Firewall Security Policy: How to Configure Security Policies to Allow SLB
What Is SLB?
Server load balancing (SLB) distributes user requests across multiple servers for processing, improving the concurrent service processing capability and the scalability and reliability of the whole service system. SLB is applied in three typical scenarios depending on the service type. The firewall also needs to learn the health status of the real servers through service health checks and schedule services according to that status. This document describes how to configure security policies in each SLB application scenario.
How to Configure Security Policies to Allow Layer 4 Load Balancing
Layer 4 load balancing is implemented based on the destination IP address and port number in a packet. A client accesses the virtual server based on the address and port number provided by a firewall. The firewall selects a real server based on the load balancing algorithm and replaces the destination IP address and port number in the packet with the IP address and port number of the selected real server. Layer 4 load balancing is similar to destination NAT.
Since USG6000/USG9500 V500R001C30 and USG6000E V600R006, the firewall first searches for security policies before processing Layer 4 load balancing services. After a service packet passes the security policy check, the firewall replaces the destination IP address and port number in the packet and forwards the packet based on the routing table. In this case, configure a security policy as follows:
- Specify the destination IP address and service as the IP address and port number of the virtual server, respectively.
- Specify the destination security zone as the security zone where the real server is located.
- Specify the source IP address as the client IP address. This document uses an enterprise providing services for clients on the external network as an example. As the client cannot be determined, the source IP address is set to any.
No. | Name | Source Security Zone | Destination Security Zone | Source Address/Region | Destination Address/Region | Service | Action
---|---|---|---|---|---|---|---
101 | Allow L4 SLB | Untrust | DMZ | any | 203.0.113.1/32 | TCP: 2121 | permit
102 | Allow health check | Local | DMZ | 10.1.1.1/32 | 10.10.1.1-10.10.1.3 | ICMP¹ | permit

¹ To prevent services from being distributed to servers that cannot work properly, enable service health check and configure a security policy that permits the probe packets. ICMP is used as an example. For details, see How to Configure Security Policies to Allow Service Health Check.
For the USG6000 V100R001 and USG9500 V300R001C01, load balancing is equivalent to destination NAT. The destination address in the security policy must be the address after NAT, that is, the address of the real server.
For the USG6000/USG9500 V500R001C00 to V500R001C20 and USG9500 V300R001C20, the firewall first replaces the destination IP address and port number in a packet and then searches for the security policy. Therefore, the destination address in the security policy must be specified as the replaced address, that is, the address of the real server.
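The version difference above is easy to get wrong, because the same rule text is correct on one version family and silently denies the traffic on the other. The following added example (not from the Huawei document) models rows 101 and 102 of the Layer 4 table and evaluates a client request under both lookup orders: policy checked before the destination rewrite (V500R001C30 / V600R006 and later) and policy checked after it (V500R001C00 to C20). The client address 198.51.100.7 and the real-server port 21 are constructed sample values.

```python
# Added example, not from the Huawei document: a minimal model of the Layer 4
# table above and of the two lookup orders described for the version families.
# Zones, addresses, ports and rule names come from the table; the client
# address 198.51.100.7 and the real-server port 21 are constructed sample values.
import ipaddress
from typing import NamedTuple

class Flow(NamedTuple):
    src_zone: str; dst_zone: str; src_ip: str
    dst_ip: str; proto: str; dst_port: int = 0   # 0 = no port (ICMP)

class Rule(NamedTuple):
    name: str; src_zone: str; dst_zone: str; src: str
    dst: str; proto: str; dst_port: int = 0      # 0 = any destination port

def in_addr(ip: str, spec: str) -> bool:
    """spec is 'any', a prefix such as 203.0.113.1/32, or a range 'a-b'."""
    if spec == "any":
        return True
    addr = ipaddress.ip_address(ip)
    if "-" in spec:
        lo, hi = (ipaddress.ip_address(s) for s in spec.split("-"))
        return lo <= addr <= hi
    return addr in ipaddress.ip_network(spec, strict=False)

def lookup(policy: list, flow: Flow) -> str:
    """First matching rule wins; no match falls through to the implicit deny."""
    for r in policy:
        if (r.src_zone == flow.src_zone and r.dst_zone == flow.dst_zone
                and in_addr(flow.src_ip, r.src) and in_addr(flow.dst_ip, r.dst)
                and r.proto == flow.proto and r.dst_port in (0, flow.dst_port)):
            return "permit"
    return "deny"

def slb_verdict(policy: list, client: Flow, real_ip: str, real_port: int,
                policy_first: bool) -> str:
    """policy_first=True: V500R001C30 / V600R006 and later, the policy is checked
    against the virtual server address. False: V500R001C00 to C20, the destination
    has already been rewritten to the real server when the policy is checked."""
    seen = client if policy_first else client._replace(dst_ip=real_ip, dst_port=real_port)
    return lookup(policy, seen)

# Rows 101 and 102 of the Layer 4 table, one client request and one health probe.
POLICY_L4 = [
    Rule("Allow L4 SLB", "Untrust", "DMZ", "any", "203.0.113.1/32", "tcp", 2121),
    Rule("Allow health check", "Local", "DMZ", "10.1.1.1/32", "10.10.1.1-10.10.1.3", "icmp"),
]
CLIENT = Flow("Untrust", "DMZ", "198.51.100.7", "203.0.113.1", "tcp", 2121)  # constructed
PROBE = Flow("Local", "DMZ", "10.1.1.1", "10.10.1.2", "icmp")
```

On the older family the same client flow is denied by row 101 as written, and the rule must name the real-server range and port instead; the probe from Local is permitted by row 102 on both families.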
How to Configure Security Policies to Allow Layer 7 Load Balancing
In addition to the Layer 4 load balancing capabilities, Layer 7 load balancing can identify application-layer characteristics such as the URL and host and select real servers based on them. In Layer 7 load balancing scenarios, two sessions are established on the firewall for each client access request.
- Session for the client to access the virtual server. A security policy needs to be configured for such access. In the security policy, the destination security zone is the security zone where the real server resides, and the destination IP address is the IP address of the virtual server.
- Session for the client to access the real server. The firewall directly forwards packets of the session without security policy check. Therefore, no security policy needs to be configured.
No. | Name | Source Security Zone | Destination Security Zone | Source Address/Region | Destination Address/Region | Service | Action
---|---|---|---|---|---|---|---
101 | Allow L7 SLB | Untrust | DMZ | any | 203.0.113.1/32 | http | permit
102 | Allow health check | Local | DMZ | 10.1.1.1/32 | 10.10.1.1-10.10.1.3 | ICMP¹ | permit

¹ To prevent services from being distributed to servers that cannot work properly, enable service health check and configure a security policy that permits the probe packets. ICMP is used as an example. For details, see How to Configure Security Policies to Allow Service Health Check.
How to Configure Security Policies to Allow SSL Offloading
In SSL offloading scenarios, the firewall decrypts the HTTPS traffic that a client sends to the server and passes it on to the server as HTTP. The firewall functions as an SSL proxy and performs the SSL encryption and decryption, reducing the load on the server.
Similar to the Layer 7 load balancing scenario, two sessions are established on the firewall for the access requests of each client in the SSL offloading scenario. The difference between the two scenarios is that security policies need to be configured for both the session for a client to access the virtual server and the session for a client to access the real server.
- Session for the client to access the virtual server: In the security policy, the destination security zone is the security zone where the real server resides, and the destination IP address is the IP address of the virtual server.
- Session for the client to access the real server: In the security policy, the destination security zone is the security zone where the real server resides, the destination IP address is the IP address of the real server, and the source security zone is Local or the security zone where the client resides, depending on the version:
  - In USG6000E V600R007, USG6000/USG9500 V500R005C20, and later versions, the source security zone must be Untrust, that is, the security zone where the client resides.
  - In versions earlier than USG6000E V600R007 and USG6000/USG9500 V500R005C20, the source security zone must be Local.
No. | Name | Source Security Zone | Destination Security Zone | Source Address/Region | Destination Address/Region | Service | Action
---|---|---|---|---|---|---|---
101 | Allow L7 SLB left session | Untrust | DMZ | any | 203.0.113.1/32 | ssl | permit
102 | Allow L7 SLB right session | Untrust¹ | DMZ | any | 10.10.1.1-10.10.1.3 | http | permit
103 | Allow health check | Local | DMZ | 10.1.1.1/32 | 10.10.1.1-10.10.1.3 | ICMP² | permit

¹ USG6000E V600R007 is used as an example, so the source security zone is the security zone where the client resides.

² To prevent services from being distributed to servers that cannot work properly, enable service health check and configure a security policy that permits the probe packets. ICMP is used as an example. For details, see How to Configure Security Policies to Allow Service Health Check.
How to Configure Security Policies to Allow Service Health Check
The firewall periodically sends probe packets to learn the health status of the real server and schedules services based on the health status. The firewall supports TCP, HTTP, HTTPS, DNS, RADIUS, and ICMP probe packets.
Since USG6000/USG9500 V500R005C10, the firewall does not perform a security policy check on the probe packets it sends, and on the USG6000E no security policy needs to be configured for service health check either. Earlier USG6000/USG9500 versions require a security policy that permits the probe packets.
In a probe packet, the source IP address is the IP address of the outbound interface, the destination IP address is the IP address of the real server, the source security zone is Local, and the destination security zone is the security zone where the real server resides.
If the probe packet is a TCP, HTTP, HTTPS, DNS, or RADIUS packet, you can specify its destination port manually. If no destination port is specified, the firewall probes the service port configured on the real server; if no service port is configured for the real server, it probes the service port of the virtual server. Configure the security policy according to the resulting SLB service configuration.