5 Replies Latest reply: Apr 17, 2013 2:03 PM by bperez

    Multi WAN, load balance and link aggregation

    jfreitas

      Hello folks,

      Three simple questions:

      1-) Is it possible to use more than one ISP link in my McAfee Firewall Enterprise to divide my policies? For example, to create an ACL that allows SMTP to go through link 1 and another ACL to go through link 2?

      2-) Is it possible to do load balance in the firewall?

      3-) What does link aggregation do?

      I saw in the product guide that McAfee Firewall Enterprise supports link aggregation. How do I configure it and what is it used for?

      I called technical support and the person who answered me told me that it is not possible to use more than one ISP link in the firewall. I just can't believe it. It is not possible that such an advanced firewall as McAfee Firewall Enterprise can't use more than one ISP link. Even a Linux box running any distribution is able to do that using simple iproute2, and a US$15,000.00 firewall can't do that?

      It is just unacceptable.

      Has anyone tried to configure one of these things in the McAfee Firewall Enterprise?

      Thanks in advance!

        • 1. Re: Multi WAN, load balance and link aggregation
          oreeh

          > 1-) Is it possible to use more than one ISP link in my McAfee Firewall Enterprise to divide my policies? For example, to create an ACL that allows SMTP to go through link 1 and another ACL to go through link 2?

          No. You need a dedicated load balancer (Radware, F5, ...) for this.

          However, you can use two links if the traffic can be separated / split using static / dynamic routes.

          For example: outbound HTTP and inbound SMTP on link one, site-to-site VPN on link two.

          > 2-) Is it possible to do load balance in the firewall?

          No. You need a dedicated load balancer (Radware, F5, ...) for this.

          > 3-) What does link aggregation do?

          Link aggregation (also called bonding or EtherChannel) is used to enhance throughput and for redundancy. If you aggregate two NICs, one of them, one of the cables, or one of the switch ports can fail.

          • 2. Re: Multi WAN, load balance and link aggregation
            puga

            Hi Oreeh,

            Could you perhaps provide an example for item 1, where you stated it can be achieved using static routes?

            I have a similar issue:

            I have two ISPs and I need to allow access through the public IP of my ISP 1 for certain applications and through the public IP of my ISP 2 for other applications.

            I contacted McAfee support and the answer was:

            This is called asynchronous routing and it will work if you:
            1) create a stateless, bi-directional service to use in your rule (may work)
            or
            2) create a route back out your ISP2 interface so this traffic knows to go back out the interface it came in on (will work for sure)

            The best thing to do is number 2. These connections do not work by default through the firewall, since this is not how routing works in general.

            I'd appreciate it if anyone could guide me with a configuration example.

            Thanks!

            • 3. Re: Multi WAN, load balance and link aggregation
              jfreitas

              Correct me if I am wrong, but I think that, in this case, you will just be able to create inbound rules to use your link 2. As far as I know (as I was told by McAfee's Technical Support), this firewall doesn't perform policy-based routing for outbound traffic (incredible, huh?).

              • 4. Re: Multi WAN, load balance and link aggregation
                puga

                Hi,

                The inbound rules are not enough.

                The issue is related to the response packets.

                For instance:

                If my web server is on ISP2, how can the firewall return the response packets to the requests from Internet users?

                Internet = 0.0.0.0, so it implies a double default route?

                The answer from technical support refers to creating static routes toward certain destinations, but it is not practical!

                • 5. Re: Multi WAN, load balance and link aggregation
                  bperez

                  Puga is correct. I made that configuration to route one cloud app, like Google services, to ISP2, and all the other Internet protocols through ISP1 (GW). It is not practical to make routes to different gateways; it is unacceptable for MFE to be unable to do load balancing/policy routes/etc. The old and famous McAfee SnapGear UTM, from 500 dollars, can do that!

                  Regards!
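The return-path problem puga describes (a reply sourced from the ISP2 address leaving via the ISP1 default route) and the source-based rule that iproute2 expresses with `ip rule` (the Linux approach jfreitas alludes to) can be modelled in a few lines. This is an added illustration, not configuration from the thread or from McAfee documentation; the interface names and addresses are constructed.

```python
import ipaddress

# Constructed two-uplink topology (assumed values, not from the thread).
ISP1 = {"dev": "em0", "gw": "203.0.113.1", "net": "203.0.113.0/29"}
ISP2 = {"dev": "em1", "gw": "198.51.100.1", "net": "198.51.100.0/29"}
WEB_ON_ISP2 = "198.51.100.3"  # public address of the web server published via ISP2

# A routing table is a list of (prefix, gateway, interface); longest prefix wins.
MAIN = [
    (ISP1["net"], None, ISP1["dev"]),         # directly connected
    (ISP2["net"], None, ISP2["dev"]),         # directly connected
    ("0.0.0.0/0", ISP1["gw"], ISP1["dev"]),   # the single default route, via ISP1
]
VIA_ISP2 = [("0.0.0.0/0", ISP2["gw"], ISP2["dev"])]  # alternate table: default via ISP2

def lookup(table, dst):
    """Destination-based lookup: return the egress interface for dst, or None."""
    d = ipaddress.ip_address(dst)
    best = None
    for prefix, _gw, dev in table:
        net = ipaddress.ip_network(prefix)
        if d in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, dev)
    return best[1] if best else None

def egress_destination_only(src, dst):
    """What a plain routing table does: the source address plays no part."""
    return lookup(MAIN, dst)

def egress_with_source_rules(src, dst, rules):
    """Policy routing: the first rule whose source prefix matches selects the table."""
    s = ipaddress.ip_address(src)
    for src_prefix, table in rules:
        if s in ipaddress.ip_network(src_prefix):
            return lookup(table, dst)
    return lookup(MAIN, dst)

# Replies sourced from the ISP2-published web address must leave via ISP2
# (the iproute2 equivalent: "ip rule add from 198.51.100.3/32 table <isp2>").
RULES = [(WEB_ON_ISP2 + "/32", VIA_ISP2)]

def reply_paths(client):
    """Egress interface of the web server's reply to `client`: (plain table, with rule)."""
    return (egress_destination_only(WEB_ON_ISP2, client),
            egress_with_source_rules(WEB_ON_ISP2, client, RULES))

if __name__ == "__main__":
    plain, policy = reply_paths("192.0.2.55")  # constructed Internet client address
    print(f"request arrived on {ISP2['dev']}; reply leaves via {plain} with one default "
          f"route (asymmetric), via {policy} once the source rule is in place")
```

With only destination-based routes, the reply for any client not covered by a specific static route takes the ISP1 default, which is why per-destination workarounds do not scale; the source rule needs no knowledge of client addresses.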