Advanced Session Distribution Algorithms for Destination NAT

When a destination NAT address is a dynamic IP address that returns more than one address, select the method the firewall uses to distribute incoming NAT sessions among the addresses.
In a destination NAT policy rule, when the destination address type is Dynamic IP (with session distribution) (which supports IPv4 addresses only), the translated address can be an address group or address object that uses an IP netmask, IP range, or FQDN, any of which can return multiple addresses from DNS. The firewall distributes incoming NAT sessions among the multiple addresses based on the Round-Robin method or one of several new methods: Source IP Hash, IP Modulo, IP Hash, and Least Sessions.
  1. Create an address object.
    1. Select Objects > Addresses and Add an address object by Name.
    2. For Type, select one of the following and enter the required information:
      • IP Netmask—Enter an IPv4 address, optionally followed by a slash and prefix length.
      • IP Range—Enter two IPv4 addresses separated by a hyphen (-).
      • FQDN—Enter the FQDN.
    3. Click OK.
    1. On the Translated Packet tab, in the Destination Address Translation section, select Dynamic IP (with session distribution) as the Translation Type.
    2. For Translated Address, select the address object you configured.
    3. In case the dynamically assigned translated address resolves to more than one address, select the Session Distribution Method the firewall uses to distribute new NAT sessions among those addresses:
      • Round Robin—(default) Assigns new sessions to IP addresses in rotating order. Unless you have a reason to change the distribution method, Round Robin distribution is likely suitable.
      • Source IP Hash—Assigns new sessions based on a hash of the source IP address. If you have traffic coming from a single source IP address, then select a method other than Source IP Hash.
      • IP Modulo—The firewall takes the source and destination IP addresses from the incoming packet and performs an XOR operation and a modulo operation; the result determines which IP address the firewall assigns new sessions to.
      • IP Hash—Assigns new sessions based on a hash of the source and destination IP addresses.
      • Least Sessions—Assigns new sessions to the IP address with the fewest concurrent sessions. If you have many short-lived sessions, Least Sessions will provide you with a more balanced distribution of sessions.
    4. Click OK.
  2. Commit your changes.
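
The following Python model of the five session distribution methods is an added illustration, not code from the original page and not the firewall's implementation. The pool addresses, the sample sessions, the SHA-256 stand-in hash, the exact XOR-then-modulo form, and the tie-breaking rule are all assumptions.

```python
import hashlib
import ipaddress

# Constructed sample values (documentation ranges); not from the original page.
POOL = ["192.0.2.10", "192.0.2.11", "192.0.2.12"]   # addresses the object resolves to
PUBLIC_DST = "203.0.113.5"                          # pre-NAT destination
ONE_SOURCE = [("198.51.100.7", PUBLIC_DST, True)] * 9
MIXED = [(f"198.51.100.{i}", PUBLIC_DST, i % 3 == 0) for i in range(9)]

def _ip(addr):
    return int(ipaddress.IPv4Address(addr))

def _hash(*addrs):
    # Stand-in hash (assumption): the page does not name the firewall's hash function.
    raw = b"".join(_ip(a).to_bytes(4, "big") for a in addrs)
    return int.from_bytes(hashlib.sha256(raw).digest()[:8], "big")

def distribute(method, sessions, pool=POOL):
    """sessions: (src, dst, stays_open) tuples in arrival order.
    Returns (assigned, active): total and still-open session counts per address."""
    assigned = {p: 0 for p in pool}
    active = {p: 0 for p in pool}
    for i, (src, dst, stays_open) in enumerate(sessions):
        if method == "round-robin":
            target = pool[i % len(pool)]
        elif method == "source-ip-hash":
            target = pool[_hash(src) % len(pool)]
        elif method == "ip-modulo":
            # Assumed form of the XOR-then-modulo step described above.
            target = pool[(_ip(src) ^ _ip(dst)) % len(pool)]
        elif method == "ip-hash":
            target = pool[_hash(src, dst) % len(pool)]
        elif method == "least-sessions":
            target = min(pool, key=active.get)  # ties go to the first address
        else:
            raise ValueError(f"unknown method: {method}")
        assigned[target] += 1
        if stays_open:
            active[target] += 1
    return assigned, active

if __name__ == "__main__":
    for m in ("round-robin", "source-ip-hash", "ip-modulo", "ip-hash", "least-sessions"):
        print(f"{m:15} one source: {distribute(m, ONE_SOURCE)[0]}")
        print(f"{m:15} mixed open: {distribute(m, MIXED)[1]}")
```

With the constructed single-source input, Source IP Hash assigns all nine sessions to one address while Round Robin and Least Sessions split them 3/3/3; in this model IP Modulo and IP Hash do the same when the destination is also fixed. With the mixed input, Round Robin happens to stack all three long-lived sessions on one address, whereas Least Sessions leaves one open session on each.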
