample: when creating your own configuration, you must use IP addresses, host names, and so on, that are applicable to your own network.

Figure 2.1 Balancing outbound traffic

Configuration tasks

To configure firewall load balancing for outbound traffic, you need to complete the following tasks in order:

  • Verify user network routing.
  • Create a load balancing pool for the firewalls.
  • Create a wildcard virtual server that references the load balancing pool, so that outbound traffic is load balanced across the firewalls and forwarded to the Internet.
  • Configure interfaces on the BIG-IP FireGuard redundant system.
  • Configure address translation on the firewalls.
  • Create a route on the firewalls for return traffic to the user network.

Each of the following sections explains one of these tasks, and shows how you perform the task in order to implement a configuration typical for an enterprise that wants to provide users limited access to the Internet, as shown in Figure 2.1.

Note: The procedures in this chapter detail how to configure a single BIG-IP FireGuard. In order to complete your configuration, synchronize the configured BIG-IP FireGuard with the other BIG-IP FireGuard in your BIG-IP FireGuard redundant system, as detailed in Synchronizing configurations between controllers, on page 6-37.

Verifying user network routing

Verify that the default route on the router between your client network and the BIG-IP FireGuard redundant system is the internal shared alias for the BIG-IP FireGuard redundant system. This alias is configured during setup, using the First-Time Boot utility. For more information about this utility, see Running the First Time Boot utility in the BIG-IP Installation Guide. For more information about routing, see Addressing routing issues in the BIG-IP Installation Guide.

To implement the example configuration shown in Figure 2.1, make sure that the router between network 10.10.40.0/24 and the BIG-IP FireGuard redundant system is configured to point to 10.10.30.1.

Note: The router in Figure 2.1 is optional. If the client network is on the same network as the BIG-IP FireGuard redundant system, then you can use the BIG-IP FireGuard internal shared alias as a default gateway for the client network.

Creating a pool for the firewalls

To use this configuration, you must create a load balancing pool. A pool is a group of devices that you want the BIG-IP FireGuard redundant system to load balance. The devices you want to load balance are your firewalls, so you create a pool containing the inside interfaces of these firewalls. For more information about pools, refer to Configuring a pool, on page 6-5.

You can use either the Configuration utility or the bigpipe pool command to create the pool.

To create a pool using the Configuration utility

  1. In the navigation pane, click Pools.
    The Pools screen opens.
  2. In the toolbar, click the Add Pool button.
    The Add Pool screen opens.
  3. In the Add Pool screen, configure the attributes required for the firewalls you want to add to the pool.
    For additional information about creating a pool, click the Help button.

    Configuration notes
    To create the configuration shown in Figure 2.1:

    · Create a pool named firewalls.

    · Add each firewall from the example, 10.10.20.4, 10.10.20.5, and 10.10.20.6, to the pool. For each firewall you add to the pool, specify port 0, which means this firewall accepts traffic on all ports.

To create the pool from the command line

Use the bigpipe pool command to create the pool:

bigpipe pool <pool name> { lb_method <xx> member <Firewall1>:0 member <Firewall2>:0 member <Firewall3>:0 }

In the command, replace the parameters with the appropriate information.

  • <pool name> is a 1-31 character identifier for the pool.
  • <Firewall1>, <Firewall2>, and <Firewall3> are the inside IP addresses of your respective firewalls.
  • lb_method <xx> designates the load balancing method. For more information, refer to Understanding individual load balancing methods in BIG-IP Reference Guide.

In Figure 2.1, for example, the pool for the inside addresses is firewalls, the inside addresses are 10.10.20.4, 10.10.20.5, and 10.10.20.6, and the load balancing method is Round Robin. Thus, the command to implement this configuration would be:

bigpipe pool firewalls { lb_method rr member 10.10.20.4:0 member 10.10.20.5:0 member 10.10.20.6:0 }

Creating a wildcard virtual server

To configure the BIG-IP FireGuard redundant system for outbound connections, you must create a wildcard virtual server; that is, a virtual server that accepts all traffic from the user network, then load balances the traffic across the firewalls.

To create a wildcard virtual server using the Configuration utility

  1. In the navigation pane, click Virtual Servers.
  2. On the toolbar, click Add Virtual Server.
    The Add Virtual Server screen opens.
  3. In the Add Virtual Server screen, configure the attributes required for the virtual server you want to add.
    For additional information about creating a virtual server, click the Help button.

    Configuration notes
    To create the configuration shown in Figure 2.1:

    · Add a virtual server with address 0.0.0.0 and port 0 (this designates a wildcard virtual server).

    · In the Pool list, select firewalls (having created the firewalls pool in Creating a pool for the firewalls, on page 2-4).

To create a wildcard virtual server from the command line

Use the bigpipe vip command to configure the virtual server to use the pool that contains the inside addresses of the firewalls:

bigpipe vip 0.0.0.0:0 <interface> use pool <pool name>

In the command, replace the parameters with the appropriate information:

  • <interface> is the interface on the BIG-IP on which you want to create this virtual server.
  • <pool name> is the name of the pool you want this virtual server to use.

Repeat this command for each service you want to configure.

To implement the example configuration shown in Figure 2.1, the command is:

bigpipe vip 0.0.0.0:0 none use pool firewalls

Enhancing security

To supplement the security offered by your firewalls, you may want to limit the types of traffic that can pass outbound to the Internet. You can use port-specific wildcard virtual servers to restrict traffic in this manner. While a standard wildcard virtual server forwards all traffic, a port-specific wildcard virtual server forwards traffic specific to only the specified port. For more information, see Defining wildcard virtual servers, on page 6-8.

You can use either the Configuration utility or the bigpipe vip command to create the virtual server.

To create a port-specific wildcard server using the Configuration utility

Follow the instructions detailed in To create a wildcard virtual server using the Configuration utility, on page 2-6. In step 3, when you configure the Port attribute, choose the port to which you want outgoing traffic to be limited for that virtual server. Complete the rest of the directions as detailed on page 2-6, then repeat the process for any other ports you want to be accessible to outgoing traffic.

To implement the example configuration shown in Figure 2.1, to limit the traffic forwarded to HTTP and FTP, you would complete the steps in To create a wildcard virtual server using the Configuration utility three times (that is, once for each of three port-specific virtual servers). For the Port attribute, you would enter 80 for the HTTP service, and 20 and 21 for the FTP service.

To create a port-specific wildcard server from the command line

To create a port-specific wildcard server, use the bigpipe vip command as you did in To create a wildcard virtual server from the command line, on page 2-6. Substitute the number of the port to which you want to limit access.

To limit the traffic forwarded to HTTP and FTP in the configuration shown in Figure 2.1, you would replace the command in To create a wildcard virtual server from the command line with the following commands:

bigpipe vip 0.0.0.0:80 none use pool firewalls

bigpipe vip 0.0.0.0:20 none use pool firewalls

bigpipe vip 0.0.0.0:21 none use pool firewalls

Configuring interfaces

Typically, a BIG-IP FireGuard has two interfaces:

  • An external interface, typically set for destination processing. In Figure 2.1, the external interface is exp0.
  • An internal interface, typically set for source processing. In Figure 2.1, the internal interface is exp1.

For this configuration, you set, or reset, interface processing so that the internal interface only processes destination addresses. This enables the wildcard virtual server you created in Creating a wildcard virtual server, on page 2-5, to process outbound user requests.

You must also set, or reset, interface processing on the external interface, so that this interface only processes source addresses. When the result of a user request returns from the Internet to the external interface, source processing looks up the connection established by the wildcard virtual server on the destination processing (internal) interface, then sends the result to the user.

To configure source and destination processing using the Configuration utility

  1. In the navigation pane, click NICs.
    The Network Interface Cards screen opens. You can view the current settings for each interface in the Network Interface Card table.
  2. In the Network Interface Card table, click the name of the interface you want to configure.
    The Network Interface Card Properties screen opens.
  3. In the Network Interface Card Properties screen, configure the attributes required for the interface.
    For additional information about configuring an interface, click the Help button.

    Configuration notes
    To create the configuration shown in Figure 2.1:

    · For exp0, make sure the Enable Source Processing check box is checked.

    · For exp1, make sure the Enable Destination Processing check box is checked.

To configure source processing from the command line

Use the bigpipe interface command with the source keyword to turn source processing on or off for an interface:

bigpipe interface <interface> source [ <enable> | <disable> ]

where <interface> is the identifier for the BIG-IP FireGuard interface whose source processing you want to change. In the configuration in this chapter, source processing is enabled on the external interface and disabled on the internal interface.

To implement the example configuration shown in Figure 2.1, you use the commands:

bigpipe interface exp0 source enable

bigpipe interface exp1 source disable

To configure destination processing from the command line

Use the bigpipe interface command with the dest keyword to turn destination processing on or off for an interface:

bigpipe interface <interface> dest [ <enable> | <disable> ]

where <interface> is the identifier for the BIG-IP FireGuard interface whose destination processing you want to change. In the configuration in this chapter, destination processing is enabled on the internal interface and disabled on the external interface.

For the example configuration shown in Figure 2.1, you would use the command:

bigpipe interface exp1 dest enable

bigpipe interface exp0 dest disable
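The pool, port-specific wildcard virtual server and interface-processing commands above form one ordered command set, and the chapter's own text shows how easy it is to mistype the pool name in a vip line. The following helper, an added example that is not part of the F5 guide, builds that command set for the Figure 2.1 values and lints it before it is typed in: it flags a vip that names an undefined pool, a firewall member not on port 0, a 0.0.0.0:0 catch-all left beside port-specific servers, and an interface without exactly one processing mode enabled. The command patterns are constructed from the syntax shown in this chapter; the function names are my own.

```python
import re

# Constructed patterns for the three bigpipe command forms the chapter uses.
POOL_RE = re.compile(r"^bigpipe pool (\S+) \{ lb_method (\S+)((?: member \S+:\d+)+) \}$")
VIP_RE = re.compile(r"^bigpipe vip (\S+):(\d+) (\S+) use pool (\S+)$")
IF_RE = re.compile(r"^bigpipe interface (\S+) (source|dest) (enable|disable)$")

def outbound_commands(pool, members, allowed_ports, external, internal, lb_method="rr"):
    """Emit the chapter's command sequence: a pool of firewall inside addresses on
    port 0, one port-specific wildcard virtual server per permitted port (in place
    of the 0.0.0.0:0 catch-all), and one-way processing on each interface."""
    member_str = " ".join(f"member {m}:0" for m in members)
    cmds = [f"bigpipe pool {pool} {{ lb_method {lb_method} {member_str} }}"]
    cmds += [f"bigpipe vip 0.0.0.0:{p} none use pool {pool}" for p in allowed_ports]
    cmds += [f"bigpipe interface {external} source enable",
             f"bigpipe interface {internal} source disable",
             f"bigpipe interface {internal} dest enable",
             f"bigpipe interface {external} dest disable"]
    return cmds

def check_commands(cmds):
    """Lint the commands in the order they would be typed. Findings: a virtual
    server naming a pool not yet defined, a firewall member not on port 0, a
    0.0.0.0:0 catch-all left beside port-specific servers (it forwards every other
    port), and an interface with both or neither processing mode enabled."""
    pools, proc, findings = {}, {}, []
    catch_all = specific = False
    for c in cmds:
        if m := POOL_RE.match(c):
            pools[m.group(1)] = re.findall(r"member (\S+):(\d+)", m.group(3))
            for addr, port in pools[m.group(1)]:
                if port != "0":
                    findings.append(f"member {addr}:{port} in pool {m.group(1)} should use port 0")
        elif m := VIP_RE.match(c):
            if m.group(4) not in pools:
                findings.append(f"vip {m.group(1)}:{m.group(2)} references undefined pool {m.group(4)}")
            catch_all |= m.group(2) == "0"
            specific |= m.group(2) != "0"
        elif m := IF_RE.match(c):
            proc.setdefault(m.group(1), {})[m.group(2)] = m.group(3) == "enable"
        else:
            findings.append(f"unrecognised command: {c}")
    if catch_all and specific:
        findings.append("0.0.0.0:0 catch-all virtual server defeats the port-specific restriction")
    for name, modes in proc.items():
        if modes.get("source", False) == modes.get("dest", False):
            findings.append(f"interface {name} should enable exactly one of source/dest processing")
    return findings
```

Calling outbound_commands("firewalls", ["10.10.20.4", "10.10.20.5", "10.10.20.6"], [80, 20, 21], "exp0", "exp1") yields the eight commands for Figure 2.1 with HTTP and FTP only, and check_commands on that list returns no findings.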

Configuring network address translation on firewalls

This example configuration includes a single BIG-IP FireGuard redundant system on the inside of your firewalls. In this respect it is different from other configurations in this guide, which include BIG-IP FireGuard redundant pairs on both sides of your firewalls. Although the use of one BIG-IP FireGuard redundant pair simplifies some aspects of the configuration, it also requires additional work from your firewalls.

Specifically, you must configure your firewalls so that they perform network address translation (NAT). This ensures that, in situations where a firewall opens and maintains a connection for a user, packets sent back to that user return to the user through that firewall. Refer to your firewall documentation for instructions on NAT configuration.

Creating a route for return traffic

For outbound traffic, the virtual server you created in Creating a wildcard virtual server, on page 2-5, determines the next hop; that is, the next device to which a request should be sent in order to reach its ultimate destination. Therefore, no special routing is required. However, in order to provide a route back to your internal network, you must add a route on your firewalls to this network, using the external shared alias of the BIG-IP FireGuard redundant system as a gateway.

In Figure 2.1, the external shared alias of the BIG-IP FireGuard system is 10.10.20.1 and the internal network is 10.10.40.0/24. Thus, a command to configure this routing might be:

route add -net 10.10.40.0 -gateway 10.10.20.1

The exact syntax of this command depends on the type of router.