Https sticky sessions

  • Https sticky sessions

    When load-balancing across two WAN links the traffic from a client to a server changes source IP (as seen by the server). For some webmail sites or banking sites the users get rejected because of this. Other firewalls have the option for sticky https sessions, meaning that the https session from one host behind the firewall is always being routed through the same WAN gateway.
    A workaround I now use is to divide the subnet into smaller segments and route the https traffic per segment through a fixed gateway, but I'd rather have the GB-ware do this by itself.
    Is it possible to add such a function? Or is it there and am I just looking over it?

  • #2
    Hello arjanbovee,

    This is currently known behavior of Gateway Sharing and you have already demonstrated the only workaround. Gateway Sharing uses a round robin algorithm to forward packets out of the configured gateways. This round robin algorithm is session/connection based rather than IP address based. Since many sites require that a browser make multiple outbound connections in order to load a web page, these connections, with Gateway Sharing enabled, will be NATed to different public IP addresses and be denied by web sites with a more secure focus.

    There is currently a feature request in our system for several improvements to Gateway Sharing. Your comments have been added to this feature request.


    • #3
      Hello arjanbovee,

      Thank you for your feedback.

      I have discussed your comments with our development team and they are discussing the possibility of an IP based gateway sharing instead of session based, as it stands now.

      As was stated previously, currently your workaround of using a policy based route is the best option for your situation.

      Thanks again for your feedback and please feel free to suggest any other options you feel would be useful in the GB-OS environment.


      • #4
        From the release notes in 6.2.01 there is an enhancement for gateway sharing:

        2.1.2 Added logic to make a host using gateway sharing to always use same gateway.


        • #5
          Yes, GB-OS 6.2.01 includes host based logic to always force a particular host out the same gateway. The round robin logic is still applied, however per host and not per connection.
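
The difference between the per-connection round robin described in #2 and the per-host round robin described in #5, as an added simulation that is not part of the thread and is not GB-OS code. The class names, addresses and connection list are constructed for illustration, and the pinning table never expires here, which is an assumption.

```python
from itertools import cycle

# Constructed NAT addresses of the two WAN gateways (documentation ranges).
GATEWAYS = ["198.51.100.1", "203.0.113.1"]

# Constructed sample: interleaved outbound HTTPS connections from two LAN
# hosts, each opening several connections to load a single page.
CONNECTIONS = ["10.0.0.5", "10.0.0.5", "10.0.0.9",
               "10.0.0.5", "10.0.0.9", "10.0.0.9"]


class PerConnectionRR:
    """Round robin per connection: every new connection takes the next gateway."""

    def __init__(self, gateways):
        self._next = cycle(gateways)

    def pick(self, host):
        return next(self._next)


class PerHostRR:
    """Round robin per host: the first connection from a host takes the next
    gateway, and later connections from that host reuse it."""

    def __init__(self, gateways):
        self._next = cycle(gateways)
        self._pinned = {}  # host -> gateway; no expiry in this sketch

    def pick(self, host):
        if host not in self._pinned:
            self._pinned[host] = next(self._next)
        return self._pinned[host]


def source_ips_seen(balancer, connections):
    """Map each LAN host to the set of public source IPs a remote site sees."""
    seen = {}
    for host in connections:
        seen.setdefault(host, set()).add(balancer.pick(host))
    return seen


def hosts_with_changing_ip(seen):
    """Hosts whose session would appear to come from more than one address."""
    return sorted(h for h, ips in seen.items() if len(ips) > 1)


if __name__ == "__main__":
    for cls in (PerConnectionRR, PerHostRR):
        seen = source_ips_seen(cls(GATEWAYS), CONNECTIONS)
        print(cls.__name__, seen, "changing:", hosts_with_changing_ip(seen))
```

Per host, both gateways are still used, but the balancing granularity drops from connections to hosts, so a single busy host stays on one link.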


          • #6
            If you have two different EXTERNAL (WAN) speeds (for example GW1=100Mbps and GW2=500Mbps) then it is nice to give a load balance distribution (Example: 20% GW1, 80% GW2)


            • #7
              This can already be accomplished using Outbound Security Policies and Traffic Shaping. Simply configure Traffic Shaping Objects within [Configure -> Network -> Traffic Shaping] and apply the object to any Outbound Security Policy.


              • #8
                I'm aware of traffic shaping outbound security policies, but can you explain how to configure a weighted distribution on the load balancer instead of simple round robin?


                • #9
                  GB-OS does not include a weighted distribution (only round robin algorithm is currently possible) with regards to gateway sharing. A feature request for more granular gateway sharing configuration options will be submitted to our development team. Thank you for your feedback and suggestions to improve GB-OS.