Friday, January 19, 2007

Load balancing with Sonicwall TZ170













I've worked with a bunch of different types of firewalls and routers and although Sonicwall is not one of my most favorite products for some applications it does do something right at a fairly reasonable cost. The load balance option on the TZ170 works pretty good and it's easy to configure.

The unit can be configured to load balance in active/active mode, active/passive and active/active (this is my favorite). In active active, you can set the amount of data that passes though each ISP connection using percentage based or even load based. So with these configuration options one can split off data by preference or by bandwidth availability for each connection.

Remote Support

4 comments:

Computer Support said...

These firewalls from sonicwall areok. For theprice you get a decent firewall for your LAN. For complexe data network applications or for quality and reliable features they are not the right choice.

Support

mad-scientist said...

I came a cross this port while looking for information on load balancing for firewalls (Sonic). I was hoping to find information directly from someone who has actually configured load balancing on the unit and not just the marketing or selling hype found on sonicwall's web site.

Since I need to buy the upgrade license to enable the option port on the device, I know after seeing this post, can tell that it;s going to work for my customer. They have a DSL connection and a T1. The DSL bandwidth is saturated with all their users and the T1 is hardly used since it was purchase mostly for a web server. Since the T1 is so under utilized I'm looking for a way to use the available bandwidth but of course not all of and continue to use the DSL.

After seeing your post I'm going to try the Sonicwall to do the job of load balancing between the two networks.

Anonymous said...

The load balance with two ISP (two different internet connections) works ok. For the price of the TZ series getting load balance fail over is a nice feature. This feature is not without problems however. Let me explain. For inbound connections, meaning connections initiated from a computer on the outside network like the internet, don't work as one would imagine. Inbound connections don't load balance, only outbound. For inbound, BGP protocol is normally used in conjunction with your ISP.

Outbound is ok and for fail over internet actions they work pretty good. There's a downside however and that involves the use of https sites. Let say for example a user goes to a site that has https enabled and a user logs into that site to use it. The problem occurs because of the way the load balancing is designed. The connection from a desktop computer or server to a web site that has ssl enabled causes a prolem because the connection from a client to a server does get tracked and kept going out the same ISP. The outbound connection to the web site changes and https is not very tolerant of this. The web site, the protocol actualy, sees that the source ip address is differet or as it sees it, it's changed. This event to the server is a security problem. It thinks the data connection has been compromised when the ip address changes.

Anonymous said...

What needs to be done to over come this problem is to create a rule that makes all https network traffic use only one of the connections. When that's done, the source ip address is maintained and there's no problem with the changing ip address to the https enabled server.