Overview
Multi-Link is a feature unique to McAfee NGFW. It helps an organization reduce cost: instead of buying one large-bandwidth link from a single ISP, the firewall combines multiple ISP connections into a single route for all network traffic. Aside from reducing cost, it also improves reliability for organizations that need 24/7 operations, since the firewall can automatically switch traffic to the active (or best) ISP link.
Multi-Link also lets the organization run its VPNs over several ISP links (augmented VPN), which again improves operations and reliability.
Last but not least, Multi-Link can also be used for inbound traffic. For example, you can have multiple links/routes to your web server, so external users/customers do not see service downtime when one ISP fails.
For more info, visit McAfee NGFW site here: http://www.mcafee.com/us/products/network-security/next-generation-firewall-technologies/multi-link.aspx
Configuration
Configuring Multi-Link is very simple. You typically just need multiple ISP connections and some popcorn (yes, popcorn, for watching the logs as NGFW load balances the traffic by default :-) ). For this tutorial, my environment has 2 ISPs. ISP A has 50 kbps up and 100 kbps down, while ISP B has 100 kbps up and 200 kbps down but one extra hop before reaching the Internet.
Now that you have an idea of my test environment, let's proceed to the configuration.
Step 1: Configure Physical Interface IP
Provide the IP address that will communicate with the external network (the address on the ISP-facing physical interface).
Step 2: Configure NetLinks
Just like adding a normal static route, right-click on the interface network and choose New -> Static Netlink (as shown below).
Note: There are two types of NetLink, Static and Dynamic; what they do will be discussed in a separate tutorial.
A pop-up window will show for NetLink configuration.
Name - The unique name for this NetLink
Gateway - The next-hop IP address (usually your ISP router's IP)
Network - The network segment assigned by your ISP
Probing settings - Used to detect which links are active and to measure the speed of each link
Note: When adding IP addresses for probing, it is recommended to use an external server rather than the ISP router address. The ISP router is not a reliable indicator: during an outage you can often still ping your ISP router while having no Internet connectivity, so the link would be reported up even though it is useless.
Input speed - The incoming (download) bandwidth of this ISP
Output speed - The outgoing (upload) bandwidth of this ISP
Note: Entering the speeds is mandatory if you want to configure QoS/load balancing.
Click OK, then repeat these steps to create another NetLink for ISP B.
Below is an example of a complete NetLink configuration.
Step 3: Creating Outbound Multi-Link
Select Outbound Multi-Link.
Add the NetLink created for each ISP.
From the NetLink Member window, provide the IP range that Multi-Link may use. The window above shows that I want only a single IP address to be used by my firewall. Leave QoS blank for now and click OK.
Step 4: Creating NAT Rule
With this rule, any outgoing connection can use either of the two ISP connections; the source is translated to the external address of whichever NetLink is chosen.
Step 5: Test Configuration
Start browsing and view the logs from the SMC. You will notice that the outgoing traffic is being NATed to different external IPs of the firewall, one per NetLink. And that's it! You now have Multi-Link enabled for outbound traffic.
I will update this post again to show how I configured NGFW to solve the following scenarios. Should you have a request for a certain scenario, do leave a comment. :-)
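Step 5 verifies the setup by eye in the SMC log viewer. The script below is an added example (not code from the original post and not McAfee code) that does the same check over an exported log: it confirms that connections are being NATed through both NetLinks in roughly the proportion their configured output speeds imply, and flags a NetLink that carries no traffic at all, which is what you would see if ISP B were down, failing its probes or missing from the Multi-Link members. The CSV-like log layout, the external NAT addresses (documentation ranges) and the assumption that connections are spread in proportion to output speed are all mine; real SMC exports have different columns, so adapt parse_line() to what you export.

```python
"""Check that outbound Multi-Link is really spreading connections across ISPs.

Added example for this post; it is not code from the original page or from
McAfee/Stonesoft. The log layout below is a constructed, simplified export
(timestamp,src,dst,nat_src); real SMC log exports have more columns, so
adapt parse_line() to the columns you actually export.
"""
from collections import Counter
from dataclasses import dataclass


@dataclass(frozen=True)
class NetLink:
    name: str
    nat_ip: str        # assumed: the external IP this NetLink NATs outbound traffic to
    output_kbps: int   # the NetLink's configured Output speed


# Mirrors the lab in the post: ISP A 50 kbps up, ISP B 100 kbps up.
# Addresses are documentation ranges (assumed), not the post's real IPs.
NETLINKS = [
    NetLink("ISP A", "198.51.100.2", 50),
    NetLink("ISP B", "203.0.113.2", 100),
]

# Constructed sample log lines: 3 connections out of ISP A, 6 out of ISP B,
# which is the 1:2 split the configured output speeds call for.
BALANCED_LOGS = """\
2015-03-01T10:00:01,10.0.0.5,93.184.216.34,198.51.100.2
2015-03-01T10:00:02,10.0.0.6,93.184.216.34,203.0.113.2
2015-03-01T10:00:03,10.0.0.7,93.184.216.34,203.0.113.2
2015-03-01T10:00:04,10.0.0.5,93.184.216.34,198.51.100.2
2015-03-01T10:00:05,10.0.0.8,93.184.216.34,203.0.113.2
2015-03-01T10:00:06,10.0.0.9,93.184.216.34,203.0.113.2
2015-03-01T10:00:07,10.0.0.5,93.184.216.34,198.51.100.2
2015-03-01T10:00:08,10.0.0.6,93.184.216.34,203.0.113.2
2015-03-01T10:00:09,10.0.0.7,93.184.216.34,203.0.113.2
"""

# Constructed: every connection leaves via ISP A, what you would see if the
# ISP B NetLink is down, failing its probes, or not a Multi-Link member.
ISP_B_DOWN_LOGS = """\
2015-03-01T11:00:01,10.0.0.5,93.184.216.34,198.51.100.2
2015-03-01T11:00:02,10.0.0.6,93.184.216.34,198.51.100.2
2015-03-01T11:00:03,10.0.0.7,93.184.216.34,198.51.100.2
"""


def parse_line(line):
    """Split one exported log line into its fields (assumed 4-column layout)."""
    ts, src, dst, nat_src = line.strip().split(",")
    return {"ts": ts, "src": src, "dst": dst, "nat_src": nat_src}


def expected_shares(netlinks):
    """Share of outbound connections each NetLink should get, weighted by its
    Output speed (assumption: the balancing follows the configured speeds)."""
    total = sum(n.output_kbps for n in netlinks)
    return {n.nat_ip: n.output_kbps / total for n in netlinks}


def observed_counts(log_text):
    """Count connections per NAT source IP in the exported log lines."""
    return Counter(parse_line(l)["nat_src"] for l in log_text.splitlines() if l.strip())


def check_balance(netlinks, log_text, tolerance=0.15):
    """Return (name, problem) pairs; an empty list means every NetLink carries
    traffic and the split matches the configured speeds within `tolerance`."""
    expected = expected_shares(netlinks)
    counts = observed_counts(log_text)
    total = sum(counts.values())
    findings = []
    for n in netlinks:
        seen = counts.get(n.nat_ip, 0)
        if seen == 0:
            findings.append((n.name, "no_traffic"))   # link down or not a member
            continue
        share = seen / total
        if abs(share - expected[n.nat_ip]) > tolerance:
            findings.append((n.name, "skewed"))
    # Connections NATed to an address that belongs to no NetLink point at a
    # NAT rule or Multi-Link member range that does not match the NetLinks.
    for ip in sorted(set(counts) - {n.nat_ip for n in netlinks}):
        findings.append((ip, "unknown_nat_ip"))
    return findings


if __name__ == "__main__":
    print("balanced:", check_balance(NETLINKS, BALANCED_LOGS) or "OK")
    print("ISP B down:", check_balance(NETLINKS, ISP_B_DOWN_LOGS))
```

Run it as-is to see the two cases; to check your own firewall, export the connection log from the SMC with the NAT source column, point `log_text` at it and put your real NetLink external addresses and speeds into `NETLINKS`. The tolerance is loose on purpose: per-connection balancing only approaches the speed ratio over many connections.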
Update 1:
I combined Scenario A and B to this single post: Advance Setting for McAfee NGFW Multi-Link
Hello, I am having trouble bringing up ISP B, can you help me? I attempted to go through the SGINFO logs but it does not show me any log related to a multilink failure. :/
Hi mate, have you tried ISP B before making it part of the Multi-Link?
Hello,
How can I contact you? I cannot find any contact page or email and I would like to speak with you.
Thank you
You can reach me at culman6[at]gmail[dot]com
Cheers!