Can I disable global Load Balancing if only one WAN is used on the firewall?
03/26/2020 
82 
11773
DESCRIPTION:
Can I disable global Load Balancing if only one WAN is used on the firewall? What are the dependencies of Load Balancing being enabled globally for SonicOS?
RESOLUTION:
It is never recommended to disable Failover & LB globally.
Failover and LB (FLB) actively monitors WAN connections and act accordingly on failure/recovery of the WAN interface(s). You should think of the overall effect as a system-wide response to failure/recovery of WAN connections. Even if you only have one WAN, you still benefit because of faster recovery procedures performed on that one WAN as normal part of FLB.
It keeps status data for the WAN interfaces that can be queried by interested parties whenever they want. Some SonicOS apps request asynchronous notification from FLB whenever a failure/recovery event happens on an interface they are interested in (normally, the Primary WAN) and those apps may perform some app-defined function which is outside the scope of FLB.
This is what FLB does when a WAN interface failure had been detected (linkDown or probing-failure or no-IP-settings):
- Graceful shutdown of interface
- Trigger the disabling of routes associated with failed interface (except for the ones marked "do not disable on link down")
- Flush dynamic ARP entries using the failed interface
- Flush the cache entries using the failed interface as outbound interface
- Update WAN default route to point to an alternate WAN, if available. Update status data. (this is part of recovery procedure)
- Address Objects used by other apps such as CASS gets updated as well
- Security Services depend on this for failover capability
- Notify interested parties (VPN, BWM, CASS, DDNS, DNS)
- Actively monitor status of failed interface, attempt recovery such as restarting WAN connection
This is what FLB does when a WAN interface recovery had been detected (linkUp or probing-success or IP-change):
- On linkUp, jump-start the interface connection. In most cases, this would be in connected state already, but if not, FLB attempts to push it to start. It may do graceful shutdown and restart if a hung condition is detected (timer based).
- Once connectivity is confirmed (simple linkUp or probing), trigger enabling of routes associated with the interface
- Add ARP entries (if any are needed)
- Send out unsolicited ARP response (for interface) to update neighboring devices.
- If needed, update the WAN default route (e.g. preempt) to use the best available WAN. Update status data.
- Address Objects used by other apps such as CASS gets updated as well
- Security Services depend on this for failover capability
- Notify interested parties (VPN, BWM, CASS, DDNS, DNS)
- Continue monitoring status of interface.
Next Generation FirewallNext-generation firewall for SMB, Enterprise, and Government
Security ServicesComprehensive security for your network security solution
Capture Security applianceAdvanced Threat Protection for modern threat landscape
Network Security ManagerModern Security Management for today’s security landscape
Cloud Edge Secure AccessDeploy Zero-Trust Security in minutes
Secure Mobile AccessRemote, best-in-class, secure access
Wireless Access PointsEasy to manage, fast and secure Wi-FI
SwitchesHigh-speed network switching for business connectivity
Email SecurityProtect against today’s advanced email threats
Cloud App SecurityVisibility and security for Cloud Apps
Cloud Firewall (NSv)Next-generation firewall capabilities in the cloud
Capture ClientStop advanced threats and rollback the damage caused by malware
Content Filtering ClientControl access to unwanted and unsecure web content
