MWG Load balancing

Hi,

 

I need some help. I have 2 physical appliances and I want to configure them in Proxy HA clustering. I already configured Proxy HA, but no load balancing between them happens. When I turn off the director Proxy HA in one appliance, the load passes to the other appliance (backup); but when I turn it on again, the load passes to the director, and no load balancing between the 2 appliances happens. Does anyone know which configuration I need to do?

 

Thanks

Accepted Solutions
aloksard
Employee
Message 2 of 2

Re: MWG Load balancing

Hi,

What is your current MWG version?

 

Please refer to the link below for Proxy HA configuration:

 

https://community.mcafee.com/t5/Documents/Web-Gateway-Understanding-Proxy-HA/ta-p/553435

 

Load Balancing

The Director node is receiving traffic from the clients and redirects it to scanning nodes on the kernel level using a built-in load sharing algorithm which takes into account resource usage and active number of connections. So if one scanning node is overloaded, the other will get more traffic to compensate. Generally load balancing is source-IP sticky, meaning the same client should reach the same scanning node. Normally, the active director is also an active scanning node.

 

Reasons why one box is getting all the traffic:

  • No “Port redirects” configured on the director node. If there is no port redirect the network driver on the director node will not redirect the traffic, but handle it locally.
  • All traffic is coming from the same source IP because there is a downstream proxy or a NATing device in place. Proxy HA load balancing is source IP sticky.
  • The director does not know about other scanning nodes. You will need to review the HA configuration – use mfend; perhaps they are on different subnets?

 

 

Please check the output of the commands below:

 

1) mfend-lb -s (This command is used to see the current HA status.)

 

2) mwg-mon -v -c

 

mwg-mon

    • A health-check process that monitors the Proxy HA redirect ports you defined to ensure that they are available to accept incoming traffic.
    • If a redirect port is not listening, then mwg-mon detects this as a failure and load balancing will cease.
    • Monitors all of the port redirects as a whole and not individually.

 

Regards

Alok Sarda
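
An added illustration, not part of the original post and not MWG code, of why source-IP stickiness puts all traffic on one node when clients arrive through a NAT device or downstream proxy. The hash in `sticky_node` only models "same source IP, same node" and is not MWG's kernel algorithm; the node names and IP addresses are constructed.

```python
import hashlib
from collections import Counter

NODES = ["director", "scanner-2"]  # hypothetical node names


def sticky_node(src_ip, nodes=NODES):
    """Map a source IP to one node, always the same one for the same IP.

    Stand-in for stickiness only. The real director also weighs resource
    usage and active connections, which this model ignores.
    """
    digest = hashlib.sha256(src_ip.encode()).digest()
    return nodes[digest[0] % len(nodes)]


def node_shares(src_ips, nodes=NODES):
    """Fraction of connections each node receives for the observed sources."""
    counts = Counter(sticky_node(ip, nodes) for ip in src_ips)
    return {n: counts.get(n, 0) / len(src_ips) for n in nodes}


def top_source_share(src_ips):
    """Return (busiest source IP, its fraction of all connections)."""
    ip, hits = Counter(src_ips).most_common(1)[0]
    return ip, hits / len(src_ips)


def single_source_suspected(src_ips, threshold=0.9):
    """True when one source IP dominates, as a NAT or downstream proxy would."""
    return top_source_share(src_ips)[1] >= threshold


# Constructed samples: 1000 connections from 1000 distinct clients,
# and 1000 connections that all arrive from one NAT address.
DIRECT_CLIENTS = [f"10.1.{i // 250}.{i % 250 + 1}" for i in range(1000)]
BEHIND_NAT = ["192.0.2.10"] * 1000

if __name__ == "__main__":
    for label, sample in (("direct", DIRECT_CLIENTS), ("NAT", BEHIND_NAT)):
        print(label, node_shares(sample), top_source_share(sample),
              "single source suspected:", single_source_suspected(sample))
```

Feeding the functions the client addresses taken from your own access logs shows whether the director sees many sources or effectively one.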
