Add Firewall load-balancing filter entries
You can manually add IP addresses to the Firewall Cluster's load-balancing filter.
For more details about the product and how to configure features, click Help or press F1.
Steps
- Right-click a Firewall Cluster element and select Edit Firewall Cluster.
- In the navigation pane on the left, browse to .
- In the Clustering Mode section, click Clustering.
- Click the Manual LB Filters tab.
- Click Add to generate a new filter entry row.
- Double-click the IP Address field.
- Select whether you want to filter an IPv4 Network, an IPv6 Network, or a Range of IP addresses.
- Enter the IPv4 address and netmask, the IPv6 address and prefix, or the address range, and click OK.
- Click the Action cell and select an action.
- If you selected Replace by as the action, click the Replacement IP field and enter the replacement IP address.
- (Optional) Select any additional options.
- Click OK.
- Click Save and Refresh to transfer the changes.
Advanced Cluster Settings dialog box (Firewalls and Master NGFW Engines)
Use this dialog box to define advanced clustering settings.
Setting | Description |
---|---|
Cluster tab | |
Heartbeat Message Period | Specifies how often clustered NGFW Engines send heartbeat messages to each other (notifying that they are up and running).
Enter the value in milliseconds. The default value is 1000 milliseconds (one second). CAUTION: Setting this option too low can result in unnecessary heartbeat
failures. Setting this option too high can cause unnecessary service outages when a failure occurs.
|
Heartbeat Failover Time | Defines the time from the previous heartbeat message after which a node is treated as failed. Enter the value in milliseconds. The failover time must be
at least twice as long as the Heartbeat Message Period. The default value is 5000 milliseconds. CAUTION: Setting this option too low can result in unnecessary
heartbeat failures. Setting this option too high can cause unnecessary service outages when a failure occurs.
|
Node Synchronization table | Click or double-click the cells to edit the values. |
Interface ID | Shows the assigned interface ID. |
State Sync | Defines how the nodes exchange information about the traffic that they process.
Note: We strongly recommend using Access rule options to disable state synchronization for specific traffic rather than adjusting the State Sync settings for the cluster.
|
Full Sync Interval or Incr Sync Interval | Define how frequently the full synchronizations and incremental synchronizations are done. Do not set the values much higher or lower than their defaults
(5000 ms for full, 50 ms for incremental) CAUTION: Adjusting the Sync Intervals has significant impact on the cluster's performance. Inappropriate settings
seriously degrade the firewall's performance.
|
Sync Security Level |
CAUTION: If the Firewall Cluster's primary and secondary Heartbeat Interfaces are not connected to dedicated networks and you use None or
Sign as the Sync Security Level, VPN traffic is transferred unencrypted between engine nodes when VPN traffic
balancing requires that traffic is forwarded between the nodes.
|
Heartbeat IP | Enter an IP address between 224.0.0.0 and 239.255.255.255 if you want to change the multicast IP addresses used for node-to-node communications. The default is 225.1.1.1. This multicast IP address must not be used for other purposes on any of the network interfaces. |
Synchronization IP | Enter an IP address between 224.0.0.0 and 239.255.255.255 if you want to change the multicast IP addresses used for node-to-node communications. The default is 225.1.1.2. This multicast IP address must not be used for other purposes on any of the network interfaces. |
Setting | Description |
---|---|
Manual LB Filters tab This tab contains advanced settings for fine-tuning load-balancing filters. CAUTION: Do not manually tune the load-balancing filter unless you are certain it is necessary. Normally, there is no need to tune the
filter, because the configuration generates all required entries automatically. Unnecessary tuning can adversely affect the operation of the filter.
|
|
Filter Mode | Defines how traffic is balanced between the nodes.
|
Load-Balancing Filter Uses Ports
(Firewalls only) |
When selected, includes a port value for selecting between all nodes. This setting decreases the granularity of VPN load balancing, and increases the granularity of other traffic load balancing. In typical networks, traffic is balanced based on IP address information only. If there is a dominating pair of communication IP addresses, apply the Use Ports option in the load-balancing filter entry only to their traffic and not globally. Note: Enabling this option is not compatible with some features, such as mobile VPNs.
|
Filter Entries table | Click Add Row to add a row to the table, or Remove Row to remove the selected row. |
IP Address | Double-click the cell to open the Load Balancing Filter IP Entry dialog box. |
Action | Select one of the following actions:
|
Replacement IP | Enter the replacement IP address. |
Use Ports | Overrides the global Load-Balancing Filter Uses Ports option. For example, if two hosts send most traffic through the engine, you can set the Use Ports option for one of them to divide the traffic between the cluster nodes, improving granularity. Using this option for IP addresses in a VPN site can reduce the granularity of VPN load balancing and prevent VPN client connections involving those IP addresses. |
NAT Enforce | Enables a specific NAT-related process in the load-balancing filter. CAUTION: Do not enable this option unless instructed to do so by Forcepoint
Customer Hub.
|
Use IPsec | Specifies addresses receiving IPsec traffic on the node itself. The option enables a specific load-balancing process for all IPsec traffic directed to the IP address
specified in the filter entry. CAUTION: Do not enable this option unless instructed to do so by Forcepoint
Customer Hub.
|
Ignore Other | Forces the handling of packets to and from the specified IP addresses one node at a time. |
Load Balancing Filter IP Entry dialog box
Use this dialog box to define an IP address or range of addresses for a manual load-balancing filter.
Option | Definition |
---|---|
IPv4 Network | Enter the IP address in the IPv4 Address field and the netmask in the Netmask field. |
IPv6 Network | Enter the IP address in the IPv6 Address field and the prefix in the Prefix field. |
Range | Enter the IP addresses in the first and second fields. |