Configure Global WAN Settings
Applies To: Cloud-managed Fireboxes
Global WAN settings control how the cloud-managed Firebox routes outbound traffic when multiple external networks are configured. In the Global WAN settings, you can configure the Firebox with one of these multi-WAN actions:
- Failover — The Firebox routes outbound connections through one external network at a time. Connections fail over to another network only when the primary network connection is down.
- Round-Robin — The Firebox distributes routing of outbound connections through multiple external networks at the same time. You can configure the proportion of load the Firebox routes to each network.
In the global WAN settings, you select which networks participate in routing for the global WAN action. You must select at least two networks.
If all networks selected for Global WAN are down, but at least one non-participating network is up, the Firebox routes outbound connections through the non-participating external network that has the lowest routing distance (metric).
If all external networks are selected for Global WAN, and all external networks are down, the Firebox makes a best effort to route traffic based on the routing table. In this scenario, the Firebox usually tries to route the traffic through the first external network.
Default Global WAN Settings
When you add a second external network, the Global WAN tile appears on the Networks configuration page, in the WAN Settings section.
To edit global WAN settings, from WatchGuard Cloud:
- Select Configure > Devices.
- Select the cloud-managed Firebox.
- Click Device Configuration.
- Click the Networks tile.
The Networks configuration page opens. - To edit global multi-WAN settings, click the Global WAN tile.
The Global WAN page opens.
By default, the Multi-WAN action is set to Failover and it includes all external networks.
Configure the Failover Action
When you configure global WAN settings with the Failover action, the Firebox routes outbound connections through one external network at a time. One external network is primary, and the others are backup networks. The Firebox routes outbound connections to the primary external network, if it is available. If the primary network connection is down, the Firebox sends new connections to a backup network.
When the primary network connection becomes active again, the Firebox routes all new outbound connections to the primary external network. The Failback setting controls whether existing connections fail back to the primary network immediately, gradually, or not at all.
To configure the Failover action, from WatchGuard Cloud:
- On the Global WAN page, from the Method drop-down list, select Failover.
- From the Failback drop-down list, select an option to specify how the Firebox handles connections when failback occurs:
- Immediate — Stop all active connections immediately.
- Gradual — Continue to route traffic for active connections through the failover network.
- Don't Failback — Continue to route active and new connections through the failover network.
- To select which networks participate in WAN failover, select the check box for each network. You must select at least two networks.
- The first network in the list is the primary network. To change the network order, click the move handle for a network and drag it up or down in the list.
- To save configuration changes to the cloud, click Save.
Configure the Round-Robin Action
When you configure multi-WAN with the Round-Robin option, the Firebox looks at its internal route table to check for specific static routing information for each connection. To determine whether a specific route exists for the destination of a packet, the Firebox examines the list of routes from the top to the bottom of the route table. The list is sorted by distance (metric) from lowest to highest cost. You can see the list of routes in the route table on the Live Status > Networks page, on the Routes tab. If no specific route is found, the Firebox distributes the traffic load among its external networks. The Firebox uses the average of sent (TX) and received (RX) traffic to balance the traffic load across all external networks you specify in your Round-Robin configuration.
By default, the Firebox routes an equal load of outbound traffic through each network. To change the proportion of load the Firebox routes through each network, you can change the weight assigned to each network. By default, each network has a weight of 1. If you assign a weight of 2 to a network, you double the proportion of traffic that routes through that interface compared to an interface with a weight of 1.
Sticky connection settings make sure that, if the Firebox routes a packet through an external network, any future packets between the source and destination address pair use the same external network for a specified period of time. By default, connections use the same interface for three minutes.
To configure the Round-Robin action, from WatchGuard Cloud:
- In the Global WAN page, from the Action drop-down list, select Round-Robin.
- To change the amount of time a connection must stay on the same interface, edit these settings:
- TCP Sticky Connection — The sticky connection timeout for TCP traffic
- UDP Sticky Connection — The sticky connection timeout for UDP traffic
- Others Sticky Connection — The sticky connection timeout for non-TCP and non-UDP traffic
- To select which networks participate in Round-Robin, select the check box for each network. You must select at least two networks.
- To change the weight for a participating interface, click the Weight column and select or type a new value.
- To save configuration changes to the cloud, click Save.