• SonicOS 7.0 Rules and Policies
• Settings
  • Configuring App/Match/Malware
  • Configuring Content Filtering Service (CFS)
    • SonicWall CFS
    • CFS Custom Category
  • Geo-IP
    • Custom List
      • Editing a Custom List Entry
      • Deleting Custom List Entries
    • Using Geo-IP Diagnostics
  • Botnet
    • Configuring Botnet Settings
    • Creating Custom Botnet Lists
    • Viewing Dynamic Botnets Lists
    • Configuring a Dynamic Botnet List Server
    • Using Botnet Diagnostics
  • Decryption (DPI-SSL)
    • Certificate
    • Common Name
    • SSL Servers
  • Decryption (DPI-SSH)
  • Signature Update
• Security Policy
  • User & Country
  • App/URL/Custom Match
• NAT Policy
  • About NAT in SonicOS
  • About NAT Load Balancing
    • Determining the NAT LB Method to Use
    • Caveats
    • How Load Balancing Algorithms are Applied
    • Sticky IP Algorithm Examples
      • Example One - Mapping to a Network
      • Example Two - Mapping to an IP Address Range
  • About NAT64
    • Use of Pref64::/n
  • About FQDN-based NAT
  • About Source MAC Address Override
  • Viewing NAT Policy Entries
    • Changing the Display
    • Filtering the Display
  • Adding or Editing NAT or NAT64 Rule Policies
  • Deleting NAT Policies
  • Creating NAT Rule Policies: Examples
    • Creating a One-to-One NAT Policy for Inbound Traffic
    • Creating a One-to-One NAT Policy for Outbound Traffic
    • Inbound Port Address Translation via One-to-One NAT Policy
    • Inbound Port Address Translation via WAN IP Address
    • Creating a Many-to-One NAT Policy
    • Creating a Many-to-Many NAT Policy
    • Creating a NAT Load Balancing Policy for Two Web Servers
• Routing
  • About Routing
    • About Metrics and Administrative Distance
      • About Metrics
      • About Administrative Distance
    • Route Advertisement
    • ECMP Routing
    • Policy-based Routing
    • Policy-based TOS Routing
    • PBR Metric-based Priority
    • Policy-based Routing and IPv6
    • OSPF and RIP Advanced Routing Services
      • About Routing Services
        • Protocol Type
        • Maximum Hops
        • Split-Horizon
        • Poison Reverse
        • Routing Table Updates
        • Subnet Sizes Supported
        • Autonomous System Topologies
      • OSPF Terms
    • Drop Tunnel Interface
    • App-based Routing
  • Rules and Policies > Route Policy
    • Configuring Route Policies
      • Adding Static Routes
      • Probe-Enabled Policy-based Routing Configuration
• Decryption Policy
  • Client-side SSL Rules
  • Server-side SSL Rules
  • SSH Rules
  • Setting up the Decryption Policy Table
    • Managing the Decryption Policy Toolbars
    • Changing the Policy Priority
    • Creating Decryption Policies
      • Adding Decryption Policies
      • Editing Decryption Policies
      • Deleting Decryption Policies
• DoS Policy
  • Setting up the DoS Policy Table
    • Managing the DoS Policy Toolbars
    • Changing the DoS Policy Priority
    • Creating DoS Policies
      • Adding DoS Policies
      • Editing DoS Policies
      • Deleting DoS Policies
• DNS Policy
  • Creating DNS Policies
    • Adding DNS Policies
    • Editing DNS Policies
    • Deleting DNS Policies
  • DNS Doctoring
• Endpoint Policy
• Shadow
• SonicWall Support
  • About This Document

Creating a NAT Load Balancing Policy for Two Web Servers

This is a more specific example of a one-to-many NAT load balancing policy. To configure NAT load balancing in this example, complete the following tasks:

• Enabling Logging and Name Resolution for Logging
• Creating Address Objects and an Address Group
• Creating the Inbound NAT Load Balancing Policy
• Creating the Outbound NAT Policy
• Creating an Access Rule
• Verifying and Troubleshooting the NAT Load Balancing Configuration

Enabling Logging and Name Resolution for Logging

It is strongly advised that you enable logging for all categories, and enable name resolution for logging.

