Alteon Application Switch Operating System Application Guide
Firewall Load Balancing
Document ID: RDWR-ALOS-V2900_AG1302 687
To add the filters required for the DMZ (to each Alteon)
1. On the dirty-side Alteon, create the filter to allow HTTP traffic to reach the DMZ Web servers.
In this example, the DMZ Web servers use IP addresses 205.178.29.0/24.
2. Create another filter to deny all other traffic to the DMZ Web servers.
Note: The deny filter has a higher filter number than the allow filter. This is necessary so that
the allow filter has the higher order of precedence.
3. Add the filters to the traffic ingress ports.
4. Apply and save the configuration changes.
Firewall Health Checks
Basic FWLB health checking is automatic. No special configuration is necessary unless you want to
tune the health checking parameters. For details, see Health Checking, page 481
.
Firewall Service Monitoring
To maintain high availability, Alteon monitors firewall health status and send packets only to healthy
firewalls. There are two methods of firewall service monitoring: ICMP and HTTP. Each Alteon
monitors the health of the firewalls on a regular basis by pinging the IP interfaces configured on its
partner Alteon on the other side of the firewall.
>> # /cfg/slb/filt 80
>> Filter 80# sip any
>> Filter 80# dip 205.178.29.0
>> Filter 80# dmask 255.255.255.0
>> Filter 80# proto tcp
>> Filter 80# sport any
>> Filter 80# dport http
>> Filter 80# action allow
>> Filter 80# ena
(Select Filter 80)
(From any source IP address)
(To the DMZ base destination)
(For the range of DMZ addresses)
(For TCP protocol traffic)
(From any source port)
(To an HTTP destination port)
(Allow the traffic)
(Enable the filter)
>> Filter 80# /cfg/slb/filt 89
>> Filter 89# sip any
>> Filter 89# dip 205.178.29.0
>> Filter 89# dmask 255.255.255.0
>> Filter 89# proto any
>> Filter 89# action deny
>> Filter 89# ena
(Select Filter 89)
(From any source IP address)
(To the DMZ base destination)
(For the range of DMZ addresses)
(For TCP protocol traffic)
(Allow the traffic)
(Enable the filter)
>> Filter 89# /cfg/slb/port 1
>> SLB Port 1# add 80
>> SLB Port 1# add 89
(Select the ingress port)
(Add the allow filter)
(Add the deny filter)
>> SLB Port 1# apply
>> SLB Port 1# save
To Next Page
Loading...
Need help?
General