I wrote this document for a customer back in 2005 when I was a Symantec Consultant – posting it from 2008 in the right time period.
Solutions Guide for Load Balanced NAT Issues
These are solutions to load balancing issues you may encounter with the Symantec Firewall load balancing methods. The assumption is that the problems occur on connections going from an internal network to an Internet host or network. These problems are rare, and whether they occur usually depends on how strictly the remote host ties a session to the source address it sees.
Scenario: Multiple TCP connections to the same port leave with different outside NAT addresses, which causes the remote server to reject the connection.
Example: HTTPS connections that do not use a client-side cookie.
Solutions:
- We can use stateful failover for the TCP traffic so that all traffic leaves as the VIP address. The downside is some increased load on all the firewalls in the cluster.
- Configure a one-to-one NAT. This corrects the issue because the client is always seen as the NAT address you configured. The downside is that you need a public IP address for every machine you do this for.
- We can use the original client address. The downside is that this requires publicly routable addresses to be passed to the outside of the firewall, and it also lets the outside world see your internal networking schema.
- Pass the traffic through a filter. The downside is that this passes below the proxy level, so tight controls need to be in place to maintain security. You would also need publicly routable IP addresses, or have to NAT the traffic on the upstream router; if you use public addresses internally and do not NAT on the router, the outside world can see your internal networking schema.
- Use traffic grouping, which ensures all traffic to the configured host goes through only one firewall at a time. The downside is a higher administrative burden, because each remote host needs to be configured manually.
- Use a hardware load balancer. The downside is that this is outside Symantec's control and immediate scope, and it requires reliance on a third-party product.
- Manually route traffic through only one firewall. This corrects the issue by having the traffic traverse a single firewall. The downside is the administrative effort required. Another issue is that if the firewall passing the traffic goes down, the connection will not work unless network administrators configure a route change on the router directing this traffic.
Scenario: A connection that requires multiple TCP destination ports.
Example: Passive mode FTP (the FTP daemon handles this without modification; a more common protocol is not immediately available as an example).
Solutions:
- We can use stateful failover for the TCP traffic so that all traffic leaves as the VIP address. The downside is some increased load on all the firewalls in the cluster.
- Configure a one-to-one NAT. This corrects the issue because the client is always seen as the NAT address you configured. The downside is that you need a public IP address for every machine you do this for.
- We can use the original client address. The downside is that this requires publicly routable addresses to be passed to the outside of the firewall, and it also lets the outside world see your internal networking schema.
- Pass the traffic through a filter. The downside is that this passes below the proxy level, so tight controls need to be in place to maintain security. You would also need publicly routable IP addresses, or have to NAT the traffic on the upstream router; if you use public addresses internally and do not NAT on the router, the outside world can see your internal networking schema.
- Use traffic grouping, which ensures all traffic to the configured host goes through only one firewall at a time. The downside is a higher administrative burden, because each remote host needs to be configured manually.
- Use a hardware load balancer. The downside is that this is outside Symantec's control and immediate scope, and it requires reliance on a third-party product.
- Manually route traffic through only one firewall. This corrects the issue by having the traffic traverse a single firewall. The downside is the administrative effort required. Another issue is that if the firewall passing the traffic goes down, the connection will not work unless network administrators configure a route change on the router directing this traffic.
Scenario: A mixture of UDP and TCP traffic.
Example: This is usually seen in custom applications such as streaming media, where the connection starts on TCP and migrates to UDP for media delivery.
Solutions:
- Configure a one-to-one NAT. This corrects the issue because the client is always seen as the NAT address you configured. The downside is that you need a public IP address for every machine you do this for.
- We can use the original client address. The downside is that this requires publicly routable addresses to be passed to the outside of the firewall, and it also lets the outside world see your internal networking schema.
- Pass the traffic through a filter. The downside is that this passes below the proxy level, so tight controls need to be in place to maintain security. You would also need publicly routable IP addresses, or have to NAT the traffic on the upstream router; if you use public addresses internally and do not NAT on the router, the outside world can see your internal networking schema.
- Use traffic grouping, which ensures all traffic to the configured host goes through only one firewall at a time. The downside is a higher administrative burden, because each remote host needs to be configured manually.
- Use a hardware load balancer. The downside is that this is outside Symantec's control and immediate scope, and it requires reliance on a third-party product.
- Manually route traffic through only one firewall. This corrects the issue by having the traffic traverse a single firewall. The downside is the administrative effort required. Another issue is that if the firewall passing the traffic goes down, the connection will not work unless network administrators configure a route change on the router directing this traffic.
Scenario: A mixture of TCP and other IP protocol types.
Example: Microsoft's PPTP VPN. This product uses TCP port 1723 and IP protocol type 47 (GRE) to pass traffic.
Solutions:
- Configure a one-to-one NAT. This corrects the issue because the client is always seen as the NAT address you configured. The downside is that you need a public IP address for every machine you do this for.
- We can use the original client address. The downside is that this requires publicly routable addresses to be passed to the outside of the firewall, and it also lets the outside world see your internal networking schema.
- Pass the traffic through a filter. The downside is that this passes below the proxy level, so tight controls need to be in place to maintain security. You would also need publicly routable IP addresses, or have to NAT the traffic on the upstream router; if you use public addresses internally and do not NAT on the router, the outside world can see your internal networking schema.
- Use traffic grouping, which ensures all traffic to the configured host goes through only one firewall at a time. The downside is a higher administrative burden, because each remote host needs to be configured manually.
- Use a hardware load balancer. The downside is that this is outside Symantec's control and immediate scope, and it requires reliance on a third-party product.
- Manually route traffic through only one firewall. This corrects the issue by having the traffic traverse a single firewall. The downside is the administrative effort required. Another issue is that if the firewall passing the traffic goes down, the connection will not work unless network administrators configure a route change on the router directing this traffic.
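The HTTPS, passive FTP and PPTP scenarios above all fail for the same reason: a session made of several flows is spread across cluster members that each NAT to a different outside address. The model below is an added example, not Symantec firewall code or configuration; the cluster, addresses, ports and the "remote server binds a session to the first source address it sees" rule are all constructed to show why per-flow distribution breaks these sessions and why the VIP, one-to-one NAT, original-address and traffic-grouping options fix it.

```python
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Flow:
    client: str   # inside address
    proto: str    # "tcp", "udp" or "gre" (IP protocol 47)
    sport: int    # 0 where the protocol has no ports
    dport: int


@dataclass
class Cluster:
    members: list                  # outside NAT address of each firewall (constructed)
    vip: str                       # cluster virtual IP used with stateful failover
    mode: str = "per-member"       # or "vip", "one-to-one", "original"
    one_to_one: dict = field(default_factory=dict)   # client -> public address
    grouped_hosts: set = field(default_factory=set)  # remote hosts pinned to members[0]
    _next: int = 0                 # round-robin pointer for per-flow distribution

    def egress_address(self, flow: Flow, remote: str) -> str:
        """Outside address the remote host sees for this flow."""
        if self.mode == "vip":
            return self.vip
        if self.mode == "original":
            return flow.client            # requires routable inside addresses
        if self.mode == "one-to-one" and flow.client in self.one_to_one:
            return self.one_to_one[flow.client]
        if remote in self.grouped_hosts:
            return self.members[0]        # traffic grouping: one firewall at a time
        member = self.members[self._next % len(self.members)]
        self._next += 1                   # each new flow goes to the next firewall
        return member


class RemoteServer:
    """Binds a session to the first source address it sees, as an HTTPS server
    without a client cookie, a passive FTP server or a PPTP server does."""

    def __init__(self) -> None:
        self.bound: dict = {}

    def accept(self, session: str, src: str) -> bool:
        return self.bound.setdefault(session, src) == src


# Constructed sessions: each consists of more than one flow from the same client.
SESSIONS = {
    "https_no_cookie": [Flow("10.0.0.5", "tcp", 50001, 443), Flow("10.0.0.5", "tcp", 50002, 443)],
    "passive_ftp": [Flow("10.0.0.5", "tcp", 50003, 21), Flow("10.0.0.5", "tcp", 50004, 52000)],
    "pptp": [Flow("10.0.0.5", "tcp", 50005, 1723), Flow("10.0.0.5", "gre", 0, 0)],
}


def check_sessions(cluster: Cluster, remote: str = "198.51.100.7") -> dict:
    """True per session if every flow arrived from the same outside address."""
    results = {}
    for name, flows in SESSIONS.items():
        server = RemoteServer()
        results[name] = all(server.accept(name, cluster.egress_address(f, remote)) for f in flows)
    return results
```

Running `check_sessions` on a two-member cluster in "per-member" mode rejects all three sessions, while "vip", "one-to-one" (with the client mapped), "original", or adding the remote host to `grouped_hosts` accepts them.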
Scenario: UDP connections using multiple ports.
Example: No known examples available for reference.
Solutions:
- Configure a one-to-one NAT. This corrects the issue because the client is always seen as the NAT address you configured. The downside is that you need a public IP address for every machine you do this for.
- We can use the original client address. The downside is that this requires publicly routable addresses to be passed to the outside of the firewall, and it also lets the outside world see your internal networking schema.
- Pass the traffic through a filter. The downside is that this passes below the proxy level, so tight controls need to be in place to maintain security. You would also need publicly routable IP addresses, or have to NAT the traffic on the upstream router; if you use public addresses internally and do not NAT on the router, the outside world can see your internal networking schema.
- Use traffic grouping, which ensures all traffic to the configured host goes through only one firewall at a time. The downside is a higher administrative burden, because each remote host needs to be configured manually.
- Use a hardware load balancer. The downside is that this is outside Symantec's control and immediate scope, and it requires reliance on a third-party product.
- Manually route traffic through only one firewall. This corrects the issue by having the traffic traverse a single firewall. The downside is the administrative effort required. Another issue is that if the firewall passing the traffic goes down, the connection will not work unless network administrators configure a route change on the router directing this traffic.
Scenario: A mixture of UDP and other IP protocol types.
Example: This traffic would mostly be associated with IPsec VPN traffic.
Solutions:
- Configure a one-to-one NAT. This corrects the issue because the client is always seen as the NAT address you configured. The downside is that you need a public IP address for every machine you do this for.
- We can use the original client address. The downside is that this requires publicly routable addresses to be passed to the outside of the firewall, and it also lets the outside world see your internal networking schema.
- Pass the traffic through a filter. The downside is that this passes below the proxy level, so tight controls need to be in place to maintain security. You would also need publicly routable IP addresses, or have to NAT the traffic on the upstream router; if you use public addresses internally and do not NAT on the router, the outside world can see your internal networking schema.
- Use traffic grouping, which ensures all traffic to the configured host goes through only one firewall at a time. The downside is a higher administrative burden, because each remote host needs to be configured manually.
- Use a hardware load balancer. The downside is that this is outside Symantec's control and immediate scope, and it requires reliance on a third-party product.
- Manually route traffic through only one firewall. This corrects the issue by having the traffic traverse a single firewall. The downside is the administrative effort required. Another issue is that if the firewall passing the traffic goes down, the connection will not work unless network administrators configure a route change on the router directing this traffic.
Scenario: Connections using multiple IP protocol types only (no TCP or UDP).
Example: No known examples available for reference.
Solutions:
- Configure a one-to-one NAT. This corrects the issue because the client is always seen as the NAT address you configured. The downside is that you need a public IP address for every machine you do this for.
- We can use the original client address. The downside is that this requires publicly routable addresses to be passed to the outside of the firewall, and it also lets the outside world see your internal networking schema.
- Pass the traffic through a filter. The downside is that this passes below the proxy level, so tight controls need to be in place to maintain security. You would also need publicly routable IP addresses, or have to NAT the traffic on the upstream router; if you use public addresses internally and do not NAT on the router, the outside world can see your internal networking schema.
- Use traffic grouping, which ensures all traffic to the configured host goes through only one firewall at a time. The downside is a higher administrative burden, because each remote host needs to be configured manually.
- Use a hardware load balancer. The downside is that this is outside Symantec's control and immediate scope, and it requires reliance on a third-party product.
- Manually route traffic through only one firewall. This corrects the issue by having the traffic traverse a single firewall. The downside is the administrative effort required. Another issue is that if the firewall passing the traffic goes down, the connection will not work unless network administrators configure a route change on the router directing this traffic.
Scenario: A connection using TCP, UDP, and other IP protocol types all in conjunction.
Example: Older VPN connections that did not adhere to the IPsec standard.
Solutions:
- Configure a one-to-one NAT. This corrects the issue because the client is always seen as the NAT address you configured. The downside is that you need a public IP address for every machine you do this for.
- We can use the original client address. The downside is that this requires publicly routable addresses to be passed to the outside of the firewall, and it also lets the outside world see your internal networking schema.
- Pass the traffic through a filter. The downside is that this passes below the proxy level, so tight controls need to be in place to maintain security. You would also need publicly routable IP addresses, or have to NAT the traffic on the upstream router; if you use public addresses internally and do not NAT on the router, the outside world can see your internal networking schema.
- Use traffic grouping, which ensures all traffic to the configured host goes through only one firewall at a time. The downside is a higher administrative burden, because each remote host needs to be configured manually.
- Use a hardware load balancer. The downside is that this is outside Symantec's control and immediate scope, and it requires reliance on a third-party product.
- Manually route traffic through only one firewall. This corrects the issue by having the traffic traverse a single firewall. The downside is the administrative effort required. Another issue is that if the firewall passing the traffic goes down, the connection will not work unless network administrators configure a route change on the router directing this traffic.