To enable logging

1. Navigate to the DEVICE | Log > Settings.

   

2. Click the Edit icon at the top of the table.

   The Edit Attributes of All Categories dialog appears.

   

1. Choose debug from the Event Priority drop-down menu.

2. Select Enable for Display Events in Log Monitor and for any other desired settings.

   Debug logs should only be used for initial configuration and troubleshooting, and it is advised that once setup is complete, you reset the logging level back to a more appropriate level for your network environment.

3. Click Save.

4. Click Accept on the DEVICE | Log > Settings page to save and activate the changes.

To enable log name resolution

1. Navigate to the DEVICE | Log > Name Resolution page.

2. Choose DNS then NetBIOS from the Name Resolution Method drop-down menu. The DNS Settings section displays.

   

3. Select the Inherit DNS Settings Dynamically from WAN Zone option. The Log Resolution DNS Server fields are filled automatically and cannot be changed.

4. Click Accept to save and activate the changes.

Creating Address Objects and an Address Group

To create address objects and an address group

1. Navigate to the OBJECT | Match Objects > Addresses page.

2. Create address objects for both of the internal web servers as well as for the Virtual IP on which external users access the servers. For example:

   

   

   

3. Click over to the Address Groups tab. Click +Add.

4. Create an address group named www_group and add the two internal server address objects you just created. For example:

   

Creating the Inbound NAT Load Balancing Policy

To configure the inbound NAT load balancing policy

1. Navigate to the POLICY | Rules and Policies > NAT page.

2. Click +Add and create an Inbound NAT Rules policy for www_group to allow anyone attempting to access the Virtual IP to get translated to the address group you just created.

   Do not save the NAT rule just yet.

3. Click the Advanced/Actions view. Under NAT Method, select Sticky IP as the NAT Method.

4. Under High Availability, select Enable Probing.

5. For Probe type, select TCP from the drop-down menu, and type 80 into the Port field.

   This means that SonicOS checks to see if the server is up and responding by monitoring TCP port 80 (which is what people are trying to access).

6. Click Add to save and activate your changes.

   Before you go any further, check the logs and the status page to see if the resources have been detected and have been logged as online. Two alerts appear as Firewall Events with the message Network Monitor: Host 192.160.200.220 is online (with your IP addresses). If you do not see these two messages, check the previous steps.

7. Click Close.

Creating the Outbound NAT Policy

To configure the corresponding outbound NAT policy

1. Navigate to the POLICY | Rules and Policies > NAT page.

2. Click +Add and create an Outbound NAT policy for www_group to allow the internal servers to get translated to the Virtual IP when accessing resources out the WAN interface (by default, the X1 interface). The Original / Translated settings are shown here. Advanced / Actions settings are not necessary.

   

Creating an Access Rule

To configure the access rule

1. Navigate to the POLICY | Rules and Policies > Access Rules page.

2. Click +Add to create an access rule to allow traffic from the outside to access the internal web servers through the Virtual IP.

   

3. Click Add to create the access rule.

4. Click Cancel to exit the dialog.

Verifying and Troubleshooting the NAT Load Balancing Configuration

Test your work by connecting via HTTP to a web page hosted on one of the internal web servers using a browser from a computer outside the WAN. You should be connected through the Virtual IP.

If you wish to load balance one or more SonicWall appliances, repeat these procedures using HTTPS instead of HTTP as the allowed service.

If the web servers are not accessible, go to the POLICY | Rules and Policies > Access Rules page and click the expansion arrow next to the web server in question to view its Traffic Statistics.

If the rule is configured incorrectly you will not see any Rx or TX Bytes; if it is working, you will see these increment with each successful external access of the load balanced resources.

Finally, check the logs and the status page to see if there are any alerts (noted in yellow) about the Network Monitor noting hosts that are offline; it could be that all of your load balancing resources are not reachable by the firewall and that the probing mechanism has marked them offline and out of service. Check the load balancing resources to ensure that they are functional and check the networking connections between them and the firewall.