Create Access rules for inbound load balancing

You can apply Server Pool load balancing to the firewall configuration by adding the Server Pool to an IPv4 Access rule in the Firewall Policy.

When the rule matches traffic, the Server Pool uses NAT to change the destination IP address to the IP address of the server that the firewall selects for the connection. Reverse NAT (for the replies the server sends back to the client) is handled automatically. No separate NAT rule is required.

The IPv4 Access rules specify which traffic is directed to the Server Pool.

Note the following:
  • The Server Pool does automatic NAT from the external addresses you configured in the Server Pool element to the addresses of the included servers. Make sure that there are no overlapping NAT rules in the policy. You can add a NAT rule that disables further NAT for matching connections (empty NAT cell), if necessary.
  • If you want to balance traffic that arrives through a VPN using a Server Pool, NAT must be enabled in the properties of the VPN element (NAT is disabled by default for traffic that uses a VPN).
  • You must create a separate rule for each Server Pool.
  • If the same Server Pool provides more than one service, you must create a separate rule for each Service.
  • You must enable Connection Tracking for the rule that directs traffic to the Server Pool. The Server Pool uses NAT, which does not work without Connection Tracking.

  For more details about the product and how to configure features, click Help or press F1.


  1. Open the Firewall Policy for editing and add an IPv4 Access rule.
  2. Configure the rule to match the Source, Destination, and Service of the traffic you want to direct to the Server Pool.
    Note: Each rule must contain only one Service.
  3. Set the Action to Allow and enable Connection Tracking in the Action Options.
    The following example rules direct traffic from outside networks to the HTTP Server Pool and to the HTTPS Server Pool.
    Source Destination Service Action
    NOT internal Expression HTTP Server Pool HTTP Allow Connection tracking: normal
    NOT internal Expression HTTPS Server Pool HTTPS Allow Connection tracking: normal
  4. If you are using static DNS entries, save and Install the Firewall Policy to transfer the changes.