Uplink Balancing
With the uplink balancing function you can combine more than one Internet uplink, either to have backup uplinks available or to load-balance traffic among multiple uplinks. Up to 32 different uplinks can be combined. Note that with a BasicGuard subscription, only two uplinks can be combined.
Uplink balancing is automatically enabled when you assign a default gateway to an interface in addition to an already existing interface with a default gateway. All interfaces possessing a default gateway are added to the Active Interfaces box, and uplink balancing then automatically balances traffic between those interfaces. Any further interface with a default gateway is added automatically, too.
On the Multipath Rules tab you can define specific rules for the traffic to be balanced.
To manually set up uplink balancing, proceed as follows:
- Enable uplink balancing.
Click the toggle switch.
The toggle switch turns amber and the Uplink Balancing area becomes editable.
- Select active interfaces.
Add one or more interfaces by clicking the Folder icon and dragging interfaces from the object list. With multiple interfaces, traffic coming from clients is balanced by source, i.e., all traffic coming from one source uses the same interface, whereas traffic from another source can be sent to another interface. If one of the interfaces is unavailable, traffic will be taken over by the remaining interface(s).
Note – Initially, when uplink balancing has been enabled automatically, the Active Interfaces list already contains all interfaces having a default gateway. If you remove an interface from the list, the Default gateway checkbox of the interface is automatically unselected. Thus, every interface having a default gateway has to be either in this list or in the Standby Interfaces box below. However, you can add interfaces without a default gateway and enter the default gateway address later on.
Note – The sequence of the interfaces is important: In configurations where only one interface can be used, and for packets sent from Sophos UTM on AWS itself, by default the first available active interface is used. You can change the interface sequence by clicking the Sort icons in the box.
Using the Edit Scheduler icon on the box header, you can set individual balancing behavior and interface persistence of the active interfaces:
Weight: The weight can be set from 0 to 100 and specifies how much traffic an interface processes relative to all other interfaces. A weighted round robin algorithm is used for this; a higher value means that more traffic is routed to the respective interface. The values are evaluated relative to each other, so they need not add up to 100. For example, in a configuration where interface 1 has the value 100, interface 2 the value 50 and interface 3 the value 0, interface 2 gets only half the traffic of interface 1, whereas interface 3 only comes into action when none of the other interfaces is available. A value of zero means that another interface with a higher value is always chosen if one is available.
Persistence: Interface persistence is a technique which ensures that traffic having specific attributes is always routed over the same uplink interface. Persistence has a default timeout of one hour.
- Select standby interfaces (optional).
Here, you can optionally add failover interfaces that should only come into action if all active interfaces become unavailable. In this case, the first available standby interface in the given order will be used. You can change the interface sequence by clicking the Sort icons in the box.
- Change monitoring settings (optional).
By default, Automatic monitoring is enabled to detect possible interface failures. This means that the health of all uplink interfaces is monitored by having them contact a specific host on the Internet at an interval of 15 seconds. By default, the monitoring host is the third ping-allowing hop on the route to one of the root DNS servers. However, you can define the hosts for monitoring the server pool yourself. For these hosts you can select another service instead of ping, and modify the monitoring interval and timeout.
If the monitoring hosts no longer respond, the respective interface is regarded as dead and is no longer used for distribution. On the Dashboard, Error is displayed in the Link column of the interface.
Note – The same monitoring settings are automatically used for both uplink monitoring (Uplink Monitoring > Advanced) and uplink balancing (Interfaces > Uplink Balancing).
- Click Apply.
Your settings will be saved.
The switch turns green.
A new virtual network interface named Uplink Interfaces is automatically created and now available for use by other functions of Sophos UTM on AWS, e.g. IPsec rules. The virtual network interface Uplink Interfaces comprises all uplink interfaces added to the interface list.
Additionally, a new network group named Uplink Primary Addresses is automatically created and now available for use by other functions of Sophos UTM on AWS, e.g. firewall rules. It refers to the primary addresses of all Uplink Interfaces.
In case of an interface failure, open VPN tunnels can be automatically re-established over the next available interface provided DynDNS is used or the remote server accepts the IP addresses of all uplink interfaces. As a prerequisite, the IPsec rule must use the Uplink Interfaces as Local interface.
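As an added illustration (not Sophos UTM code), the following Python model shows how the weight, persistence and standby rules from the steps above interact: weighted round robin over the live active interfaces, weight 0 as a last resort, standby interfaces in configured order only when every active interface is down, and per-source persistence with a timeout. Interface names, the `set_link`/`pick` API and the reading of persistence as an idle timeout are assumptions made for the example.

```python
import time


class UplinkBalancer:
    """Model of the uplink selection rules (added illustration, not product code)."""

    def __init__(self, active, standby=(), persistence=3600):
        self.active = list(active)      # [(name, weight 0..100), ...] in configured order
        self.standby = list(standby)    # [name, ...] in configured order
        self.persistence = persistence  # seconds; default one hour as on the page
        self.up = {n for n, _ in self.active} | set(self.standby)  # links assumed up
        self.table = {}                 # source -> (interface, last use) for persistence
        self.counter = 0                # shared round robin position

    def set_link(self, iface, is_up):
        """Mark an interface live or dead (what uplink monitoring would report)."""
        (self.up.add if is_up else self.up.discard)(iface)

    def _candidates(self):
        """Interfaces eligible right now, as (name, weight) pairs."""
        weighted = [(n, w) for n, w in self.active if n in self.up and w > 0]
        if weighted:
            return weighted
        # weight 0: only used when no interface with a higher weight is available
        zero = [(n, 1) for n, w in self.active if n in self.up]
        if zero:
            return zero
        # all active interfaces down: first available standby, in configured order
        for n in self.standby:
            if n in self.up:
                return [(n, 1)]
        return []

    def pick(self, source, now=None):
        """Choose the uplink for a source address; None if nothing is available."""
        now = time.time() if now is None else now
        entry = self.table.get(source)
        # persistence: keep the pinned interface while it is up and not timed out
        # (treated as an idle timeout here, which is an assumption of this model)
        if entry and entry[0] in self.up and now - entry[1] < self.persistence:
            self.table[source] = (entry[0], now)
            return entry[0]
        cands = self._candidates()
        if not cands:
            return None
        # weighted round robin: each interface appears 'weight' times in the cycle,
        # so weights 100/50 give interface 1 twice the new sources of interface 2
        cycle = [n for n, w in cands for _ in range(w)]
        iface = cycle[self.counter % len(cycle)]
        self.counter += 1
        self.table[source] = (iface, now)
        return iface
```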
Defining Monitoring Hosts
To define hosts for monitoring the server pool yourself, proceed as follows:
- Unselect the Automatic monitoring checkbox.
The Monitoring hosts box becomes editable.
- Add monitoring hosts.
Select or add one or more hosts that you want to use for monitoring instead of random hosts. If an interface is monitored by more than one host, it will only be regarded as dead if all monitoring hosts do not respond in the defined time span. For how to add a network definition, see Definitions & Users > Network Definitions > Network Definitions.
Note – If a selected host is bound to an interface, it will only be used to monitor this interface. If a host is not bound to an interface, it will be used to monitor all interfaces. Interfaces not covered by the selected hosts will be monitored by automatic monitoring.
Click the Monitoring Settings icon in the box header to set the monitoring details:
Monitoring type: Select the service protocol for the monitor checks: TCP (TCP connection establishment), UDP (UDP connection establishment), Ping (ICMP ping), HTTP Host (HTTP requests), or HTTPS Host (HTTPS requests). When using UDP, a ping request is sent first and, if it succeeds, is followed by a UDP packet with a payload of 0. If the ping does not succeed or an ICMP port unreachable message is returned, the connection is regarded as down.
Port (only with monitoring types TCP and UDP): Port number the request will be sent to.
URL (optional, only with monitoring types HTTP/S Host): URL to be requested. You can use other ports than the default ports 80 or 443 by adding the port information to the URL, e.g., http://example.domain:8080/index.html. If no URL is entered, the root directory will be requested.
Interval: Enter a time interval in seconds at which the hosts are checked.
Timeout: Enter a maximum time span in seconds for the monitoring hosts to send a response. If all monitoring hosts of an interface do not respond during this time, the interface will be regarded as dead.
- Click Apply.
Your settings will be saved.