Add Active or Backup Gateway for Load Balancing and Gateway Failover
Posted by Alejandro Sanado on 24 June 2010 02:04 PM
Today organizations require stable, redundant and fast ISP links to run business 
critical applications. To achieve constant and secure availability to the Internet
and to avoid network vulnerability, organizations prefer to have multiple ISP links. 
Multiple ISP links provisions network administrator to configure failover and load balancing
over Internet links.

Cyberoam supports load balancing and failover for multiple ISP links based on number of
WAN ports available in the Appliance

This document explains procedure to add secondary ISP link and configure load balancing 
and gateway failover with the following sections:

    * Add a New Gateway
    * Load Balancing and Failover (Active-Active)
    * Configure Backup Gateway (Active-Backup)
    * Configure Gateway Failover

Network scenario:

Consider the hypothetical network in which one ISP link is terminated on Port B and 
Administrator wants to terminate another ISP link on Port D. 
Below given IP schema is configured on Cyberoam.



Port A

IP Address

Subnet Mask



Port B

IP Address

Subnet Mask



Gateway Details

ISP Name


IP Address

Port C

IP Address

Subnet Mask



Port D

Port D is an unbound port  so zone type for port D is set to ‘None’

DNS Configuration

Primary DNS

Add a New Gateway


    * An unbound physical port should be available on Cyberoam. An unbound port is one, which is not assigned to any security zone.

Following are the steps to add a new Gateway:

   1. Log on to Web admin console 
2. Click to run the Network Configuration Wizard.
   3. Under Zone and Network Configuration section, using “Next” button go to
       port D and configure following values:

·         Select ‘Use Static IP’

·         IP Address:

·         Subnet Mask:

·         Zone: WAN

Gateway Details 

·         ISP Name: Cyberoam_1

·         IP Address:

   4. Click Next to proceed 
   5.  Click 

It will take few minutes to save the configuration details. Cyberoam will take some time to restart, 
wait for sometime before clicking the URL to access the Web Admin console.

   6. If the gateway is added successfully, it will be enabled automatically and its 
       status would be “Active” and weight as 1.You can confirm the gateway status from 
       Web Admin console, System à Gateway à Manage Gateway(s) page
Load Balancing and Failover (Active-Active)

  As the newly added gateway “Cyberoam_1” is operating as ‘Active’ gateway, 
  Cyberoam will automatically distribute the traffic between both the links. Cyberoam 
  employs weighted round robin algorithm for load balancing to enable maximum utilization
  of capacities across the various links.

To achieve failover for the Active-Active gateways, one has to define the failover condition 
for each gateway.

In the considered example, if the “Default” gateway goes down and failover condition is 
defined then the entire traffic will be processed by the “Cyberoam_1” gateway and vice versa.

Please refer Configure Failover Condition section to define fail over rules for the active gateway.

Configure Backup Gateway (Active-Backup)

A gateway can be configured to operate as a Backup gateway. Backup gateway comes up 
when any of active gateways goes down. Hence, load balancing will not be done in case 
of active- back up scenario.

To configure backup gateway

   1. Go to System à Gatewayà Manage Gateways
   2. Click Gateway Name to be configured as back up gateway
   3. Under Gateway Details section change Gateway Type to “Backup”

4. Configure Backup Gateway Details as per below image

nitially traffic will not pass through the backup gateway. When any of active gateways
fails then only traffic will be routed to backup gateway with inherited weight of failed active gateway

Configure Failover Condition 

   1. Log on to Web admin console
   2. Go to System à Gatewayà Manage Gateways
   3. Click Gateway Name to configure failover condition. By default, Cyberoam creates
       Ping rule for every gateway. Cyberoam periodically sends the ping request  to check
       health of the link and if link does not respond, traffic is automatically sent through 
       another available link. Click checkbox to enable default failover rule.
   4. Click Add to add multiple failover conditions in the failover rule
   5. Configure failover rule as per below image:
Initially traffic will not pass through the backup gateway. When any of active gateways
fails then only traffic will be routed to backup gateway with inherited weight of failed active gateway

Configure host must be represented by the computer or Network device which
is permanently running or most reliable.

   6.  Click Save to save failover rule and gateway configuration

In below screen shot active gateway has been failed and entire traffic is routed
through back up gateway Cyberoam_1 
During a link failure, Cyberoam regularly checks the health of a given connection, 
assuring fast reconnection when Internet service is restored.When the connection is 
restored and gateway is up again, without the administrator’s intervention, traffic is 
again routed through the Active gateway.In other words, backup gateway fails back on 
Active gateway. 
(5 vote(s))
Not helpful

Comments (0)
Post a new comment
Full Name:
CAPTCHA Verification 
Please enter the text you see in the image into the textbox below (we use this to prevent automated submissions).