How to Configure Security Policies to Allow Layer 4 Load Balancing
Layer 4 load balancing is implemented based on the destination IP address and port number in a packet. A client accesses the virtual server based on the address and port number provided by a firewall. The firewall selects a real server based on the load balancing algorithm and replaces the destination IP address and port number in the packet with the IP address and port number of the selected real server. Layer 4 load balancing is similar to destination NAT.
Starting from USG6000/USG9500 V500R001C30 and USG6000E V600R006, the firewall searches the security policies first and processes Layer 4 load balancing afterwards. Once a service packet passes the security policy check, the firewall replaces the destination IP address and port number in the packet and forwards the packet based on the routing table. For these versions, configure the security policy as follows:
- Specify the destination IP address and service as the IP address and port number of the virtual server, respectively.
- Specify the destination security zone as the security zone where the real server is located.
- Specify the source IP address as the client IP address. This document uses an enterprise that provides services to clients on the external network as an example. Because the client IP addresses cannot be determined in advance, the source IP address is set to any.
| No. | Name | Source Security Zone | Destination Security Zone | Source Address/Region | Destination Address/Region | Service | Action |
|---|---|---|---|---|---|---|---|
| 101 | Allow L4 SLB | Untrust | DMZ | any | 203.0.113.1/32 | TCP: 2121 | permit |
| 102 | Allow health check | Local | DMZ | 10.1.1.1/32 | 10.10.1.1-10.10.1.3 | ICMP[1] | permit |

[1]: To prevent services from being distributed to servers that cannot work properly, enable service health check and configure a security policy that permits the detection packets. ICMP is used as an example here. For details, see How to Configure Security Policies to Allow Service Health Check.
For the USG6000 V100R001 and USG9500 V300R001C01, load balancing is equivalent to destination NAT. The destination address in the security policy must be the address after NAT, that is, the address of the real server.
For the USG6000/USG9500 V500R001C00 to V500R001C20 and USG9500 V300R001C20, the firewall first replaces the destination IP address and port number in the packet and only then searches the security policies. Therefore, the destination address in the security policy must be the translated address, that is, the address of the real server.
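The version differences above come down to one question: does the policy lookup see the packet before or after the load balancer rewrites its destination? The following Python model is an added example, not code from the Huawei documentation or the USG product. It reuses the zones, addresses and rule values from the table, but the zone table, the client address 198.51.100.7, the real-server port 21, the source-hash server selection and the matcher itself are constructed simplifications. Running the same rule against both processing orders shows why rule 101 permits traffic on the newer versions but drops it on the older ones, and why the older versions need a rule written for the real-server addresses instead.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Processing orders described in the documentation text.
POLICY_THEN_SLB = "policy-then-slb"  # V500R001C30+, USG6000E V600R006+
SLB_THEN_POLICY = "slb-then-policy"  # V500R001C00 to C20, USG9500 V300R001C20

# Zone membership (constructed): the firewall's own address is Local, real
# servers are in the DMZ, everything else is treated as the external network.
ZONE_NETWORKS = [("Local", "10.1.1.1/32"), ("DMZ", "10.10.1.0/24")]

# Virtual server from the table; real-server port 21 is a constructed value.
VIP = ("203.0.113.1", 2121)
REAL_SERVERS = [("10.10.1.1", 21), ("10.10.1.2", 21), ("10.10.1.3", 21)]


@dataclass(frozen=True)
class Packet:
    src_ip: str
    dst_ip: str
    dst_port: int
    protocol: str  # "tcp", "udp" or "icmp"


@dataclass(frozen=True)
class Rule:
    name: str
    src_zone: str
    dst_zone: str
    src: str              # "any", CIDR, or "a-b" range, as in the table
    dst: str
    protocol: str         # "any", "tcp", "udp" or "icmp"
    dst_port: Optional[int]
    action: str           # "permit" or "deny"


def zone_of(ip: str) -> str:
    addr = ipaddress.ip_address(ip)
    for zone, net in ZONE_NETWORKS:
        if addr in ipaddress.ip_network(net):
            return zone
    return "Untrust"


def addr_match(spec: str, ip: str) -> bool:
    """Match an address against 'any', a CIDR prefix or an 'a-b' range."""
    if spec == "any":
        return True
    addr = ipaddress.ip_address(ip)
    if "-" in spec:
        lo, hi = (ipaddress.ip_address(p.strip()) for p in spec.split("-"))
        return lo <= addr <= hi
    return addr in ipaddress.ip_network(spec, strict=False)


def lookup(rules: List[Rule], src_zone: str, dst_zone: str, src_ip: str,
           dst_ip: str, protocol: str, dst_port: int) -> Optional[Rule]:
    """First-match policy lookup; None means the implicit default deny."""
    for r in rules:
        if (r.src_zone == src_zone and r.dst_zone == dst_zone
                and addr_match(r.src, src_ip) and addr_match(r.dst, dst_ip)
                and r.protocol in ("any", protocol)
                and (r.dst_port is None or r.dst_port == dst_port)):
            return r
    return None


def pick_real_server(client_ip: str) -> Tuple[str, int]:
    """Constructed source-hash selection; the product's algorithms differ."""
    return REAL_SERVERS[int(ipaddress.ip_address(client_ip)) % len(REAL_SERVERS)]


def process(pkt: Packet, rules: List[Rule], order: str):
    """Return (action, matched rule name, translated destination or None)."""
    is_vip = (pkt.dst_ip, pkt.dst_port, pkt.protocol) == (VIP[0], VIP[1], "tcp")
    translated = pick_real_server(pkt.src_ip) if is_vip else None
    # The destination zone is where the packet will actually be delivered,
    # i.e. the real server's zone for load-balanced traffic.
    dst_zone = zone_of(translated[0] if translated else pkt.dst_ip)
    # Only the address/port the policy engine sees depends on the order.
    if translated and order == SLB_THEN_POLICY:
        checked_ip, checked_port = translated
    else:
        checked_ip, checked_port = pkt.dst_ip, pkt.dst_port
    rule = lookup(rules, zone_of(pkt.src_ip), dst_zone, pkt.src_ip,
                  checked_ip, pkt.protocol, checked_port)
    if rule is None or rule.action != "permit":
        return ("deny", rule.name if rule else None, None)
    return ("permit", rule.name, translated)


# Rule 101 as written in the table (destination = virtual server).
RULE_VIP = Rule("Allow L4 SLB", "Untrust", "DMZ", "any",
                "203.0.113.1/32", "tcp", 2121, "permit")
# The equivalent rule for versions that translate first (destination = real servers).
RULE_REAL = Rule("Allow L4 SLB (real servers)", "Untrust", "DMZ", "any",
                 "10.10.1.1-10.10.1.3", "tcp", 21, "permit")
# Rule 102 from the table; health checks are not translated in either order.
RULE_HEALTH = Rule("Allow health check", "Local", "DMZ", "10.1.1.1/32",
                   "10.10.1.1-10.10.1.3", "icmp", None, "permit")

CLIENT_PKT = Packet("198.51.100.7", VIP[0], VIP[1], "tcp")   # constructed client
HEALTH_PKT = Packet("10.1.1.1", "10.10.1.2", 0, "icmp")      # constructed probe


def verdict(pkt: Packet, rules: List[Rule], order: str) -> str:
    return process(pkt, rules, order)[0]


if __name__ == "__main__":
    for order in (POLICY_THEN_SLB, SLB_THEN_POLICY):
        print(order, "rule 101 ->", verdict(CLIENT_PKT, [RULE_VIP], order),
              "| real-server rule ->", verdict(CLIENT_PKT, [RULE_REAL], order))
```

A rule set that permits on one firmware line and silently drops on the other is the practical risk here: after an upgrade across V500R001C30, the destination in rule 101 must be re-checked against the order the new version uses, and the health-check rule is unaffected because probe packets are never translated.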