How to Configure Security Policies to Allow Layer 7 Load Balancing
In addition to providing Layer 4 load balancing capabilities, Layer 7 load balancing can identify application-layer characteristics, such as the URL and host, and select real servers based on them. In Layer 7 load balancing scenarios, the firewall establishes two sessions for the access requests of each client:
- Session for the client to access the virtual server. A security policy needs to be configured for such access. In the security policy, the destination security zone is the security zone where the real server resides, and the destination IP address is the IP address of the virtual server.
- Session for the client to access the real server. The firewall directly forwards packets of the session without security policy check. Therefore, no security policy needs to be configured.

| No. | Name | Source Security Zone | Destination Security Zone | Source Address/Region | Destination Address/Region | Service | Action |
|---|---|---|---|---|---|---|---|
| 101 | Allow L7 SLB | Untrust | DMZ | any | 203.0.113.1/32 | http | permit |
| 102 | Allow health check | Local | DMZ | 10.1.1.1/32 | 10.10.1.1-10.10.1.3 | ICMP [1] | permit |

[1]: To prevent services from being distributed to servers that cannot work properly, you need to enable service health check and configure a security policy to permit detection packets. ICMP is used as an example. For details, see How to Configure Security Policies to Allow Service Health Check.
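
The following is an added example, not part of the original page or of any vendor tool: a small offline model of the two rules above that checks which rule a flow matches. It assumes first-match evaluation with deny when nothing matches, treats the rule 102 targets 10.10.1.1-10.10.1.3 as the real servers, and uses a made-up client address; it shows why rule 101 must name the virtual server IP even though the destination zone is the real servers' zone.

```python
import ipaddress
from dataclasses import dataclass

def addr_match(spec, ip):
    """spec is 'any', a CIDR such as 203.0.113.1/32, or a range 'a-b'."""
    if spec == "any":
        return True
    ip = ipaddress.ip_address(ip)
    if "-" in spec:
        lo, hi = (ipaddress.ip_address(p.strip()) for p in spec.split("-"))
        return lo <= ip <= hi
    return ip in ipaddress.ip_network(spec, strict=False)

@dataclass
class Rule:
    no: int
    name: str
    src_zone: str
    dst_zone: str
    src: str
    dst: str
    service: str
    action: str

    def matches(self, f):
        return (f["src_zone"] == self.src_zone and f["dst_zone"] == self.dst_zone
                and addr_match(self.src, f["src"]) and addr_match(self.dst, f["dst"])
                and f["service"].lower() == self.service.lower())

# Rules 101 and 102 as listed in the table on this page.
POLICY = [
    Rule(101, "Allow L7 SLB", "Untrust", "DMZ", "any", "203.0.113.1/32", "http", "permit"),
    Rule(102, "Allow health check", "Local", "DMZ", "10.1.1.1/32", "10.10.1.1-10.10.1.3", "ICMP", "permit"),
]

def evaluate(policy, flow):
    """Return (rule number, action); first match wins, no match is deny (assumption)."""
    for rule in policy:
        if rule.matches(flow):
            return rule.no, rule.action
    return None, "deny"

# Constructed sample flows; 198.51.100.7 is a made-up client address.
CLIENT_TO_VIP = dict(src_zone="Untrust", dst_zone="DMZ", src="198.51.100.7", dst="203.0.113.1", service="http")
HEALTH_CHECK = dict(src_zone="Local", dst_zone="DMZ", src="10.1.1.1", dst="10.10.1.2", service="icmp")
# Mistaken variant of rule 101: destination set to the real servers instead of the virtual server.
WRONG_101 = Rule(101, "Allow L7 SLB", "Untrust", "DMZ", "any", "10.10.1.1-10.10.1.3", "http", "permit")
```

With the mistaken variant in place of rule 101, `evaluate([WRONG_101, POLICY[1]], CLIENT_TO_VIP)` falls through to deny, because the client's packets are addressed to the virtual server, not to a real server.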