Sophos XG: How to configure Destination NAT with Load Balancing for Webserver

This article explains how to configure load balancing for traffic coming from the Internet to a company network that runs several web servers (or other services), so that the incoming traffic is distributed across the company's server pool.

The configuration in this article follows the diagram below:

How to configure

Step 1: Log in to Sophos XG with an Admin account

Step 2: Create an IP Host for the Web servers

Host and Services -> IP Host -> Click Add

  • Name: Webservers
  • In IP Version: Select IPv4
  • In Type: Select IP Range
  • In IP Address: Enter the IP range of the Web servers

-> Click Save

Step 3: Create a Firewall rule for DNAT combined with Load Balancing

  • Firewall -> Click Add firewall rule -> Choose Business application rule
  • In Application template: Choose DNAT/Full NAT/Load Balancing
  • In Source zones: Choose WAN
  • In Allowed client networks: Choose Any
  • In Destination host/network: Choose the WAN port of the firewall device
  • In Services: Choose HTTP or HTTPS or both
  • In Protected server(s): Choose the IP range of the Web servers (the Webservers host created in Step 2)
  • In Mapped Port: Enter 80 for HTTP or 443 for HTTPS
  • In Protected Zone: Choose the network zone that contains the Web servers
  • In Load Balancing: Choose the load balancing method
    • Round Robin: Requests are served sequentially: the first request is forwarded to the first server, the second to the second server, and so on. When a request arrives, the device checks which server received the previous request and assigns the new request to the next available server. Use this method when an equal distribution of traffic is required and session persistence is not needed
    • First Alive: All incoming requests are served by the first server (the first IP address in the configured IP range). This server is treated as the primary server and all others as backups. Only when the first server fails are requests forwarded to the next server in line. Use this method for failover scenarios
    • Random: Requests are forwarded to the servers at random, while the device ensures that all configured servers receive an equally distributed load; hence this method is also called uniform random distribution. Use it when an equal distribution of traffic is required and neither session persistence nor the order of distribution matters
    • Sticky IP: In addition to Round Robin distribution, the device forwards incoming traffic according to the combination of source and destination IP address. All traffic from a particular source is forwarded only to its mapped server, so every request from a given source IP reaches the same application server instance. Use this method when all requests of a session must be processed by the same server, for example banking or e-commerce websites

-> Click Save
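To make the difference between the four methods concrete, the following Python model (an added example, not part of the original article and not Sophos code) runs a constructed sequence of client requests through each method and lists which protected server receives each request. The server addresses, the firewall WAN IP and the client IPs are constructed sample values; the device's health checks are replaced by explicit mark_down()/mark_up() calls, and the way Sticky IP re-maps a client whose server has gone down is an assumption of this model.

```python
import random
from typing import Dict, List, Optional, Tuple

# Constructed sample values (not from the article): the "Webservers" IP range
# 10.0.1.11-10.0.1.13, the firewall's WAN address, and five client requests.
SERVERS = ["10.0.1.11", "10.0.1.12", "10.0.1.13"]
WAN_IP = "198.51.100.10"
CLIENTS = ["203.0.113.5", "203.0.113.6", "203.0.113.5", "203.0.113.7", "203.0.113.6"]
REQUESTS = [(c, WAN_IP) for c in CLIENTS]


class LoadBalancer:
    """Chooses a protected server for each request with one of the four methods.

    Hypothetical model written for this article; it is not Sophos code. The
    health checks that decide whether a server is alive are replaced here by
    explicit mark_down()/mark_up() calls.
    """

    def __init__(self, servers: List[str], method: str, seed: int = 0) -> None:
        self.servers = list(servers)
        self.method = method
        self.alive: Dict[str, bool] = {s: True for s in self.servers}
        self._last = -1                       # index of the last server assigned (Round Robin)
        self._sticky: Dict[Tuple[str, str], str] = {}  # (src, dst) -> mapped server
        self._rng = random.Random(seed)       # seeded so the demo is reproducible

    def mark_down(self, server: str) -> None:
        self.alive[server] = False

    def mark_up(self, server: str) -> None:
        self.alive[server] = True

    def pick(self, src_ip: str, dst_ip: str) -> Optional[str]:
        """Return the server that receives this request, or None if none is alive."""
        candidates = [s for s in self.servers if self.alive[s]]
        if not candidates:
            return None
        if self.method == "round_robin":
            return self._round_robin()
        if self.method == "first_alive":
            # Primary server first; the next server in line only serves after it fails.
            return candidates[0]
        if self.method == "random":
            return self._rng.choice(candidates)
        if self.method == "sticky_ip":
            return self._sticky_ip(src_ip, dst_ip)
        raise ValueError(f"unknown load balancing method: {self.method}")

    def _round_robin(self) -> Optional[str]:
        # Continue from the server assigned last time, skipping servers that are down.
        n = len(self.servers)
        for step in range(1, n + 1):
            idx = (self._last + step) % n
            if self.alive[self.servers[idx]]:
                self._last = idx
                return self.servers[idx]
        return None

    def _sticky_ip(self, src_ip: str, dst_ip: str) -> Optional[str]:
        # A (source, destination) pair keeps its mapped server while that server is
        # alive; a new pair, or one whose server went down, is assigned by Round Robin
        # (the re-mapping on failure is an assumption of this model).
        key = (src_ip, dst_ip)
        mapped = self._sticky.get(key)
        if mapped is not None and self.alive[mapped]:
            return mapped
        chosen = self._round_robin()
        if chosen is not None:
            self._sticky[key] = chosen
        return chosen


def distribute(method: str, requests=REQUESTS, down=()) -> List[Optional[str]]:
    """Run a request sequence through a fresh balancer and list the chosen servers."""
    lb = LoadBalancer(SERVERS, method)
    for server in down:
        lb.mark_down(server)
    return [lb.pick(src, dst) for src, dst in requests]


if __name__ == "__main__":
    for method in ("round_robin", "first_alive", "random", "sticky_ip"):
        print(f"{method:12s} {distribute(method)}")
    print("round_robin with 10.0.1.12 down:", distribute("round_robin", down=["10.0.1.12"]))
    print("first_alive with 10.0.1.11 down:", distribute("first_alive", down=["10.0.1.11"]))
```

Running the script shows why the method matters for the services behind the rule: Round Robin and Random spread the same five requests over all three servers, First Alive sends everything to 10.0.1.11 until it is marked down, and Sticky IP returns the repeated clients 203.0.113.5 and 203.0.113.6 to the server they were first assigned, which is what session-bound applications such as banking or e-commerce sites need.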

** If you have difficulty configuring Sophos products in Vietnam, please contact us:

Hotline: 02862711677
