2157 Views 5 Replies Latest reply: Apr 17, 2013 2:03 PM by bperez
jfreitas Newcomer 52 posts since
Jan 16, 2007
Mar 25, 2011 8:45 AM

Multi WAN, load balance and link aggregation

Hello folks,

 

Three simple questions:

 

1-) Is it possible to use more than one ISP link in my McAfee Firewall Enterprise to divide my policies? For example, to create an ACL that allows SMTP to go through link 1 and another ACL to go through link 2 ?

2-) Is it possible to do load balance in the firewall?

3-) What does link aggregation do?

 

I saw in the product guide that McAfee Firewall Enterprise supports link aggregation. How do I configure it and what is it used for?

 

I called technical support and the person who answered told me that it is not possible to use more than one ISP link in the firewall. I just can't believe it. It is not possible that a firewall as advanced as McAfee Firewall Enterprise can't use more than one ISP link. Even a Linux box running any distribution is able to do that using a simple iproute2, and a US$15,000.00 firewall can't do that????????

 

It is just unacceptable.

 

Has anyone tried to configure one of these things in the McAfee Firewall Enterprise?

 

Thanks in advance!

  • oreeh Apprentice 76 posts since
    Nov 24, 2009
    1. Mar 27, 2011 7:09 AM (in response to jfreitas)
    Re: Multi WAN, load balance and link aggregation

    > 1-) Is it possible to use more than one ISP link in my McAfee Firewall Enterprise to divide my policies? For example, to create an ACL that allows SMTP to go through link 1 and another ACL to go through link 2 ?

     

    No. You need a dedicated load balancer (Radware, F5, ...) for this.

    However, you can use two links if the traffic can be separated / split using static / dynamic routes.

    For example: outbound HTTP, inbound SMTP on link one, site to site VPN on link two

     

    > 2-) Is it possible to do load balance in the firewall?

     

    No. You need a dedicated load balancer (Radware, F5, ...) for this.

     

    > 3-) What does link aggregation do?

     

    Link aggregation (also called bonding and etherchannel) is used to enhance throughput and for redundancy. If you aggregate 2 NICs one of them / one of the cables / one of the switch ports can fail.

  • puga Newcomer 29 posts since
    Mar 21, 2011
    2. Apr 13, 2011 10:08 PM (in response to oreeh)
    Re: Multi WAN, load balance and link aggregation

    Hi Oreeh,

     

    Perhaps you can provide an example for item 1, where you stated it can be achieved using static routes?

     

    I have a similar issue:

     

    I have two ISPs and I need to allow access through the public IP of my ISP 1 for certain applications and through the public IP of my ISP 2 for other applications.

    I contacted McAfee support and the answer was:

     

    This is called asynchronous routing and it will work if you:
    1) create a stateless, bi-directional service to use in your rule (may work)
    or
    2) create a route back out your ISP2 interface so this traffic knows to go back out the interface it came in on (will work for sure)

    The best thing to do is number 2. These connections do not work by default through the firewall, since this is not how routing works in general.

     

    I'd appreciate it if anyone can guide me with a configuration example.

     

    Thanks!

  • puga Newcomer 29 posts since
    Mar 21, 2011
    4. Apr 14, 2011 10:28 AM (in response to jfreitas)
    Re: Multi WAN, load balance and link aggregation

    Hi,

     

    The inbound rules are not enough.

    The issue is related to the response packets.

    For instance:

    If my web server is on ISP2, how can the firewall return the response packets to the requests from Internet users?

    Internet = 0.0.0.0, so does it imply a double default route?

     

    The answer from technical support refers to creating certain static routes toward certain destinations, but it is not practical!

  • bperez Apprentice 128 posts since
    Nov 9, 2009
    5. Apr 17, 2013 2:03 PM (in response to puga)
    Re: Multi WAN, load balance and link aggregation

    That is correct, Puga. I made that configuration to route one cloud app, like Google services, to ISP2, and all the Internet protocols through ISP1 (GW). It is not practical to make routes to different gateways; it is unacceptable for MFE to be unable to do load balancing/policy routes/etc. The old and famous McAfee SnapGear UTM, from 500 dollars, can do that!

     

    Regards!
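
The return-path question raised in the thread (replies from a server published on ISP2 following the single default route out ISP1) can be seen in a small model of source-based policy routing, the iproute2 approach the first post mentions. This is an added example, not part of any post and not McAfee Firewall Enterprise configuration; the addresses are constructed from documentation ranges, the table name `isp2` is hypothetical, and it assumes the routing decision sees the server's public source address.

```python
import ipaddress

# Constructed addresses (RFC 5737 documentation ranges), not from the thread.
ISP1_GW = "192.0.2.1"            # gateway on link 1, holds the default route
ISP2_GW = "198.51.100.1"         # gateway on link 2
WEB_PUBLIC_IP = "198.51.100.10"  # web server's public address, on ISP2
CLIENT = "203.0.113.50"          # arbitrary Internet user

def longest_prefix_match(table, dst):
    """Return the gateway of the most specific route in `table` covering dst."""
    dst = ipaddress.ip_address(dst)
    best = None
    for prefix, gateway in table:
        net = ipaddress.ip_network(prefix)
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, gateway)
    return best[1] if best else None

def next_hop(src, dst, tables, rules=()):
    """Select a table by source address (first matching rule), else 'main'."""
    src = ipaddress.ip_address(src)
    for src_prefix, table_name in rules:
        if src in ipaddress.ip_network(src_prefix):
            gw = longest_prefix_match(tables[table_name], dst)
            if gw is not None:      # no route in that table: try the next rule
                return gw
    return longest_prefix_match(tables["main"], dst)

def reply_is_symmetric(src, dst, arrived_via, tables, rules=()):
    """True when the reply leaves through the link the request arrived on."""
    return next_hop(src, dst, tables, rules) == arrived_via

# One default route: every reply, including those sourced from the ISP2
# address, leaves through ISP1.
tables = {"main": [("0.0.0.0/0", ISP1_GW)]}

# A second table with its own default route, selected by source address.
# iproute2 equivalent: ip route add default via 198.51.100.1 table 2
#                      ip rule add from 198.51.100.10/32 table 2
tables_pbr = dict(tables, isp2=[("0.0.0.0/0", ISP2_GW)])
rules_pbr = [(WEB_PUBLIC_IP + "/32", "isp2")]

if __name__ == "__main__":
    print("single default:", next_hop(WEB_PUBLIC_IP, CLIENT, tables))
    print("policy routing:", next_hop(WEB_PUBLIC_IP, CLIENT, tables_pbr, rules_pbr))
```

The second table is the "double default route" asked about above: each table keeps one default route, and the source-address rule decides which table a packet consults.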

     
