Policy Based Routing and WAN Load Balancing Example on SonicOS 7.X and SonicOS Enhanced
08/11/2020 
435 
18634
DESCRIPTION:
Resolution for SonicOS 7.X
This release includes significant user interface changes and many new features that are different from the SonicOS 6.5 and earlier firmware. The below resolution is for customers using SonicOS 7.X firmware.
The following example walks you through creating a route policy for two simultaneously active WAN interfaces. For this example, a secondary WAN interface needs to be setup and configured with the settings from your ISP.
Configure the security appliance for load balancing by checking Enable Load Balancing on the Network | System|Failover & LB page. For this example, choose Round-Robin as the load balancing type on the Network | System|Failover & LB page. Click Apply to save your changes.
- Click Policy in the top navigation menu
- Select the Rules and Policies|Routing Rules
- Click the Add button. The Add Route Policy window is displayed.
- Create a routing policy that directs all LAN Subnet sources to Any destination for HTTP service out of the Default Gateway via the X1 interface.
- Click on Save to save the policy.
- Create a second routing policy that directs all LAN Subnet sources to Any destinations for Telnet service out of the X9 Default Gateway via the X9 interface.
These two policy-based routes force all sources from the LAN subnet to always go out the primary WAN when using any HTTP-based application, and force all sources from the LAN subnet to always go out the backup WAN when using any Telnet-based application.
To test the HTTP policy-based route, from a computer attached to the LAN interface, access the public Web sites WhatIsMyIP.com If the HTTP route policy is functioning correctly, site will the primary WAN interface’s IP address and not the secondary WAN interface.
To test the Telnet policy-based route, telnet to route-server.exodus.net and, when logged in, issue the who command. It should display the IP address (or resolved FQDN) of the WAN IP address of the secondary WAN interface and not the primary WAN interface.
Resolution for SonicOS 6.5
This release includes significant user interface changes and many new features that are different from the SonicOS 6.2 and earlier firmware. The below resolution is for customers using SonicOS 6.5 firmware.
Procedure:
The following example walks you through creating a route policy for two simultaneously active WAN interfaces. For this example, a secondary WAN interface (say, X3 or if a Gen4 TZ device, OPT) needs to be setup and configured with the settings from your ISP. Next, configure the security appliance for load balancing by checking Enable Load Balancing on the Manage | Network | Failover & Load Balancing page. For this example, choose Per Connection Round-Robin as the load balancing method on the Manage | Network | Failover & Load Balancing page. Click Apply to save your changes on the Manage | Network | Failover & Load Balancing page.
- Click Manage in the top navigation menu
- Select the Network | Routing page.
- Under Route Policies
- Click the Add button under the Route Policies table. The Add Route Policy window is displayed.
- Create a routing policy that directs all LAN Subnet sources to Any destination for HTTP service out of the Default Gateway via the X1 interface.
- Click on OK to save the policy
- Create a second routing policy that directs all LAN Subnet sources to Any destinations for Telnet service out of the X9 Default Gateway via the X9 interface.
These two policy-based routes force all sources from the LAN subnet to always go out the primary WAN when using any HTTP-based application, and force all sources from the LAN subnet to always go out the backup WAN when using any Telnet-based application.
To test the HTTP policy-based route, from a computer attached to the LAN interface, access the public Web sites WhatIsMyIP.com . If the HTTP route policy is functioning correctly, site will display the primary WAN interface’s IP address and not the secondary WAN interface.
To test the Telnet policy-based route, telnet to route-server.exodus.net and, when logged in, issue the who command. It should display the IP address (or resolved FQDN) of the WAN IP address of the secondary WAN interface and not the primary WAN interface.
Resolution for SonicOS 6.2 and Below
The below resolution is for customers using SonicOS 6.2 and earlier firmware. For firewalls that are generation 6 and newer we suggest to upgrade to the latest general release of SonicOS 6.5 firmware.
Procedure:
The following example walks you through creating a route policy for two simultaneously active WAN interfaces. For this example, a secondary WAN interface (say, X3 or if a Gen4 TZ device, OPT) needs to be setup and configured with the settings from your ISP. Next, configure the security appliance for load balancing by checking Enable Load Balancing on the Network > WAN Failover & LB page. For this example, choose Per Connection Round-Robin as the load balancing method on the Network > WAN Failover & LB page. Click Apply to save your changes on the Network > WAN Failover & LB page.
- Select the Network > Routing page.
- Click the Add button under the Route Policies table. The Add Route Policy window is displayed.
- Create a routing policy that directs all LAN Subnet sources to Any destination for HTTP service out of the Default Gateway via the X1 interface.
- Create a second routing policy that directs all LAN Subnet sources to Any destinations for Telnet service out of the X3 Default Gateway via the X3 interface.
These two policy-based routes force all sources from the LAN subnet to always go out the primary WAN when using any HTTP-based application, and force all sources from the LAN subnet to always go out the backup WAN when using any Telnet-based application.
To test the HTTP policy-based route, from a computer attached to the LAN interface, access the public Web sites WhatIsMyIP.com If the HTTP route policy is functioning correctly, site will display the primary WAN interface’s IP address and not the secondary WAN interface.
To test the Telnet policy-based route, telnet to route-server.exodus.net and, when logged in, issue the who command. It should display the IP address (or resolved FQDN) of the WAN IP address of the secondary WAN interface and not the primary WAN interface.
Next Generation FirewallNext-generation firewall for SMB, Enterprise, and Government
Security ServicesComprehensive security for your network security solution
Network Security ManagerModern Security Management for today’s security landscape
Capture ATPMulti-engine advanced threat detection
Capture Security applianceAdvanced Threat Protection for modern threat landscape
Cloud Edge Secure AccessDeploy Zero-Trust Security in minutes
Secure Mobile AccessRemote, best-in-class, secure access
Wireless Access PointsEasy to manage, fast and secure Wi-FI
SwitchesHigh-speed network switching for business connectivity
Email SecurityProtect against today’s advanced email threats
Cloud App SecurityVisibility and security for Cloud Apps
Cloud Firewall (NSv)Next-generation firewall capabilities in the cloud
Capture ClientStop advanced threats and rollback the damage caused by malware
Content Filtering ClientControl access to unwanted and unsecure web content
