Enable Server Pool load balancing using NAT rules

NAT rules specify which traffic is directed to the Server Pool. You can use NAT rules to apply both source and destination address translation for Server Pools.

Before you begin

Add Access rules that allow the type of traffic that is handled by the Server Pool.

If there are any existing Access rules that enable Server Pool load balancing, we recommend that you remove the Server Pool elements from the rules or delete the rules before you configure NAT rules for Server Pool load balancing.
Note: If the Destination cell of an Access rule contains a Server Pool element, the Access rule applies Server Pool load balancing, and the NAT rules are ignored.

When you use destination address translation with Server Pools, the NAT operation translates the external IP addresses of Server Pool elements to the internal IP addresses of the Host elements that are members of the Server Pool.

When you use source address translation with Server Pools, the return packets from the Server Pool servers are routed through the NGFW Engine to the client. These packets are recognized as part of the existing connection between the client and the server. This feature also allows you to use dynamic source NAT with Server Pool load balancing.

Note the following:
  • Make sure that there are no overlapping NAT rules in the policy.
  • If you want to balance traffic that arrives through a VPN using a Server Pool, NAT must be enabled in the properties of the VPN element (NAT is disabled by default for traffic that uses a VPN).
  • You must create a separate NAT rule for each Server Pool.

For more details about the product and how to configure features, click Help or press F1.

Steps

  1. Open the Firewall Policy for editing and add an IPv4 or IPv6 NAT rule.
    Note: If the Server Pool uses both IPv4 and IPv6 addresses, you must create separate IPv4 and IPv6 NAT rules.
  2. Add the elements that represent the IP addresses of the clients that connect to the Server Pool to the Source cell.
  3. Add the Server Pool element to the Destination cell.
    The Server Pool element must be the only element in the Destination cell. Destination address translation is automatically configured when you add a Server Pool element to the Destination cell. You cannot change the destination translation options.
  4. Add the Service element that represents the service that the Server Pool offers to the Service cell.
    Note: Each rule must contain only one service.
  5. (Optional) Double-click the NAT cell, then define options for source address translation.
    Defining source address translation routes return packets from servers in the Server Pool to the clients through the NGFW Engine.
  6. Save and Install the Firewall Policy to transfer the changes.

Next steps

If you want the NGFW Engine to automatically update dynamic DNS (DDNS) entries for the Server Pool according to the available NetLinks, configure DDNS updates.

Network Address Translation dialog box

Use this dialog box to define the settings for overwriting source and destination addresses in packets.

Option Definition
Source Translation tab
Translation Type

Defines the translation type.

  • None — Source addresses in matching connections are not translated. The packets are sent onwards with the source address intact.
  • Static — Source addresses in matching connections are translated using the same number of IP addresses as there are possible original source addresses. Each translated IP address corresponds to one original IP address.
  • Dynamic — Source addresses in matching connections are translated using a smaller pool of IP addresses than there are original source addresses included in the rule. Many hosts can use the same IP address, and the connections are distinguished by allocating a different TCP or UDP port for each connection.

    Also used for activating an Outbound Multi-Link configuration (IPv4 only).

    Because ports are needed to track connections, dynamic NAT only works with TCP and UDP protocols. If the protocol used in the communications is not transported on top of TCP or UDP, the communicating applications must encapsulate the packets in TCP or UDP (NAT traversal) to communicate through dynamic NAT.

IP Address Pool

(Dynamic only)

The IP address pool of IP addresses that are used for the translation. The minimum size for the pool is one IP address. The number of IP addresses required depends on how many ports you allow the address translation to use, and how many concurrent connections dynamic address translation handles at peak times. If the IP address/port pairs run out, new connections cannot be opened before existing connections are closed.

The IP addresses used for NAT must not be in use in the network, as this creates an IP address conflict. However, the engine’s own IP address (CVI on clusters) can be used for address translation if there are no free IP addresses available (make sure that your selected port range does not overlap with communications ports that the engine uses on this address).

IP Address(es)

(Static only)

Define the original and translated IP addresses.

