Timothy_Hall
Champion

Layer 4 Distribution - Yes or No?

So it would appear that Layer 4 Distribution is enabled by default, but the overall consensus seems to be to disable it unless you need it. Is that still true in R81.10, or is that an outdated recommendation? The issues that led to that recommendation seemed to involve messing up the availability of SGM-offered web portals like UserCheck and the Captive Portal/Identity Awareness. Looks like at one point L4 would mishandle fragmented traffic, but that got fixed recently.

Assuming this recommendation to disable L4 unless needed still holds true, would these scenarios be an accurate and complete representation of why you would need L4 in R81.10:

• There is a small number of diverse source and destination IP addresses traversing the Security Group, but there is a large number of source ports in use by protocols such as HTTP, HTTPS, and possibly DNS. This results in the Security Group's load becoming heavily unbalanced between the SGMs.

• The Security Group is NATting a very high percentage of the traffic passing through it, which is typical of a perimeter gateway but not of a gateway inside the internal network or located in a Data Center.

Thanks!

New 2021 IPS/AV/ABOT Immersion Self-Guided Video Series
now available at http://www.maxpowerfirewalls.com
RickLin
Advisor

Interesting topic. I also would like to know what the recommended setting is (enable or disable), and whether R&D will try to change the mechanism in the roadmap.

Lari_Luoma
Employee

Hi Tim,

The current recommendation is to keep L4 distribution disabled unless there is a specific reason to enable it. The first scenario you mentioned is usually the case in which you should consider enabling it. In a network with a diverse IP-address space, L4 distribution doesn't give much benefit anyway.

In the second scenario the question is about the distribution mode. In a perimeter environment you should use auto-topology (the default), and on an internal gateway, general mode.

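An added illustration of the first scenario in the question and of Lari's point that L4 distribution adds little in a diverse address space; this is constructed example code, not from the thread and not Check Point's actual Security Group algorithm. It assumes a simplified model in which a flow is pinned to an SGM by hashing either the IP pair (L4 distribution off) or the full 5-tuple (L4 distribution on), and constructs two synthetic HTTPS traffic mixes.

```python
import hashlib
import random
import struct
from collections import Counter

# Assumption: a flow lands on the SGM selected by hash(key) mod SGM count.
# The key is the IP pair when L4 distribution is off, the 5-tuple when it is on.
SGM_COUNT = 4

def pick_sgm(flow, sgm_count, use_l4):
    src, dst, sport, dport, proto = flow
    key = (src, dst, sport, dport, proto) if use_l4 else (src, dst)
    digest = hashlib.sha256(struct.pack(">%dI" % len(key), *key)).digest()
    return int.from_bytes(digest[:4], "big") % sgm_count

def distribute(flows, sgm_count=SGM_COUNT, use_l4=False):
    """Return the number of flows each SGM receives under the given setting."""
    counts = Counter(pick_sgm(f, sgm_count, use_l4) for f in flows)
    return [counts.get(i, 0) for i in range(sgm_count)]

def imbalance(counts):
    """Busiest SGM divided by the ideal even share (1.0 = perfectly balanced)."""
    ideal = sum(counts) / len(counts)
    return max(counts) / ideal

def make_flows(n_clients, n_servers, n_flows, seed=1):
    """Constructed HTTPS flows: n_clients talk to n_servers from random source ports."""
    rng = random.Random(seed)
    clients = [0x0A000001 + i for i in range(n_clients)]   # 10.0.0.0/8 addresses
    servers = [0xC0A80001 + i for i in range(n_servers)]   # 192.168.0.0/16 addresses
    return [(rng.choice(clients), rng.choice(servers),
             rng.randint(1024, 65535), 443, 6) for _ in range(n_flows)]

# Scenario 1 from the question: two client IPs and one server, many source ports
# (e.g. a proxy or load balancer in front of the Security Group).
few_ips = make_flows(n_clients=2, n_servers=1, n_flows=10000)
# A diverse IP space, where the IP pair alone already spreads the load.
many_ips = make_flows(n_clients=2000, n_servers=200, n_flows=10000)

if __name__ == "__main__":
    for name, flows in (("few IPs", few_ips), ("many IPs", many_ips)):
        for use_l4 in (False, True):
            counts = distribute(flows, use_l4=use_l4)
            print(f"{name:8s} L4={'on ' if use_l4 else 'off'} per-SGM={counts} "
                  f"imbalance={imbalance(counts):.2f}")
```

With only two IP pairs, at most two of the four SGMs ever receive traffic unless L4 distribution is on; with thousands of distinct pairs, the IP-only hash is already close to even.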
Timothy_Hall
Champion

That's what I thought, thanks.  Just seems a little odd that L4 is enabled by default but the recommendation is to disable it.

Lari_Luoma
Employee

I agree, seems odd to me too. 🙂

the_rock
Champion

I think what @Lari_Luoma said makes perfect sense. If you think about it logically, really, even in a complex environment there is probably no need to enable this unless really necessary.
