Technical data

Configuring FWLB for NAT Firewalls
May 31, 2012 © 2012 Brocade Communications Systems, Inc. 7 - 17
ServerIron-A(config-rs-fw4NAT)# exit
The following commands configure the firewall group. The server fw-group 2 command changes the focus of the
CLI to firewall group 2.
The sym-priority command specifies the priority of this ServerIron with respect to the other ServerIron for the
firewalls in the firewall group. The priority can be from 0 – 255. The ServerIron with the higher priority is the default
active ServerIron for the firewalls within the group.
NOTE: If you specify 0, the CLI removes the priority. When you save the configuration to the startup-config file,
the sym-priority command is removed. Use this method to remove the priority. You cannot remove the priority
using the no sym-priority command.
The fw-name <firewall-name> command adds the firewalls to the firewall group. Notice that the firewall entries for
the hidden NAT addresses are not added.
SI-ActiveA(config)# server fw-group 2
SI-ActiveA(config-tc-2)# sym-priority 255
SI-ActiveA(config-tc-2)# fw-name fw1
SI-ActiveA(config-tc-2)# fw-name fw2
The fwall-info commands add the paths between this ServerIron and the other ServerIrons through the firewalls.
The paths enhance performance by ensuring that a given traffic flow (source and destination IP addresses) always
travels through the same firewall. In configurations that use asynchronous firewalls, the paths enhance
performance by eliminating excess authentications. In this configuration, each ServerIron has two paths to each of
the two firewalls. The fifth path goes to the router.
The paths are required, even if the firewalls are synchronized.
The first parameter with each command is a path ID. The second parameter is the port number of the ServerIron
port that connects the ServerIron to the firewall in the path.
The third parameter is the IP address of the ServerIron at the other end of the path or, for paths to routers, the IP
address of the router’s interface with the ServerIron. Note that each ServerIron has a path to each of the
ServerIrons in the other pair, but does not have a path to its own standby pair.
The fourth parameter is the IP address of the firewall or router interface with this ServerIron. Notice that the
ServerIron has two paths for each firewall. One of the paths goes to the active ServerIron in the other pair. The
other path goes to the standby ServerIron in the pair. In the case of the path to the router, the third and fourth
parameters have the same value.
SI-ActiveA(config-tc-2)# fwall-info 1 1 3.3.3.20 192.168.1.2
SI-ActiveA(config-tc-2)# fwall-info 2 2 3.3.3.20 192.168.1.3
SI-ActiveA(config-tc-2)# fwall-info 3 1 4.4.4.20 192.168.1.2
SI-ActiveA(config-tc-2)# fwall-info 4 2 4.4.4.20 192.168.1.3
SI-ActiveA(config-tc-2)# fwall-info 5 8 192.168.1.1 192.168.1.1
SI-ActiveA(config-tc-2)# exit
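An added example, not part of the Brocade document: a small lint for the firewall-group commands above. It parses the sym-priority, fw-name and fwall-info lines and checks the rules this section states (priority within 0 to 255, a router path carrying the same IP in parameters three and four, and every firewall interface reached by exactly two paths, one to the active and one to the standby ServerIron of the other pair). The sample configuration is the page's own commands with the CLI prompts stripped.

```python
import ipaddress
from collections import defaultdict
# Constructed sample: the firewall-group commands from this page with the CLI prompts stripped.
SAMPLE_CONFIG = """
sym-priority 255
fw-name fw1
fw-name fw2
fwall-info 1 1 3.3.3.20 192.168.1.2
fwall-info 2 2 3.3.3.20 192.168.1.3
fwall-info 3 1 4.4.4.20 192.168.1.2
fwall-info 4 2 4.4.4.20 192.168.1.3
fwall-info 5 8 192.168.1.1 192.168.1.1
"""

def parse_fw_group(text):
    """Collect the sym-priority, fw-name and fwall-info entries of one firewall group."""
    group = {"priority": None, "fw_names": [], "paths": []}
    for parts in (line.split() for line in text.splitlines() if line.strip()):
        if parts[0] == "sym-priority":
            group["priority"] = int(parts[1])
        elif parts[0] == "fw-name":
            group["fw_names"].append(parts[1])
        elif parts[0] == "fwall-info":  # <path-id> <port> <far-end ServerIron/router IP> <near interface IP>
            group["paths"].append((int(parts[1]), int(parts[2]),
                                   ipaddress.ip_address(parts[3]), ipaddress.ip_address(parts[4])))
    return group

def check_fw_group(group):
    """Return the rule violations found; an empty list means the group is consistent."""
    findings = []
    prio = group["priority"]
    if prio is None or not 0 <= prio <= 255:
        findings.append("sym-priority missing or outside 0-255")
    elif prio == 0:
        findings.append("sym-priority 0 removes the priority and is dropped on write memory")
    # A router path repeats the same IP in parameters three and four; every other path is a
    # firewall path, keyed by the firewall interface facing this ServerIron.
    peers = defaultdict(set)
    for _, _, far_end, near_if in group["paths"]:
        if far_end != near_if:
            peers[near_if].add(far_end)
    if len(peers) != len(group["fw_names"]):
        findings.append(f"{len(peers)} firewall interface(s) with paths but {len(group['fw_names'])} fw-name entries")
    for fw_if, far in peers.items():
        if len(far) != 2:  # one path to the active and one to the standby ServerIron of the other pair
            findings.append(f"firewall {fw_if} reaches {len(far)} remote ServerIron(s), expected 2")
    if len({frozenset(far) for far in peers.values()}) > 1:
        findings.append("firewall paths do not all reach the same remote ServerIron pair")
    return findings
```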
The commands below add static entries to the ServerIron’s MAC table for the firewall interfaces. The high-priority
and router-type parameters are required for FWLB.
SI-ActiveA(config)# vlan 1
SI-ActiveA(config-vlan-1)# static-mac-address abcd.4321.2498 ethernet 1 high-priority router-type
SI-ActiveA(config-vlan-1)# static-mac-address abcd.4321.a53c ethernet 2 high-priority router-type
SI-ActiveA(config-vlan-1)# exit
NOTE: If you enter the command at the global CONFIG level, the static MAC entry applies to the default port-based
VLAN (VLAN 1). If you enter the command at the configuration level for a specific port-based VLAN, the entry
applies to that VLAN and not to the default VLAN.
The commands below globally enable firewall balancing. The “0” parameter is required and enables the ServerIron
to provide FWLB for all packets of the specified type (TCP or UDP). The write memory command saves the
configuration changes made by all these commands to the ServerIron’s startup-config file.