May 28

Link aggregation, or "network interface bonding" in Linux terms, is a standard way to combine multiple physical network interfaces into one logical interface. StoneGate firewalls will support aggregated interfaces starting from version 5.2.

Link Aggregation


written by Tero Jantunen

Feb 18

Connecting Inline IPS and Firewall Cluster

IPS, Tech dives

The most common place for an IPS is right behind the edge firewall, where it inspects everything that makes it through the firewall.  The firewall filters out most of the inbound crap, which is so obviously unwanted that there is no point in inspecting it with the IPS.  This is a fairly straightforward setup: you just connect the inline IPS between the firewall and the internal switch.  Crossover cables from the firewall to the IPS, straight cables from the IPS to the switch, and you're done.  A StoneGate IPS in inline mode looks like a cable to the network.  It does not alter allowed traffic in any way, so deployment is simple.

Simple FW/IPS setup

Clustering the firewall does not seem to change much – you just add an IPS (or an inline pair) for each additional firewall node.  Still quite straightforward.

Redundant setup

Let's now stop and think for a minute.  What does this setup actually mean, and how does it work?


written by olli

Dec 22

MultiLink VPN and Load Balancing… the truth.

MultiLink VPN, Tech dives

Some details about StoneGate MultiLink VPN and load balancing.

The goal is to explain a bit about how it works, to avoid false expectations.

Link selection is done per packet.
This means that a single TCP/UDP connection can change link during its lifetime.
This provides transparent failover between links when using Multi-Link VPN, but it does not mean that consecutive packets are intelligently routed over different links in order to provide increased bandwidth.

The result, especially with multiple connections, is a de facto aggregation of the performance of multiple links, with transparent failover (the latter is not possible with MultiLink ISP).

For example: a customer has two sites (Site A and Site B) with a 1 Mbps connection between them. When the customer deployed StoneGate Multi-Link VPN there and added a second 1 Mbps ISP connection, the measured performance did not double to 2 Mbps. Why is that?

Because,

  1. StoneGate Multi-Link VPN provides load balancing based on host pairs. This customer had only one host on each site, and these two hosts were exchanging messages with each other.
  2. From StoneGate's point of view this is one connection, and this one connection uses the fastest ISP link. All connections between these two hosts will use the same ISP link. StoneGate cannot split one connection across several ISP links. That is why the customer got 1 Mbps of performance instead of 2 Mbps.
  3. This is a special case, because normally customers have several hosts communicating through the Multi-Link VPN connection. Then StoneGate can and will load balance each host pair over a different ISP. The customer would then get, on average, close to 2 Mbps of total capacity between the sites.
  4. You should remember that each separate VPN tunnel in this case has a maximum speed of 1 Mbps (because each ISP link is 1 Mbps). But if you look at the total capacity between Site A and Site B, it is 2 Mbps.
  5. In layman's terms: the maximum speed stays at 1 Mbps when you add another ISP and use StoneGate Multi-Link VPN, but the capacity doubles.

Maybe a good analogy is a highway with a 70 miles per hour speed limit. If you add another lane to the highway, the speed limit stays the same (70 miles per hour), but you can get twice as many cars through.
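To make the speed-versus-capacity distinction concrete, here is a small Python model of host-pair based link selection. It is an added example and not StoneGate code: the link names, capacities, host names, the "least-loaded healthy link" selection rule and the fair-sharing assumption are all constructed for the illustration (the post only says that one host pair stays on one link and that failover is transparent). It shows the three outcomes from the list above: one host pair never exceeds the speed of a single link, the total across several host pairs approaches the sum of both links, and the pairs on a failed link move to the surviving one.

```python
"""Constructed model of Multi-Link VPN load balancing by host pair.

Assumptions (this is an illustration, not StoneGate's implementation):
two ISP links of fixed capacity, each host pair pinned to one link at a
time, the least-loaded healthy link chosen for a new pair, fair sharing
of a link's capacity among the pairs on it, and pairs on a failed link
moving to a healthy one.
"""
from collections import Counter
from dataclasses import dataclass


@dataclass
class Link:
    name: str             # constructed ISP link name
    capacity_mbps: float  # link speed; also the ceiling for any single host pair
    up: bool = True


class MultiLinkVpnModel:
    def __init__(self, links):
        self.links = links
        self.pinned = {}  # (src, dst) -> Link currently carrying that host pair

    def _pairs_on_healthy_links(self):
        return Counter(link.name for link in self.pinned.values() if link.up)

    def link_for(self, src, dst):
        """Return the link carrying this host pair, re-selecting only when
        the pair is new or its current link is down (transparent failover)."""
        pair = (src, dst)
        link = self.pinned.get(pair)
        if link is None or not link.up:
            healthy = [l for l in self.links if l.up]
            if not healthy:
                raise RuntimeError("no VPN link available")
            load = self._pairs_on_healthy_links()
            # least-loaded healthy link; min() keeps the first link on a tie
            link = min(healthy, key=lambda l: load[l.name])
            self.pinned[pair] = link
        return link

    def per_pair_throughput(self, pairs):
        """Mbps each host pair gets when every pair sends at full rate:
        a link's capacity is shared evenly among the pairs pinned to it."""
        assigned = {pair: self.link_for(*pair) for pair in pairs}
        load = Counter(link.name for link in assigned.values())
        return {pair: link.capacity_mbps / load[link.name]
                for pair, link in assigned.items()}

    def total_capacity(self, pairs):
        """Aggregate Mbps between the two sites for the given host pairs."""
        return sum(self.per_pair_throughput(pairs).values())

    def set_link_state(self, name, up):
        for link in self.links:
            if link.name == name:
                link.up = up


def two_link_site():
    """Constructed Site A / Site B setup from the post: two 1 Mbps ISP links."""
    return MultiLinkVpnModel([Link("ISP-1", 1.0), Link("ISP-2", 1.0)])


if __name__ == "__main__":
    vpn = two_link_site()
    one_pair = [("hostA", "hostB")]
    print("single host pair:", vpn.per_pair_throughput(one_pair))  # 1.0 Mbps, not 2

    vpn = two_link_site()
    many = [(f"a{i}", f"b{i}") for i in range(4)]
    print("four host pairs total:", vpn.total_capacity(many))       # 2.0 Mbps
    vpn.set_link_state("ISP-2", False)
    print("after ISP-2 fails:", vpn.per_pair_throughput(many))      # all pairs on ISP-1
```

The `per_pair_throughput` result for the single-host-pair case is exactly the customer's measurement in the post: one pair, one link, 1 Mbps. With four host pairs the model spreads them two per link, so each pair still sees at most 1 Mbps while the site-to-site total is 2 Mbps; when one link is marked down, the pairs pinned to it are re-selected onto the remaining link and the total drops back to 1 Mbps without any pair losing its path.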

Roar!

written by RoarinPenguin