Contents

Related Topics

Configure a Link Monitor Host

You can choose the method and frequency you want the Firebox to use to find the status of each WAN interface.

In Fireware v12.1 or higher, if you do not configure a link monitor host, the Firebox pings the interface default gateway, usually the ISP (Internet Service Provider) modem or router, when the Enable link monitor check box is selected. This check box is selected by default for all interfaces except modem interfaces. Link monitor is not enabled by default for modems to prevent unwanted bandwidth consumption.

In Fireware v12.0.2 or lower, if you do not configure a link monitor host, the Firebox pings the interface default gateway, usually the ISP (Internet Service Provider) modem or router, to find the interface status.

A ping to the default gateway is not a reliable test of Internet connectivity. If the ISP equipment just beyond the modem cannot connect to the Internet, but the default gateway still responds to a ping, the Firebox does not detect the interface as failedbecause the gateway is the only test of connectivity. In some multi-WAN modes, this can cause a lot of traffic loss, because the Firebox continues to send packets through a dead interface that shows available because the connected modem or router responds to a ping.

In Fireware v12.1 or higher, modems are configured as external interfaces that can participate in multi-WAN. For more information about modem interfaces, see About Modem Interfaces.

Recommendations

We recommend that you configure at least one link monitor host for each external interface. Select targets that have a record of high uptime, such as servers hosted by your ISP. If there is a remote site that is critical to your business operations, such as a credit card processing site or business partner, it might be worthwhile to ask the administrator at that site if there is a device that you can use as a monitoring target to verify connectivity to their site.

Identify a good ping link monitor target

  • To find a good link monitor target, you can run a tracert task to an external IP address to locate a ping target beyond the modem or router, on the ISP network, preferably two to three hops out. The DNS servers provided by your ISP might work well for this.
  • Ping an IP address, not a domain name. A ping to a domain name requires DNS, and can cause a false indication of interface failure if there is a problem with the DNS server.
  • Specify a different link monitor host for each external interface. If you specify the same IP address or domain name for all external interfaces, a failure of that remote host causes all of your external interfaces to fail.

Select a TCP link monitor target carefully

  • Do not specify a TCP link monitor target unless the company that hosts the target agrees. If you specify TCP to monitor a link to a remote host, the company that manages the remote host might block traffic from the Firebox because it considers the idle TCP connections a possible scan or attack.

If you specify a domain name for a ping or TCP link monitor target, and the external interface is configured with a static IP address, you must configure a DNS server. The DNS server resolves the domain name of your link monitor target. You do not have to configure a DNS server if the external interfaces are configured for DHCP or PPPoE. For more information, see Add WINS and DNS Server Addresses.

About the Route Table Update Interval

If a link monitor host does not respond, it can take from 40–60 seconds for the Firebox to update the route table. When the same link monitor host starts to respond again, it can take from 1–60 seconds for your Firebox to update the route table.

The update process is much faster when your Firebox detects a physical disconnect of the Ethernet port. When this happens, the Firebox updates the route table immediately. When your Firebox detects the Ethernet connection is established again, it updates the route table within 20 seconds.

Define a Link Monitor Host

To define a link monitor host, from Fireware Web UI:Closed
  1. Select Network > Multi-WAN.
    The Multi-WAN Configuration page appears.

Screen shot of the multi-WAN settings

  1. Select the interface and click Configure.
    The Configure Link Monitor dialog box appears.
  2. If the interface is a modem, and you want the modem interface to monitor the default gateway or another source that you specify, you must select the Enable Link Monitor check box.
    This check box is selected by default for interfaces that are not modems.

Screen shot of the Link Monitor Details dialog box

  1. To specify which link monitor methods the Firebox uses to verify the status of each external interface, select one or more of these check boxes:
  • Ping — Type the IP address or domain name for the Firebox to ping to verify the interface status.
  • TCP — Type the IP address or domain name of a computer that the Firebox can negotiate a TCP handshake with to verify the status of the WAN interface.
  • Both ping and TCP must be successful to define the interface as active — The interface is considered inactive unless both a ping and TCP connection complete successfully.

If an external interface is a member of a FireCluster configuration, a multi-WAN failover caused by a failed connection to a link monitor host does not trigger FireCluster failover. FireCluster failover occurs only when the physical interface is down or does not respond. If you add a domain name for the Firebox to ping, and any one of the external interfaces has a static IP address, you must configure a DNS server, as described in Add WINS and DNS Server Addresses.

  1. To specify how often the Firebox verifies the status of the interface, in the Probe interval text box, type or select the amount of time in seconds.
    The default setting is 15 seconds.
  2. To change the number of consecutive probe failures that must occur before failover to the next specified interface occurs, in the Deactivate after text box, type or select the number of failures.
    The default setting is three (3). After the selected number of failures, the Firebox starts to send traffic through the next specified interface in the multi-WAN failover list.
  3. To change the number of consecutive successful probes through an interface that must occur before an interface that was inactive can become active again, in the Reactivate after text box type or select the number of successful probes.
  4. Click OK.
  5. Repeat Steps 2–8 for each external interface.
  6. Click Save.
To define a link monitor host, from Policy Manager:Closed
  1. In the Network Configuration dialog box, select the Multi-WAN tab.
    The Multi-WAN Configuration dialog box appears.

Screen shot of the multi-WAN settings in Policy Manager

  1. Select the Link Monitor tab.
  2. From the External Interfaces list, select an interface.
    The Settings information changes dynamically to show the settings for that interface.
  3. If the interface is a modem, and you want the modem interface to monitor the default gateway or another source that you specify, you must select the Enable Link Monitor check box.
    This check box is selected by default for interfaces that are not modems.
  4. To specify which link monitor methods the Firebox uses to verify the status of each external interface, select one or more of these check boxes:
  5. Ping — Type the IP address or domain name for the Firebox to ping to verify the interface status.
  6. TCP — Type the IP address or domain name of a computer that the Firebox can negotiate a TCP handshake with to verify the status of the WAN interface.
  7. Both ping and TCP must be successful to define the interface as active — The interface is considered inactive unless both a ping and TCP connection complete successfully.

If an external interface is a member of a FireCluster configuration, a multi-WAN failover caused by a failed connection to a link monitor host does not trigger FireCluster failover. FireCluster failover occurs only when the physical interface is down or does not respond. If you add a domain name for the Firebox to ping, and any one of the external interfaces has a static IP address, you must configure a DNS server, as described in Add WINS and DNS Server Addresses.

  1. To specify how often the Firebox verifies the status of the interface, in the Probe Interval text box, type or select the amount of time in seconds.
    The default setting is 15 seconds.
  2. To change the number of consecutive probe failures that must occur before failover to the next specified interface occurs, in the Deactivate after text box, type or select the number of failures.
    The default setting is three (3). After the selected number of failures, the Firebox starts to send traffic through the next specified interface in the multi-WAN failover list.
  3. To change the number of consecutive successful probes through an interface that must occur before an interface that was inactive can become active again, in the Reactivate after text box type or select the number of successful probes.
  4. Repeat Steps 3–6 for each external interface.
  5. Click OK.
  6. Save the Configuration File.

See Also

Read the Firebox Route Tables

About Multi-WAN

Give Us Feedback     Get Support     All Product Documentation     Technical Search

© 2018 WatchGuard Technologies, Inc. All rights reserved. WatchGuard, the WatchGuard logo, WatchGuard Dimension, Firebox, Core, Fireware, and LiveSecurity are registered trademarks or trademarks of WatchGuard Technologies in the United States and/or other countries.