  • Original — The IP addresses you want to change with this address translation. These are defined in the Source cell of the NAT rule and shown here for your reference only; it is not possible to change the Original addresses here.
  • Translated — The IP addresses you want the address translation to write in the packets. The Translated address space must have the same number of IP addresses as there are in the Original address space because each original address has a fixed pair in the translated address space.

Click Select to select an element.

Address Allows manual entry of the IP address or (sub)network to use for the address translation.
First Port to Use

(Dynamic only)

The start of the port range for source IP address translation. The default is the beginning of the “free” high port range, 1024.
Last Port to Use

(Dynamic only)

The end of the port range for source IP address translation. The default is the highest possible port, 65535.
Automatic Proxy ARP (Recommended)

(IPv4 only)

Allows the engine to answer address queries regarding the translated addresses. For this to work, the original IP address of all hosts whose IP address is translated must be included in the address definitions (for example, a Network element) under the correct interface in the Routing view.

This option is required in most cases, but it must not be active for IP addresses that are used by any equipment in the directly connected networks.

Automatic Proxy Neighbor Discovery

(IPv6 only)

Allows the engine to answer address queries regarding the translated addresses. For this to work, the original IP address of all hosts whose IP address is translated must be included in the address definitions (for example, a Network element) under the correct interface in the Routing view.

There is a limit to the number of addresses that the engine can proxy for neighbor discovery.

Option Definition
Destination Translation tab
Translation Type

Defines the translation type.

  • None — IP addresses are not translated. Packets are sent onwards with the original destination address.
  • Translate Destination — Translates destination IP addresses.
  • Forward to Proxy — Forwards traffic to a proxy server.
    Note: Not all protocols are supported. The supported protocols depend on the proxy server to which traffic is forwarded.
  • Server Pool Translation — Translates the external IP addresses of Server Pool elements to the internal IP addresses of the Host elements that are members of the Server Pool.
    Note: When there is a Server Pool element in the Destination cell, this option is automatically selected and you cannot change it.
Option Definition
Destination Translation tab, Translate Destination selected
Translate Destination

(Optional)

When selected, enables options for translating destination IP addresses.
IP Addresses

Defines the original and translated IP addresses.

  • Original — The IP addresses you want to change with this address translation. These are defined in the Destination cell of the NAT rule and shown here for reference only; it is not possible to change the Original addresses here.
  • Translated — The IP addresses you want the address translation to write in the packets. The Translated address space must have the same number of IP addresses as there are in the Original address space, as each original address has a fixed pair in the translated address space.

Click Select to select an element.

Address Allows manual entry of the IP address or (sub)network to use for the address translation.
Automatic Proxy ARP (Recommended)

(IPv4 only)

Allows the engine to answer address queries regarding the translated addresses. For this to work, the original IP address of all hosts whose IP address is translated must be included in the address definitions (for example, a Network element) under the correct interface in the Routing view.

This option is required in most cases, but it must not be active for IP addresses that are used by any equipment in the directly connected networks.

Automatic Proxy Neighbor Discovery

(IPv6 only)

Allows the engine to answer address queries regarding the translated addresses. For this to work, the original IP address of all hosts whose IP address is translated must be included in the address definitions (for example, a Network element) under the correct interface in the Routing view.

There is a limit to the number of addresses that the engine can proxy for neighbor discovery.

Translate Destination Port Select if you want to translate destination ports. If you do not select this option, ports are not translated, so packets are sent onwards with the destination port intact.
IP Ports
Define the original and translated IP ports.
  • Original — The ports you want to change with this address translation. These are defined in the Service element in the Service cell of the NAT rule and shown here for reference only; it is not possible to change the Original ports here.
  • Translated — The port or port range you want the address translation to write in the packets. If you enter a port range, it must have the same number of ports as there are in the Original ports because each original port has a fixed pair in the translated address space (for example, 1–1023 could be translated to 50001–51023).
Option Definition
Destination Translation tab, Forward to Proxy selected
Proxy Server Specifies the proxy server to which traffic is forwarded. Click Select to select an element.