Firewall Load Balancing

Firewall load balancing distributes traffic across multiple firewalls, providing fault tolerance and increased throughput. Firewall load balancing protects your network by:

  • Dividing the load between the firewalls, which eliminates a single point of failure and allows the network to scale.
  • Increasing high availability.

Configuring a Citrix ADC appliance for firewall load balancing is similar to configuring load balancing, with the following exceptions:

  • The recommended service type is ANY.
  • The recommended monitor type is PING.
  • The load balancing virtual server mode is set to MAC.

You can set up firewall load balancing in a sandwich, an enterprise, or multiple-firewall environment configuration.

  • The sandwich environment is used for load balancing traffic entering the network from outside and traffic leaving the network to the internet. The configuration involves two Citrix ADC appliances, one on each side of a set of firewalls. You configure an enterprise environment for load balancing traffic leaving the network to the internet.
  • The enterprise environment involves configuring a single Citrix ADC appliance between the internal network and the firewalls that provide access to the Internet.
  • The multiple-firewall environment is used for load balance traffic coming from another firewall. Firewall load balancing enabled on both the sides of the Citrix ADC appliance improves the traffic flow in both the egress and ingress direction. It also ensures faster processing of the traffic. The multiple-firewall environment involves configuring a Citrix ADC appliance sandwiched between two firewalls.

Important: If you configure static routes on the Citrix ADC appliance for the destination IP address and enable L3 mode, the Citrix ADC appliance uses its routing table to route the traffic instead of sending the traffic to the load balancing virtual server.

Note: For FTP to work, an extra virtual server or service must be configured on the Citrix ADC appliance with IP address and port as * and 21 respectively, and the service type specified as FTP. In this case, the Citrix ADC appliance manages the FTP protocol by accepting the FTP control connection, modifying the payload, and managing the data connection, all through the same firewall.

Firewall Load Balancing supports only some of the load balancing methods supported on the Citrix ADC appliance. Also, you can configure only a few types of persistence and monitors.

Firewall Load Balancing Methods

The following load balancing methods are supported for firewall load balancing.

  • Least Connections
  • Round Robin
  • Least Packets
  • Least Bandwidth
  • Source IP Hash
  • Destination IP Hash
  • Source IP Destination IP Hash
  • Source IP Source Port hash
  • Least Response Time Method (LRTM)
  • Custom Load

Firewall Persistence

Only SOURCEIP, DESTIP, and SOURCEIPDESTIP based persistence are supported for firewall load balancing.

Firewall Server Monitoring

Only PING and transparent monitors are supported in firewall load balancing. You can bind a PING monitor (default) to the back-end service that represents the firewall. If a firewall is configured not to respond to ping packets, you can configure transparent monitors to monitor hosts on the trusted side through individual firewalls.

Firewall Load Balancing