Is any Proxy-Configuration required to have ECMP (Equal-Cost Multi-Path routing) working with the Firewall?



Article ID: 380032


Products

ISG Proxy

Issue/Introduction

Palo Alto firewalls are used in the customer environment, and the customer is about to enable ECMP (load balancing across 2 ISPs) on them. Is any configuration required on the Edge SWG to allow for this? The Edge SWG is deployed in explicit mode and uses a default route to send outbound traffic to the firewalls.

Environment

SG/ASG/ISG-Proxy

Resolution

Since the proxy is used in explicit mode and the outbound traffic is sent to the firewalls via a default route, the proxy should not require any additional configuration when you enable ECMP (Equal-Cost Multi-Path routing) on the Palo Alto firewalls.

Key Points to Consider:

  1. Proxy Behavior in Explicit Mode:

    • In explicit mode, the proxy is only responsible for forwarding client requests to the next hop, which in your case is the Palo Alto firewalls.
    • Since the traffic will be routed by the firewalls (and ECMP is configured at the firewall level), the load balancing decisions are handled entirely by the firewalls.
    • The proxy does not need to be aware of the load-balancing decisions happening at the firewall level, so no changes should be required on the proxy side.
  2. Default Route and Firewall ECMP:

    • The proxy forwards traffic based on its default route, and if that route points to the Palo Alto firewalls, the ECMP configuration on the firewalls will decide how to distribute traffic across the available ISP links.
    • Since the proxy is not making routing decisions, it will remain unaware of whether traffic is being balanced between multiple ISPs.
  3. Firewall Session Management:

    • Make sure that your firewalls handle session persistence properly across both ISPs, especially if you have SSL interception or any session-based traffic. The firewall should ensure that a single session uses the same ISP path.
    • If the firewalls use session persistence or hash-based load balancing (often based on source/destination IP pairs), this will ensure that individual sessions are not split between ISPs.
  4. Failover Scenarios:

    • If ECMP is also being used for redundancy (failover between ISPs), ensure that there are no long-lived sessions that might be interrupted if one of the ISP links fails.
    • From the proxy’s perspective, it will continue to send traffic to the firewalls via the default route, and the firewall will handle failover.
  5. Verify Routing on the Proxy:

Transparent for the Proxy:

Yes, the ECMP setup should be transparent to the proxy in explicit mode. No specific configuration changes are required on the proxy side.

Recommended Actions:

  • Test Failover Scenarios: Ensure that ECMP handles failover properly between ISPs without breaking ongoing proxy sessions.
  • Monitor Traffic Flow: After enabling ECMP, monitor your firewall traffic logs to ensure traffic from the proxy is being load-balanced as expected.
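The session-persistence check in point 3 and the "Monitor Traffic Flow" action above can be automated against a traffic-log export. The following is an added example, not part of this article or of any Broadcom or Palo Alto tooling: it assumes a constructed, simplified CSV layout (columns `src,sport,dst,dport,proto,egress_if`) standing in for a firewall traffic-log export, and a proxy address of 10.0.0.5; adapt the column names to the fields in your own export. It counts how many distinct proxy sessions left via each egress interface and flags any single session that was seen on more than one ISP path.

```python
# Added example: verify ECMP distribution and per-session path consistency
# for traffic originating from the explicit proxy, using firewall traffic-log
# lines. The CSV columns below are a constructed, simplified stand-in for a
# real firewall log export (assumption), not the vendor's field order.
import csv
import io
from collections import Counter, defaultdict

PROXY_IP = "10.0.0.5"  # assumed proxy address (constructed)

# Constructed sample log lines; destination addresses use RFC 5737 ranges.
SAMPLE_LOG = """\
src,sport,dst,dport,proto,egress_if
10.0.0.5,40001,203.0.113.10,443,tcp,ethernet1/1
10.0.0.5,40001,203.0.113.10,443,tcp,ethernet1/1
10.0.0.5,40002,198.51.100.7,443,tcp,ethernet1/2
10.0.0.5,40003,203.0.113.10,443,tcp,ethernet1/2
10.0.0.5,40003,203.0.113.10,443,tcp,ethernet1/1
10.0.0.5,40004,198.51.100.9,80,tcp,ethernet1/1
"""


def analyze(log_text, proxy_ip=PROXY_IP):
    """Return (sessions per egress interface, sessions split across paths).

    A session is identified by its 5-tuple. Each session is counted once
    per egress interface it appeared on, so a healthy ECMP setup shows a
    roughly even split and an empty 'split' dictionary.
    """
    paths = defaultdict(set)
    for row in csv.DictReader(io.StringIO(log_text)):
        if row["src"] != proxy_ip:
            continue  # only traffic sourced from the proxy matters here
        key = (row["src"], row["sport"], row["dst"], row["dport"], row["proto"])
        paths[key].add(row["egress_if"])
    counts = Counter(iface for ifaces in paths.values() for iface in ifaces)
    split = {k: sorted(v) for k, v in paths.items() if len(v) > 1}
    return counts, split


if __name__ == "__main__":
    counts, split = analyze(SAMPLE_LOG)
    for iface, n in sorted(counts.items()):
        print(f"{iface}: {n} proxy session(s)")
    for sess, ifaces in split.items():
        print("WARNING: session", sess, "seen on", ifaces)
```

A session listed under WARNING indicates the firewall's path selection is not sticky per flow, which is exactly the condition point 3 warns about for SSL interception and other session-based traffic.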

If everything on the firewall side is properly configured, the proxy should not require any additional changes. Let me know if you need any further clarifications!