- Products
- Network Security
Next Generation FirewallNext-generation firewall for SMB, Enterprise, and Government
Security ServicesComprehensive security for your network security solution
Network Security ManagerModern Security Management for today’s security landscape
- Advanced Threat Protection
Capture ATPMulti-engine advanced threat detection
Capture Security applianceAdvanced Threat Protection for modern threat landscape
- Access Security
Cloud Edge Secure AccessDeploy Zero-Trust Security in minutes
Secure Mobile AccessRemote, best-in-class, secure access
Wireless Access PointsEasy to manage, fast and secure Wi-FI
SwitchesHigh-speed network switching for business connectivity
- Email Security
Email SecurityProtect against today’s advanced email threats
- Cloud Security
Cloud App SecurityVisibility and security for Cloud Apps
Cloud Firewall (NSv)Next-generation firewall capabilities in the cloud
- Endpoint Security
Capture ClientStop advanced threats and rollback the damage caused by malware
Content Filtering ClientControl access to unwanted and unsecure web content
- Product Widgets
- Product Menu Right Image
- Network Security
- Solutions
- Solutions Widgets
- Solutions Image Widgets
- Solutions Widgets
- Partners
- Partner Widgets
- Partners Image Widgets
- Partner Widgets
- Support
- Support Widget
- Support Image Widgets
- Support Widget
- Products
- Network Security
- Next Generation FirewallNext-generation firewall for SMB, Enterprise, and Government
- Security ServicesComprehensive security for your network security solution
- Network Security ManagerModern Security Management for today’s security landscape
- Advanced Threat Protection
- Capture ATPMulti-engine advanced threat detection
- Capture Security applianceAdvanced Threat Protection for modern threat landscape
- Access Security
- Cloud Edge Secure AccessDeploy Zero-Trust Security in minutes
- Secure Mobile AccessRemote, best-in-class, secure access
- Wireless Access PointsEasy to manage, fast and secure Wi-FI
- SwitchesHigh-speed network switching for business connectivity
- Email Security
- Email SecurityProtect against today’s advanced email threats
- Cloud Security
- Cloud App SecurityVisibility and security for Cloud Apps
- Cloud Firewall (NSv)Next-generation firewall capabilities in the cloud
- Endpoint Security
- Capture ClientStop advanced threats and rollback the damage caused by malware
- Content Filtering ClientControl access to unwanted and unsecure web content
- Product Widgets
- Product Menu Right Image
- Network Security
- Solutions
- Solutions Widgets
- Solutions Image Widgets
- Solutions Widgets
- Partners
- Partner Widgets
- Partners Image Widgets
- Partner Widgets
- Support
- Support Widget
- Support Image Widgets
- Support Widget
Can I disable global Load Balancing if only one WAN is used on the firewall?
03/26/2020 
93 People found this article helpful
99,715 Views
Description
Can I disable global Load Balancing if only one WAN is used on the firewall? What are the dependencies of Load Balancing being enabled globally for SonicOS?
Resolution
It is never recommended to disable Failover & LB globally.
Failover and LB (FLB) actively monitors WAN connections and act accordingly on failure/recovery of the WAN interface(s). You should think of the overall effect as a system-wide response to failure/recovery of WAN connections. Even if you only have one WAN, you still benefit because of faster recovery procedures performed on that one WAN as normal part of FLB.
It keeps status data for the WAN interfaces that can be queried by interested parties whenever they want. Some SonicOS apps request asynchronous notification from FLB whenever a failure/recovery event happens on an interface they are interested in (normally, the Primary WAN) and those apps may perform some app-defined function which is outside the scope of FLB.
This is what FLB does when a WAN interface failure had been detected (linkDown or probing-failure or no-IP-settings):
- Graceful shutdown of interface
- Trigger the disabling of routes associated with failed interface (except for the ones marked "do not disable on link down")
- Flush dynamic ARP entries using the failed interface
- Flush the cache entries using the failed interface as outbound interface
- Update WAN default route to point to an alternate WAN, if available. Update status data. (this is part of recovery procedure)
- Address Objects used by other apps such as CASS gets updated as well
- Security Services depend on this for failover capability
- Notify interested parties (VPN, BWM, CASS, DDNS, DNS)
- Actively monitor status of failed interface, attempt recovery such as restarting WAN connection
This is what FLB does when a WAN interface recovery had been detected (linkUp or probing-success or IP-change):
- On linkUp, jump-start the interface connection. In most cases, this would be in connected state already, but if not, FLB attempts to push it to start. It may do graceful shutdown and restart if a hung condition is detected (timer based).
- Once connectivity is confirmed (simple linkUp or probing), trigger enabling of routes associated with the interface
- Add ARP entries (if any are needed)
- Send out unsolicited ARP response (for interface) to update neighboring devices.
- If needed, update the WAN default route (e.g. preempt) to use the best available WAN. Update status data.
- Address Objects used by other apps such as CASS gets updated as well
- Security Services depend on this for failover capability
- Notify interested parties (VPN, BWM, CASS, DDNS, DNS)
- Continue monitoring status of interface.
Related Articles
Categories
- Firewalls > TZ Series
- Firewalls > SonicWall SuperMassive 9000 Series
- Firewalls > SonicWall NSA Series
- Firewalls > NSa Series > WAN Failover & LB
- Firewalls > NSv Series > WAN Failover & LB
YES
NO