IPv4 and IPv6 Internet and WAN Settings
ProSAFE Gigabit Quad WAN SSL VPN Firewall SRX5308
Configure Load Balancing Mode and Optional Protocol Binding for IPv4 Interfaces
To use multiple ISP links simultaneously, configure load balancing. In load balancing mode,
any WAN port carries any outbound protocol unless protocol binding is configured.
When a protocol is bound to a particular WAN port, all outgoing traffic of that protocol is
directed to the bound WAN port. For example, if the HTTPS protocol is bound to the WAN1
port and the FTP protocol is bound to the WAN2 port, the VPN firewall automatically routes
all outbound HTTPS traffic from the computers on the LAN through the WAN1 port. All
outbound FTP traffic is routed through the WAN2 port.
Protocol binding addresses two issues:
- Segregation of traffic between links that are not of the same speed.
  High-volume traffic can be routed through the WAN port connected to a high-speed link,
  and low-volume traffic can be routed through the WAN port connected to the low-speed
  link.
- Continuity of source IP address for secure connections.
  Some services, particularly HTTPS, cease to respond when a client’s source IP address
  changes shortly after a session has been established.
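The following Python sketch is an added example, not NETGEAR code: it models round-robin load balancing with protocol bindings to show why binding HTTPS to one WAN port keeps a client's source address stable. The service table, the IP addresses, the class and function names, and the first-matching-rule order are assumptions made for illustration.

```python
import ipaddress
from dataclasses import dataclass
from itertools import cycle
from typing import Optional

# Constructed service table (assumption); the firewall has its own service list.
SERVICES = {"HTTPS": ("tcp", 443), "FTP": ("tcp", 21), "HTTP": ("tcp", 80)}

@dataclass
class Binding:
    service: str                    # "Service" field
    gateway: str                    # "Local Gateway" field
    src: Optional[tuple] = None     # (start IP, end IP); None means "Any"
    dst: Optional[tuple] = None     # (start IP, end IP); None means "Any"
    enabled: bool = True            # green (enabled) or gray (disabled) icon

def in_range(ip, rng):
    """True when ip falls inside the inclusive (start, end) range, or rng is Any."""
    if rng is None:
        return True
    lo, hi = (ipaddress.ip_address(x) for x in rng)
    return lo <= ipaddress.ip_address(ip) <= hi

class Balancer:
    """Round-robin over the active WAN ports; an enabled binding overrides it."""
    def __init__(self, wans, bindings=()):
        self.rr = cycle(wans)
        self.bindings = list(bindings)

    def egress(self, proto, dport, src_ip, dst_ip):
        for b in self.bindings:     # assumption: first matching rule wins
            if (b.enabled and SERVICES[b.service] == (proto, dport)
                    and in_range(src_ip, b.src) and in_range(dst_ip, b.dst)):
                return b.gateway
        return next(self.rr)        # unbound traffic: next WAN port in turn

def https_egress(balancer, client="192.168.1.10", n=4):
    """WAN ports used by n new HTTPS connections from one LAN client."""
    return [balancer.egress("tcp", 443, client, "203.0.113.5") for _ in range(n)]

WANS = ["WAN1", "WAN2", "WAN3"]
RULES = [Binding("HTTPS", "WAN1"), Binding("FTP", "WAN2")]  # the page's example

if __name__ == "__main__":
    print("unbound:", https_egress(Balancer(WANS)))         # source IP rotates
    print("bound:  ", https_egress(Balancer(WANS, RULES)))  # always WAN1
```

Without a binding, consecutive HTTPS connections from the same client leave through different WAN ports and therefore arrive at the server from different public addresses; with the binding they all use WAN1.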
Configure Load Balancing Mode for IPv4 Interfaces
To configure load balancing mode:
1. Select Network Configuration > WAN Settings > WAN Mode. The WAN Mode screen
   displays:
   Figure 20.
2. In the Load Balancing Settings section of the screen, configure the following settings:
   a. Select the Load Balancing Mode radio button.
   b. From the corresponding drop-down list on the right, select one of the following load
      balancing methods:
      - Weighted LB. With weighted load balancing, balance weights are calculated
        based on WAN link speed and available WAN bandwidth. This is the default
        setting and most efficient load balancing algorithm.
      - Round-robin. With round-robin load balancing, new traffic connections are sent
        over a WAN link in a serial method irrespective of bandwidth or link speed. For
        example, if the WAN1, WAN2, and WAN3 interfaces are active in round-robin load
        balancing mode, an HTTP request could first be sent over the WAN1 interface,
        then a new FTP session could start on the WAN2 interface, and then any new
        connection to the Internet could be made on the WAN3 interface. This load
        balancing method ensures that a single WAN interface does not carry a
        disproportionate distribution of sessions.
3. Click Apply to save your settings.
Configure Protocol Binding for IPv4 Interfaces (Optional)
To configure protocol binding and add protocol binding rules:
1. Select Network Configuration > Protocol Binding.
2. Select the Load Balancing radio button. The Protocol Bindings screen displays. (The
   following figure shows two examples in the Protocol Bindings table.)
   Figure 21.
   The Protocol Bindings table displays the following fields:
   - Check box. Allows you to select the protocol binding rule in the table.
   - Status icon. Indicates the status of the protocol binding rule:
     - Green circle. The protocol binding rule is enabled.
     - Gray circle. The protocol binding rule is disabled.
   - Service. The service or protocol for which the protocol binding rule is set up.
   - Local Gateway. The WAN interface to which the service or protocol is bound.
   - Source Network. The computers or groups on your network that are affected by the
     protocol binding rule.
   - Destination Network. The Internet locations (based on their IP address) or groups
     that are covered by the protocol binding rule.
   - Action. The Edit table button, which provides access to the Edit Protocol Binding
     screen for the corresponding service.
3. Click the Add table button below the Protocol Binding table. The Add Protocol Binding
   screen displays:
   Figure 22.
4. Configure the protocol binding settings as described in the following table:
Table 6. Add Protocol Binding screen settings

Setting | Description
Service | From the drop-down list, select a service or application to be covered by this rule. If the
    service or application does not appear in the list, you need to define it using the Services
    screen (see Add Customized Services on page 177).
Local Gateway | From the drop-down list, select one of the WAN interfaces.
Source Network | The source network settings determine which computers on your network are affected by
    this rule. Select one of the following options from the drop-down list:
    - Any. All devices on your LAN.
    - Single address. In the Start IP field, enter the IP address to which the rule is applied.
    - Address Range. In the Start IP field and End IP field, enter the IP addresses for the
      range to which the rule is applied.
    - Group. If this option is selected, the rule is applied to the selected group.
      The group can be a LAN group or an IP (LAN) group.
    Note: For information about LAN groups, see Manage IPv4 Groups
    and Hosts (IPv4 LAN Groups) on page 96. For information about IP
    groups, see Create IP Groups on page 179.
5. Click Apply to save your settings. The protocol binding rule is added to the Protocol Binding
   table. The rule is automatically enabled, which is indicated by the ! status icon that displays
   a green circle.
To edit a protocol binding:
1. On the Protocol Bindings screen (see Figure 21 on page 42), in the Protocol Bindings
   table, click the Edit table button to the right of the binding that you want to edit. The Edit
   Protocol Bindings screen displays. This screen shows the same fields as the Add Protocol
   Bindings screen (see the previous figure).
2. Modify the settings as described in the previous table.
3. Click Apply to save your settings.
To enable, disable, or delete one or more protocol bindings:
1. On the Protocol Bindings screen (see Figure 21 on page 42), select the check box to the
   left of the protocol binding that you want to enable, disable, or delete, or click the
   Select All table button to select all bindings.
2. Click one of the following table buttons:
   - Enable. Enables the binding or bindings. The ! status icon changes from a gray circle
     to a green circle, indicating that the selected binding or bindings are enabled. (By
     default, when a binding is added to the table, it is automatically enabled.)
   - Disable. Disables the binding or bindings. The ! status icon changes from a green
     circle to a gray circle, indicating that the selected binding or bindings are disabled.
   - Delete. Deletes the binding or bindings.
Table 6. Add Protocol Binding screen settings (continued)

Setting | Description
Destination Network | The destination network settings determine which Internet locations (based on their IP
    address) are covered by the rule. Select one of the following options from the drop-down
    list:
    - Any. All Internet IP addresses.
    - Single address. In the Start IP field, enter the IP address to which the rule is applied.
    - Address range. In the Start IP field and Finish field, enter the IP addresses for the
      range to which the rule is applied.
    - Group. If this option is selected, the rule is applied to the selected IP (WAN)
      group.
    Note: For information about IP groups, see Create IP Groups on page 179.
Configure the Auto-Rollover Mode and Failure Detection Method for IPv4 Interfaces
To use a redundant ISP link for backup purposes, ensure that the backup WAN interface has
already been configured. Then select the WAN interface that should function as the primary
link for this mode, and configure the WAN failure detection method on the WAN Mode screen
to support auto-rollover.
When the VPN firewall is configured in auto-rollover mode, it uses the selected WAN failure
detection method to detect the status of the primary link connection at regular intervals. For
IPv4 interfaces, the VPN firewall detects link failure in one of the following ways:
- By sending DNS queries to a DNS server
- By sending a ping request to an IP address
From the primary WAN interface, DNS queries or ping requests are sent to the specified IP
address. If replies are not received, after a specified number of retries, the primary WAN
interface is considered down and a rollover to the backup WAN interface occurs. When the
primary WAN interface comes back up, another rollover occurs from the backup WAN
interface back to the primary WAN interface. The WAN failure detection method that you
select applies only to the primary WAN interface, that is, it monitors the primary link only.
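The rollover behavior described above can be traced with a small simulation. This Python sketch is an added example, not NETGEAR code; it assumes that the retry setting means consecutive unanswered probes, that the first answered probe triggers the rollover back to the primary, and it uses a constructed probe sequence.

```python
def simulate_rollover(replies, retries, primary="WAN1", backup="WAN2"):
    """Return the active link after each probe interval.

    replies: booleans, True when the DNS query or ping sent from the primary
             WAN interface was answered in that interval.
    retries: consecutive unanswered probes after which the primary is
             considered down (assumed meaning of the retry setting).
    """
    active, misses, timeline = primary, 0, []
    for answered in replies:
        if answered:
            misses = 0
            active = primary          # primary is up: roll back to it
        else:
            misses += 1
            if misses >= retries:     # retry budget exhausted: roll over
                active = backup
        timeline.append(active)
    return timeline

def count_rollovers(timeline, start="WAN1"):
    """Number of link changes; each one changes the source IP of new sessions."""
    changes, prev = 0, start
    for link in timeline:
        if link != prev:
            changes += 1
        prev = link
    return changes

# Constructed probe results: one isolated loss, then a four-interval outage.
PROBES = [True, False, True, False, False, False, False, True, True]

if __name__ == "__main__":
    for retries in (1, 3):
        timeline = simulate_rollover(PROBES, retries)
        print(retries, count_rollovers(timeline), timeline)
```

With one retry the isolated lost probe already causes a rollover and the link changes four times; with three retries only the real outage does, at the cost of detecting it two intervals later.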
Configure Auto-Rollover Mode for IPv4 Interfaces
To configure auto-rollover mode:
1. Select Network Configuration > WAN Settings > WAN Mode. The WAN Mode screen
   displays:
   Figure 23.
