True loadbalancing is not in the SSG feature set.  But you can get an approximation of this by setting up both internet services with a default route that has the same metric and preference.  The firewall will round robin the connections then that use these two services.

Do you use BGP and your own IP adresses ?

Then you could perhaps use BGP to decide on IP level what goes were.

Else divide services up per ISP.

Hi,

You should also enable Equal Cost Multipath for this to work:

set vrouter <name> max-ecmp-routes 2 (up to 4 routes with the same pref/metric are supported).

I do not recommend to use ECM on the NATted connections, because:

"When ECMP is enabled and the outgoing interfaces are different and in NAT mode (apparently they mean not the interface mode but NAT as such. EC) , applications, such as HTTP, that create multiple sessions will not work correctly. Applications, such as telnet or SSH, that create one session should work correctly." (C&E, Routing)

Also:

"If the outgoing interfaces do not belong to the same zone and the return packet goes to a zone other than the intended one, a session match cannot occur and the traffic may not go through." (C&E, Routing)

I would recommend to use both connections as an Active/Standby with some load sharing using SBR (is simpler) and/or PBR.

Kind regards,

Edouard

Is this is supported in a HA configuration of two SSG 140?

Hi,

ECM/SBR/PBR will work the same way on a NSRP-cluster.

It is the same, unless you are talking active/active, that requires a different design approach.