Use Case: Deploy an NLB Using the VM-Series Firewall

In this example, the client is in a different zone from the rest of the resources.
Step 1:
The ingress routing table directs client-to-server traffic to the load balancers. Because the client is in a different zone, the traffic source for this routing table is the VPC Zone.
Step 2:
The load balancer sends the packets to one of the firewalls. Because the firewall DP subnets and the server subnet are in the same VPC, they can reach each other through their default gateways.
If the DP interface is configured for DHCP, no custom routing is needed on the firewall. If a static IP is configured on the DP interface, you must configure a default route on the firewall.
Step 3:
Attach an Interface Management profile that permits HTTP/HTTPS probes to the DP interface, so the load balancer's health checks can reach the firewall.
Step 4:
Configure the security policy to allow the ingress traffic.
Step 5:
For the return traffic (server to client), an egress routing table attached to the server subnet must direct traffic destined for the client to the load balancer. The load balancer forwards the packet to the same firewall that handled the forward direction, and that firewall forwards the packet to the client via its default gateway.
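The following PAN-OS configuration-mode commands are an added example of the firewall-side work in Steps 2 through 4; they are not from this page or from the vendor's documentation. The routing tables in Steps 1 and 5 are cloud-side objects and are not shown. Assumptions (all hypothetical): a single DP interface `ethernet1/1` in a zone named `dp` with static IP `10.10.1.10/24`, a DP subnet gateway of `10.10.1.1`, and a server at `10.10.2.20`. Lines beginning with `#` are annotations, not commands.

```text
configure

# Step 2: static IP on the DP interface, so a default route toward the subnet gateway is required.
# (If the interface were DHCP instead, the two routing lines below would be replaced by:
#  set network interface ethernet ethernet1/1 layer3 dhcp-client enable yes create-default-route yes)
set network interface ethernet ethernet1/1 layer3 ip 10.10.1.10/24
set zone dp network layer3 [ ethernet1/1 ]
set network virtual-router default interface ethernet1/1
set network virtual-router default routing-table ip static-route default-route destination 0.0.0.0/0 nexthop ip-address 10.10.1.1 interface ethernet1/1

# Step 3: management profile that permits only the load balancer's HTTP/HTTPS health probes,
# attached to the DP interface. Nothing else (SSH, ping, ...) is opened on the data-plane address.
set network profiles interface-management-profile allow-lb-probes http yes https yes
set network interface ethernet ethernet1/1 layer3 interface-management-profile allow-lb-probes

# Step 4: security policy permitting the ingress web traffic to the server and logging each session.
# With one DP interface, ingress and egress share the zone, so the rule is dp -> dp and is scoped
# to the server's address rather than relying on the broader intrazone-default rule.
set rulebase security rules allow-ingress-web from dp to dp source any destination 10.10.2.20 application [ web-browsing ssl ] service application-default action allow log-end yes

commit
```

Because the return traffic in Step 5 is delivered to the same firewall that built the session, it matches the existing session and needs no separate rule; if your design uses two DP interfaces in different zones, change the `from`/`to` zones of the rule to match.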
