Creating a NAT Load Balancing Policy for Two Web Servers

This is a more specific example of a one-to-many NAT load balancing policy. To configure NAT load balancing in this example, complete the following tasks:

• Enabling Logging and Name Resolution for Logging
• Creating Address Objects and an Address Group
• Creating the Inbound NAT Load Balancing Policy
• Creating the Outbound NAT Policy
• Creating an Access Rule
• Verifying and Troubleshooting the NAT Load Balancing Configuration

Enabling Logging and Name Resolution for Logging

It is strongly advised that you enable logging for all categories, and enable name resolution for logging.

To enable logging

1. Navigate to the DEVICE | Log > Settings.

   

2. Click the Edit icon at the top of the table.

   The Edit Attributes of All Categories dialog appears.

   

1. Choose debug from the Event Priority drop-down menu.

2. Select Enable for Display Events in Log Monitor and for any other desired settings.

   Debug logs should only be used for initial configuration and troubleshooting, and it is advised that once setup is complete, you reset the logging level back to a more appropriate level for your network environment.

3. Click Save.

4. Click Accept on the DEVICE | Log > Settings page to save and activate the changes.

To enable log name resolution

1. Navigate to the DEVICE | Log > Name Resolution page.

2. Choose DNS then NetBIOS from the Name Resolution Method drop-down menu. The DNS Settings section displays.

   

3. Select the Inherit DNS Settings Dynamically from WAN Zone option. The Log Resolution DNS Server fields are filled automatically and cannot be changed.

4. Click Accept to save and activate the changes.

Creating Address Objects and an Address Group

To create address objects and an address group

1. Navigate to the OBJECT | Match Objects > Addresses page.

2. Create address objects for both of the internal web servers as well as for the Virtual IP on which external users access the servers. For example:

   

   

   

3. Click over to the Address Groups tab. Click +Add.

4. Create an address group named www_group and add the two internal server address objects you just created. For example:

   

Creating the Inbound NAT Load Balancing Policy

To configure the inbound NAT load balancing policy

1. Navigate to the POLICY | Rules and Policies > NAT page.

2. Click +Add and create an Inbound NAT Rules policy for www_group to allow anyone attempting to access the Virtual IP to get translated to the address group you just created.

   Do not save the NAT rule just yet.

3. Click the Advanced/Actions view. Under NAT Method, select Sticky IP as the NAT Method.

4. Under High Availability, select Enable Probing.

5. For Probe type, select TCP from the drop-down menu, and type 80 into the Port field.

   This means that SonicOS checks to see if the server is up and responding by monitoring TCP port 80 (which is what people are trying to access).

6. Click Add to save and activate your changes.

   Before you go any further, check the logs and the status page to see if the resources have been detected and have been logged as online. Two alerts appear as Firewall Events with the message Network Monitor: Host 192.160.200.220 is online (with your IP addresses). If you do not see these two messages, check the previous steps.

7. Click Close.

Creating the Outbound NAT Policy

To configure the corresponding outbound NAT policy

1. Navigate to the POLICY | Rules and Policies > NAT page.

2. Click +Add and create an Outbound NAT policy for www_group to allow the internal servers to get translated to the Virtual IP when accessing resources out the WAN interface (by default, the X1 interface). The Original / Translated settings are shown here. Advanced / Actions settings are not necessary.

   

Creating an Access Rule

To configure the access rule

1. Navigate to the POLICY | Rules and Policies > Access Rules page.

2. Click +Add to create an access rule to allow traffic from the outside to access the internal web servers through the Virtual IP.

   

3. Click Add to create the access rule.

4. Click Cancel to exit the dialog.

Verifying and Troubleshooting the NAT Load Balancing Configuration

Test your work by connecting via HTTP to a web page hosted on one of the internal web servers using a browser from a computer outside the WAN. You should be connected through the Virtual IP.

If you wish to load balance one or more SonicWall appliances, repeat these procedures using HTTPS instead of HTTP as the allowed service.

If the web servers are not accessible, go to the POLICY | Rules and Policies > Access Rules page and click the expansion arrow next to the web server in question to view its Traffic Statistics.

If the rule is configured incorrectly you will not see any Rx or TX Bytes; if it is working, you will see these increment with each successful external access of the load balanced resources.

Finally, check the logs and the status page to see if there are any alerts (noted in yellow) about the Network Monitor noting hosts that are offline; it could be that all of your load balancing resources are not reachable by the firewall and that the probing mechanism has marked them offline and out of service. Check the load balancing resources to ensure that they are functional and check the networking connections between them and the firewall.