
Sophos Firewall Load Balancing

- The document discusses how to configure gateway load balancing and failover on Sophos Firewall to provide stable and redundant internet access across multiple ISP links.
- It describes adding new gateways, configuring active-active and active-backup load balancing with weighted round-robin distribution, and setting failover conditions to detect and switch to backup gateways when active links fail.
- Weight settings determine the proportional traffic distribution between links, with more weight assigning more sessions, while failover conditions like ping checks identify and switch traffic from down to backup gateways.

Uploaded by

Sanjay B

Sophos Firewall: How to configure gateway load balancing and failover


 123530

 11 Mar 2019


Overview
Organizations today require stable, fast and redundant ISP links to run business-critical
applications. To maintain constant and secure Internet availability and to avoid network
vulnerability, most organizations prefer to have multiple ISP links, which allows network
administrators to configure failover and load balancing.

This article describes the steps to configure Sophos Firewall for load balancing and failover for
multiple ISP links based on the number of WAN ports available in the appliance. You can
terminate multiple ISP links on available physical interfaces in the form of gateways. A gateway
can be configured as active or backup as follows:

- Active-Active: All gateways are in the active state, and traffic is balanced between all of them.
  By default, Sophos Firewall adds a new gateway as active, so load balancing is automatically
  enabled between existing and newly added links. Sophos Firewall uses the weighted round-robin
  algorithm for load balancing, which maximizes the utilization of capacity across the various
  links.
- Active-Backup: One or more gateways are configured as backup. This setup allows the
  administrator to configure gateway failover for when an active gateway goes down.

Note: Load balancing and failover are supported for both IPv4 and IPv6 traffic, between
two IPv4 gateways or between two IPv6 gateways.

The following sections are covered:

- Adding a new gateway
- Configuring load balancing
- Configuring gateway failover
- Related information
- Feedback and contact

Applies to the following Sophos products and versions


Sophos Firewall

Consider the above network diagram in which one ISP link is terminated on Port B and the
administrator wants to terminate another ISP link on Port D.

Adding a new gateway


Go to Network > Interfaces and configure an unbound physical port. In this example, Port D is
the chosen port.
When you click Save, the gateway is added to the list of gateways under Network > WAN Link
Manager.

Configuring load balancing


Sophos Firewall adds a new gateway as an active gateway by default, so load balancing is
automatically enabled between existing and newly added links.

The weighted round robin algorithm is used for load balancing, wherein each link is assigned a
weight. The traffic that Sophos Firewall distributes among links is in proportion to the weight
assigned to them.

To assign a weight to a link, go to Network > WAN Link Manager and edit the required
gateway.

Additional information for weight calculation

When using two or more active gateways, choosing the appropriate weight for each gateway
can be tricky. The example below illustrates how traffic weights correspond to
percentages.

Assuming that:

w1 = weight for link 1.

w2 = weight for link 2.

pt = proportional traffic percentage.

pt1 = traffic percentage for link 1.

pt2 = traffic percentage for link 2.

First we need to calculate the proportional traffic percentage:

pt = 100 / ( w1 + w2 )

Second, we calculate the individual percentage for each of the two links:

pt1 = w1 x pt

pt2 = w2 x pt

As an example, if w1 = 1 and w2 = 2:

pt = 100 / (1 + 2) = 100 / 3 = 33.3

pt1 = 1 x 33.3 => 33%

pt2 = 2 x 33.3 => 66%

Changing the weights changes the percentages.

For more than two links, sum the weights of all the links in the formula:
pt = 100 / ( w1 + w2 + ... + wn ).

Traffic is distributed across the gateways by number of sessions, not by the amount of data
in each session.

For example:

Session 1 is media streaming: 200MB data used.

Session 2 is website browsing: 150KB data used.

Session 3 is an FTP connection: 200KB data used.

If the weights of gateway1 and gateway2 are 2 and 1 respectively, then session 1 and
session 2 go through gateway1 and session 3 goes through gateway2.
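
The weight formula and the session example above, worked as a small model. This is an added example, not Sophos code; the order in which the scheduler hands out sessions within a cycle is an assumption, and 1 MB is taken as 1000 KB.

```python
def traffic_percentages(weights):
    """pt = 100 / (w1 + ... + wn), then pt_i = w_i * pt for each link."""
    pt = 100 / sum(weights.values())
    return {gw: w * pt for gw, w in weights.items()}


def assign_sessions(weights, sessions):
    """Simplified weighted round-robin over sessions.

    Assumption: in each cycle a gateway with weight w receives w consecutive
    new sessions. Session size plays no part in the decision.
    """
    cycle = [gw for gw, w in weights.items() for _ in range(w)]
    return {name: cycle[i % len(cycle)] for i, (name, _kb) in enumerate(sessions)}


def data_share(assignment, sessions):
    """Percentage of transferred data that ends up on each gateway."""
    per_gw = {}
    for name, kb in sessions:
        per_gw[assignment[name]] = per_gw.get(assignment[name], 0) + kb
    total = sum(per_gw.values())
    return {gw: 100 * kb / total for gw, kb in per_gw.items()}


# Values from the article's example; sizes in KB.
WEIGHTS = {"gateway1": 2, "gateway2": 1}
SESSIONS = [("session1", 200_000), ("session2", 150), ("session3", 200)]

if __name__ == "__main__":
    placement = assign_sessions(WEIGHTS, SESSIONS)
    print("session share %:", traffic_percentages(WEIGHTS))
    print("placement      :", placement)
    print("data share %   :", data_share(placement, SESSIONS))
```

Weights balance session counts, not bandwidth: in this model gateway1 receives two of the three sessions but about 99.9% of the data.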

Configuring gateway failover


Gateway failover can be deployed in Active-Active and Active-Backup configurations.

In an Active-Active setup, if any of the active gateways fails, traffic is redirected to the
other active gateway. The administrator can specify failover conditions that define how a
failed gateway is detected.

In an Active-Backup setup, if an active gateway fails, traffic is redirected to a backup
gateway.

Configuring backup gateway


Go to Network > WAN Link Manager and edit the required gateway.
Set the type to Backup and configure the required details.

After you save the changes, if any active gateway fails, PortD_Gateway is activated and
inherits the weight of the failed gateway.

Configuring failover condition

When a gateway is added, Sophos Firewall adds a default failover rule: if it cannot ping
the newly added gateway's IP address, the gateway is considered down.

Click Add or Edit to add a new rule or edit an existing one. As an example, we added a
rule stating that if Sophos Firewall can neither ping the gateway IP 172.16.16.15 nor
establish a TCP connection on port 80 to 4.2.2.2, the gateway is considered down.

During a link failure, Sophos Firewall regularly checks the connection's health so that the
connection can be restored faster once Internet service returns. When the connection is
restored and the gateway is up again, traffic is automatically rerouted through the active
gateway.

Note: Sophos Firewall notifies administrators via email about all changes in gateway status.
This can also be viewed in Log Viewer.
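
The failover rule and backup activation described above, as a simplified model. This is an added example, not Sophos code; `PortB_Gateway`, the weights, and the probe outcomes are constructed for illustration, and `tcp_probe` is one possible way to run the TCP check.

```python
import socket
from dataclasses import dataclass


@dataclass
class Gateway:
    name: str
    kind: str    # "active" or "backup"
    weight: int


def tcp_probe(host, port, timeout=2.0):
    """One health check: True if a TCP connection to host:port succeeds."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def is_down(probe_results):
    """AND rule from the article: down only when every probe in the rule failed."""
    return bool(probe_results) and not any(probe_results)


def effective_weights(gateways, probes):
    """Return {gateway name: weight} for the gateways carrying traffic.

    probes maps a gateway name to its probe outcomes (True = check succeeded).
    A healthy, unused backup replaces a failed active gateway and inherits its weight.
    """
    down = {g.name for g in gateways if is_down(probes.get(g.name, []))}
    spare = [g for g in gateways if g.kind == "backup" and g.name not in down]
    carrying = {}
    for g in gateways:
        if g.kind != "active":
            continue
        if g.name not in down:
            carrying[g.name] = g.weight
        elif spare:
            carrying[spare.pop(0).name] = g.weight  # inherited weight
    return carrying


# Constructed topology: PortB_Gateway is a hypothetical name for the existing link.
GATEWAYS = [Gateway("PortB_Gateway", "active", 2), Gateway("PortD_Gateway", "backup", 1)]
# Probe order per gateway: [ping gateway IP, TCP port 80 to 4.2.2.2]
UPSTREAM_OUTAGE = {"PortB_Gateway": [True, False]}   # next hop answers, Internet does not
LINK_DEAD = {"PortB_Gateway": [False, False]}
```

Because both checks must fail under the rule as the article states it, the `UPSTREAM_OUTAGE` case leaves the gateway marked up: a next hop that still answers ping masks the failed TCP check to 4.2.2.2. Only `LINK_DEAD` activates PortD_Gateway with the inherited weight of 2.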
