How to Configure Destination NAT translation type Dynamic IP (with session distribution) to load balance traffic

Created On 07/17/22 14:59 PM - Last Modified 11/05/24 21:54 PM


Objective


To distribute inbound traffic to internal backend servers based on multiple methods like Round Robin, Source IP Hash, IP Modulo, IP Hash, and Least Sessions.



Environment


  • Palo Alto Networks firewalls
  • Supported PAN-OS (the "Dynamic IP (with session distribution)" translation type was introduced in PAN-OS 8.1)
  • Destination NAT


Procedure


Topology: (diagram not reproduced here)

Prerequisite: the FQDN must already exist on the local DNS server and resolve to every private IP of the internal real servers; in this example those are 192.168.1.10 and 192.168.1.20. The firewall must be configured to use that DNS server (Device -> Setup -> Services), and it refreshes FQDN address objects periodically, so a server added to or removed from the DNS record only joins or leaves the pool after the next refresh.

1. Log in to the GUI of the Palo Alto Networks firewall

  • Navigate to Objects -> Addresses -> click "Add". Create an object of type FQDN and enter the domain name that resolves to the private IPs of the internal servers.


  • Click "Add" again and create an object of type IP Netmask for the public IP (the address external clients connect to).

2. Navigate to Policies -> NAT -> click "Add" and create a NAT policy rule

  • Under "Original Packet", select the external zone as both source zone and destination zone (for destination NAT the destination zone is the zone of the original, pre-NAT destination address, which is the public IP routed toward the external zone), set the source address to any, and set the destination address to the public IP object created above.

  • Under "Translated Packet" -> Destination Address Translation, set Translation Type to "Dynamic IP (with session distribution)", set Translated Address to the FQDN object that resolves to the private IPs of the internal servers, set Translated Port to the port the internal servers listen on (a single translated port applies to every server in the pool), and choose a "Session Distribution Method" ("Round Robin" is selected by default). Commit the configuration.

  • A NAT rule only translates addresses; it does not permit traffic. A security policy rule is still required, from the external zone to the zone of the internal servers, with the pre-NAT public IP object as the destination address.

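The same two address objects and the NAT rule from steps 1 and 2, built as PAN-OS XML API "config/set" requests so the procedure can be scripted and validated before anything is pushed. This is an added example, not code from the article or from Palo Alto Networks. The object names, zone names, public IP, FQDN and port are placeholders; the element layout follows the PAN-OS configuration schema as the author understands it, so confirm it against the XML API browser on your own firewall (https://<firewall>/api/) before use.

```python
"""Build PAN-OS XML API 'config/set' requests for a destination NAT rule of type
Dynamic IP (with session distribution) and the address objects it references.
Added example; names, IPs and port below are placeholders (assumptions)."""
import ipaddress
from urllib.parse import urlencode
from xml.etree import ElementTree as ET

# Values accepted by <distribution> (assumed to match the PAN-OS schema).
DISTRIBUTION_METHODS = ("round-robin", "source-ip-hash", "ip-modulo", "ip-hash", "least-sessions")

# Per-vsys config root on a single-vsys firewall; adjust for multi-vsys or Panorama.
VSYS_XPATH = "/config/devices/entry[@name='localhost.localdomain']/vsys/entry[@name='vsys1']"


def fqdn_address(name: str, fqdn: str) -> str:
    """<entry> for an address object of type FQDN (the translated-address pool)."""
    labels = fqdn.split(".")
    if len(labels) < 2 or not all(l and len(l) <= 63 and l.replace("-", "").isalnum() for l in labels):
        raise ValueError(f"not a valid FQDN: {fqdn!r}")
    entry = ET.Element("entry", name=name)
    ET.SubElement(entry, "fqdn").text = fqdn
    return ET.tostring(entry, encoding="unicode")


def ip_netmask_address(name: str, cidr: str) -> str:
    """<entry> for an address object of type IP Netmask (the public IP clients hit)."""
    net = ipaddress.ip_network(cidr, strict=True)  # rejects a prefix with host bits set
    entry = ET.Element("entry", name=name)
    ET.SubElement(entry, "ip-netmask").text = str(net)
    return ET.tostring(entry, encoding="unicode")


def dnat_rule(name, *, from_zone, to_zone, public_obj, pool_obj, port, distribution="round-robin"):
    """<entry> for a NAT rule whose translated packet uses Dynamic IP (with session
    distribution). to_zone is the zone of the ORIGINAL (pre-NAT) destination, which
    for a public IP is normally the same external zone as from_zone."""
    if distribution not in DISTRIBUTION_METHODS:
        raise ValueError(f"unknown distribution method {distribution!r}")
    if not 1 <= int(port) <= 65535:
        raise ValueError(f"translated port out of range: {port}")
    entry = ET.Element("entry", name=name)
    for tag, member in (("from", from_zone), ("to", to_zone), ("source", "any"), ("destination", public_obj)):
        ET.SubElement(ET.SubElement(entry, tag), "member").text = member
    ET.SubElement(entry, "service").text = "any"
    ddt = ET.SubElement(entry, "dynamic-destination-translation")
    ET.SubElement(ddt, "translated-address").text = pool_obj   # FQDN object, not a literal IP
    ET.SubElement(ddt, "translated-port").text = str(port)     # one port for every pool member
    ET.SubElement(ddt, "distribution").text = distribution
    return ET.tostring(entry, encoding="unicode")


def set_request(xpath: str, element: str, api_key: str) -> str:
    """Query string for GET https://<firewall>/api/?... (type=config, action=set)."""
    return urlencode({"type": "config", "action": "set", "xpath": xpath, "element": element, "key": api_key})


def build_requests(api_key: str = "REDACTED") -> list:
    """The three 'set' requests for this procedure, in the order they should be sent.
    All names/addresses here are constructed placeholders."""
    return [
        set_request(f"{VSYS_XPATH}/address", fqdn_address("web-pool", "web.corp.example"), api_key),
        set_request(f"{VSYS_XPATH}/address", ip_netmask_address("web-public", "203.0.113.10/32"), api_key),
        set_request(f"{VSYS_XPATH}/rulebase/nat/rules",
                    dnat_rule("dnat-web-lb", from_zone="external", to_zone="external",
                              public_obj="web-public", pool_obj="web-pool", port=8080), api_key),
    ]


if __name__ == "__main__":
    for q in build_requests():
        print("GET /api/?" + q)
```

The requests are generated but not sent; send them with your HTTP client of choice and follow with a commit (type=commit). Keep the API key out of the script and out of logs.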
The following Session Distribution Methods are available for spreading new sessions across the servers in the pool:

  • Round Robin—(default) Assigns new sessions to IP addresses in rotating order. Unless your environment dictates that you choose one of the other distribution methods, use this method.
  • Source IP Hash—Assigns new sessions based on a hash of the source IP address. If your incoming traffic arrives from a single source IP address (for example, behind an upstream proxy or NAT), every session hashes to the same server, so select a method other than Source IP Hash.
  • IP Modulo—The firewall takes into consideration the source and destination IP address from the incoming packet; the firewall performs an XOR operation and a modulo operation; the result determines to which IP address the firewall assigns new sessions.
  • IP Hash—Assigns new sessions using a hash of the source and destination IP addresses.
  • Least Sessions—Assigns new sessions to the IP address that has the fewest concurrent sessions. If you have many short-lived sessions, Least Sessions provides you with a more balanced distribution of sessions.
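A model of the five distribution methods, run over constructed traffic so the trade-offs listed above are visible: a single-source client collapses every hash-based method onto one server, while Round Robin and Least Sessions still spread the load. This is an added example, not code from the article or from Palo Alto Networks. Round Robin, IP Modulo (XOR of source and destination IP, then modulo the pool size, as described above) and Least Sessions are modelled as described; the hash used for Source IP Hash and IP Hash is an illustrative stand-in, since PAN-OS does not document its hash function. The client addresses and public IP are constructed sample data.

```python
"""Model of PAN-OS session distribution methods for Dynamic IP (with session
distribution) destination NAT. Added example; the hash below is a stand-in
(assumption), not the firewall's real algorithm."""
import hashlib
import ipaddress
from collections import Counter

SERVERS = ["192.168.1.10", "192.168.1.20"]   # what the FQDN pool resolves to (from the article)
VIP = "203.0.113.10"                         # constructed public IP clients connect to


def _h(*parts: str) -> int:
    """Stable integer hash of the given strings (illustrative stand-in)."""
    return int.from_bytes(hashlib.sha256("|".join(parts).encode()).digest()[:8], "big")


class Distributor:
    """Picks a real server for each NEW session; existing sessions are never moved."""

    def __init__(self, servers, method):
        self.servers = list(servers)
        self.method = method
        self._rr = 0                 # Round Robin cursor
        self.active = Counter()      # server -> concurrent sessions (Least Sessions state)

    def pick(self, src: str, dst: str) -> str:
        n = len(self.servers)
        if self.method == "round-robin":
            s = self.servers[self._rr % n]
            self._rr += 1
        elif self.method == "source-ip-hash":
            s = self.servers[_h(src) % n]
        elif self.method == "ip-modulo":
            x = int(ipaddress.ip_address(src)) ^ int(ipaddress.ip_address(dst))
            s = self.servers[x % n]
        elif self.method == "ip-hash":
            s = self.servers[_h(src, dst) % n]
        elif self.method == "least-sessions":
            # fewest concurrent sessions wins; ties resolved by pool order
            s = min(self.servers, key=lambda v: (self.active[v], self.servers.index(v)))
        else:
            raise ValueError(f"unknown method {self.method!r}")
        self.active[s] += 1
        return s

    def close(self, server: str) -> None:
        if self.active[server] <= 0:
            raise ValueError(f"no active session on {server}")
        self.active[server] -= 1


def simulate(method, flows, servers=SERVERS):
    """flows: list of (src_ip, dst_ip, short_lived). A short-lived flow closes before
    the next one opens. Returns (sessions assigned per server, still-active per server)."""
    d = Distributor(servers, method)
    assigned = Counter()
    for src, dst, short in flows:
        s = d.pick(src, dst)
        assigned[s] += 1
        if short:
            d.close(s)
    return assigned, d.active


# Constructed traffic samples.
MANY_CLIENTS = [(f"198.51.100.{i}", VIP, True) for i in range(1, 41)]   # 40 distinct sources
SINGLE_SOURCE = [("198.51.100.7", VIP, True)] * 40                       # everyone behind one proxy
MIXED = [(f"198.51.100.{i}", VIP, False) for i in range(1, 4)] + \
        [(f"198.51.100.{i}", VIP, True) for i in range(4, 8)]            # 3 long-lived, then 4 short


def summary():
    """Assignment counts for every method over each traffic sample."""
    methods = ("round-robin", "source-ip-hash", "ip-modulo", "ip-hash", "least-sessions")
    return {name: {m: dict(simulate(m, flows)[0]) for m in methods}
            for name, flows in (("many_clients", MANY_CLIENTS),
                                ("single_source", SINGLE_SOURCE),
                                ("mixed", MIXED))}


if __name__ == "__main__":
    for sample, per_method in summary().items():
        print(sample)
        for m, counts in per_method.items():
            print(f"  {m:16s} {counts}")
```

With the single-source sample, Source IP Hash, IP Modulo and IP Hash each put all 40 sessions on one server, which is the failure mode the Source IP Hash note above warns about; with the mixed sample, Least Sessions steers every new short session to the server that is not holding the long-lived ones.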


Source: https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA14u000000wl1CCAQ&lang=en_US&refURL=http%3A%2F%2Fknowledgebase.paloaltonetworks.com%2FKCSArticleDetail