Manually tune the Firewall load-balancing filter

The Firewall Cluster’s load-balancing filter can be manually edited if there is a specific need for modifications.

CAUTION:
Do not manually tune the load-balancing filter unless you are certain it is necessary. Normally, there is no need to tune the load-balancing filter, because the configuration generates all required entries automatically. Unnecessary tuning can adversely affect the operation of the filter.

Any edited load-balancing parameters are combined with the automatically created filtering entries. However, editing the load-balancing parameters of the Firewall Cluster without careful consideration can cause conflicts in filtering decisions.

For more details about the product and how to configure features, click Help or press F1.

Steps

  1. Right-click a Firewall Cluster element and select Edit Firewall Cluster.
    The Engine Editor opens.
  2. In the navigation pane on the left, browse to General > Clustering.
  3. In the Clustering Mode section, click Clustering.
  4. On the Manual LB Filters tab of the Advanced Cluster Settings dialog box , select an option from the Filter Mode drop-down list to define how traffic is balanced between the nodes.
  5. (Optional) Select Load-Balancing Filter Uses Ports to include a port value for selecting between all nodes.

    This setting decreases the granularity of VPN load balancing, and increases the granularity of other traffic load balancing. In typical networks, traffic is balanced based on IP address information only. If there is a dominating pair of communication IP addresses, apply the Use Ports option in the load-balancing filter entry only to their traffic.

    CAUTION:
    Enabling the Load-Balancing Filter Uses Ports option is not compatible with some features, such as mobile VPNs.
  6. Click OK.
  7. Click Save and Refresh to transfer the changes.

Advanced Cluster Settings dialog box (Firewalls and Master NGFW Engines)

Use this dialog box to define advanced clustering settings.

Setting Description
Cluster tab
Heartbeat Message Period Specifies how often clustered NGFW Engines send heartbeat messages to each other (notifying that they are up and running). Enter the value in milliseconds. The default value is 1000 milliseconds (one second).
CAUTION:
Setting this option too low can result in unnecessary heartbeat failures. Setting this option too high can cause unnecessary service outages when a failure occurs.
Heartbeat Failover Time Defines the time from the previous heartbeat message after which a node is treated as failed. Enter the value in milliseconds. The failover time must be at least twice as long as the Heartbeat Message Period. The default value is 5000 milliseconds.
CAUTION:
Setting this option too low can result in unnecessary heartbeat failures. Setting this option too high can cause unnecessary service outages when a failure occurs.
Node Synchronization table Click or double-click the cells to edit the values.
Interface ID Shows the assigned interface ID.
State Sync Defines how the nodes exchange information about the traffic that they process.
  • All (recommended) — Both full and incremental synchronization messages are sent. This option allows frequent updates without consuming resources excessively. Regular full synchronization guarantees that all nodes stay synchronized even if some incremental messages are not delivered.
  • Full Only (not recommended) — Only full synchronization messages are sent. Incremental updates are not sent in between, so nodes might not have the same information about connections unless the full sync interval is reduced.
Note: We strongly recommend using Access rule options to disable state synchronization for specific traffic rather than adjusting the State Sync settings for the cluster.
Full Sync Interval or Incr Sync Interval Define how frequently the full synchronizations and incremental synchronizations are done. Do not set the values much higher or lower than their defaults (5000 ms for full, 50 ms for incremental)
CAUTION:
Adjusting the Sync Intervals has significant impact on the cluster's performance. Inappropriate settings seriously degrade the firewall's performance.
Sync Security Level
  • None — No security features. Do not select this option unless the heartbeat traffic uses a dedicated, secure network that does not handle other traffic.
  • Sign — (default) Transmissions are authenticated to prevent outside injections of connection state information.
  • Encrypt and Sign — Transmissions are authenticated and encrypted. This option increases the overhead compared to the default option. However, it is recommended if node-to-node communications are relayed through insecure networks (for example, if the backup heartbeat is configured on an interface that handles other traffic).
CAUTION:
If the Firewall Cluster's primary and secondary Heartbeat Interfaces are not connected to dedicated networks and you use None or Sign as the Sync Security Level, VPN traffic is transferred unencrypted between engine nodes when VPN traffic balancing requires that traffic is forwarded between the nodes.
Heartbeat IP Enter an IP address between 224.0.0.0 and 239.255.255.255 if you want to change the multicast IP addresses used for node-to-node communications. The default is 225.1.1.1. This multicast IP address must not be used for other purposes on any of the network interfaces.
Synchronization IP Enter an IP address between 224.0.0.0 and 239.255.255.255 if you want to change the multicast IP addresses used for node-to-node communications. The default is 225.1.1.2. This multicast IP address must not be used for other purposes on any of the network interfaces.
Setting Description
Manual LB Filters tab

This tab contains advanced settings for fine-tuning load-balancing filters.

CAUTION:
Do not manually tune the load-balancing filter unless you are certain it is necessary. Normally, there is no need to tune the filter, because the configuration generates all required entries automatically. Unnecessary tuning can adversely affect the operation of the filter.
Filter Mode Defines how traffic is balanced between the nodes.
  • Static — Packet ownership (the node to which the connection or packet belongs) can change only when nodes are added or removed from the cluster, or when they switch from one state to another.
  • Dynamic — Traffic is balanced to avoid node overloads and existing connections are moved between nodes whenever overload is detected.
Load-Balancing Filter Uses Ports

(Firewalls only)

When selected, includes a port value for selecting between all nodes.

This setting decreases the granularity of VPN load balancing, and increases the granularity of other traffic load balancing. In typical networks, traffic is balanced based on IP address information only. If there is a dominating pair of communication IP addresses, apply the Use Ports option in the load-balancing filter entry only to their traffic and not globally.

Note: Enabling this option is not compatible with some features, such as mobile VPNs.
Filter Entries table Click Add Row to add a row to the table, or Remove Row to remove the selected row.
IP Address Double-click the cell to open the Load Balancing Filter IP Entry dialog box.
Action Select one of the following actions:
  • None — No action is performed for the IP address specified in this entry. Used with the Replacement IP, Use Ports, NAT Enforce, Use IPsec, or Ignore Other options.
  • Replace by — The IP address in the Replacement IP cell replaces the original IP address. This option is the default action.
  • Pass on All Nodes — The filter entry allows packets to all nodes.
  • Block on All Nodes — The filter entry blocks packets to all nodes.
  • Pass on Node <number> — The filter entry forces the selected node to handle all packets belonging to the connection specified in this entry.
Replacement IP Enter the replacement IP address.
Use Ports Overrides the global Load-Balancing Filter Uses Ports option. For example, if two hosts send most traffic through the engine, you can set the Use Ports option for one of them to divide the traffic between the cluster nodes, improving granularity. Using this option for IP addresses in a VPN site can reduce the granularity of VPN load balancing and prevent VPN client connections involving those IP addresses.
NAT Enforce Enables a specific NAT-related process in the load-balancing filter.
CAUTION:
Do not enable this option unless instructed to do so by Forcepoint Customer Hub.
Use IPsec Specifies addresses receiving IPsec traffic on the node itself. The option enables a specific load-balancing process for all IPsec traffic directed to the IP address specified in the filter entry.
CAUTION:
Do not enable this option unless instructed to do so by Forcepoint Customer Hub.
Ignore Other Forces the handling of packets to and from the specified IP addresses one node at a time.