We use cookies on our website to ensure we provide you with the best experience on our website. By using our website, you agree to the use of cookies for analytics and personalized content.This website uses cookies. More Information
It seems like your browser didn't download the required fonts. Please revise your security settings and try again.
Barracuda CloudGen Firewall

How to Configure Packet-Based Balancing for VPN Tunnels with Traffic Intelligence

  • Last updated on

Packet-Based Balancing distributes traffic on a per-packet basis over multiple VPN transports in the same transport class. VPN transports using Packet-Based Balancing must have the same bandwidth and latency. In most cases, using Adaptive Session Balancing is preferable to Packet-Based Balancing because it allows for different link-quality requirements.

Limitations

  • VPN transports must be in the same transport class.
  • WAN links must have the same bandwidth and latency. For example: multiple identical WAN links from the same ISP.

Before You Begin

Create a multi-transport VPN tunnel between two CloudGen Firewalls:

Step 1. Enable Packet-Based Balancing

Packet-Based Balancing must be enabled for all transports in the transport class.

  1. Go to CONFIGURATION > Configuration Tree > Box > Virtual Servers > Assigned Services > VPN Service > Site to Site VPN.
  2. Click Lock.
  3. Double-click the TINA VPN tunnel. The TINA Tunnel window opens.
  4. Click the Advanced tab.
  5. From the Packet Balancing list, select Cycle within a Transport Class.
    TI_packet_balacing_01.png
  6. Click OK.
  7. Click Send Changes and Activate.

Step 2. Create a Custom Connection Object for the TI Master

  1. Go to CONFIGURATION > Configuration Tree > Box > Virtual Servers > your virtual server > Assigned Services > Firewall > Forwarding Rules.   
  2. In the left menu, click Connections.
  3. Right-click the table and select New Connection. The Edit/Create a Connection Object window opens.  
  4. Enter a Name
  5. From the Translated Source IP list, select Original Source IP.
    TI_packet_balacing_02.png
  6. To edit the VPN Traffic Intelligence settings, click Edit/Show. The TI Transport Selection window opens.
  7. From the TI Learning Policy list, select Master.
    TI_session_balacing_01a.png 
  8. From the Primary Transport Class list, select the primary transport class.
  9. From the Primary Transport ID list, select the ID for the primary transport.
    TI_session_balacing_01b.png
  10. From the Secondary Transport Class list, select the same transport class used for the primary transport.
  11. From the Secondary Transport ID list, select the ID for the secondary transport.
    TI_session_balacing_01c.png
  12. Click OK.
  13. Click Send Changes and Activate.

Step 3. Create a Custom Connection Object for the TI Slave

  1. Go to CONFIGURATION > Configuration Tree > Box > Virtual Servers > your virtual server > Assigned Services > Firewall > Forwarding Rules.   
  2. In the left menu, click Connections.
  3. Right-click the table and select New Connection. The Edit/Create a Connection Object window opens.  
  4. Enter a Name.
  5. From the Translated Source IP list, select Original Source IP.
    TI_packet_balacing_02.png
  6. To edit the VPN Traffic Intelligence settings, click Edit/Show. The TI Transport Selection window opens.
  7. From the TI Learning Policy drop-down list, select Slave.
    TI_session_balacing_01e.png
  8. Click OK.
  9. Click Send Changes and Activate.

Step 4. Modify Access Rule on the Firewall Acting as TI Master

  1. Go to CONFIGURATION > Configuration Tree > Box > Virtual Servers > your virtual server > Assigned Services > Firewall > Forwarding Rules.
  2. Click Lock.
  3. Right-click the ruleset and select New > Rule to create an access rule to match the VPN traffic you want to balance:
    • Action –  Select Pass.
    • Bi-Directional – Select the check box to apply the rule in both directions.
    • Source – Select a network object for all local networks. 
    • Service – Select a service object from the list.
    • Destination – Select the network object containing the remote networks.
    • Connection Method – Select the connection object for the TI master created in step 2.
    TI_packet_balacing_051.png
  4. Click OK.
  5. Click Send Changes and Activate.

Step 5. Modify Access Rule on the Firewall Acting as TI Slave

  1. Go to CONFIGURATION > Configuration Tree > Box > Virtual Servers > your virtual server > Assigned Services > Firewall > Forwarding Rules.
  2. Click Lock.
  3. Right-click the ruleset and select New > Rule to create an access rule to match the VPN traffic you want to balance:  
    • Action – Select Pass.
    • Bi-Directional – Select the check box to apply the rule in both directions.
    • Source – Select a network object for all local networks. 
    • Service – Select a service object from the list.
    • Destination – Select the network object containing the remote networks.
    • Connection Method – Select the connection object for the TI slave created in step 3.
    TI_packet_balacing_05.pnga
  4. Click OK.
  5. Click Send Changes and Activate.

Traffic matching these access rules and using the VPN transports are now balanced per packet within the transport class.

Last updated on