SonicWALL Active/Active Cluster - Multiple gateway
We have 2 firewalls in Active-Active mode, and now we are trying to understand how we can configure the load balancing between the two gateways.
Do I have to choose what equipment the traffic will go through?
Does someone have any example of configuring this part? I mean of the switch configuration. [policy based routes on a downstream router]
Best Answer
Connex_Ananth Newbie
Dear @edir
As @Saravanan mentioned, in an Active/Active scenario you need a downstream or upstream device to select the gateway accordingly. You may configure Policy Based Routing based on source/destination or even ports.
If your downstream device supports ECMP (Equal Cost Multiple Path) routing, then you can achieve failover/load balancing.
Still, if you need a different method of load balancing and failover, you can try an external load balancer like an A10 Thunder appliance.
Thanks,
Ananth - Connex
5
Answers
Hi @EDIR,
Thank you for contacting SonicWall Community.
The load balancing between the two gateways can be achieved using a static route defined on the downstream device, such as an L3 switch or a router. Since the SonicWall appliances are in an Active-Active cluster, you should be using two virtual groups for each interface configured on the SonicWall. Let me take X0 as an example: we should see the X0 IP - Virtual Group 1 and X0 IP - Virtual Group 2 objects in the address objects section. We are going to use one of these objects as the default gateway in the route that would be defined on the downstream device.
This makes the downstream device force the traffic via the standby cluster unit to achieve load balancing.
Hope this helps. Please let us know if any questions. We would be happy to answer.
Regards
Saravanan V
Technical Support Advisor - Premier Services
Professional Services
If I am using just one default gateway, I will not really be using the active-active feature.
We would like to see a configuration (on the switch) which shows these routes or PBR.
Hi @EDIR,
Active-Active by default offers Hardware Failover and Load Balancing only with offloading DPI inspection from the active (Master) firewall to the idle (Slave) firewall. Therefore we are trying to share the network load with the slave unit as well, making the slave part of the active state. In your case, if you want to dedicate some network traffic to pass via the slave unit, you have to define the route on the downstream device as explained previously. I have seen this working flawlessly.
Regards
Saravanan V
Technical Support Advisor - Premier Services
Professional Services
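
The downstream policy-based routing discussed in this thread, sketched as an added example (not posted by any participant and not SonicWall's own configuration). It assumes a Cisco IOS-style L3 switch; every address, VLAN and name is a constructed placeholder, with 10.10.0.1 standing in for "X0 IP - Virtual Group 1" and 10.10.0.2 for "X0 IP - Virtual Group 2". Syntax and feature support vary by platform.

```cisco
! Constructed example: all addresses, VLANs and names are placeholders.
! 10.10.0.1 = X0 IP - Virtual Group 1, 10.10.0.2 = X0 IP - Virtual Group 2
! Client subnets: 10.10.10.0/24 (Vlan10) and 10.10.20.0/24 (Vlan20)

! Probe each virtual group address so a dead next hop is skipped
ip sla 1
 icmp-echo 10.10.0.1
 frequency 5
ip sla schedule 1 life forever start-time now
ip sla 2
 icmp-echo 10.10.0.2
 frequency 5
ip sla schedule 2 life forever start-time now
track 1 ip sla 1 reachability
track 2 ip sla 2 reachability

! "deny" here means "do not policy-route": internal traffic stays on
! the switch's normal routing table instead of hairpinning via a firewall
ip access-list extended VLAN10-OUT
 deny   ip 10.10.10.0 0.0.0.255 10.10.0.0 0.0.255.255
 permit ip 10.10.10.0 0.0.0.255 any
ip access-list extended VLAN20-OUT
 deny   ip 10.10.20.0 0.0.0.255 10.10.0.0 0.0.255.255
 permit ip 10.10.20.0 0.0.0.255 any

! Vlan10 prefers Virtual Group 1, falls back to Virtual Group 2
route-map TO-VG1 permit 10
 match ip address VLAN10-OUT
 set ip next-hop verify-availability 10.10.0.1 10 track 1
 set ip next-hop verify-availability 10.10.0.2 20 track 2

! Vlan20 prefers Virtual Group 2, falls back to Virtual Group 1
route-map TO-VG2 permit 10
 match ip address VLAN20-OUT
 set ip next-hop verify-availability 10.10.0.2 10 track 2
 set ip next-hop verify-availability 10.10.0.1 20 track 1

interface Vlan10
 ip policy route-map TO-VG1
interface Vlan20
 ip policy route-map TO-VG2

! Default route for anything not matched by a route-map
ip route 0.0.0.0 0.0.0.0 10.10.0.1
```

Because the split is by source subnet, every flow from a given subnet leaves through the same virtual group address unless its tracked probe fails.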