NAT and the Correction Layer on a VSX Gateway
In a VSX Gateway, the guidelines in "NAT and the Correction Layer on a Security Gateway" apply to each Virtual System individually.
For best results, make sure that a specified Virtual System handles an entire session on the same Security Group Member.
When a Virtual Switch (junction) connects several Virtual Systems, the same session can be handled by one Virtual System on one Security Group Member, and by another Virtual System on a different Security Group Member.
When a packet reaches a Virtual System from a junction, the system VSX Stateless Correction Layer checks the distribution again according to the Distribution Mode configured on the WRP interface. It can decide to forward the packet to a different Security Group Member.
In addition, on each Virtual System, the stateful Correction Layer can forward session packets, similar to the Security Gateway.
All forwarding operations have a performance impact. Therefore, the Distribution Mode configuration should minimize forwarding operations.
To achieve optimal distribution between Security Group Members in a Security Group in VSX mode:
| NAT Rules | Guidelines |
|---|---|
| Not using NAT rules on any Virtual System | Set the Distribution Mode to General. |
| Using NAT rules on at least one Virtual System | |