Packet-Based Balancing distributes traffic on a per-packet basis over multiple VPN transports in the same transport class. VPN transports using Packet-Based Balancing must have the same bandwidth and latency. In most cases, using Adaptive Session Balancing is preferable to Packet-Based Balancing because it allows for different link-quality requirements.
Limitations
- VPN transports must be in the same transport class.
- WAN links must have the same bandwidth and latency. For example: multiple identical WAN links from the same ISP.
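The effect of the matching-link limitation, as an added illustration that is not Barracuda code: a simplified model of per-packet cycling across two transports that counts packets arriving out of sequence. The model (strict round-robin, fixed latency, no loss or jitter) and all link figures are assumptions constructed for this example.

```python
# Added illustration, not vendor code. Assumed model: strict round-robin per
# packet, fixed one-way latency, serialization delay = size / bandwidth,
# no loss or jitter. All link figures below are constructed.

def simulate(transports, packets=1000, size_bytes=1400, send_interval_ms=0.5):
    """Return [(arrival_ms, seq)] sorted by arrival time.

    transports: list of (latency_ms, bandwidth_mbit) tuples.
    """
    link_free_at = [0.0] * len(transports)  # time each link finishes sending
    arrivals = []
    for seq in range(packets):
        idx = seq % len(transports)          # cycle through the transports
        latency_ms, mbit = transports[idx]
        serialize_ms = size_bytes * 8 / (mbit * 1000.0)  # 1 Mbit/s = 1000 bit/ms
        start = max(seq * send_interval_ms, link_free_at[idx])  # queue if busy
        link_free_at[idx] = start + serialize_ms
        arrivals.append((link_free_at[idx] + latency_ms, seq))
    return sorted(arrivals)


def reordered(arrivals):
    """Count packets that arrive after a packet with a higher sequence number."""
    highest, late = -1, 0
    for _, seq in arrivals:
        if seq < highest:
            late += 1
        else:
            highest = seq
    return late


# Constructed scenarios: (latency_ms, bandwidth_mbit) per transport.
SCENARIOS = {
    "identical links": [(20.0, 50.0), (20.0, 50.0)],
    "latency mismatch": [(20.0, 50.0), (35.0, 50.0)],
    "bandwidth mismatch": [(20.0, 50.0), (20.0, 5.0)],
}

if __name__ == "__main__":
    for name, transports in SCENARIOS.items():
        late = reordered(simulate(transports))
        print(f"{name:20s} out-of-order packets: {late} of 1000")
```

In this model, identical links deliver every packet in order, while a latency or bandwidth mismatch makes packets on the slower transport arrive behind later packets sent over the faster one.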
Before You Begin
Create a multi-transport VPN tunnel between two CloudGen Firewalls:
- Create a TINA site-to-site VPN tunnel. For more information, see How to Create a TINA VPN Tunnel between CloudGen Firewalls or How to Create a VPN Tunnel with the VPN GTI Editor.
- Add one or more additional transports in the same TI class to the VPN tunnel. For more information, see How to Add a VPN Transport to a TINA VPN Tunnel or How to Configure Traffic Intelligence Using the VPN GTI Editor.
Step 1. Enable Packet-Based Balancing
Packet-Based Balancing must be enabled for all transports in the transport class.
- Go to CONFIGURATION > Configuration Tree > Box > Virtual Servers > Assigned Services > VPN Service > Site to Site VPN.
- Click Lock.
- Double-click the TINA VPN tunnel. The TINA Tunnel window opens.
- Click the Advanced tab.
- From the Packet Balancing list, select Cycle within a Transport Class.
- Click OK.
- Click Send Changes and Activate.
Step 2. Create a Custom Connection Object for the TI Master
- Go to CONFIGURATION > Configuration Tree > Box > Virtual Servers > your virtual server > Assigned Services > Firewall > Forwarding Rules.
- In the left menu, click Connections.
- Right-click the table and select New Connection. The Edit/Create a Connection Object window opens.
- Enter a Name.
- From the Translated Source IP list, select Original Source IP.
- To edit the VPN Traffic Intelligence settings, click Edit/Show. The TI Transport Selection window opens.
- From the TI Learning Policy list, select Master.
- From the Primary Transport Class list, select the primary transport class.
- From the Primary Transport ID list, select the ID for the primary transport.
- From the Secondary Transport Class list, select the same transport class used for the primary transport.
- From the Secondary Transport ID list, select the ID for the secondary transport.
- Click OK.
- Click Send Changes and Activate.
Step 3. Create a Custom Connection Object for the TI Slave
- Go to CONFIGURATION > Configuration Tree > Box > Virtual Servers > your virtual server > Assigned Services > Firewall > Forwarding Rules.
- In the left menu, click Connections.
- Right-click the table and select New Connection. The Edit/Create a Connection Object window opens.
- Enter a Name.
- From the Translated Source IP list, select Original Source IP.
- To edit the VPN Traffic Intelligence settings, click Edit/Show. The TI Transport Selection window opens.
- From the TI Learning Policy drop-down list, select Slave.
- Click OK.
- Click Send Changes and Activate.
Step 4. Modify Access Rule on the Firewall Acting as TI Master
- Go to CONFIGURATION > Configuration Tree > Box > Virtual Servers > your virtual server > Assigned Services > Firewall > Forwarding Rules.
- Click Lock.
- Right-click the ruleset and select New > Rule to create an access rule to match the VPN traffic you want to balance:
  - Action – Select Pass.
  - Bi-Directional – Select the check box to apply the rule in both directions.
  - Source – Select a network object for all local networks.
  - Service – Select a service object from the list.
  - Destination – Select the network object containing the remote networks.
  - Connection Method – Select the connection object for the TI master created in step 2.
- Click OK.
- Click Send Changes and Activate.
Step 5. Modify Access Rule on the Firewall Acting as TI Slave
- Go to CONFIGURATION > Configuration Tree > Box > Virtual Servers > your virtual server > Assigned Services > Firewall > Forwarding Rules.
- Click Lock.
- Right-click the ruleset and select New > Rule to create an access rule to match the VPN traffic you want to balance:
  - Action – Select Pass.
  - Bi-Directional – Select the check box to apply the rule in both directions.
  - Source – Select a network object for all local networks.
  - Service – Select a service object from the list.
  - Destination – Select the network object containing the remote networks.
  - Connection Method – Select the connection object for the TI slave created in step 3.
- Click OK.
- Click Send Changes and Activate.
Traffic that matches these access rules and uses the VPN transports is now balanced per packet within the transport class.