Getting started with inbound traffic management
Server Pool elements provide inbound traffic management for traffic to servers in the protected network.
A Server Pool is a built-in load balancer in the NGFW Engine that distributes incoming traffic between a group of servers. Server Pools primarily provide load balancing and high availability for two or more servers that offer the same service. You can also us Server Pools with Multi-Link to control which NetLink incoming traffic uses so that clients can access the Server Pool through multiple Internet connections.
Inbound traffic management can:
- load-balance incoming traffic between several servers to even out their workload
- monitor the status of each server so that the traffic is not directed to servers that are unavailable or overloaded
- send dynamic DNS (DDNS) updates to a DNS server to prevent incoming traffic from attempting to use a non-functioning NetLink in a Multi-Link configuration.
Clients make their incoming connections to the external addresses of the Server Pool. The NGFW Engine decides which server handles the connection and uses NAT to translate the public IP addresses to the private IP address of that server.
The Firewall uses the internal IP address of each member of the Server Pool to select which server handles which traffic that arrives at the Server Pool’s external address. When you define a Host element, you enter the IP address that the firewall uses to contact the server.
The server load is distributed to the Server Pool members based on each server’s availability. The server availability can be monitored by periodically sending ICMP echo requests (ping) or by periodically sending TCP strings to check that the expected response is returned. You can also use Server Pool Monitoring Agents installed on each server for advanced monitoring of server availability and status.
If the server availability monitoring reports a server failure, the server is removed from the Server Pool and the connections are distributed to the remaining servers. When a server is removed from the Server Pool, traffic from existing connections might still be sent to the server, but new connections are not sent to the failed server. When a previously unavailable server comes back online, existing connections are not redistributed, but some of the new connections that are opened are again directed to the server that rejoins the pool.
Inbound traffic management has the following limitations:
- DDNS updates have no access control, so the communications must be secured in other ways.
- Only IPv4 addresses are supported for DNS servers for DDNS updates.
- Standby servers cannot be defined for a Server Pool. Only load balancing between the servers in the Server Pool is supported.
- Only TCP and UDP protocols are supported for Server Pools.
- Server Pool Monitoring Agents only support IPv4 addresses.