Monday, April 25, 2016

Time to refresh

It has been almost 2 years since my last update here. I am now back and will start with new and interesting topics. If any of you have questions or topics you want me to discuss, please comment below and I shall see what I can do. ;-)

My area of interest right now is how to design an "adaptive" security infrastructure in line with today's dynamic business requirements.

Friday, June 27, 2014

McAfee Next Generation Firewall (Stonesoft): Load balancing and QoS using Multi-Link


Overview

McAfee Multi-Link is a very useful feature for organizations that need a reliable and scalable internet connection. It is reliable because it allows users to keep seamless internet connectivity during downtime of their primary ISP. It is scalable because an organization can easily add a new ISP alongside its existing ones without downtime.

The following videos show how to configure Multi-Link for various requirements.

Note: For the diagram, please refer to this post: http://nidofortified.blogspot.com/2014/06/configuring-mcafee-next-generation.html

Requirement 1: I want to make sure all High Priority traffic passes over the ISP with the larger bandwidth

In this video, I will show you how to use Multi-Link ratio mode with QoS.

I change my ISP A NetLink bandwidth information from 100kbps to 300kbps.
After the security engine refresh, notice that the NAT source IP changes.

Requirement 2: I want to use QoS on my firewall policy

If you want to make sure that a specific rule is routed over your most reliable or largest-pipe ISP,
first make sure that you have applied QoS to your rule.

After that, modify your Multi-Link to choose which ISP will handle your QoS class.
Refresh the security engine and verify it in your log viewer.


So that's it for now. If you have any questions, or have requirements you need to check whether NGFW can support, just leave a comment. :-)

Thursday, June 19, 2014

Configuring McAfee Next Generation Firewall (Stonesoft) Multi-Link Feature

Overview

Multi-Link is a unique feature of McAfee NGFW. It helps organizations reduce the cost of buying large bandwidth from a single ISP. This is done by combining multiple ISPs into a single route for all network traffic.
Aside from reducing cost, it also improves reliability for organizations that need 24/7 operations, since it is capable of switching automatically to the active/best ISP link.

Multi-Link also enables organizations to have augmented VPN, which again helps improve operations and reliability.

Last, but not least, Multi-Link can also be used for inbound traffic. For example, you can have multiple links/routes going to your web server to avoid service downtime for external users/customers.

For more info, visit McAfee NGFW site here: http://www.mcafee.com/us/products/network-security/next-generation-firewall-technologies/multi-link.aspx

Configuration

Configuring Multi-Link is very simple; typically you just need multiple ISP connections and some popcorn (yes, popcorn, for watching the logs as the traffic is load balanced by the NGFW by default :-) ).

For this tutorial, my environment has 2 ISPs. ISP A has 50kbps up and 100kbps down, while ISP B has 100kbps up and 200kbps down but has 1 extra hop before reaching the internet.


Now that you have an idea of my test environment, let's proceed to the configuration.

Step 1: Configure Physical Interface IP

Provide the IP address that will communicate with the external network.

Step 2: Configure NetLinks

Just like adding a normal static route, right-click on the interface network and choose New -> Static Netlink (as shown below).
Note: There are two types of NetLink, Static and Dynamic; what they do will be discussed in a separate tutorial.

A pop-up window will show for NetLink configuration.

Name - The unique name for this NetLink
Gateway - The next-hop IP address (usually your ISP router IP)
Network - The network segment given/assigned by your ISP
Probing settings - Used for identifying active links and measuring the speed of each link.
Note: When adding an IP address for probing, it is recommended to use the address of an external server instead of the ISP router address (the ISP router is not a reliable indicator: during an outage you can often still ping your ISP router yet have no internet connection).
Input speed - The incoming bandwidth of this ISP
Output speed - The outgoing bandwidth of this ISP
Note: Entering a speed is mandatory if you need to configure QoS/load balancing.

Click OK, then repeat the steps to create another NetLink for ISP B.
Below is an example of a complete NetLink configuration.

Step 3: Creating Outbound Multi-Link

Select Outbound Multi-Link.
Add the NetLink created for each ISP.
From the NetLink Member window, provide the IP range that can be used by Multi-Link. The above shows that I only want a single IP address to be used by my firewall. Leave QoS blank for now and click OK.

Step 4: Creating NAT Rule

This rule says that any outgoing connection will use either of the two ISP connections.

Step 5: Test Configuration

Start browsing and view the logs in the SMC. You will notice that the outgoing traffic is being NATed to different external IPs of the firewall.

And that's it! You now have Multi-Link enabled for Outbound traffic.
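To make the behaviour behind these steps concrete (probe-based failover, ratio-mode selection weighted by the configured NetLink speed, a QoS class pinned to one ISP, and the resulting NAT source IP seen in the logs), here is a small model in Python. It is an added example and not McAfee/Stonesoft code: the NetLink names, NAT IPs and speeds are constructed from this tutorial's ISP A / ISP B setup, and the smooth weighted round-robin it uses is an assumption standing in for the engine's real selection logic.

```python
from collections import Counter
from dataclasses import dataclass

@dataclass
class NetLink:
    """One ISP link with the NetLink fields from Step 2 that matter here."""
    name: str
    nat_ip: str           # address from the NetLink Member IP range
    speed_kbps: int       # configured speed; used as the ratio-mode weight
    probe_ok: bool = True # result of probing an external host
    credit: int = 0       # weighted round-robin bookkeeping (model detail)

class MultiLink:
    """Simplified outbound Multi-Link model (assumed, not the vendor's algorithm)."""

    def __init__(self, netlinks, qos_pins=None):
        self.netlinks = list(netlinks)
        self.qos_pins = qos_pins or {}  # e.g. {"High Priority": "ISP B"}

    def active(self):
        # A link whose probe fails leaves the rotation until it recovers.
        return [n for n in self.netlinks if n.probe_ok]

    def select(self, qos_class=None):
        """Choose the NetLink (hence the NAT source IP) for a new outbound flow."""
        links = self.active()
        if not links:
            raise RuntimeError("no active NetLink: every probe failed")
        pinned = self.qos_pins.get(qos_class)
        for n in links:
            if n.name == pinned:
                return n  # QoS class forced onto a specific ISP (Requirement 2)
        # Ratio mode via smooth weighted round-robin: each link gets a
        # share of new connections proportional to its configured speed.
        total = sum(n.speed_kbps for n in links)
        for n in links:
            n.credit += n.speed_kbps
        chosen = max(links, key=lambda n: n.credit)
        chosen.credit -= total
        return chosen

def nat_ip_distribution(ml, connections, qos_class=None):
    """Count which NAT source IP each of `connections` new flows would get."""
    return Counter(ml.select(qos_class).nat_ip for _ in range(connections))

if __name__ == "__main__":
    # Constructed values matching the tutorial's ISP A / ISP B download speeds.
    isp_a = NetLink("ISP A", "198.51.100.10", 100)
    isp_b = NetLink("ISP B", "203.0.113.10", 200)
    print(nat_ip_distribution(MultiLink([isp_a, isp_b]), 6))
```

Raising ISP A's speed to 300kbps, as done in the ratio-mode video above, tilts new connections toward ISP A, which is why the NAT source IP in the logs changes after the engine refresh.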

I will update this post again to show how I configured the NGFW to solve the following scenarios. Should you have a request for a certain scenario, do leave a comment. :-)

Scenario A: Apply Load Balancing
Scenario B: Restrict Specific Traffic to a Specific Link
Update 1:
I combined Scenarios A and B into this single post: Advance Setting for McAfee NGFW Multi-Link