
Setting up slb – Amer Networks E5Web GUI User Manual

The table below shows the rules that would be defined for a typical scenario of a set of web
servers behind the Clavister Security Gateway for which the load is being balanced. Access across
the internet is via the wan interface which has the IP address wan_ip. The rules allow external
clients to access the web servers. The service is not listed.

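| Rule Name     | Action  | Src Interface | Src Network | Dest Interface | Dest Network | Service  |
|---------------|---------|---------------|-------------|----------------|--------------|----------|
| web_slb       | SLB_SAT | any           | all-nets    | core           | wan_ip       | http-all |
| web_slb_allow | Allow   | wan           | all-nets    | core           | wan_ip       | http-all |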

The SLB_SAT rule has any as the source interface in case any internal clients want to access the
server (an interface group could be used to precisely specify the allowed source interfaces). If the
accessing clients are on the same network as the web servers then a NAT rule for those clients
would also be needed as shown below:

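| Rule Name     | Action  | Src Interface | Src Network | Dest Interface | Dest Network | Service  |
|---------------|---------|---------------|-------------|----------------|--------------|----------|
| web_slb       | SLB_SAT | any           | all-nets    | core           | wan_ip       | http-all |
| web_slb_nat   | NAT     | lan           | lan_net     | core           | wan_ip       | http-all |
| web_slb_allow | Allow   | wan           | all-nets    | core           | wan_ip       | http-all |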

It is assumed here that internal clients also open connections to wan_ip in order to access the
web servers and so their connections are automatically routed to core.

In the IP rules, the destination interface is always specified as core, meaning cOS Core itself deals
with the connection. The key advantage of having a separate Allow rule is that the web servers
can log the exact IP address that is generating external requests. Using only a NAT rule, which is
possible, means that web servers would see only the IP address of the Clavister Security Gateway.
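The rule logic described above, modelled as an added Python example (not code from the manual or from cOS Core), showing which source address the web server logs under each rule set. It assumes that an SLB_SAT rule only selects the translation and a later Allow or NAT rule admits the connection, that distribution is round-robin, and it uses constructed values for lan_net, the gateway's server-facing address, the client addresses, a dmz interface and the fields of the NAT-only rule.

```python
import ipaddress
from itertools import cycle

# Constructed sample addresses (assumptions): the manual names wan_ip and
# lan_net but gives no values for them. SERVERS comes from Example 10.3.
LAN_NET = ipaddress.ip_network("192.168.1.0/24")
ALL_NETS = ipaddress.ip_network("0.0.0.0/0")
GW_LAN_IP = "192.168.1.1"  # assumed gateway address facing the servers
SERVERS = ["192.168.1.10", "192.168.1.11"]

# (name, action, src_iface, src_net); every rule has core / wan_ip / http-all
RULES_WITH_ALLOW = [
    ("web_slb", "SLB_SAT", "any", ALL_NETS),
    ("web_slb_nat", "NAT", "lan", LAN_NET),
    ("web_slb_allow", "Allow", "wan", ALL_NETS),
]
# The NAT-only variant the text calls possible (rule fields assumed here).
RULES_NAT_ONLY = [
    ("web_slb", "SLB_SAT", "any", ALL_NETS),
    ("web_slb_nat", "NAT", "any", ALL_NETS),
]

def round_robin():
    """Assumed distribution method for this illustration."""
    return cycle(SERVERS)

def evaluate(rules, iface, src, picker):
    """Return (admitting rule, chosen server, source IP the server logs)."""
    server = None
    for name, action, r_iface, r_net in rules:
        if r_iface not in ("any", iface) or ipaddress.ip_address(src) not in r_net:
            continue
        if action == "SLB_SAT":
            server = next(picker)  # translation chosen, search continues
        elif server is not None and action == "Allow":
            return name, server, src  # source address preserved
        elif server is not None and action == "NAT":
            return name, server, GW_LAN_IP  # source rewritten to gateway
    return None, None, None  # SLB_SAT alone admits nothing

if __name__ == "__main__":
    cases = [("wan", "198.51.100.7"), ("lan", "192.168.1.50"), ("dmz", "10.0.0.5")]
    for label, rules in (("allow+nat", RULES_WITH_ALLOW), ("nat-only", RULES_NAT_ONLY)):
        picker = round_robin()
        for iface, src in cases:
            print(label, iface, src, "->", evaluate(rules, iface, src, picker))
```

In this model the dmz connection matches web_slb but is not admitted by the three-rule set, because neither the NAT nor the Allow rule covers that interface.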

Example 10.3. Setting up SLB

In this example server load balancing is to be done between two HTTP web servers which are
situated behind the Clavister Security Gateway. The web servers have the private IPv4 addresses
192.168.1.10 and 192.168.1.11. Access by external clients is via the wan interface which has the
IPv4 address wan_ip.

The default SLB values for monitoring, distribution method and stickiness are used. A NAT rule is
used in conjunction with the SLB_SAT rule so that clients behind the gateway can access the web
servers.

An Allow rule is used to allow access by external clients.

Command-Line Interface

A. Create an address object for each of the web servers:

Device:/> add Address IP4Address server1 Address=192.168.1.10

Device:/> add Address IP4Address server2 Address=192.168.1.11

B. Create a Group which contains the 2 web server objects:

Device:/> add Address IP4Group server_group Members=server1,server2

C. Specify the SLB_SAT IP rule:

Chapter 10: Traffic Management
