Policy Based Routing and WAN Load Balancing Example on SonicOS 7.X and SonicOS Enhanced

Description

Resolution for SonicOS 7.X

This release includes significant user interface changes and many new features that differ from SonicOS 6.5 and earlier firmware. The resolution below is for customers using SonicOS 7.X firmware.

The following example walks you through creating a route policy for two simultaneously active WAN interfaces. For this example, a secondary WAN interface needs to be set up and configured with the settings from your ISP.

Configure the security appliance for load balancing by checking Enable Load Balancing on the Network | System | Failover & LB page. For this example, choose Round-Robin as the load balancing type on the Network | System | Failover & LB page. Click Apply to save your changes.

  1. Click Policy in the top navigation menu.
  2. Select Rules and Policies | Routing Rules.
  3. Click the Add button. The Add Route Policy window is displayed.
  4. Create a routing policy that directs all LAN Subnet sources to Any destination for HTTP service out of the Default Gateway via the X1 interface. 
  5. Click on Save to save the policy.

  6. Create a second routing policy that directs all LAN Subnet sources to Any destinations for Telnet service out of the X9 Default Gateway via the X9 interface.

These two policy-based routes force all sources from the LAN subnet to always go out the primary WAN when using any HTTP-based application, and force all sources from the LAN subnet to always go out the backup WAN when using any Telnet-based application.

To test the HTTP policy-based route, from a computer attached to the LAN interface, access the public Web site WhatIsMyIP.com. If the HTTP route policy is functioning correctly, the site will display the primary WAN interface's IP address and not the secondary WAN interface's.

To test the Telnet policy-based route, telnet to route-server.exodus.net and, when logged in, issue the who command. It should display the WAN IP address (or resolved FQDN) of the secondary WAN interface and not the primary WAN interface.
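
The route selection described above, modelled as an added example (not SonicWall code and not part of the original article): a matching route policy decides the egress interface, and any connection that matches neither policy falls through to round-robin load balancing. The LAN subnet, the port numbers behind the HTTP and Telnet service names, and all class and function names are assumptions made for illustration.

```python
import ipaddress
from dataclasses import dataclass
from itertools import cycle

# Constructed values (assumptions): LAN subnet and the ports behind each service name.
LAN_SUBNET = ipaddress.ip_network("192.168.168.0/24")
SERVICES = {"HTTP": ("tcp", 80), "Telnet": ("tcp", 23)}


@dataclass(frozen=True)
class RoutePolicy:
    source: ipaddress.IPv4Network
    service: str      # key into SERVICES; destination is Any for both policies
    interface: str    # egress interface, using that interface's default gateway


# The two route policies from the article.
POLICIES = [
    RoutePolicy(LAN_SUBNET, "HTTP", "X1"),
    RoutePolicy(LAN_SUBNET, "Telnet", "X9"),
]


class EgressSelector:
    """Simplified model: a matching route policy wins, otherwise round-robin."""

    def __init__(self, policies, lb_members):
        self.policies = policies
        self._next_member = cycle(lb_members)

    def select(self, src_ip, proto, dst_port):
        src = ipaddress.ip_address(src_ip)
        for policy in self.policies:
            if src in policy.source and SERVICES[policy.service] == (proto, dst_port):
                return policy.interface
        # No policy matched: hand the connection to the next WAN in rotation.
        return next(self._next_member)


def egress_for(connections, lb_members=("X1", "X9")):
    """Return the egress interface chosen for each (src_ip, proto, dst_port)."""
    selector = EgressSelector(POLICIES, lb_members)
    return [selector.select(*conn) for conn in connections]


if __name__ == "__main__":
    # Constructed sample connections from LAN hosts.
    sample = [("192.168.168.10", "tcp", 80), ("192.168.168.10", "tcp", 443),
              ("192.168.168.11", "tcp", 23), ("192.168.168.10", "tcp", 443)]
    for conn, iface in zip(sample, egress_for(sample)):
        print(conn, "->", iface)
```

In this model a connection to TCP 443 does not match the HTTP policy, so it alternates between X1 and X9 rather than staying on the primary WAN.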


Resolution for SonicOS 6.5

This release includes significant user interface changes and many new features that differ from SonicOS 6.2 and earlier firmware. The resolution below is for customers using SonicOS 6.5 firmware.

Procedure:

The following example walks you through creating a route policy for two simultaneously active WAN interfaces. For this example, a secondary WAN interface (say, X3 or if a Gen4 TZ device, OPT) needs to be set up and configured with the settings from your ISP. Next, configure the security appliance for load balancing by checking Enable Load Balancing on the Manage | Network | Failover & Load Balancing page. For this example, choose Per Connection Round-Robin as the load balancing method on the Manage | Network | Failover & Load Balancing page. Click Apply to save your changes on the Manage | Network | Failover & Load Balancing page.

  1. Click Manage in the top navigation menu.
  2. Select the Network | Routing page.
  3. Under Route Policies
  4. Click the Add button under the Route Policies table. The Add Route Policy window is displayed.
  5. Create a routing policy that directs all LAN Subnet sources to Any destination for HTTP service out of the Default Gateway via the X1 interface.
  6. Click on OK to save the policy.
  7. Create a second routing policy that directs all LAN Subnet sources to Any destinations for Telnet service out of the X9 Default Gateway via the X9 interface.

These two policy-based routes force all sources from the LAN subnet to always go out the primary WAN when using any HTTP-based application, and force all sources from the LAN subnet to always go out the backup WAN when using any Telnet-based application.

To test the HTTP policy-based route, from a computer attached to the LAN interface, access the public Web site WhatIsMyIP.com. If the HTTP route policy is functioning correctly, the site will display the primary WAN interface's IP address and not the secondary WAN interface's.

To test the Telnet policy-based route, telnet to route-server.exodus.net and, when logged in, issue the who command. It should display the WAN IP address (or resolved FQDN) of the secondary WAN interface and not the primary WAN interface.

Resolution for SonicOS 6.2 and Below

The resolution below is for customers using SonicOS 6.2 and earlier firmware. For firewalls that are generation 6 and newer, we suggest upgrading to the latest general release of SonicOS 6.5 firmware.

Procedure:

The following example walks you through creating a route policy for two simultaneously active WAN interfaces. For this example, a secondary WAN interface (say, X3 or if a Gen4 TZ device, OPT) needs to be set up and configured with the settings from your ISP. Next, configure the security appliance for load balancing by checking Enable Load Balancing on the Network > WAN Failover & LB page. For this example, choose Per Connection Round-Robin as the load balancing method on the Network > WAN Failover & LB page. Click Apply to save your changes on the Network > WAN Failover & LB page.

  1. Select the Network > Routing page.
  2. Click the Add button under the Route Policies table. The Add Route Policy window is displayed.
  3. Create a routing policy that directs all LAN Subnet sources to Any destination for HTTP service out of the Default Gateway via the X1 interface. 
  4. Create a second routing policy that directs all LAN Subnet sources to Any destinations for Telnet service out of the X3 Default Gateway via the X3 interface.

These two policy-based routes force all sources from the LAN subnet to always go out the primary WAN when using any HTTP-based application, and force all sources from the LAN subnet to always go out the backup WAN when using any Telnet-based application.

To test the HTTP policy-based route, from a computer attached to the LAN interface, access the public Web site WhatIsMyIP.com. If the HTTP route policy is functioning correctly, the site will display the primary WAN interface's IP address and not the secondary WAN interface's.

To test the Telnet policy-based route, telnet to route-server.exodus.net and, when logged in, issue the who command. It should display the WAN IP address (or resolved FQDN) of the secondary WAN interface and not the primary WAN interface.

 
