
WatchGuard Certified Training

Network and Traffic Management


with Fireware
Fireware and WatchGuard System Manager v11.10

Revised: March 2015


Updated for: Fireware v11.10
Disclaimer
Information in this guide is subject to change without notice. Companies, names, and data used in
examples herein are fictitious unless otherwise noted. No part of this guide may be reproduced or
transmitted in any form or by any means, electronic or mechanical, for any purpose, without the express
written permission of WatchGuard Technologies, Inc.

Copyright and Patent Information


Copyright 2015 WatchGuard Technologies, Inc. All rights reserved.
WatchGuard, Firebox, Fireware, LiveSecurity, and spamBlocker are either registered trademarks or
trademarks of WatchGuard Technologies, Inc. in the United States and other countries. This product is
covered by one or more pending patent applications.
All other trademarks and tradenames are the property of their respective owners.
Printed in the United States.

Training: www.watchguard.com/training, training@watchguard.com
Support: www.watchguard.com/support, support@watchguard.com
U.S. and Canada +877.232.3531
All Other Countries +1.206.613.0456

ii WatchGuard Fireware Training


Table of Contents

Course Introduction ................................................................................................................ 1


Training Overview .......................................................................................................... 1
Necessary Equipment and Software ............................................................................ 1
Classroom Network Configuration ................................................................................ 2
Student Device IP Addresses ....................................................................................................... 2
Instructor Device Network Configuration .................................................................................... 3
Configuration Changes for the Instructor Device ....................................................................... 5
(Optional) Set Up a Server to Host FTP and HTTP Downloads ................................................... 6
VLANs ....................................................................................................................................... 7
Introduction .................................................................................................................... 7
What You Will Learn ...................................................................................................................... 7
Exercises ....................................................................................................................................... 7
What VLANs Can Do For You ........................................................................................................ 7
Terms and Concepts You Should Know ....................................................................... 8
VLAN Requirements and Recommendations .............................................................. 9
Before You Begin ......................................................................................................... 10
Firewall Configuration ................................................................................................................. 10
Necessary Equipment and Services ......................................................................................... 10
Configuring the VLAN Switch .................................................................................................... 11
Exercise 1: Two VLANs on the Same Device Interface ................................................ 12
When to Use this Configuration ................................................................................................ 12
Network Topology ....................................................................................................................... 12
Configure the Device ................................................................................................................. 13
Configure the Switch ................................................................................................................. 15
Physically Connect all Devices ................................................................................................... 16
Test the Configuration ................................................................................................................ 16
Exercise 2: One VLAN Bridged Across Two Device Interfaces .................................... 17
When to Use this Configuration ................................................................................................. 17
Network Topology ....................................................................................................................... 18
Configure the Device ................................................................................................................. 18
Configure the Switch ................................................................................................................. 21
Physically Connect all Devices .................................................................................................. 21
Test the Configuration ............................................................................................................... 21
Exercise 3: One VLAN Bridged Across Two Device Interfaces (Alternate Configuration) ........ 22
When to Use This Configuration ............................................................................................... 22
Network Topology ....................................................................................................................... 22
Configure the Device ................................................................................................................. 23
Configure the Switches ............................................................................................................. 25
Physically Connect All Devices .................................................................................................. 25
Exercise 4: Two VLANs as External Interfaces on the Same Device .......................... 27
When to Use this Configuration ................................................................................................. 27

Network Topology ....................................................................................................................... 27
Configure the Device ................................................................................................................. 28
Configure the Switch ................................................................................................................. 30
Physically Connect All Devices .................................................................................................. 30
Test the Configuration ............................................................................................................... 30
Using VLANs in Device Policies ................................................................................... 31
Apply Firewall Policies to Intra-VLAN Traffic ............................................................................. 31
Aliases ........................................................................................................................................ 31
Exercise 5: Configure VLANs for Wireless Access Points ............................................ 33
When to Use This Configuration ............................................................................................... 33
Network Topology ....................................................................................................................... 33
Frequently Asked Questions ....................................................................................... 38
What You Have Learned .............................................................................................. 38
Traffic Management ............................................................................................................. 39
What You Will Learn ..................................................................................................... 39
Control Bandwidth Use with Traffic Management Actions ........................................ 39
Traffic Management Action Types ............................................................................................ 40
Traffic Management in Policies ................................................................................................ 40
Traffic Management in Application Control ............................................................................. 40
Traffic Management Action Precedence .................................................................................. 40
Monitoring Bandwidth Statistics ................................................................................................ 41
Control Traffic Priority with QoS .................................................................................. 41
About Interface QoS Settings ..................................................................................................... 41
About Policy QoS Settings .......................................................................................................... 41
About Traffic Priority ................................................................................................................... 41
About Outgoing Interface Bandwidth ....................................................................................... 42
Exercise 1: Use a Traffic Management Action to Guarantee Bandwidth ................... 43
Enable Traffic Management and QoS ...................................................................................... 43
Verify the OS Compatibility Setting ........................................................................................... 43
Define Outgoing Interface Bandwidth ...................................................................................... 43
Create a Traffic Management Action ....................................................................................... 44
Modify Policy Configuration ....................................................................................................... 45
Set Up Service Watch ................................................................................................................ 46
See the Results of the Configuration ........................................................................................ 47
Exercise 2: Use a Traffic Management Action to Limit Bandwidth ............................. 50
Re-Define Outgoing Interface Bandwidth ................................................................................ 50
Create a Traffic Management Action ....................................................................................... 51
Modify Policy Configuration ....................................................................................................... 51
See the Results of the Configuration ....................................................................................... 52
Exercise 3: Use Traffic Management with Application Control ................................... 55
Create two Traffic Management Actions .................................................................................. 55
Configure Application Control ................................................................................................... 56
Configure Application Control in Policies ................................................................................. 58
Monitor the Traffic Management Actions in Firebox System Manager .................................. 59
Exercise 4: Use QoS to Mark and Prioritize Traffic ...................................................... 61
Before You Begin ....................................................................................................................... 61
Enable Prioritization by QoS Marking on Interfaces ................................................................ 61
Prioritize Traffic by Policy ........................................................................................................... 63
See the Results of the Configuration ....................................................................................... 64
What You Have Learned .............................................................................................. 65
Link Aggregation ................................................................................................................... 67
Introduction .................................................................................................................. 67



What You Will Learn ................................................................................................................... 67
Course Outline ........................................................................................................................... 67
Terms and Concepts You Should Know ..................................................................... 67
Link Aggregation ........................................................................................................................ 67
Link Aggregation Group (LAG) .................................................................................................. 68
Link Aggregation Interface ........................................................................................................ 68
Link Aggregation Member Interface ........................................................................................ 68
Link Aggregation Modes ........................................................................................................... 69
Link Aggregation Interface Identifiers ...................................................................................... 69
Link Aggregation with Other Networking Features .................................................... 70
Exercise 1: Configure Active-Backup Link Aggregation ............................................... 71
Network Topology ........................................................................................................................ 71
Before You Begin ....................................................................................................................... 72
Add the Link Aggregation Interface .......................................................................................... 72
Add Member Interfaces .............................................................................................................. 74
Connect the Switches ................................................................................................................ 75
Monitor the Link Aggregation Interface .................................................................................... 76
Exercise 2: Static and Dynamic Link Aggregation ....................................................... 78
Topology ...................................................................................................................................... 78
Before You Begin ....................................................................................................................... 78
Add the Link Aggregation Interface .......................................................................................... 79
Add Member Interfaces ............................................................................................................. 80
Configure the Switch and Connect the Device to the Switch .................................................. 81
Connect the Device to the Switch .............................................................................................. 81
Monitor the Link Aggregation Interface ................................................................................... 82
Use Dynamic Mode .................................................................................................................... 82
Exercise 3: Use Link Aggregation with a VLAN ............................................................. 83
Network Topology ....................................................................................................................... 83
Before You Begin ....................................................................................................................... 83
Configure the Device ................................................................................................................. 84
Configure the Switch ................................................................................................................. 86
Physically Connect all Devices .................................................................................................. 86
What You Have Learned .............................................................................................. 87
Multi-WAN Methods ............................................................................................................. 89
Introduction .................................................................................................................. 89
What You Will Learn ................................................................................................................... 89
Exercises .................................................................................................................................... 89
What Multi-WAN Can Do For You .............................................................................................. 89
Terms and Concepts You Should Know ..................................................................... 90
Outgoing Traffic and Multi-WAN ................................................................................................ 90
Incoming Traffic ......................................................................................................................... 90
IPSec VPN Traffic ....................................................................................................................... 90
Equal-Cost Multi-Path Routing (ECMP) ..................................................................................... 90
Sticky Connections ..................................................................................................................... 91
Load Balancing Interface Group (LBIG) ................................................................................... 92
Policy-Based Routing ................................................................................................................. 93
Link Monitor Settings ................................................................................................................ 93
Failover/Failback ....................................................................................................................... 94
Fireware Multi-WAN Methods ..................................................................................... 96
The Round-Robin Multi-WAN Method ......................................................................... 96
When to Use It ............................................................................................................................ 96
How It Works .............................................................................................................................. 96
Calculate Weights for Round-Robin ............................................................................................ 97

How to Configure It .................................................................................................................... 98
When an External Interface Fails .............................................................................................. 99
The Failover Multi-WAN Method ............................................................................... 100
When to Use It .......................................................................................................................... 100
How It Works ............................................................................................................................ 100
How to Configure It .................................................................................................................. 100
When an External Interface Fails ............................................................................................ 100
The Interface Overflow Multi-WAN Method .............................................................. 101
When to Use It .......................................................................................................................... 101
How It Works ............................................................................................................................ 101
How to Configure It .................................................................................................................. 101
When an External Interface Fails ............................................................................................ 101
The Routing Table Multi-WAN Method ...................................................................... 102
When to Use It .......................................................................................................................... 102
How It Works ............................................................................................................................ 102
How to Configure It .................................................................................................................. 102
When an External Interface Fails ............................................................................................ 102
Exercises: Before You Begin ................................................................................... 103
Necessary Equipment and Services ....................................................................................... 103
Management Computer Configuration ................................................................................... 103
Firewall Configuration .............................................................................................................. 104
Bandwidth Available at Each External Interface ................................................................... 104
Physically Connecting your Devices ........................................................................................ 104
Exercise 1: Demonstrate the Interface Overflow Multi-WAN Method and Sticky Connections ........ 105
When to Use the Interface Overflow Method ......................................................................... 105
Network Topology ..................................................................................................................... 105
Configure the Device ............................................................................................................... 106
Demonstrate It ......................................................................................................................... 110
Exercise 2: Demonstrate the Failover Multi-WAN Method and Policy-Based Routing ........ 114
When to Use the Failover Method ........................................................................................... 114
Network Topology ..................................................................................................................... 114
Configure the Device ............................................................................................................... 115
Demonstrate It ......................................................................................................................... 119
Exercise 3: Demonstrate Load Balancing with the Round-Robin Multi-WAN Method ........ 120
Configure the Device ............................................................................................................... 120
Demonstrate It ......................................................................................................................... 121
Appendix ..................................................................................................................... 122
How Fireware Makes Multi-WAN Routing Decisions For Outbound Traffic .......................... 122
Multi-WAN Routing Decision Flow Chart ................................................................................ 123
What You Have Learned ............................................................................................ 125
Routing ................................................................................................................................ 127
Introduction ................................................................................................................ 127
What You Will Learn ................................................................................................................. 127
Terms and Concepts .................................................................................................. 128
Route ........................................................................................................................................ 128
Router ....................................................................................................................................... 128
Route Table ............................................................................................................... 128
Route Metric ............................................................................................................................. 128
Routing Protocol ....................................................................................................................... 129



Convergence Time ................................................................................................................... 129
Routing Types and Protocols ..................................................................................... 130
Static vs. Dynamic Routing ..................................................................................................... 130
Supported Dynamic Routing Protocols .................................................................................. 130
Dynamic Routing Policies .......................................................................................... 132
Network Link Types .................................................................................................... 133
Asymmetrical Routes Cause Routing Inconsistency ............................................................. 135
Routing and Branch Office VPNs .............................................................................. 136
BOVPN Virtual Interface Routing Scenarios .......................................................................... 137
Failover from a Dynamic Route to a Branch Office VPN ....................................................... 138
Monitoring Tools ........................................................................................................ 139
The Status Report .................................................................................................................... 139
Set the Diagnostic Log Level ................................................................................................... 140
Exercise 1: Configure Static Routing Over a Point-to-Point Link ............................... 142
Add a Static Route to the Site A Device ................................................................................. 143
Add a Static Route to the Site B Device ................................................................................. 144
Review the Route Table ........................................................................................................... 145
Test the Static Route ............................................................................................................... 146
The Disadvantage of Using Only Static Routes ..................................................................... 147
Exercise 2: Configure Dynamic Routing over a Point-to-Point Link .......................... 148
Network Topology ..................................................................................................................... 148
Remove the Static Routes ....................................................................................................... 148
Configure Dynamic Routing with OSPF .................................................................................. 149
Review the Route Table ........................................................................................................... 150
Add a New Network at Site B .................................................................................................. 151
Exercise 3: Configure Static Routing Over a Multi-Hop Link ..................................... 153
Network Topology ..................................................................................................................... 153
Before You Begin ..................................................................................................................... 153
Configure the Peer Interfaces ................................................................................................. 154
Configure Static Routes Between the Trusted Networks at Each Site ................................. 154
Test the Static Route ............................................................................................................... 156
Exercise 4: Dynamic Routing Over a Multi-Hop Link ................................................. 157
Before You Begin ..................................................................................................................... 157
Configure Static Routes Between the Peer Interfaces .......................................................... 158
Configure Dynamic Routing with BGP .................................................................................... 161
Review the Route Table ........................................................................................................... 162
Test the Static Route ............................................................................................................... 162
Troubleshooting ....................................................................................................................... 162
What You Have Learned ............................................................................................ 163
FireCluster .......................................................................................................................... 165
Introduction ................................................................................................................ 165
What You Will Learn ................................................................................................................. 165
About FireCluster ....................................................................................................... 165
Terms and Concepts You Should Know ................................................................... 166
Cluster Member ....................................................................................................................... 166
Active/Active Cluster ................................................................................................................ 166
Active/Passive Cluster ............................................................................................................. 166
Load Balance Methods ........................................................................................................... 166
Cluster ID .................................................................................................................................. 167
Cluster Interface ...................................................................................................................... 167
Cluster Interface IP Address .................................................................................................... 167
Management Interface ............................................................................................................ 168

About Failover ............................................................................................................ 168
Causes of FireCluster Failover ................................................................................................. 168
What Happens During a Failover ............................................................................................ 170
Monitoring Tools ........................................................................................................ 171
Firebox System Manager ......................................................................................................... 171
Diagnostic Logging .................................................................................................................. 172
FireCluster Requirements ......................................................................................... 173
Hardware Requirements ......................................................................................................... 173
License Requirements ............................................................................................................. 173
Network Configuration Requirements .................................................................................... 173
Switch and Router Requirements ............................................................................................ 174
FireCluster Pre-Configuration Checklist .................................................................................. 175
Exercise 1: Set Up an Active/Passive Cluster ............................................................ 176
Configure the External Interface to Use a Static IP Address ................................................ 176
Configure the Trusted Interface .............................................................................................. 177
Disable Unused Network Interfaces ....................................................................................... 178
Decide Which Interfaces and Interface Address to Use ....................................................... 179
Connect the Cables .................................................................................................................. 179
Run the FireCluster Setup Wizard ........................................................................................... 180
Reset the Second Device to Factory-Default Settings ........................................................... 188
Discover the Second Cluster Member .................................................................................... 189
Exercise 2: Monitor Cluster Status ............................................................................. 190
Monitor the Cluster .................................................................................................................. 190
Monitor a Cluster Member ...................................................................................................... 191
Exercise 3: Test FireCluster Failover .......................................................................... 192
Force a Failover from Firebox System Manager .................................................................... 192
Trigger a Failover Due to Link Status ...................................................................................... 192
Use the Backup Cluster Interface ........................................................................................... 193
Trigger a Failover Due to Power Failure .................................................................................. 193
Test Failover with Network Traffic ........................................................................................... 193
Use Leave/Join in Firebox System Manager .......................................................................... 193
What You Have Learned ............................................................................................ 193

Fireware Training

Course Introduction
Network and Traffic Management with Fireware

This training is for:
- Devices: WatchGuard XTM 330 or higher
- Device OS versions: Fireware v11.10*
- Management software versions: WatchGuard System Manager v11.10

* The exercises in this course require Fireware with a Pro upgrade, which is included with most device models. For some 5 Series models (505, 510, 520, 530), you can purchase the Fireware Pro upgrade for your device.

Training Overview
The WatchGuard Fireware Network and Traffic Management with Fireware course covers these topics:
- VLANs
- Traffic Management and QoS
- Link Aggregation
- Multi-WAN
- Routing
- FireCluster
This course assumes that you have completed the Fireware Essentials course and that you know how to set up and configure basic networking features. This Course Introduction describes the software, hardware, and network environment required to complete the exercises in this training courseware.

Side note (About Side Notes): Side notes are extra information that is not necessary to understand the training. They might be configuration or troubleshooting tips, or extra technical information.

Necessary Equipment and Software
Because this course includes networking exercises, the training environment must include the following network equipment in order to support all of the exercises in this course.
- One Firebox for each student (do not use Firebox T10 and XTM 2 Series models)
- One WatchGuard Firebox configured by the instructor as the default gateway
- Fireware v11.10 or higher installed on each Firebox
- One Windows computer per student, with WatchGuard System Manager v11.10 or later installed
- Three network hubs or switches, each with enough interfaces for the instructor and all of the student Firebox devices to connect.
  - One switch is the primary external network for the student devices
  - One switch is the secondary external network (WAN2) for the student devices in the Multi-WAN exercises
  - One switch is used for the multi-hop link in the Routing exercises
- Two managed switches with 802.1Q and 802.3ad support per student, for the VLAN and Link Aggregation exercises. Or, students can pair up for these exercises.
- FTP server (optional for some exercises)

Classroom Network Configuration
The exercises in this course are designed using RFC 5737 documentation IP addresses to represent
public network IP addresses. The exercises in this training assume the following network configuration:

Figure 1: Training network configuration

Student Device IP Addresses


Students may be assigned a number (10, 20, 30, etc.) that identifies the last octet of their external IP addresses, or the third octet of their internal IP addresses. This allows for similar configuration among devices and prevents IP address conflicts and subnet overlap.
The student devices are configured with these addresses, where X is the student number:
- Eth0, External (WAN1): 203.0.113.X/24, default gateway 203.0.113.1
- Eth1, Trusted: 10.0.X.1/24
- Eth2, Optional: 172.16.X.1/24
- Eth3, External or VLAN: configuration varies by exercise
- Eth4, Eth5, Link Aggregation: configured in the Link Aggregation exercises only
The student number is also used in the FireCluster exercises as the cluster ID. We recommend that you assign student numbers in increments of at least 10, so the cluster ID does not create a virtual MAC address conflict between multiple FireClusters.
In the exercises, your external interface and trusted interface IP addresses are determined by your student number. Replace the X in the exercises with your student number.


Instructor Device Network Configuration


Several interfaces on the instructor Firebox must be configured to support the exercises in this course. The instructor device acts as the default gateway for the primary student external network, 203.0.113.0/24. For the Multi-WAN exercises that require a second external network, we use 198.51.100.1/24. The instructor device acts as the default gateway for both of these networks.
The instructor Firebox is configured with these addresses:
- Eth0 (External): Use appropriate addressing for a training environment with an Internet connection.
- Eth1 (Trusted): 203.0.113.1/24. The default gateway for the primary external interface on student devices.
- Eth2 (VLAN): Send and receive untagged traffic for VLAN10. Also used as the default gateway for the secondary external interface on student devices when a second WAN interface is configured.
- Eth3 (VLAN): Send and receive tagged traffic for VLAN10 and VLAN20. Used when students configure a VLAN with an external interface.
- Eth4 (Trusted): 172.16.10.1/30 as the primary IP address, and 172.16.X.1/30 as secondary addresses for the optional networks on each student device. Used to simulate a multi-hop link for some dynamic routing exercises.

Side note: You must also configure a DNS server, in the Network > Configuration > WINS/DNS tab, to allow DNS to operate from the training environment. For DNS to function for students, the student Firebox devices and computers must also be configured to use the DNS server.

Figure 2: Instructor Firebox network interfaces configuration

The instructor device must have 2 VLANs configured:
- VLAN10, Trusted, 198.51.100.1/24, ID 10: untagged on eth2, tagged on eth3
- VLAN20, Trusted, 192.0.2.1/24, ID 20: tagged on eth3

Figure 3: Instructor Firebox VLAN configuration


The instructor device must have addresses defined on eth4 for the optional networks of all student devices. These are used for the multi-hop dynamic routing exercises.
- Primary (for the Optional network of student 10): 172.16.10.1/30
- Secondary (for the Optional networks of students 20 and higher): 172.16.X.1/30

Figure 4: Secondary IP addresses for Eth4 on the instructor device, for a total of 8 students


Configuration Changes for the Instructor Device


To make the training network functional for these exercises, the instructor must make three more
configuration changes to the instructor Firebox.
1. Create an Any policy to allow traffic between the trusted interfaces.

Figure 5: Any policy configuration for the instructor Firebox


2. To enable access to the Internet, update the settings in Network > NAT > Dynamic NAT to add a dynamic NAT entry from Any-Trusted to Any-External.
Or, you can add dynamic NAT rules from the RFC 5737 address ranges to Any-External (for example, add a dynamic NAT rule from 203.0.113.0/24 to Any-External).

Figure 6: NAT configuration for the instructor Firebox

3. To configure the instructor Firebox to simulate a multi-hop link for the routing exercises, you must
add static routes to route traffic to the trusted network on each student device. The next hop for
each is the IP address of the optional interface on each student device.
The gateway corresponds to the primary and secondary networks defined for Eth4 on the instructor device.

Figure 7: Static route configuration for the instructor Firebox for a class with 8 students.

(Optional) Set Up a Server to Host FTP and HTTP Downloads


Several of the exercises in this courseware require that the students download a file from an FTP server or browse to a web site to observe the results of a configuration change. If your training environment does not have Internet access, you can use the subsequent steps to build an FTP server and a web server on an existing Windows 2003 Server on your network that students can use for the exercises.
1. Connect the server's network card to the same hub or switch that connects the device external interface to the Internet router.
Usually, you would connect your device directly to the LAN interface of your Internet router. For this exercise, you must use a hub or switch to connect the Windows 2003 Server to the external network of the device.
2. Set up the FTP server.
For more information, see this Microsoft article: http://support.microsoft.com/kb/323384.
3. Create a 350 MB text file named 350mbfile.txt and save it in the ftproot folder. The default location for this folder is c:\inetpub\ftproot.
To create the file in Windows, at the Command Prompt, type this fsutil command:
fsutil file createnew c:\inetpub\ftproot\350mbfile.txt 358400000
4. Set up the web server on your Windows 2003 Server.
For more information, see this Microsoft article: http://support.microsoft.com/kb/324742
5. Copy the 350mbfile.txt file from the C:\inetpub\ftproot directory to the C:\inetpub\wwwroot directory.

Fireware Training

VLANs
Four Ways to Configure VLANs on a Firebox

Introduction
A virtual local area network (VLAN) is a collection of computers on a LAN or LANs that are grouped
together in a single broadcast domain independent of their physical location. A VLAN allows you to
group devices according to function or traffic patterns instead of location or IP address. Members of a
VLAN can share resources as if they were connected to the same LAN.

What You Will Learn


This course explains the concept of a VLAN and describes several different VLAN technologies that are
in use today. You will learn everything necessary to successfully deploy VLANs with your Firebox. We
will present four typical use cases with VLANs, and you will configure the Firebox for each of these
situations.

Exercises
The exercises demonstrate situations in which you would use different VLAN configurations, a simplified view of the network topology for each setup, and step-by-step procedures for how to configure each setup. The exercises include:
- Two VLANs on the same Firebox interface
- One VLAN bridged across two Firebox interfaces
- One VLAN bridged across two Firebox interfaces (alternate configuration)
- Two VLANs as External Interfaces on the same Firebox
- Three VLANs for two SSIDs on an AP device
The course concludes with frequently asked questions about how to configure firewall policies to restrict incoming and outgoing access on VLAN interfaces, or to allow or deny traffic between different VLANs.

Side note: You can also use VLANs with link aggregation. An exercise for that configuration is included in the link aggregation section of this training.

What VLANs Can Do For You


VLANs provide three main benefits:
- Increased performance by confining broadcasts.
  Each computer you add to a LAN increases the amount of background (broadcast) traffic, which can reduce performance. With VLANs, you can restrict this traffic and reduce the amount of bandwidth used by your network.
- Improved manageability and simplified network tuning.
  When you consolidate common resources into a VLAN, you reduce the number of routing hops needed for those devices to communicate. You can also manage traffic from each functional group more easily when each group uses a different VLAN.
- Increased security options.
  By default, members of one VLAN cannot see the traffic from another VLAN. You can apply separate security policies to VLANs. By contrast, a secondary network on a Firebox interface gives no additional security because there is no separation of traffic. The Firebox does not filter traffic between the primary network of an interface and a secondary network on that interface. It automatically routes traffic between primary and secondary networks on the same physical interface with no access restrictions.

Terms and Concepts You Should Know


VLAN trunk interface
The physical interface (switch interface or device interface) that connects a VLAN device to another VLAN device. Some vendors use this term only for a switch interface that carries traffic for more than one VLAN. We use it as a general term for an Ethernet interface on a VLAN-capable device that connects the device to another VLAN-capable device.
VLAN ID (VID)
A number from 1 to 4094 associated with the VLAN. Every VLAN you use has a unique number.
Tag
This term has two meanings: one as a noun and one as a verb.
[noun] Information that is added to the header of an Ethernet frame. The format of the tag is defined by the IEEE 802.1Q standard.
[verb] To add a VLAN tag to a data frame's Ethernet header. The tag is added by an 802.1Q-compliant device such as an 802.1Q switch or router, or the Firebox.
Because the physical segment between two 802.1Q devices normally carries only tagged data packets, we call it the tagged data segment.
Untag
To remove a VLAN tag from a frame's Ethernet header. When an 802.1Q device sends data to a network device that cannot understand 802.1Q VLAN tags, the device untags the data frames.
Because the physical segment between a VLAN device and a device that cannot understand VLAN tags normally carries only untagged data packets, we call it the untagged data segment.
Tagging and untagging per interface
When you assign VLAN membership for an Ethernet interface on an 802.1Q device, you also tell the interface whether to send and accept tagged or untagged data frames. Some VLAN devices allow one Ethernet interface to accept both tagged and untagged frames. This depends on which VLANs the interface is a member of.
When you configure a Firebox Ethernet interface for VLAN, the interface accepts both tagged and untagged data frames, but it accepts untagged frames only for VLANs in the trusted, optional, and custom security zones. For an external VLAN, a device VLAN interface accepts only tagged data frames.
Use these two rules to decide whether to configure a switch interface for Tag or Untag:
- If the interface connects to a device that can receive and understand 802.1Q VLAN tags, configure the switch interface for Tag. Devices you connect to this interface are usually VLAN switches (managed switches) or routers.
- If the interface connects to a device that cannot receive and understand 802.1Q VLAN tags, configure the switch interface for Untag. (Such devices will likely strip the VLAN tag from the Ethernet header, or drop the frame altogether.) Devices you connect to this interface are usually computers or printers.


Switches
When you configure a Firebox Ethernet interface for VLAN, the switches that you connect to the device interface must be able to use VLAN tags as defined in IEEE 802.1Q. A switch of this type is commonly called a managed switch or an 802.1Q switch.
Types of VLANs
VLANs can use different parameters to assign membership:
- 802.1Q VLANs (used by the Firebox). The Institute of Electrical and Electronics Engineers (IEEE) publishes the 802.1Q standard to define the format of VLAN tags. This standard lets you use VLANs with any vendor's equipment that conforms to 802.1Q standards.
- MAC address-based VLANs use the physical address on a computer's network interface card to put it in the correct logical group.
- VLANs based on multicast groups put computers into VLANs based on whether the computer has subscribed to a particular multicast group.
- Protocol-based VLANs put computers into VLANs based on the communication protocol each uses (such as IP, IPX, DECnet, or AppleTalk).

VLAN Requirements and Recommendations


To use a VLAN with a Firebox:
- If your Firebox is configured in drop-in mode, you cannot use VLANs.
- If your Firebox is configured in bridge mode, you cannot configure VLANs on the device.
  - The device in bridge mode can pass VLAN-tagged traffic between 802.1Q bridges or switches.
  - You can configure a device in bridge mode to be managed from a VLAN that has a specified VLAN tag.
- Each VLAN interface can send and receive untagged traffic for only one trusted or optional VLAN. For example, if a VLAN interface is configured to send and receive untagged traffic for VLAN-10, it cannot also send and receive untagged traffic for any other VLAN at the same time. Also, a VLAN interface cannot be configured to send and receive untagged traffic for an external VLAN.
- Multi-WAN configuration settings are applied to VLAN traffic. However, it can be easier to manage bandwidth when you use only physical interfaces in a multi-WAN configuration.
- Your device model and license control the number of VLANs you can create. To see the number of VLANs you can add to your Firebox, open Policy Manager and select Setup > Feature Keys. Find the row labeled Total number of VLAN interfaces.
- We recommend that you do not create more than 10 VLANs that operate on external interfaces. Too many VLANs on external interfaces affect performance.
- All network segments you want to add to a VLAN must have IP addresses on the VLAN network.

Before You Begin
Before you begin the exercises, you must:
1. Make sure the switches that connect to the Firebox do not use Spanning Tree Protocol. Disable this protocol for any switch interface that connects to a device Ethernet interface.
2. Know how to configure your VLAN switch. Consult the documentation from the device manufacturer for help.

Firewall Configuration
- If your Firebox is not yet configured, run the Quick Setup Wizard first to configure it.
- Use Routed mode in the Quick Setup Wizard. (You cannot use VLANs with Drop-in mode or Bridge mode.) The Quick Setup Wizard with Routed mode has these defaults:
  - The external Interface 0 is configured and enabled with static IP address 203.0.113.X/24. Replace X in the external IP address with the student number your instructor gives you.
  - The trusted Interface 1 is configured and enabled with IP address 10.0.X.1/24. Replace X in the trusted IP address with the student number your instructor gives you.
  - All of the other interfaces are set to Disabled.
  - There are five policies in Policy Manager: FTP, Ping, WatchGuard WebUI, WatchGuard, and Outgoing.
- The trusted interface (Interface 1) is not a member of any VLAN in any of the exercises.
- The management computer is connected directly to the trusted interface with an Ethernet cable. Make sure your management computer has an IP address in the same subnet as the trusted interface, with the correct subnet mask. Make sure the default gateway for the computer is the trusted interface IP address.

Necessary Equipment and Services


Management computer
Use a computer with WSM version 11.9 or higher installed to configure the Firebox. This computer is connected to the device trusted interface in all exercises.
Two additional computers
To test traffic flow with the VLANs, you send traffic between two computers. Each computer is connected to a VLAN switch or to the Firebox itself, depending on the exercise. You can also use the management computer as one of the two computers to test traffic flow between VLANs.
WatchGuard Firebox with Fireware v11.10 or higher
In the exercises, we assume that you ran the Quick Setup Wizard to configure the Firebox and selected Routed mode (not Drop-in or Bridge mode).
802.1Q VLAN switches
- One switch for Exercises 1 and 2
- Two switches for Exercises 3 and 4
- One switch for Exercise 5
Ethernet cables
At a minimum, to complete all the exercises you must have:
- Six Ethernet cables, to interconnect all of the devices.


Configuring the VLAN Switch


Each physical interface on a VLAN switch is generally classified as one of two types:
VLAN Access port
A switch interface of this type removes VLAN tags from data frames before it sends them to the device attached to it. The interface also adds a VLAN tag to untagged frames it gets from the connected device.
You connect computers, printers, and other networked devices to this type of interface.
Configure this type of switch interface for untag mode.
VLAN Trunk port
A switch interface of this type preserves any VLAN tags in the data frames it receives. It also preserves VLAN tags when it sends tagged data frames to the device attached to it.
You connect other VLAN-capable devices such as VLAN switches and routers to this type of interface. You also connect this type of interface to a Firebox interface configured to accept tagged data frames.
Configure this type of switch interface for tag mode.

Select the VLAN ID Numbers


By default, each interface on most new, unconfigured switches belongs to VLAN number 1. Because
this VLAN exists on every interface of most switches by default, the possibility exists that this VLAN can
accidentally span the entire network, or at least very large portions of it.
We recommend you use a VLAN ID number other than 1 for any VLAN that passes traffic to the Firebox.

About the PVID


Some switch manufacturers require you to assign a Port VLAN ID (PVID) to each interface. The PVID
number determines the VLAN ID number that the switch adds to the untagged packets it gets from
devices connected to the interface. If you do not configure a PVID for an interface, it is possible that the
switch can tag the data packets it gets on that interface with the default VLAN ID of 1. This is the case
even if you configure the interface to untag for a different VLAN ID number.
When you change the PVID setting on a switch interface to a PVID number that matches a VLAN
number, the switch adds a VLAN tag for that VLAN to untagged packets it receives on this interface. If
your switch uses PVID numbers, be sure to configure each switch interface that connects a computer to
use the correct PVID number.
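As an added example that is not part of the WatchGuard courseware, the following Python simulates the tag and untag operations defined in Terms and Concepts, the access (untag) and trunk (tag) port modes described in Configuring the VLAN Switch, and the PVID pitfall described above, using the Exercise 1 topology (computer on an access port, trunk to Firebox interface 3). The MAC addresses, port names, and the SwitchPort model are constructed for illustration and do not come from any switch vendor's software or from Fireware.

```python
"""Simulate 802.1Q tag/untag handling on switch ports and at a Firebox VLAN interface.

Constructed example: the MAC addresses, port names and VIDs below are made up for
illustration and are not from any real switch or Firebox configuration.
"""
import struct

TPID_8021Q = 0x8100           # EtherType value that marks an 802.1Q tag
MIN_VID, MAX_VID = 1, 4094    # usable VLAN ID range (0 and 4095 are reserved)
ETHERTYPE_IPV4 = 0x0800

FIREBOX_MAC = "020000000003"  # constructed, locally administered MAC addresses
PC_A_MAC = "02000000000a"
PAYLOAD = bytes(46)           # constructed minimum-size Ethernet payload


def build_frame(dst, src, ethertype, payload, vid=None, pcp=0):
    """Build an Ethernet frame; when vid is given, insert an 802.1Q tag after the MACs."""
    frame = bytes.fromhex(dst) + bytes.fromhex(src)
    if vid is not None:
        if not MIN_VID <= vid <= MAX_VID:
            raise ValueError(f"VID {vid} is outside {MIN_VID}-{MAX_VID}")
        tci = ((pcp & 0x7) << 13) | vid       # TCI = PCP(3 bits) | DEI(1) | VID(12)
        frame += struct.pack("!HH", TPID_8021Q, tci)
    return frame + struct.pack("!H", ethertype) + payload


def parse_tag(frame):
    """Return (vid, pcp) when the frame carries an 802.1Q tag, else None."""
    if len(frame) < 16:
        raise ValueError("frame too short")
    tpid, tci = struct.unpack_from("!HH", frame, 12)
    if tpid != TPID_8021Q:
        return None
    return tci & 0x0FFF, tci >> 13


def tag(frame, vid):
    """Insert a tag for vid into an untagged frame (access-port ingress, vid = PVID)."""
    if parse_tag(frame) is not None:
        raise ValueError("frame is already tagged")
    return frame[:12] + struct.pack("!HH", TPID_8021Q, vid) + frame[12:]


def untag(frame):
    """Remove the tag (access-port egress toward a device that cannot read 802.1Q tags)."""
    if parse_tag(frame) is None:
        raise ValueError("frame is not tagged")
    return frame[:12] + frame[16:]


class SwitchPort:
    """A switch interface: mode 'tag' (trunk) or 'untag' (access), member VIDs, and a PVID."""

    def __init__(self, name, mode, members, pvid=1):
        self.name, self.mode, self.members, self.pvid = name, mode, frozenset(members), pvid

    def ingress(self, frame):
        """Classify a received frame; return (vid, tagged_frame), or None if dropped."""
        found = parse_tag(frame)
        if found is None:
            # Untagged frames are classified by the PVID. A PVID left at the default of 1
            # puts them in VLAN 1 even if the port is configured to untag for another VID.
            return self.pvid, tag(frame, self.pvid)
        if self.mode == "tag" and found[0] in self.members:
            return found[0], frame
        return None   # tagged frame on an access port, or a VLAN this port does not carry

    def egress(self, vid, tagged_frame):
        """Forward toward the attached device; return the frame, or None if not a member."""
        if vid not in self.members:
            return None
        return tagged_frame if self.mode == "tag" else untag(tagged_frame)


def firebox_vlan_accepts(frame, zone):
    """Firebox rule from the text: an external VLAN interface accepts only tagged frames."""
    return parse_tag(frame) is not None or zone in ("trusted", "optional", "custom")


def exercise1_path(pvid=10):
    """Walk one frame from a VLAN10 computer through the switch to Firebox interface 3.

    Returns the VID the Firebox sees, or None if the switch dropped the frame.
    """
    access = SwitchPort("g1", "untag", {10}, pvid=pvid)   # computer port, untag for VLAN10
    trunk = SwitchPort("g24", "tag", {10, 20})             # port cabled to Firebox interface 3
    untagged = build_frame(FIREBOX_MAC, PC_A_MAC, ETHERTYPE_IPV4, PAYLOAD)
    vid, tagged = access.ingress(untagged)
    to_firebox = trunk.egress(vid, tagged)
    if to_firebox is None:
        return None
    return parse_tag(to_firebox)[0]


if __name__ == "__main__":
    print("correct PVID ->", exercise1_path())           # 10
    print("PVID left at 1 ->", exercise1_path(pvid=1))   # None: VLAN 1 never reaches the trunk
    f = build_frame(FIREBOX_MAC, PC_A_MAC, ETHERTYPE_IPV4, PAYLOAD, vid=20, pcp=5)
    print("tag bytes:", f[12:16].hex(), "->", parse_tag(f))   # 8100a014 -> (20, 5)
```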

Exercise 1: Two VLANs on the Same Device Interface

When to Use this Configuration


A Firebox interface is a member of more than one VLAN when the switch that connects to that
interface carries traffic from more than one VLAN.
You use multiple VLANs on one Firebox interface when you want to split a device interface into
multiple broadcast domains or multiple security zones. When you separate the traffic from different
functional groups before it enters the device interface, you get two major benefits:
Broadcast traffic is confined within each VLAN, which reduces congestion.
You can make access policies to allow limited traffic or no traffic between the VLANs. You also
control access from each VLAN to other parts of your network and to the Internet.
Compare the second benefit to the situation when you configure a Firebox interface as a physical
interface (instead of as a VLAN) with a secondary network also configured on the interface: The device
does not filter traffic between the primary network of an interface and a secondary network on that
interface. The primary network is not protected from a secondary network on that interface.

Network Topology
This exercise shows how to connect one switch that carries traffic from two different VLANs to one
Firebox interface. In the subsequent diagram, the computers are connected to the 802.1Q switch, and
the switch is connected to Firebox interface 3. The switch carries traffic from two different VLANs.

Figure 1: Network topology for Exercise 1


Configure the Device


1. From Policy Manager, select Network > Configuration.
The Network Configuration dialog box appears.
2. Select the VLAN tab.

Figure 2: VLAN tab of Network Configuration dialog box

3. Click Add to create a new VLAN.
4. In the Name (Alias) text box, type a name for the VLAN. The name cannot contain spaces.
For this example, type VLAN10.
5. (Optional) In the Description text box, type a description.
For this example, type Accounting.
6. In the VLAN ID text box, type or select a number for the VLAN.
For this example, select 10.
7. From the Security Zone drop-down list, select the security zone for the VLAN.
For this example, select Trusted.
8. In the IP Address text box, type the IP address of the VLAN gateway.
For this example, type 192.168.10.1/24.
Any computer in this new VLAN must use this IP address as its default gateway.
9. (Optional) Configure DHCP for the new VLAN.
a. Select Use DHCP Server.
b. In the Address Pool section, click Add.
c. Type or select the Starting Address and the Ending Address.
For this example, type 192.168.10.10 for the Starting Address and 192.168.10.20 for the Ending Address.
d. Click OK.
The new address pool appears in the Address Pool list.
10. Click OK.
The new VLAN appears.

Side note: Security zones correspond to aliases for interface security zones. For example, VLANs of type Trusted are handled by policies that use the alias Any-Trusted as a source or destination. VLANs can be defined as Trusted, Optional, or Custom.

Figure 3: VLAN tab with new VLAN10


11. Click Add and create another new VLAN.
12. In the Name (Alias) text box, type a name for the VLAN. The name cannot contain spaces. For this
example, type VLAN20.

13. (Optional) In the Description text box, type a description.
For this example, type Sales.
14. In the VLAN ID text box, type or select a number for the VLAN.
For this example, select 20.
15. From the Security Zone drop-down list, select the security zone for the VLAN.
For this example, select Optional.
16. In the IP Address text box, type the IP address of the VLAN gateway.
For this example, type 192.168.20.1/24.
Any computer in this new VLAN must use this IP address as its default gateway.
17. (Optional) Configure DHCP for the new VLAN.
a. Select Use DHCP Server.
b. In the Address Pool section, click Add.
c. Type or select the Starting Address and the Ending Address.
For this example, type 192.168.20.10 for the Starting Address and 192.168.20.20 for
the Ending Address.
d. Click OK.
The new address pool appears in the Address Pool box.
18. Click OK.
Both VLANs now appear.

Figure 4: Two new VLANS: VLAN10 and VLAN20


19. Select the Interfaces tab.
20. Select Interface 3 and click Configure.
21. From the Interface Type drop-down list, select VLAN.
The Interface Type Configuration section appears on the IPv4 tab. Both new VLANs appear in the list.
22. Select Send and receive tagged traffic for selected VLANs.
23. In the Member column, select the check boxes for VLAN10 and VLAN20.

Side note: Because you cannot add a secondary network to a VLAN interface, the Secondary tab remains unavailable here. You can add secondary networks to each of the VLAN members. To do this, edit the VLAN members in the VLAN tab.

Figure 5: The Member column shows which VLANs the interface is a member of.

24. Click OK.
This interface now appears as type VLAN in the list of interfaces.


25. Check your work.
The Interfaces tab should look like this.

Figure 6: Firebox Interface 3 is now type VLAN

The VLAN tab should look like this.

Figure 7: VLAN tab after the VLANs are defined

26. Save this configuration to the device: click the save icon, or select File > Save > To Firebox.

Configure the Switch


Refer to the instructions from your switch manufacturer to configure your switch.
1. Add two VLANs to the 802.1Q switch configuration.
Set the VLAN ID numbers for these VLANs to 10 and 20.
2. Configure the switch interface that connects the switch to device interface 3.
a. Disable Spanning Tree Protocol on any switch interface that connects to the device.
b. Configure this interface on the switch to be a member of both VLANs 10 and 20.
c. Configure this interface to tag for both VLANs.
d. If necessary for your switch operating system, configure the switch mode to trunk.
e. If necessary for your switch operating system, set the encapsulation mode to 802.1Q.
3. Configure the switch interfaces that connect computers in VLAN10 to the switch.
a. Configure each switch interface that will connect a computer in VLAN10 to be a member of VLAN10.
b. Configure these interfaces to untag for VLAN10.
4. Configure the switch interfaces that connect computers in VLAN20 to the switch.
a. Any switch interface that will connect a computer in VLAN20 must be a member of VLAN20.
b. Configure these interfaces to untag for VLAN20.

Side note: As a general rule, remember that the physical segment between the switch interface in Step 2 and the Firebox is a tagged data segment. Traffic that flows over this segment must use 802.1Q VLAN tagging. Some switch manufacturers refer to a switch interface that is configured like the one in Step 2 as a trunk port or trunk interface.

Physically Connect all Devices

1. Connect one end of an Ethernet cable to the device interface 3.
2. Connect the other end of the Ethernet cable to the interface on the switch that you configured to tag for VLANs 10 and 20 (to the VLAN trunk interface of the switch).
3. Connect a computer to the interfaces on the switch that you configured to untag for VLAN10.
4. If you configured VLAN10 to use the DHCP server, configure the computer's network card to use DHCP to get an IP address automatically.
For more information, see Step 9 on page 13.
5. If you did not configure the VLAN to use the DHCP server, configure the computer's network card with an IP address in the VLAN subnet 192.168.10.x. Use subnet mask 255.255.255.0 and set the computer's default gateway to the device VLAN IP address, 192.168.10.1.
6. Repeat Steps 1–3 to connect a computer to a switch interface that you configured to untag for VLAN20.

Note
As a general rule, remember that the physical segment between a switch interface and a computer (or other networked device) that connects to it is an untagged data segment. Traffic that flows over this segment does not have VLAN tags.
Most switches sold today have interfaces that can auto-sense MDI/MDI-X for the Ethernet connection. When the interface senses a physical link, it automatically configures itself to be a normal or uplink interface. If you do not get link lights on the Ethernet interfaces with one type of Ethernet cable (straight-through or crossover), try the other type of Ethernet cable.

Test the Configuration

From the computer in VLAN10, you should be able to ping the computer in VLAN20, as well as ping the VLAN10 computer from the VLAN20 computer. The two computers can ping each other because the default settings of the Ping policy allow Any-Trusted and Any-Optional to send ICMP echo requests to Any.
No other traffic is allowed between the two VLANs unless there is a policy that specifically allows it. The basic configuration loaded by the Quick Setup Wizard does not allow any other traffic between the VLANs.
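To make the tagged and untagged segments of this exercise concrete, here is an added example (not WatchGuard code) that builds and parses 802.1Q frames and models the switch's access ports (untag for VLAN10 or VLAN20) and its trunk port toward Firebox interface 3. The MAC addresses and payload are constructed sample values.

```python
"""802.1Q tag encoder/decoder plus a model of the Exercise 1 switch ports."""
import struct

TPID_8021Q = 0x8100      # EtherType value that announces an 802.1Q tag follows
ETHERTYPE_IPV4 = 0x0800


def build_frame(dst: bytes, src: bytes, ethertype: int, payload: bytes) -> bytes:
    """Untagged Ethernet II frame: dst(6) src(6) ethertype(2) payload."""
    return dst + src + struct.pack("!H", ethertype) + payload


def add_tag(frame: bytes, vid: int, pcp: int = 0, dei: int = 0) -> bytes:
    """Insert a 4-byte 802.1Q tag (TPID + TCI) after the source MAC."""
    if not 1 <= vid <= 4094:
        raise ValueError("802.1Q VLAN ID must be 1..4094")
    tci = ((pcp & 0x7) << 13) | ((dei & 0x1) << 12) | vid
    return frame[:12] + struct.pack("!HH", TPID_8021Q, tci) + frame[12:]


def strip_tag(frame: bytes) -> bytes:
    """Remove the 802.1Q tag; caller has already checked the frame is tagged."""
    return frame[:12] + frame[16:]


def parse_frame(frame: bytes) -> dict:
    """Return dst, src, vid (None when untagged), ethertype and payload."""
    dst, src = frame[:6], frame[6:12]
    (ethertype,) = struct.unpack("!H", frame[12:14])
    if ethertype == TPID_8021Q:
        tci, ethertype = struct.unpack("!HH", frame[14:18])
        return {"dst": dst, "src": src, "vid": tci & 0x0FFF,
                "ethertype": ethertype, "payload": frame[18:]}
    return {"dst": dst, "src": src, "vid": None,
            "ethertype": ethertype, "payload": frame[14:]}


class SwitchPort:
    """access: untags for exactly one VLAN (computer side).
    trunk: tags for every member VLAN (Firebox side). Untagged frames on the
    trunk are dropped here because the Firebox interface in this exercise only
    receives tagged traffic; real switches may map them to a native VLAN."""

    def __init__(self, mode: str, vids):
        if mode not in ("access", "trunk"):
            raise ValueError("mode must be 'access' or 'trunk'")
        if mode == "access" and len(vids) != 1:
            raise ValueError("an access (untag) port belongs to exactly one VLAN")
        self.mode, self.vids = mode, set(vids)

    def ingress(self, frame: bytes):
        """Classify a received frame: (vid, untagged frame), or None to drop."""
        info = parse_frame(frame)
        if self.mode == "access":
            if info["vid"] is not None:   # tags do not belong on an untagged segment
                return None
            return next(iter(self.vids)), frame
        if info["vid"] in self.vids:      # trunk accepts only its member VLANs
            return info["vid"], strip_tag(frame)
        return None

    def egress(self, vid: int, untagged: bytes):
        """Send a classified frame out: tag on a trunk, leave bare on access."""
        if vid not in self.vids:
            return None
        return add_tag(untagged, vid) if self.mode == "trunk" else untagged


def forward(in_port: SwitchPort, out_port: SwitchPort, frame: bytes):
    """One hop through the switch; None means the frame was dropped."""
    classified = in_port.ingress(frame)
    if classified is None:
        return None
    vid, untagged = classified
    return out_port.egress(vid, untagged)


# Exercise 1 ports: two access ports for the computers, one trunk to interface 3.
ACCESS_VLAN10 = SwitchPort("access", [10])
ACCESS_VLAN20 = SwitchPort("access", [20])
TRUNK_TO_FIREBOX = SwitchPort("trunk", [10, 20])

# Constructed locally administered MACs and payload, not real devices.
HOST_VLAN10_MAC = bytes.fromhex("02000000aa10")
FIREBOX_ETH3_MAC = bytes.fromhex("020000000003")
SAMPLE_FRAME = build_frame(FIREBOX_ETH3_MAC, HOST_VLAN10_MAC, ETHERTYPE_IPV4,
                           b"ICMP echo request (constructed payload)")

if __name__ == "__main__":
    on_trunk = forward(ACCESS_VLAN10, TRUNK_TO_FIREBOX, SAMPLE_FRAME)
    print("trunk sees VID", parse_frame(on_trunk)["vid"], "tag bytes", on_trunk[12:16].hex())
    print("VLAN10 frame out of the VLAN20 access port:",
          forward(TRUNK_TO_FIREBOX, ACCESS_VLAN20, on_trunk))
```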


Exercise 2: One VLAN Bridged Across Two Device Interfaces

When to Use this Configuration


The primary benefit of this configuration is the ability to bridge a VLAN between computers connected to a VLAN switch and computers directly connected to the Firebox. A typical network topology is this:
- You have a relatively large number of computers connected by way of a VLAN switch to one device interface.
- You have a single computer (or a small group of computers) that must share the same resources as the first group, but it is physically separated from the first group.
- It is more convenient or cost-effective to connect the smaller group directly to the device.
To solve the challenge of putting all these computers into one logical group, you configure the Firebox with a VLAN that bridges two device interfaces:
- One device interface tags for the VLAN. This interface connects, by way of an Ethernet cable, to the VLAN switch that links the majority of the computers in this logical group.
- The other device interface untags for the VLAN. This interface has a direct Ethernet connection to one computer (or a small group of computers) in the logical group. This second connection can be a shared media connection such as a hub connected to the interface, or a single computer connected to the interface with a crossover Ethernet cable.
With this configuration, all the computers can easily share resources, and their broadcasts are confined to the VLAN.

Network Topology
This exercise shows how to connect a switch to one Firebox interface, and computers to another Firebox interface. Figure 8 shows that the computers connected to the switch and to device interface 4 are in the same VLAN.

Note
The untagged Firebox interface in Figure 8 (Interface 4, with one computer connected) operates in much the same way as an untagged switch port on a VLAN switch.

Figure 8: Network topology for Exercise 2

Note
If you have already completed the previous exercise, remove the VLANs and disable the VLAN
interface you configured in that exercise before you begin this one.

Configure the Device


1. From Policy Manager, select Network > Configuration.
2. Select the VLAN tab.
3. Click Add and create a new VLAN.
The New VLAN Configuration dialog box appears.
4. In the Name (Alias) text box, type a name for the VLAN. The name cannot contain spaces.
For this example, type VLAN10.
5. (Optional) In the Description text box, type a description of the VLAN.
For this example, type Accounting.
6. In the VLAN ID text box, select a number for the VLAN.
For this example, type 10.
7. From the Security Zone drop-down list, select the security zone for the VLAN.
For this example, select Trusted.


8. In the IP Address text box, type the IP address of the VLAN gateway.
For this example, type 192.168.10.1/24.
Any computer in this new VLAN must use this IP address as its default gateway.
9. (Optional) Configure DHCP for the new VLAN.
a. Select Use DHCP Server.
b. In the Address Pool section, click Add.
c. Type or select the Starting Address and the Ending Address.
For this example, type 192.168.10.10 for the Starting Address and 192.168.10.20 for
the Ending Address.
d. Click OK.
The new address pool appears in the Address Pool list.
10. Click OK.
The new VLAN is added.

Note
The Interfaces column is blank for a new VLAN because no Firebox interfaces have been assigned to it yet. You assign the VLAN to Firebox interfaces in the next steps.

Figure 9: VLAN10 on the VLAN tab


11. To make device Interfaces 3 and 4 members of the new VLAN, select the Interfaces tab.
12. Select Interface 3 and click Configure.
13. From the Interface Type drop-down list, select VLAN.
14. Select Send and receive tagged traffic for selected VLANs.
15. In the Member column, select the check box for VLAN10.

Note
You configure interface 3 to handle tagged VLAN traffic, because it connects to a VLAN switch that sends it traffic with VLAN tags.

Figure 10: Select the check box to make the interface a member of the VLAN
16. Click OK.
This interface now appears as type VLAN in the list of interfaces.
17. Double-click Interface 4 and configure it to untag for VLAN10.
18. From the Interface Type drop-down list, select VLAN.

19. At the bottom of the dialog box, select the Send and receive untagged traffic for selected VLAN check box. From the adjacent drop-down list, select VLAN10 (192.168.10.1/24).

Note
You can only select one VLAN for untagged traffic. This option is not available if you choose a VLAN that has External specified as the zone. You cannot configure an interface to send and receive both tagged and untagged traffic when a VLAN is configured as an External zone.
If you do not want computers connected to a Firebox interface to be part of a VLAN, then do not configure the interface to be of type VLAN. Instead, configure the interface to be of type Trusted or Optional.

Figure 11: Make Interface 4 an untagged switch port

20. Click OK and check your work.
The Interfaces tab should now look like this.

Figure 12: Firebox interfaces 3 and 4 now appear as type VLAN


The VLAN tab should look like this.

Figure 13: The VLAN interface used by interfaces 3 and 4


The VLAN settings list includes information about which interface tags and which interface untags for a particular VLAN. It uses either boldface type or normal type for the numbers in the Interfaces column:
- Boldface entries are Untag.
- Normal type entries are Tag.
21. Save this configuration to the Firebox.


Configure the Switch


Refer to the instructions from your switch manufacturer to configure your switch.
1. Configure the switch interface that connects the switch to the Firebox interface 3.
a. Disable Spanning Tree Protocol on any switch interface that connects to the device.
b. Configure this interface on Switch A to be a member of VLAN10.
c. Configure this interface to tag for VLAN10.
d. If necessary for your switch operating system, configure the switch mode to trunk.
e. If necessary for your switch operating system, set encapsulation mode to 802.1Q.
2. Configure the switch interfaces that connect computers to the switch.
3. Configure the other switch interfaces to be members of VLAN10 and to untag for VLAN10.
As a general rule, remember that the physical segment between this switch interface and the device is a tagged data segment. Traffic that flows over this segment must use 802.1Q VLAN tagging.
As a general rule, remember that the physical segments between each of the other switch interfaces and the computers (or other networked devices) that connect to them are untagged data segments. Traffic that flows over these segments does not have VLAN tags.

Note
Some switch manufacturers call an interface configured this way either a trunk port or a trunk interface.

Physically Connect all Devices


1. Connect one end of an Ethernet cable to the Firebox interface 3.
2. Connect the other end of the Ethernet cable to the interface on the switch that you configured to
tag for VLAN10 (to the VLAN trunk interface of the switch).
3. Connect a computer to one of the interfaces on the switch that you configured to untag for VLAN10.
4. If you configured VLAN10 to use the DHCP server, configure the computer's network card to use DHCP to get an IP address automatically.
See Step 9 on page 19.
5. If you did not configure the VLAN to use the DHCP server, configure the computer's network card with an IP address in the VLAN subnet 192.168.10.x. Use subnet mask 255.255.255.0 and set the computer's default gateway to the device VLAN IP address 192.168.10.1.
6. Repeat these steps to connect a computer to device interface 4.

Test the Configuration


You should be able to send a ping from the computer connected to the switch to the computer
connected to device interface 4, and from the computer connected to device interface 4 to the
computer connected to the switch. The two computers can communicate as though they were
connected to the same physical LAN.

Exercise 3: One VLAN Bridged Across Two Device Interfaces
(Alternate Configuration)

When to Use This Configuration


You might use a configuration like this if your organization is spread across multiple locations. For
example, suppose your network is on the first and second floors in the same building. Some of the
computers on the first floor are in the same functional group as some of the computers on the second
floor. You want to group these computers into one broadcast domain so that they can easily share
resources, such as a dedicated file server for their LAN, host-based shared files, printers, and other
network accessories.
You connect the computers on one floor to one VLAN switch, and connect that switch to a Firebox
interface. You connect the computers on the other floor to one VLAN switch, and connect that switch
to another Firebox interface. This puts all of the computers into one LAN.
One of the main benefits in this setup is cost savings: it is not necessary to connect another device to
combine the traffic from the two switches before it enters the device. The device combines the traffic,
and lets you apply strict security policies between the VLANs, the rest of your network, and untrusted
segments such as the Internet. This saves you the cost of a different device, such as a router or a layer 3
switch.

Network Topology
This exercise shows how to connect two 802.1Q switches, both of which send traffic from the same VLAN, to two different Firebox interfaces. The subsequent diagram shows how computers are connected to the 802.1Q switches, and how the switches are connected to the device. Two 802.1Q switches connected to device interfaces 3 and 4 carry traffic from the same VLAN.

Figure 14: Network topology for Exercise 3


Note
If you have already completed the previous exercise, remove the VLANs and disable the VLAN
interface you configured in that exercise before you begin this one.

Configure the Device


1. From Policy Manager, select Network > Configuration.
2. Select the VLAN tab.
The VLAN settings list is empty because you have not defined any VLANs.
3. Click Add and create a new VLAN.
The New VLAN Configuration dialog box appears.
4. In the Name (Alias) text box, type a name for the VLAN. The name cannot contain spaces.
For this example, type VLAN10.
5. (Optional) In the Description text box, type a description of the VLAN.
For this example, type Accounting.
6. In the VLAN ID text box, select a number for the VLAN. For this example, type 10.
7. From the Security Zone drop-down list, select the security zone for the VLAN.
For this example, select Trusted.
8. In the IP Address text box, type the IP address of the VLAN gateway.
For this example, type 192.168.10.1/24.
Any computer in this new VLAN must use this IP address as its default gateway.
9. (Optional) Configure DHCP for the new VLAN.
a. Select Use DHCP Server.
b. In the Address Pool section, click Add.
c. Type or select the Starting Address and the Ending Address.
For this example, type 192.168.10.10 for the Starting Address and 192.168.10.20 for
the Ending Address.
d. Click OK.
The new address pool appears in the Address Pool list.
10. Click OK.
The new VLAN appears.

Figure 15: The VLAN tab with new VLAN10


11. To make device Interfaces 3 and 4 members of the new VLAN, select the Interfaces tab.
12. Select Interface 3 and click Configure.
Or, double-click the interface.
13. From the Interface Type drop-down list, select VLAN.

14. Select Send and receive tagged traffic for selected VLANs.
15. In the Member column, select the check box for VLAN10.

Note
Interface 3 will be a tagged VLAN interface because it connects to a VLAN switch that sends it traffic with VLAN tags.

Figure 16: Select the check box to make the interface a member of the VLAN
16. Click OK.
This interface now appears as type VLAN in the list of interfaces.
17. Repeat Steps 11–16 for Interface 4 to make that interface a member of VLAN10.
18. Check your work.
The Interfaces tab should look like this:

Figure 17: Interfaces 3 and 4 are both type VLAN


The VLAN tab should look like this:

Note
The numbers in the Interfaces column use normal type to indicate that these are tagged interfaces. If the interfaces are configured as untagged switch ports, the entry appears in bold type.

Figure 18: The VLAN tab shows that interfaces 3 and 4 are members of VLAN10

19. Click and save this configuration to the device.


Or, select File > Save > To Firebox.


Configure the Switches


Refer to the instructions from your switch manufacturer to configure your switch.

Switch A
1. Configure the switch interface that connects the switch to the Firebox interface 3.
a. Configure this interface on Switch A to be a member of VLAN10.
b. Configure this interface to send traffic with the VLAN10 tag.
c. If necessary, set the switch mode to trunk.
d. If necessary, set the encapsulation mode to 802.1Q.
As a general rule, remember that the physical segment between this switch interface and the Firebox is a tagged data segment. Traffic that flows over this segment must use 802.1Q VLAN tagging.

Note
Some switch manufacturers refer to an interface that is configured like this as a trunk port or a trunk interface.

2. Configure the switch interfaces that connect computers to the switch.
Configure the other switch interfaces to be members of VLAN10. You must also configure these interfaces to send untagged traffic for VLAN10.
As a general rule, remember that the physical segments between each of the other switch
interfaces and the computers (or other networked devices) that connect to them are untagged
data segments. Traffic that flows over these segments does not have VLAN tags.

Switch B
Repeat the previous steps to configure Switch B:
1. Configure the switch interface that connects the switch to the device interface 4.
a. Disable Spanning Tree Protocol on any switch interface that connects to the device.
b. Configure one interface on Switch B to be a member of VLAN10.
c. Configure this interface to send traffic with the VLAN10 tag.
d. If necessary, set the switch mode to trunk.
e. If necessary, set the encapsulation mode to 802.1Q.
As a general rule, remember that the physical segment between this switch interface and the
Firebox is a tagged data segment. Traffic that flows over this segment must use 802.1Q VLAN
tagging.
2. Configure the switch interfaces that connect computers to the switch.
3. Configure the other switch interfaces to be members of VLAN10. You must also configure these
interfaces to send untagged traffic for VLAN10.
As a general rule, remember that the physical segments between each of the other switch
interfaces and the computers (or other networked devices) that connect to them are untagged
data segments. Traffic that flows over these segments does not have VLAN tags.

Physically Connect All Devices


1. Connect one end of an Ethernet cable to the device interface 3.
2. Connect the other end of this Ethernet cable to the interface on Switch A that you configured to
tag for VLAN10 (to the VLAN trunk interface of Switch A).
3. Connect one end of an Ethernet cable to the device interface 4.
4. Connect the other end of this Ethernet cable to the interface on Switch B that you configured to
tag for VLAN10 (to the VLAN trunk interface of Switch B).
5. Connect a computer to one of the interfaces on Switch A that you configured to untag for VLAN10.

6. If you configured VLAN10 to use the DHCP server, configure the computer's network card to use DHCP to get an IP address automatically.
See Step 9 on page 23.
7. If you did not configure the VLAN to use the DHCP server, configure the computer's network card with an IP address in the VLAN subnet 192.168.10.x. Use subnet mask 255.255.255.0 and set the computer's default gateway to the device VLAN IP address 192.168.10.1.
8. Repeat these steps to connect a computer to Switch B.

Testing the Connection


You should be able to ping from a computer connected to Switch A to a computer connected to Switch
B, and from a computer connected to Switch B to a computer connected to Switch A. Because they are
in the same VLAN, the two computers can communicate as if they were connected to the same physical
LAN.


Exercise 4: Two VLANs as External Interfaces on the Same Device

When to Use this Configuration


You use VLANs as External interfaces when your service provider gives you Internet and MPLS
connections on a single Ethernet cable, logically separated by VLANs. Rather than connecting the cable
to a managed switch, then to separate physical interfaces on your Firebox, you can connect the cable
directly to a single physical interface configured as a trunk on your device.

Network Topology
This exercise simulates two service provider connections, ISP-1 (VLAN 10) and ISP-2 (VLAN 20), carried by a single trunk port of the switch to one Firebox interface. In the subsequent diagram, the WAN connection is connected to the 802.1Q switch, and the trunk port of the switch (Switch A) is connected to device interface 3.

Figure 19: Network topology for Exercise 4

Note
If you have already completed the previous exercise, remove the VLANs and disable the VLAN
interface you configured in that exercise before you begin this one.

Configure the Device
1. From Policy Manager, select Network > Configuration.
The Network Configuration dialog box appears.
2. Select the VLAN tab.
3. Click Add to create a new VLAN.
The New VLAN Configuration dialog box appears.
4. In the Name (Alias) text box, type a name for the VLAN. The name cannot contain spaces. For this
example, type External-VLAN10.
5. (Optional) In the Description text box, type a description. For this example, type ISP-1.
6. In the VLAN ID text box, type or select a number for the VLAN. For this example, select 10.
7. From the Security Zone drop-down list, select the security zone for the VLAN. For this example, select External.
8. Select Use Static IP.
9. In the IP Address text box, type the IP address. For this exercise, type 198.51.100.X/24.
Replace the X in the IP address with the student number your instructor gives you. For example, if your student number is 10, type 198.51.100.10/24.
10. In the Default Gateway text box, type the gateway address. For this exercise, type 198.51.100.1.
This configuration must have a corresponding upstream connection that is the default gateway (198.51.100.1).

Note
Security zones correspond to aliases for interface security zones. For example, VLANs of type External are handled by policies that use the alias Any-External as a source or destination.
11. Click OK.
12. Click Add and create another new VLAN.
The New VLAN Configuration dialog box appears.
13. In the Name (Alias) text box, type a name for the VLAN. The name cannot contain spaces. For this
example, type External-VLAN20.
14. (Optional) In the Description text box, type a description. For this exercise, type ISP-2.
15. In the VLAN ID text box, type or select a number for the VLAN. For this example, select 20.
16. From the Security Zone drop-down list, select the security zone for the VLAN. For this example,
select External.
17. Select Use Static IP.
18. In the IP Address text box, type the IP address. For this example, type 198.0.2.X/24. Replace the X in the IP address with the student number your instructor gives you. For example, if your student number is 10, type 198.0.2.10/24.
19. In the Default Gateway text box, type the gateway address. For this exercise, type 198.0.2.1.
This configuration must have a corresponding upstream connection that is the default gateway (198.0.2.1).
20. Click OK.
The new VLANs appear.

Figure 20: VLAN tab with new External-VLAN10 and External-VLAN20


21. Select the Interfaces tab.


22. Select Interface 3. Click Configure.


23. From the Interface Type drop-down list, select VLAN.
The Interface Type Configuration section appears on the IPv4 tab. Both new VLANs appear in the list.
24. Select Send and receive tagged traffic for selected VLANs.
25. In the Member column, select the check boxes for External-VLAN10 and External-VLAN20.

Figure 21: The Member column shows which VLANs this interface is a member of.
26. Click OK.
27. Check your work.
The Interfaces tab should look like this.

Figure 22: Interface 3 is now type VLAN


The VLAN tab should look like this.

Figure 23: VLAN tab after the VLANs are defined


28. Save this configuration to the device.
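Exercises 1 through 4 state several rules that Policy Manager enforces one dialog box at a time: VLAN names without spaces, a DHCP pool inside the VLAN subnet, at most one untagged VLAN per interface, no untagged External-zone VLAN, no mixing of tagged and untagged traffic when a member VLAN is External, and a default gateway on the subnet of a static External VLAN. Here is an added example (not WatchGuard code) that checks a whole VLAN plan against those rules before you start clicking; the interface names and sample plans are constructed.

```python
"""Pre-flight check of a VLAN plan against the rules stated in Exercises 1-4."""
from ipaddress import ip_address, ip_interface


def check_plan(vlans, interfaces):
    """vlans: name -> {"id", "zone", "ip" (gateway/prefix), "dhcp": (start, end) or None,
                       "gateway": upstream gateway for External VLANs or None}
    interfaces: name -> {"tagged": [vlan names], "untagged": [vlan names]}
    Returns a list of problems; an empty list means the plan passes."""
    problems = []
    seen_ids = {}
    for name, v in vlans.items():
        if " " in name:
            problems.append(f"{name}: VLAN name cannot contain spaces")
        vid = v["id"]
        if not 1 <= vid <= 4094:
            problems.append(f"{name}: VLAN ID {vid} is outside the 802.1Q range 1-4094")
        elif vid in seen_ids:
            problems.append(f"{name}: VLAN ID {vid} is already used by {seen_ids[vid]}")
        seen_ids.setdefault(vid, name)
        gw = ip_interface(v["ip"])            # VLAN gateway, e.g. 192.168.10.1/24
        net = gw.network
        if v.get("dhcp"):
            start, end = (ip_address(a) for a in v["dhcp"])
            if start > end:
                problems.append(f"{name}: DHCP pool start {start} is after end {end}")
            elif start not in net or end not in net:
                problems.append(f"{name}: DHCP pool {start}-{end} is not inside {net}")
            elif start <= gw.ip <= end:
                problems.append(f"{name}: DHCP pool hands out the gateway address {gw.ip}")
        if v["zone"] == "External":
            # Exercise 4: a static External VLAN needs an upstream default gateway on its subnet.
            if not v.get("gateway"):
                problems.append(f"{name}: External VLAN with a static IP needs a default gateway")
            elif ip_address(v["gateway"]) not in net:
                problems.append(f"{name}: default gateway {v['gateway']} is not in {net}")
    for iname, i in interfaces.items():
        tagged, untagged = list(i.get("tagged", [])), list(i.get("untagged", []))
        for m in tagged + untagged:
            if m not in vlans:
                problems.append(f"{iname}: references undefined VLAN {m}")
        tagged = [m for m in tagged if m in vlans]
        untagged = [m for m in untagged if m in vlans]
        if not tagged and not untagged:
            problems.append(f"{iname}: VLAN interface with no member VLANs")
        if len(untagged) > 1:
            problems.append(f"{iname}: only one VLAN can be selected for untagged traffic")
        if any(vlans[m]["zone"] == "External" for m in untagged):
            problems.append(f"{iname}: an External-zone VLAN cannot be the untagged VLAN")
        if tagged and untagged and any(vlans[m]["zone"] == "External" for m in tagged + untagged):
            problems.append(f"{iname}: cannot mix tagged and untagged traffic when a member VLAN is External")
    return problems


# Exercise 2 plan: VLAN10 tagged on Interface 3 (to the switch), untagged on Interface 4.
EXERCISE_2 = (
    {"VLAN10": {"id": 10, "zone": "Trusted", "ip": "192.168.10.1/24",
                "dhcp": ("192.168.10.10", "192.168.10.20"), "gateway": None}},
    {"Interface 3": {"tagged": ["VLAN10"], "untagged": []},
     "Interface 4": {"tagged": [], "untagged": ["VLAN10"]}},
)

# Exercise 4 plan for student number 10: two External VLANs tagged on Interface 3.
EXERCISE_4 = (
    {"External-VLAN10": {"id": 10, "zone": "External", "ip": "198.51.100.10/24",
                         "dhcp": None, "gateway": "198.51.100.1"},
     "External-VLAN20": {"id": 20, "zone": "External", "ip": "198.0.2.10/24",
                         "dhcp": None, "gateway": "198.0.2.1"}},
    {"Interface 3": {"tagged": ["External-VLAN10", "External-VLAN20"], "untagged": []}},
)

# Constructed broken plan: gateway off its subnet, DHCP pool in the wrong subnet,
# and an External VLAN used as the untagged VLAN next to a tagged one.
BROKEN = (
    {"External-VLAN10": {"id": 10, "zone": "External", "ip": "198.51.100.10/24",
                         "dhcp": None, "gateway": "198.0.2.1"},
     "VLAN20": {"id": 20, "zone": "Optional", "ip": "192.168.20.1/24",
                "dhcp": ("192.168.10.10", "192.168.10.20"), "gateway": None}},
    {"Interface 3": {"tagged": ["VLAN20"], "untagged": ["External-VLAN10"]}},
)

if __name__ == "__main__":
    for label, plan in (("Exercise 2", EXERCISE_2), ("Exercise 4", EXERCISE_4), ("Broken", BROKEN)):
        print(label, check_plan(*plan) or "OK")
```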

Configure the Switch
Add VLANs to the switch that connects to your ISP. In the diagram, this is labeled Switch A.
Refer to the instructions from your switch manufacturer to configure VLAN tagging on your switch.
1. Add two VLANs with the ID numbers 10 and 20 to the 802.1Q switch configuration.
2. Configure the switch interface that connects the switch to the Firebox interface 3.
a. Disable Spanning Tree Protocol on any switch interface that connects to the device.
b. Configure this interface on the switch to be a member of both VLANs 10 and 20.
c. Configure this interface to tag for both VLANs.
d. If necessary for your switch operating system, set the switch mode to trunk.
e. If necessary for your switch operating system, set the encapsulation mode to 802.1Q.
3. Configure the switch interface that connects ISP-1 in VLAN10 to the switch.
a. Configure the switch interface that will connect to ISP-1 to be a member of VLAN10.
b. Configure this interface to untag for VLAN10.
4. Configure the switch interface that connects ISP-2 in VLAN20 to the switch.
a. Configure the switch interface that will connect to ISP-2 to be a member of VLAN20.
b. Configure this interface to untag for VLAN20.
As a general rule, remember that the physical segment between this switch interface and the Firebox is a tagged data segment. Traffic that flows over this segment must use 802.1Q VLAN tagging.
Some switch manufacturers refer to a switch interface that is configured like Step 2 as a trunk port or trunk interface.
As a general rule, remember that the physical segment between a switch interface and the networked device that connects to it is an untagged data segment. Traffic that flows over this segment does not have VLAN tags.
Physically Connect All Devices

1. Connect one end of an Ethernet cable to the device interface 3.
2. Connect the other end of the Ethernet cable to the interface on the switch that you configured to tag for VLANs 10 and 20 (to the VLAN trunk interface of the switch).
3. Connect the interface on the switch that you configured to untag for VLAN10 to the upstream internet connection of ISP-1.
4. Connect the interface on the switch that you configured to untag for VLAN20 to the upstream internet connection of ISP-2.

Note
You can use another Firebox to simulate the ISP-1 and ISP-2 connections. Configure a Trusted interface with an IP address of 198.51.100.1/24 and another Trusted interface with an IP address of 198.0.2.1/24 on another Firebox. Make sure that these subnets (198.51.100.0/24 and 198.0.2.0/24) are included in the Dynamic NAT configuration and that they translate to Any-External to get an Internet connection.

Test the Configuration

From the management computer or any computer on the trusted zone, you should be able to access the Internet. Create an HTTP policy and enable logging for the allowed packets. You should see which External interface each packet uses to reach the destination. You may also enable logging on the Outgoing and Ping policies to try other protocols. This should log which External interface each packet used to reach its destination.

Using VLANs in Device Policies

Apply Firewall Policies to Intra-VLAN Traffic


You can configure more than one device interface as a member of the same VLAN. By default, policies
are not applied to traffic that passes through the firewall between hosts on different interfaces that are
on the same VLAN. If you want to apply policies to VLAN traffic between local interfaces you must edit
the VLAN settings for that VLAN to enable it.
For example, you might want to do this if the VLAN member interfaces connect to networks for two
departments, and you want to control whether users on one interface can have access to network
resources on the other interface.
1. Select Network > Configuration.
2. Select the VLAN tab.
3. Double click the VLAN to edit.
4. At the bottom of the Edit VLAN dialog box, select the Apply firewall policies to intra-VLAN
traffic check box.
5. Save the configuration to the device.
If you want to apply policies to intra-VLAN traffic, make sure that no alternate path exists between the
source and destination. The VLAN traffic must go through the device for firewall policies to apply.
Intra-VLAN policies are applied by IP address, user, or alias. If the intra-VLAN traffic does not match any
defined policy, the traffic is denied as unhandled packets. Intra-VLAN non-IP packets are allowed.

Aliases
When you add the new VLAN, the VLAN name appears as a new alias in the list of Firebox aliases.
To open the Aliases dialog box, select Setup > Aliases.

Figure 24: The aliases list


You can use this alias in Firebox policies to specify the new VLAN.

For example, to specify that users in Trusted-VLAN30 are allowed to make SSH connections to a server
in the trusted network with IP address 10.0.1.56, configure an SSH policy as shown in the subsequent
image.

Figure 25: SSH policy


Three other aliases can include a VLAN: Any-Trusted, Any-Optional, and Any-External.
- If you configure the VLAN in the Trusted security zone, then the Any-Trusted alias includes the VLAN. The Any-Trusted alias includes VLANs that use the Trusted security zone, and all networks connected to a device interface of type Trusted.
- If you configure the VLAN in the Optional security zone, then the Any-Optional alias includes the VLAN. The Any-Optional alias includes VLANs that use the Optional security zone, and all networks connected to a device interface of type Optional.
- If you configure the VLAN in the External security zone, then the Any-External alias includes the VLAN. The Any-External alias includes VLANs that use the External security zone, and all networks connected to a device interface of type External.
- If you configure the VLAN in the Custom security zone, then the VLAN is not included in the Any-Trusted, Any-Optional, or Any-External aliases. As a result, traffic for the VLAN is not handled by the policies that use these aliases. You must add the VLAN interface name to the policy so that the policy applies to traffic for that VLAN.
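The alias rules above, together with the intra-VLAN policy setting from the previous section, as an added example (not Fireware code) that models them in Python. The segments, hosts and policies are constructed, and the model matches on service name, source and destination only, which is enough to show why a Custom-zone VLAN falls through every Any-* policy and what the intra-VLAN check box changes.

```python
"""Model of VLAN security zones, Any-* aliases and intra-VLAN policy handling."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass
class Segment:
    """A VLAN, or a physical interface of type Trusted/Optional/External, with its zone."""
    name: str
    zone: str                       # Trusted, Optional, External or Custom
    intra_vlan_policies: bool = False   # "Apply firewall policies to intra-VLAN traffic"


@dataclass
class Policy:
    name: str
    service: str                    # e.g. "ssh", "ping", "http"
    frm: tuple                      # aliases, "Any", or IP/network literals
    to: tuple


def aliases_for(seg: Segment) -> set:
    """The segment's own name is always an alias. Only the three built-in zones
    also place it in Any-Trusted, Any-Optional or Any-External; a Custom-zone
    VLAN is in none of them, so policies built on those aliases never match it."""
    names = {seg.name}
    if seg.zone in ("Trusted", "Optional", "External"):
        names.add("Any-" + seg.zone)
    return names


def matches(spec: str, host: str, seg: Segment) -> bool:
    """True if a policy member spec covers this host on this segment."""
    if spec == "Any" or spec in aliases_for(seg):
        return True
    try:                            # "10.0.1.56" or "10.0.1.0/24" as a member
        return ip_address(host) in ip_network(spec, strict=False)
    except ValueError:
        return False


def evaluate(policies, service, src_host, src, dst_host, dst, is_ip=True):
    """Return (verdict, reason) for one packet the Firebox must forward."""
    if src is dst:                  # hosts on different interfaces of the same VLAN
        if not src.intra_vlan_policies:
            return "allow", "intra-VLAN traffic is bridged without policy checks"
        if not is_ip:
            return "allow", "intra-VLAN non-IP packets are allowed"
    for p in policies:              # first matching policy wins in this model
        if p.service == service \
                and any(matches(s, src_host, src) for s in p.frm) \
                and any(matches(d, dst_host, dst) for d in p.to):
            return "allow", p.name
    return "deny", "unhandled packet"


# Constructed segments and policies modeled on this chapter's examples.
TRUSTED_VLAN30 = Segment("Trusted-VLAN30", "Trusted")
GUEST_VLAN20 = Segment("VLAN20-Guest-W", "Custom")    # Exercise 5 guest VLAN
VLAN10_OPT = Segment("VLAN10", "Trusted")              # Exercise 1 VLANs
VLAN20_OPT = Segment("VLAN20", "Optional")
TRUSTED_IF = Segment("Trusted", "Trusted")             # interface of type Trusted
EXTERNAL_IF = Segment("External", "External")

SSH_POLICY = Policy("SSH", "ssh", ("Trusted-VLAN30",), ("10.0.1.56",))
PING_POLICY = Policy("Ping", "ping", ("Any-Trusted", "Any-Optional"), ("Any",))
HTTP_POLICY = Policy("HTTP", "http", ("Any-Trusted",), ("Any-External",))
GUEST_HTTP = Policy("HTTP-Guest", "http", ("VLAN20-Guest-W",), ("Any-External",))
POLICIES = [SSH_POLICY, PING_POLICY, HTTP_POLICY]

if __name__ == "__main__":
    print(evaluate(POLICIES, "ssh", "192.168.30.15", TRUSTED_VLAN30, "10.0.1.56", TRUSTED_IF))
    print(evaluate(POLICIES, "http", "192.168.20.15", GUEST_VLAN20, "203.0.113.8", EXTERNAL_IF))
    print(evaluate(POLICIES + [GUEST_HTTP], "http", "192.168.20.15", GUEST_VLAN20,
                   "203.0.113.8", EXTERNAL_IF))
    bridged = Segment("VLAN10", "Trusted", intra_vlan_policies=True)
    print(evaluate(POLICIES, "http", "192.168.10.5", bridged, "192.168.10.6", bridged))
```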


Exercise 5: Configure VLANs for Wireless Access Points


WatchGuard AP devices, such as the AP100, AP102, and AP200, are wireless access points that you can
connect to the trusted, optional, or custom network of a Firebox. The connected AP devices are
managed by the Fireware Gateway Wireless Controller. You configure AP devices with one or more
SSIDs that wireless users can connect to. In this exercise you configure VLANs for use with AP device
SSIDs. You also configure an untagged VLAN for management connections to the AP device.

Note
This exercise includes steps to manually add an AP device to the Firebox configuration. It is not
necessary for you to have an AP device to complete this exercise.

When to Use This Configuration


You can optionally use VLAN tagging for AP device SSIDs if you want your AP deployment to meet one or both of these requirements:
- You want to separate the traffic for users connected to different SSIDs
- You want to apply different policies to the traffic for different SSIDs
This exercise shows how to configure VLANs to separate traffic for trusted and guest wireless users.

Network Topology
This exercise simulates the situation where you have an AP device with two SSIDs, one SSID for trusted
wireless users, and another for guest wireless users.

Figure 26: AP device connected to a VLAN interface


For this exercise, you must configure three VLANs, a tagged VLAN for each SSID, and an untagged VLAN for AP device management:
- VLAN 10 for trusted wireless users (Tagged VLAN, Trusted security zone)
- VLAN 20 for guest wireless users (Tagged VLAN, Custom security zone)
- VLAN 30 for management connections to the AP device (Untagged VLAN, Trusted security zone)
When you enable VLAN tagging for an AP device, you can connect the AP device directly to a device
interface, or to a switch configured to handle traffic for the same VLAN IDs. For this exercise, we assume
the AP device is directly connected to Eth6.

Note
If you have already completed the previous exercise, remove the VLANs and disable the VLAN
interface you configured in that exercise before you begin this one.

Configure VLANs
1. In Policy Manager, select Network > Configuration.
2. Select the VLAN tab.
3. Add a new VLAN with these settings:
- Name: VLAN10-Trusted-W
- VLAN ID: 10
- Security Zone: Trusted
- IP Address: 192.168.10.1/24
- DHCP Server Address Pool: 192.168.10.10 - 192.168.10.100
4. Add a new VLAN with these settings:
- Name: VLAN20-Guest-W
- VLAN ID: 20
- Security Zone: Custom
- IP Address: 192.168.20.1/24
- DHCP Server Address Pool: 192.168.20.10 - 192.168.20.100
In this exercise, you configure the VLAN for wireless guest users in the Custom security zone. You
could instead use the Optional zone, if that is appropriate for your network.
5. Add a new VLAN with these settings:
- Name: VLAN30-AP-Mgmt
- VLAN ID: 30
- Security Zone: Trusted
- IP Address: 192.168.30.1
- DHCP Server Address Pool: 192.168.30.10 - 192.168.30.100
6. Verify that the list of configured VLANs looks like this:

Figure 27: The VLAN tab with three VLANs configured


7. Select the Interfaces tab.
8. Select Eth6. Click Configure.
This is the interface for the network to which the Access Point will be connected.
9. From the Interface Type drop-down list, select VLAN.


10. Configure this interface to send and receive tagged traffic for VLANs 10 and 20.

Figure 28: The tagged VLANs, one Trusted and one Custom
11. Configure this interface to send and receive untagged VLAN traffic for VLAN 30.

Figure 29: The untagged VLAN for AP management


12. Close the Network Configuration dialog box.
Configure AP SSIDs and Access Point
Add the SSIDs for Trusted and Guest Wireless Users
1. In Policy Manager, select Network > Gateway Wireless Controller.
The Gateway Wireless Controller dialog box appears.
2. Select the Enable the Gateway Wireless Controller check box. Click OK.
3. Type a pairing passphrase for your AP devices.
This is the passphrase used for management connections to the AP device. For this exercise, type wgwap.
4. In the SSIDs tab, click Add.
The Add SSID dialog box appears.

5. In the Network Name (SSID) text box, type Trusted-Wireless.


6. Select the Enable VLAN tagging check box.
7. In the VLAN ID text box, type 10, the VLAN ID of the VLAN10-Trusted-W VLAN.
8. Select the Security tab.
The security mode you select is not important to this exercise, but it is a good practice to configure the
security settings when you create an SSID.
9. From the Security Mode drop-down list, select WPA/WPA2 (PSK).

10. In the Passphrase text box, type the passphrase that trusted wireless users must know to connect
to this SSID.
11. Click OK.
12. Repeat the previous steps to add a second SSID with these properties:
- Network Name (SSID): Guest-Wireless
- VLAN ID: 20
- Security: WPA/WPA2 (PSK), with a passphrase for wireless guest users
When you are finished, the SSIDs tab contains SSIDs for trusted and guest wireless users.

Figure 30: Two configured SSIDs

Add an AP Device
So that you can complete the configuration without an AP device, this exercise includes steps to
manually add an AP100 wireless access point to the Gateway Wireless Controller.
If you have an AP device, you can connect it to the VLAN interface you just configured, and pair it to
the Firebox. Click Help in Policy Manager for detailed instructions.
1. Select the Access Points tab.
2. Click Add.
3. Type the default pairing passphrase, wgwap. Click OK.
The Add Access Point dialog box appears.

Figure 31: Settings for a manually added AP device, with Management VLAN tagging enabled
4. In the Serial Number text box, type the serial number of an Access Point device. If you don't have
an Access Point device, you can just type any string of 13 letters and numbers. For this exercise,
type AP10012345678.
5. Do not select the Enable Management VLAN tagging check box. Management traffic to this AP
device will use VLAN30, which is an untagged VLAN.


6. In the list, add the Trusted-Wireless and Guest-Wireless SSIDs.
The Gateway Wireless Controller on the Firebox uses the untagged VLAN to discover and manage the
WatchGuard Access Point. You can also use this VLAN if you want to connect to the Access Point Web UI.

Figure 32: Two SSIDs added to the SSID list
7. Click OK.
The AP device is added to the Access Points list.

Figure 33: The manually added Access Point


8. Click OK.

Configure Policies for the Custom VLAN


Because VLAN 20 is in the Custom security zone, traffic from that VLAN is not allowed by the policies
that use the Any-Trusted and Any-Optional aliases. In this exercise you edit the Outgoing policy to
allow traffic from the custom VLAN interface for wireless guest users. In an actual deployment, you
might want to create separate policies to allow specific types of traffic for wireless users who connect
to the wireless guest network.
1. Edit the Outgoing policy.
2. In the From list of this policy, add VLAN20-Guest-W. Because VLAN20-Guest-W is in the Custom
security zone, it is not included in the Any-Trusted and Any-Optional aliases in this policy.
The requirement to create or edit policies is not unique to VLAN interfaces. Whenever you configure
an interface as Custom, you must also configure policies to allow traffic for that interface.

Figure 34: The Outgoing policy with the VLAN20-Guest-W custom VLAN added
3. Save the configuration to the device.

Frequently Asked Questions
If I want to allow traffic to a VLAN from a device outside the VLAN, do I need a policy for it?
Yes.
By default, the Firebox does not allow traffic to a device in any VLAN. To allow this traffic, add a
policy for it and include the VLAN's alias name in the To section.
If I want to allow traffic that starts in a VLAN and leaves the VLAN, do I need a policy for it?
Yes.
Traffic is not allowed to leave a network protected by the Firebox unless there is a policy to allow it.
However, the default configuration the Quick Setup Wizard creates for the Firebox includes the
Outgoing policy, which allows traffic from Any-Trusted to the external network.
If your VLAN uses the Trusted security zone, any device in the VLAN can use the Outgoing policy to
send traffic to the external network. This is because a VLAN that uses the Trusted security zone is
included in the Any-Trusted alias.
If I want to allow traffic that starts in one VLAN and goes to another VLAN, do I need a policy
for it?
Yes.
By default, devices in one VLAN cannot see the traffic from another VLAN. You can apply separate
security policies to VLANs.
If I want to allow traffic that starts in a VLAN and goes to a device in the same VLAN, do I need
a policy for it?
No.
If a computer connected to Switch A sends traffic to a computer connected to Switch B (see
Figure 14 on page 22 in Exercise 3), and both computers are in the same VLAN, the Firebox does
not filter this traffic. In this setup, the Firebox serves as a VLAN bridge between the two computers
and the two switches. The two computers communicate as if they were in the same physical LAN,
not separated by the Firebox.
How many VLANs can I use?
The number of VLANs you can add to your configuration is 50 to 500, depending on the Firebox
model. To verify the number of VLANs you can add to your device:
1. From Policy Manager, select Setup > Feature Key.
The Firebox Feature Key dialog box appears.
2. Scroll down to find the Total Number of VLAN Interfaces row.
The number of available VLANs appears in the Value column.
Out of the above number of VLANs, how many External VLANs can I use?
The recommended maximum number of External VLANs is ten.
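The alias rules described in this exercise and in the FAQ above, as an added check (not WatchGuard code): the Python model below expands Any-Trusted, Any-Optional and Any-External to the interfaces in those zones, treats a Custom-zone VLAN as covered only when it is named explicitly in a policy, treats traffic between two VLANs as requiring a policy, and treats traffic that stays inside one VLAN as bridged with no policy needed. The VLAN names match this exercise; the Eth0 external interface and the Outgoing policy's From/To lists are constructed sample values.

```python
"""Model of Firebox alias expansion for VLAN interfaces (added illustration).

Rules implemented, as described in the training text:
- a VLAN in the Trusted zone is part of Any-Trusted, Optional of Any-Optional;
- a VLAN in the Custom zone belongs to no built-in alias, so a policy must name it;
- traffic leaving a VLAN, or going from one VLAN to another, needs a policy;
- traffic that stays inside one VLAN is bridged by the Firebox and not filtered.
"""
from dataclasses import dataclass
from typing import Dict, List, Set


@dataclass
class Interface:
    name: str
    zone: str                     # Trusted | Optional | Custom | External


@dataclass
class Policy:
    name: str
    src: List[str]                # From list: aliases and/or interface names
    dst: List[str]                # To list
    enabled: bool = True


# Zone -> built-in alias. Custom is deliberately absent (assumption matching the text).
ZONE_ALIAS = {"Trusted": "Any-Trusted", "Optional": "Any-Optional", "External": "Any-External"}


def expand(entries: List[str], ifaces: Dict[str, Interface]) -> Set[str]:
    """Expand a From/To list to the set of interface names it covers."""
    covered: Set[str] = set()
    for entry in entries:
        if entry == "Any":
            covered |= set(ifaces)
        elif entry in ZONE_ALIAS.values():
            covered |= {i.name for i in ifaces.values() if ZONE_ALIAS.get(i.zone) == entry}
        elif entry in ifaces:
            covered.add(entry)
    return covered


def needs_policy(src_iface: str, dst_iface: str) -> bool:
    """Same VLAN on both sides: the Firebox bridges, no policy is consulted."""
    return src_iface != dst_iface


def policies_allowing(src: str, dst: str, policies: List[Policy],
                      ifaces: Dict[str, Interface]) -> List[str]:
    """Names of enabled policies whose From covers src and whose To covers dst."""
    if not needs_policy(src, dst):
        return []
    return [p.name for p in policies
            if p.enabled and src in expand(p.src, ifaces) and dst in expand(p.dst, ifaces)]


def custom_without_policy(policies: List[Policy], ifaces: Dict[str, Interface]) -> List[str]:
    """Custom-zone interfaces that no enabled policy allows traffic from."""
    return sorted(i.name for i in ifaces.values() if i.zone == "Custom"
                  and not any(i.name in expand(p.src, ifaces) for p in policies if p.enabled))


def exercise_config():
    """Constructed sample: this exercise's three VLANs plus an external interface."""
    ifaces = {i.name: i for i in [Interface("Eth0", "External"),
                                  Interface("VLAN10-Trusted-W", "Trusted"),
                                  Interface("VLAN20-Guest-W", "Custom"),
                                  Interface("VLAN30-AP-Mgmt", "Trusted")]}
    policies = [Policy("Outgoing", ["Any-Trusted", "Any-Optional"], ["Any-External"])]
    return ifaces, policies


if __name__ == "__main__":
    ifaces, policies = exercise_config()
    print("guest VLAN without a policy:", custom_without_policy(policies, ifaces))
    policies[0].src.append("VLAN20-Guest-W")          # the edit made in step 2 above
    print("after the edit:", custom_without_policy(policies, ifaces))
```

Running `custom_without_policy` against a configuration before saving it is a cheap way to catch a Custom-zone VLAN that was added to an interface but never added to any policy.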

What You Have Learned


In this module you have learned:
What a VLAN is.
Some benefits of using VLANs in your network.
How VLANs work on the Firebox.
How to configure a Firebox to use VLANs in five different configurations.

Traffic Management
Traffic Shaping and Prioritization

What You Will Learn


Many organizations have mission-critical, real-time network applications that must take priority over
other traffic. You can use bandwidth restrictions and reservations, together with prioritization, to make
sure critical applications have the bandwidth they need. In this module, you learn how to:
Create Traffic Management actions to guarantee or restrict bandwidth
Apply Traffic Management actions to policies and applications
Prioritize traffic by QoS marking or policy
Use Service Watch and Traffic Management monitoring to see your changes at work
All exercises in this course module were designed for a controlled environment using a LAN network.
Real-world tests introduce volatility and latency associated with the Internet. Tests run in such an
environment can produce unexpected results.

Control Bandwidth Use with Traffic Management Actions


Traffic Management enables you to set the maximum bandwidth available for different types of traffic,
and to guarantee a minimum amount of bandwidth for specific traffic flows. Although the Firebox has
no control over the rate at which packets arrive at a given interface, you can use Traffic Management
settings to:
Guarantee Bandwidth
Set the minimum bandwidth to guarantee for traffic managed by a Traffic Management action.
Limit Bandwidth
Set the maximum bandwidth to allocate to traffic managed by a Traffic Management action.
Bandwidth limits and guarantees apply only if the necessary bandwidth is available through the
interface that handles the traffic.
Traffic Management configuration is very flexible, and enables you to control traffic by policy,
application, traffic direction, and source IP address. For example, you can use Traffic Management
actions to:
Limit bandwidth for HTTP for all users on the trusted interface to the Internet
Guarantee 10 Mbps bandwidth for HTTP traffic for a specific user or group
Guarantee or limit bandwidth used by specific applications or application categories
Limit the bandwidth for a group
Limit the bandwidth used for FTP per source IP address

Traffic Management Action Types
There are three types of Traffic Management actions.
All Policies
The action applies to the combined bandwidth of all policies that use it. If the action is used for
multiple policies, all policies share the bandwidth guarantee or maximum specified in the action.
Per Policy
The action applies individually to each policy that uses it. If the action is used for multiple policies,
the bandwidth maximum or guarantee specified in the action applies separately to each policy.
Per IP Address
The action applies individually to each client source IP address. When you configure a Per IP Address
action, you also specify the Maximum Instance, which is the number of client source IP addresses
that the bandwidth constraints in the action can individually apply to.
If the number of concurrent clients that use a Per IP Address action is larger than the Maximum
Instance, clients with different source IP addresses begin to share the bandwidth specified in the
action. A round-robin algorithm determines which source IP addresses share bandwidth. Recently
connected source IP addresses share bandwidth with source IP addresses that have been
connected longest.
If you apply a Per IP Address action to multiple policies, the action applies to each client source IP
address for the combined traffic handled by all policies that use the action. It functions similar to an
All Policies action, except on a per-IP address basis.

Traffic Management in Policies


In a policy, you can configure two Traffic Management actions, a Forward Action and a Reverse Action.
The Forward Action applies to traffic that originates from the addresses in the From list (source) in the
policy. The Reverse Action applies to traffic that originates from the To list (destination).
If a policy uses the same Traffic Management action for traffic in both directions, the action applies to
the combined bandwidth of traffic in both directions.

Traffic Management in Application Control


If you have an Application Control subscription, you can also use Traffic Management actions to
control the bandwidth used by applications and application categories. If you apply a Traffic
Management action to an application category, all applications in the category share the bandwidth
specified in the Traffic Management action.
In Application Control, there is no separate forward and reverse action. Traffic Management actions
apply to application traffic in both directions for all policies that use the Traffic Management action.

Traffic Management Action Precedence


It is possible that more than one Traffic Management action could apply to traffic. For example, you
could configure the HTTP policy to use a Traffic Management action, and you could also configure
Application Control to use a Traffic Management action for video streaming applications that use HTTP.
If multiple Traffic Management actions could apply, the most specific action is used. The order that
actions are applied, from most to least specific is:
1. Application
2. Application category
3. Policy
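The three action types and the precedence rule above, as an added illustration (not WatchGuard code): the model below shows which bandwidth pool a flow is charged to under each type, which is what differs between All Policies, Per Policy and Per IP Address, and picks the most specific of overlapping actions. The pairing of clients beyond Maximum Instance with the longest-connected client is this model's reading of the round-robin rule; the action names come from the exercises that follow, and the IP addresses are constructed sample values.

```python
"""Scope of Fireware Traffic Management action types (added illustration).

All Policies:   one pool shared by every policy that uses the action.
Per Policy:     a separate pool for each policy that uses the action.
Per IP Address: a pool per client source IP across all policies that use the
                action, up to Maximum Instance; later clients share an existing
                instance (assumed here: oldest instance first, round-robin).
"""
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass
class TMAction:
    name: str
    kind: str                     # "All Policies", "Per Policy" or "Per IP Address"
    guaranteed_kbps: int = 0      # 0 = no guarantee
    maximum_kbps: int = 0         # 0 = no maximum
    max_instance: int = 1         # Per IP Address only


def most_specific(policy: Optional[TMAction] = None,
                  category: Optional[TMAction] = None,
                  application: Optional[TMAction] = None) -> Optional[TMAction]:
    """Application beats application category, which beats the policy's action."""
    for candidate in (application, category, policy):
        if candidate is not None:
            return candidate
    return None


class PoolMap:
    """Maps each flow to the bandwidth pool it shares under one action."""

    def __init__(self, action: TMAction):
        self.action = action
        self.pools: List[str] = []            # per-IP instances, oldest first
        self.client_pool: Dict[str, str] = {}
        self._rr = 0                          # round-robin pointer for overflow clients

    def pool_for(self, policy: str, client_ip: str) -> str:
        a = self.action
        if a.kind == "All Policies":
            return a.name                     # every policy shares one pool
        if a.kind == "Per Policy":
            return f"{a.name}/{policy}"       # one pool per policy
        if a.kind == "Per IP Address":
            # One pool per client, regardless of which policy carries the flow.
            if client_ip in self.client_pool:
                return self.client_pool[client_ip]
            if len(self.pools) < a.max_instance:
                pool = f"{a.name}/{client_ip}"
                self.pools.append(pool)
            else:
                # Beyond Maximum Instance, a new client shares an existing instance.
                pool = self.pools[self._rr % len(self.pools)]
                self._rr += 1
            self.client_pool[client_ip] = pool
            return pool
        raise ValueError(f"unknown action type: {a.kind}")


def usage_percent(rate_kbps: float, action: TMAction) -> float:
    """Usage as shown in the Traffic Management tab: Rate / Maximum (0% with no maximum)."""
    if action.maximum_kbps == 0:
        return 0.0
    return 100.0 * rate_kbps / action.maximum_kbps


if __name__ == "__main__":
    # Per IP Address action with only two instances, so the third client shares.
    streaming = PoolMap(TMAction("Max100Kbps", "Per IP Address", maximum_kbps=100, max_instance=2))
    for policy, ip in [("HTTP", "10.0.1.10"), ("HTTP", "10.0.1.11"),
                       ("FTP", "10.0.1.10"), ("HTTP", "10.0.1.12"), ("HTTP", "10.0.1.13")]:
        print(policy, ip, "->", streaming.pool_for(policy, ip))
    category = TMAction("Max100Kbps", "Per IP Address", maximum_kbps=100)
    application = TMAction("Max2Mbps", "Per IP Address", maximum_kbps=2000)
    print(most_specific(category=category, application=application).name)   # Max2Mbps
```

Setting Maximum Instance too low is the failure mode worth watching: once instances are exhausted, a newly connected client silently halves the bandwidth of a long-running one rather than getting its own allocation.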


Monitoring Bandwidth Statistics


You can see bandwidth statistics for each Traffic Management action in the Firebox System Manager
Traffic Management tab, and the Fireware XTM Web UI Traffic Management System Status page.

Control Traffic Priority with QoS


Although the Firebox has no control over the QoS marking of packets that arrive at a given interface,
you can use QoS settings to:
Manage QoS Marking by interface or policy
Fireware supports two types of QoS marking: IP Precedence (also known as Type of Service) and
Differentiated Service Code Point (DSCP). You can use QoS Marking on a per-interface or per-policy
basis. When you define QoS Marking for an interface, packets leaving that interface are marked.
QoS Marking for a policy marks traffic that uses the policy and overrides any QoS Marking
configured on an interface.
Prioritize traffic based on QoS Marking
Traffic prioritization using QoS Marking allows the firewall to operate as part of a network-wide
QoS solution. Prioritization in Fireware is equivalent to ToS levels 0 to 7, where 0 is routine priority
(default) and 7 is the highest priority using strict priority queuing.
Assign custom levels of priority to policies
Custom prioritization by policy allows you to override the priority that would be given by QoS
marking, without modifying the marking itself. This enables Fireware to elevate or lower priority of
traffic within a policy without impacting how the packet is prioritized on the rest of the network.

About Interface QoS Settings


On each interface, you can configure a QoS marking type: IP Precedence (ToS) or DSCP. You can then
choose to Preserve the existing marking, Clear the existing marking, or Assign a new one. Remember that
the QoS Marking behavior occurs for packets leaving the interfaces and does not apply to packets
entering the interface. Interfaces set to Prioritize traffic based on QoS Marking will use the marking
configuration for prioritization.

About Policy QoS Settings


Within each policy, you can override the per-interface QoS settings. In addition to QoS Marking
options, you also have the ability to configure prioritization by a custom ToS value, giving a different
priority to this policy than the QoS Marking without modifying the marking itself.

About Traffic Priority


The networking industry has many different algorithms to prioritize network traffic. Fireware uses strict
priority queuing to handle priority. Prioritization in Fireware is equivalent to ToS levels 0 to 7, where 0 is
routine priority (default) and 7 is the highest priority. When enabled, traffic prioritization always occurs,
but there is nothing to prioritize until the Firebox interface has queued traffic.

You can set traffic priority for each policy on the Advanced tab's QoS tab. Use this table as a guideline
when you assign priorities:

While DSCP can be configured for QoS marking, the ToS equivalent Class Selector value is used for
prioritization. This gives the IP Precedence, DSCP, and Custom Value options equivalent 0-7 priorities.
For more information on QoS, see the Fireware Help.
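The marking and priority rules in this section, as an added example (not Fireware code): the Python below works on the IPv4 ToS byte, applies the Preserve, Clear and Assign choices for either marking type, derives the 0-7 priority from an IP Precedence or DSCP marking (for DSCP, the Class Selector, so AF41 maps to 4 and EF to 5), lets a policy's custom priority override that value without touching the marking, and drains a strict priority queue in the resulting order. The packet labels and ToS values are constructed sample data.

```python
"""ToS-byte marking and strict priority queuing (added illustration).

IPv4 ToS byte layout:  PPP DDD EE  where PPP = IP Precedence (3 bits),
PPPDDD = DSCP (6 bits, Class Selector = PPP), EE = ECN (left untouched).
"""
import heapq
from itertools import count
from typing import List, Optional, Tuple

IP_PRECEDENCE, DSCP = "IP Precedence", "DSCP"


def ip_precedence(tos: int) -> int:
    """IP Precedence (ToS) value 0..7: the top 3 bits of the ToS byte."""
    return (tos >> 5) & 0x7


def dscp(tos: int) -> int:
    """DSCP value 0..63: the top 6 bits of the ToS byte."""
    return (tos >> 2) & 0x3F


def priority_from_marking(tos: int, marking_type: str) -> int:
    """ToS-equivalent priority 0..7. For DSCP the Class Selector is used,
    which is the top 3 bits of the code point: AF41 (34) -> 4, EF (46) -> 5."""
    if marking_type == DSCP:
        return dscp(tos) >> 3
    return ip_precedence(tos)


def apply_marking(tos: int, marking_type: str, action: str, value: int = 0) -> int:
    """Egress marking: Preserve keeps the byte, Clear zeroes the marking field,
    Assign writes `value` into it. The ECN bits are never changed."""
    if action == "Preserve":
        return tos
    if marking_type == DSCP:
        keep, shift, mask = tos & 0x03, 2, 0x3F
    else:
        keep, shift, mask = tos & 0x1F, 5, 0x7
    if action == "Clear":
        return keep
    if action == "Assign":
        return keep | ((value & mask) << shift)
    raise ValueError(f"unknown marking action: {action}")


def effective_priority(tos: int, marking_type: str, custom: Optional[int] = None) -> int:
    """A policy's custom priority overrides the marking-derived priority; the
    packet's marking itself is not modified by this choice."""
    if custom is not None:
        return custom & 0x7
    return priority_from_marking(tos, marking_type)


class StrictPriorityQueue:
    """Highest priority is always sent first; FIFO within one priority level."""

    def __init__(self) -> None:
        self._heap: list = []
        self._seq = count()          # tie-breaker preserving arrival order

    def enqueue(self, packet, priority: int) -> None:
        heapq.heappush(self._heap, (-priority, next(self._seq), packet))

    def dequeue(self):
        return heapq.heappop(self._heap)[2]

    def __len__(self) -> int:
        return len(self._heap)


def drain_order(packets: List[Tuple[str, int, Optional[int]]], marking_type: str = DSCP) -> List[str]:
    """packets: (label, tos_byte, policy custom priority or None). Returns send order."""
    q = StrictPriorityQueue()
    for label, tos, custom in packets:
        q.enqueue(label, effective_priority(tos, marking_type, custom))
    return [q.dequeue() for _ in range(len(q))]


if __name__ == "__main__":
    # Constructed sample: EF-marked VoIP, AF41 web, unmarked FTP, and an EF-marked
    # backup flow whose policy forces custom priority 1.
    sample = [("ftp", 0x00, None), ("voip", 0xB8, None), ("web", 0x88, None), ("backup", 0xB8, 1)]
    print(drain_order(sample))   # ['voip', 'web', 'backup', 'ftp']
```

Note that the backup flow keeps its EF marking on the wire (downstream devices still see DSCP 46) while the Firebox itself queues it at priority 1; this is exactly the split between marking and custom policy priority the text describes.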

About Outgoing Interface Bandwidth


You can optionally give each interface a bandwidth limit, known as Outgoing Interface Bandwidth. This
limit is applied to the traffic that is transmitted by that interface.
To limit the speed of uploads from your private networks to the Internet, you can set the Outgoing
Interface Bandwidth on the external interface.
To limit the bandwidth used by downloads to your trusted network, you can set the Outgoing
Interface Bandwidth on the trusted interface.
If you configure a bandwidth limit on an interface, Fireware refuses packets that exceed the limit. One
reason to set the Outgoing Interface Bandwidth is to restrict throughput to make sure that queuing
occurs on the interface, as you will see in Exercise 3.
When you set Outgoing Interface Bandwidth on the external interface, you should set your LAN
interface bandwidth based on the minimum link speed supported by your LAN infrastructure.

Note
For the Outgoing Interface Bandwidth setting, make sure to set your speeds in kilobits or megabits
per second (Kbps or Mbps) rather than kilobytes or megabytes per second (KBps or MBps).


Exercise 1: Use a Traffic Management Action to Guarantee Bandwidth
Some applications require a minimum bandwidth to operate smoothly and effectively. Real-time
connections can be disrupted if other applications begin to transmit data. For example, a large FTP
download could degrade or disrupt an HTTP session during bandwidth saturation, which could result
in choppy video in a YouTube download. This exercise shows how to guarantee minimum bandwidth
that is shared between more than one policy. When configured this way, all policies compete for the
same bandwidth.
Requirements for this exercise:
One computer connected to the Firebox trusted interface.
An HTTP and FTP server connected to the external interface with a switch, or Internet access.
Each Firebox must be configured using the WAN1 and Trusted interface configuration described in
the Course Introduction.

Enable Traffic Management and QoS


1. Select Setup > Global Settings.
The Global Settings dialog box appears.
2. Select the Networking tab.
3. Select the Enable all traffic management and QoS features check box. Click OK.
You must complete this step before you can configure any Traffic Management settings.

Figure 1: Global setting to enable Traffic Management and Quality of Service

Verify the OS Compatibility Setting


If you edit a configuration opened from a Firebox that uses Fireware v11.9 or higher, the OS
Compatibility setting will already be set correctly. If you have created a new configuration file, you must
set the OS Compatibility setting before you configure Traffic Management.
1. Select Setup > OS Compatibility.
2. Select 11.9 or higher.
This enables configuration of features that are new or different in Fireware v11.9 and higher.

Define Outgoing Interface Bandwidth


Because your computers on the trusted network download files from a server on the external network,
you define Outgoing Interface Bandwidth on the device trusted interface. You do not need to define
Outgoing Interface Bandwidth on the external interface for this exercise.
1. Select Network > Configuration.
2. Edit the trusted interface (Interface 1).
3. Select the Advanced tab.

4. Set the Outgoing Interface Bandwidth to 1500 Kbps. Click OK.

The Outgoing Interface Bandwidth limits the Trusted interface transmission rate.
5. Close the Network Configuration dialog box and return to Policy Manager

Create a Traffic Management Action


1. Select Setup > Actions > Traffic Management.
The Traffic Management Actions dialog box appears.
2. Click Add.
The New Traffic Management Action Configuration dialog box appears.
3. In the Name text box, type Min500Kbps.
We will use this action to guarantee bandwidth for a group of policies.
4. In the Guaranteed Bandwidth text box, type 500.
In the Traffic Management settings, 1 Kbps is equal to 1024 bits per second.

Figure 2: A Traffic Management action to guarantee minimum bandwidth for all policies that use it


Modify Policy Configuration


To apply the traffic management action to guarantee minimum bandwidth for HTTP downloads, you
enable it as the Reverse action in the HTTP policy.

1. Click the Add Policy icon, or select Edit > Add Policy.
The Add Policies dialog box appears.
2. Expand the Packet Filters folder and select HTTP. Click Add.
The New Policy Properties dialog box appears.
3. Select the Advanced tab.
4. From the Reverse drop-down list, select Min500Kbps.

Figure 3: The HTTP policy Advanced tab with traffic management enabled for reverse traffic
5. Click OK to return to the Add Policies dialog box.
The Add Policies dialog box appears.
6. In the Packet Filters list, select DNS.
Make sure you do not select DNS-proxy in the Proxies list.
7. Click Add.
The New Policy Properties dialog box appears.
8. Select the Advanced tab.
9. From the Reverse drop-down list, select Min500Kbps.
10. Click OK to return to the Add Policies dialog box. Click Close.

11. Right click the Outgoing policy and select Disable Policy.

Figure 4: The icons in the Action column show that Traffic Management is enabled in the HTTP and DNS
policies, and the Outgoing policy is disabled.
12. Save the configuration to the device.

Set Up Service Watch


1. Open WatchGuard System Manager and connect to your device.
2. Start Firebox System Manager, and select the Service Watch tab.
3. Right-click anywhere in the window and select Settings.
The Settings dialog box appears.

Figure 5: Select the color settings and graph scale


4. From the Chart Type drop-down list, select Bandwidth.


5. From the Graph Scale drop-down list, keep the default value setting, Auto-Scale.
6. In the Show list, select all policies not used in this exercise and click Remove.
Keep only the DNS, FTP, and HTTP policies.
7. Click OK.
The Service Watch tab now shows data for only the DNS, FTP, and HTTP policies

See the Results of the Configuration


Both the DNS and the HTTP policy use the same Traffic Management action, Min500Kbps. When
necessary, the policies that use this action will have a minimum of 500Kbps between them, otherwise
this bandwidth will be available for other policies.
1. Close all programs. Results can vary if other applications on your computer have access to the
network.
2. With your computer connected to the trusted interface, start an FTP session to download a large
file.
If you are unable to identify a sufficient public FTP resource, follow the previous steps to set up a
server on your external interface. You can use either the command line, Internet Explorer, or an FTP
client of your choice to make the connection.
3. Select the Service Watch tab.
The graph shows that the FTP transfer takes all of the available bandwidth. This should be
approximately equal to the value you set for Outgoing Interface Bandwidth on the Trusted
interface (1500 Kbps).

Figure 6: Monitoring bandwidth usage in Service Watch


4. On the same computer you used for the FTP transfer, start watching a YouTube video or your
favorite HTTP video site.

If you use a local web server, to use the 350MB file in the root of the C:\inetpub\wwwroot folder, use
this URL:
http://<web server IP address>/350mbfile.txt
Make sure the FTP transfer is still active before you start the HTTP transfer.
5. In Service Watch, look at the amount of bandwidth that is used by both policies.
After you start the HTTP transfer, the amount of bandwidth used by the FTP transfer is reduced, to
allow at least 500Kbps for DNS and HTTP.

Figure 7: FTP cannot use all the bandwidth if it is needed for HTTP traffic


6. Select the Traffic Management tab.
Here you can see a graph of the total bandwidth managed by each rule. The Usage for this action is
0% because the action has no maximum defined. Usage is the Rate divided by the Maximum.

Figure 8: The Traffic Management tab shows statistics about the traffic management action. You can also
click the graph to see statistics for any point.
7. Click the Traffic Management action name in the Action column to see which policies use this
action.

Figure 9: The pop-up shows that this action is used by two policies as the reverse action.

Exercise 2: Use a Traffic Management Action to Limit Bandwidth
When you use multiple internal interfaces, it might not be appropriate to reduce the Outgoing
Interface Bandwidth on a Trusted or Optional interface, because this would prevent transfers between
internal interfaces from using their link speed. You can achieve similar results by restricting the
bandwidth of policies that would consume bandwidth needed for more important business functions.
This exercise is intended to be completed after Exercise 1 and follows the same requirements.

Re-Define Outgoing Interface Bandwidth


Because your computers on the trusted network download files from a server on the external network,
you define Outgoing Interface Bandwidth on the device trusted interface. You do not need to define
Outgoing Interface Bandwidth on the external interface for this exercise.
1. Select Network > Configuration
The Network Configuration dialog box appears.
2. In the Interfaces list, select Trusted (Interface 1). Click Configure.
The Interface Settings dialog box appears.
3. Select the Advanced tab.

Figure 10: Advanced interface settings


4. Set the Outgoing Interface Bandwidth to 0 Kbps. Click OK.
When you select 0 Kbps, Fireware uses the physical link speed to determine the available bandwidth.
5. Close the Network Configuration dialog box.


Create a Traffic Management Action


We will use this action to limit bandwidth for a group of policies.
1. Select Setup > Actions > Traffic Management.
The Traffic Management Actions dialog box appears.
2. Click Add.
The New Traffic Management Action Configuration dialog box appears.
3. In the Name text box, type Max1000Kbps.

Figure 11: This traffic management action limits bandwidth


4. Click OK.
5. Close the Traffic Management Actions dialog box.

Modify Policy Configuration


1. Edit the FTP policy.
2. Select the Advanced tab.

Figure 12: Configure the policy to use the Traffic Management action you just configured as the Reverse
action
3. From the Traffic Management drop-down list, select Max1000Kbps.
4. Click OK.
The FTP policy is now limited to a maximum of 1000Kbps.
5. Save the configuration to the device.

See the Results of the Configuration
With the FTP policy restricted to 1000Kbps, other policies will have the remaining bandwidth available.
If we assume that the downstream bandwidth of the external interface was 1500Kbps, this
configuration leaves 500Kbps available for HTTP and DNS. While this configuration does not restrict the
Trusted interface to 1500Kbps, the FTP policy cannot use additional bandwidth, even if it is available.
1. Close all programs. Results can vary if other applications on your computer have access to the
network.
2. With your computer connected to the trusted interface, start an FTP session to download a large
file.
If you are unable to identify a sufficient public FTP resource, follow the steps in Exercise 1 to set up
a server on your external interface. You can use either the command line, Internet Explorer, or an
FTP client of your choice to make the connection.
3. Open Firebox System Manager and select the Service Watch tab.
The graph shows that the FTP transfer takes only the allotted bandwidth (1000Kbps).

Figure 13: Monitoring bandwidth usage in Service Watch


4. On the same computer you used for the FTP transfer, start watching a YouTube video or your
favorite HTTP video site.
If you use a local web server, to use the 350MB file in the root of the C:\inetpub\wwwroot folder, use
this URL: http://<web server IP address>/350mbfile.txt
Make sure the FTP transfer is still active before you start the HTTP transfer.


5. In Service Watch, look at the amount of bandwidth that is used by both policies. After you start
the HTTP transfer, the amount of bandwidth used by the FTP transfer could be reduced, however
500Kbps is available for the HTTP and DNS connections.

Figure 14: Monitoring bandwidth usage for FTP and HTTP traffic
6. Now, apply the Max1000Kbps Traffic Management as the Reverse action in the HTTP policy.
Because this is an All Policies Traffic Management action, the traffic management action is applied to the
combined bandwidth of all policies where it is assigned.
7. Save the configuration to the device.

8. Start additional HTTP and FTP connections while you monitor Service Watch.

Figure 15: The traffic management action is applied to the combined bandwidth of the FTP and HTTP policies
to which it is assigned.
9. Edit the Max1000Kbps Traffic Management action.
10. From the Type drop-down list, select Per Policy.

11. Save the configuration to the device.


12. Restart the FTP download and the video over HTTP, if necessary to generate more traffic.
13. In Service Watch, look at the amount of bandwidth that is used by both policies.
The maximum bandwidth now applies individually to each policy.


Exercise 3: Use Traffic Management with Application Control


You can use Traffic Management actions with Application Control when you want to limit the
bandwidth used by certain applications or application categories. This can be a good alternative to
blocking application use completely. In this exercise, you use Application Control to limit the
bandwidth used by streaming media applications to 100 Kbps per user.

Note
To complete this exercise, your device must have a feature key that enables Application Control.

Create two Traffic Management Actions


You will use these actions to limit bandwidth for applications.
1. Select Setup > Actions > Traffic Management.
The Traffic Management Actions dialog box appears.
2. Click Add.
The New Traffic Management Action Configuration dialog box appears.
3. In the Name text box, type Max100Kbps.
4. From the Type drop-down list, select Per IP Address.
5. Set the Maximum bandwidth to 100 Kbps.

Figure 16: This traffic management action limits bandwidth per client IP address
6. Click OK.
7. To add another Traffic Management action, click Add.
The New Traffic Management Action Configuration dialog box appears.
8. In the Name text box, type Max2Mbps.
9. From the Type drop-down list, select Per IP Address.

10. Set the Maximum bandwidth to 2 Mbps.

Figure 17: This traffic management action limits bandwidth per client IP address
11. Click OK.
12. Close the Traffic Management Actions dialog box.

Configure Application Control


Next, you configure an Application Control action to use the Traffic Management action.
1. Select Subscription Services > Application Control.
2. Click Add.
3. In the Name text box, type Limit_Streaming.
4. Click Select by Category.
The Select by Category dialog box appears.

Figure 18: The Select by Category dialog box


5. Select the Streaming Media check box. From the adjacent drop-down list select Max100Kbps.


6. Click OK.
This action now uses the selected Traffic Management action for all streaming media applications. Because
this is a Per IP Address action, each user gets a total of 100 Kbps bandwidth for all streaming media
applications.
7. From the Category drop-down list, select Streaming Media.
The list of applications is filtered to show just the streaming media applications.

Figure 19: The action for Streaming Media applications is set by the application category
If you want to set a different Traffic Management action, or disable Traffic Management for an
application in the category, you can edit the action for the individual application. Application-specific
actions take precedence over application category actions. For example, if you want to make an
exception for Adobe Flash, you can configure a separate action for that application.

Note
To override a Traffic Management action for a specific application in the category, you must assign a
different Traffic Management action to the application. If you disable Traffic Management for an
application in the category, the Traffic Management action for the category still applies to traffic for
that application.

1. Select the Adobe Flash application and click Edit.
2. From the Set the action for all behaviors drop-down list, select Allow.
When you set the action to Allow, the Traffic Management check box and the Traffic Management action
configured for the category are automatically selected. To override the Traffic Management action configured
for the application category, you must select a different Traffic Management action for this application.
3. Select the Max2Mbps Traffic Management action.

Figure 20: Application Control settings for a single application.


4. Click OK.
The Adobe Flash application now uses a different Traffic Management action than other streaming media
applications.
5. Click OK to add the Application Control action.

Configure Application Control in Policies


After you add the Application Control action, you must enable Application Control in proxy policies
that handle the application traffic. Most streaming media is handled by HTTP, so for this exercise you
add an HTTP-proxy policy that uses this Application Control action.
1. Select Edit > Add Policy.
2. Expand the Proxies list, and select the HTTP-proxy.
3. Click Add.
4. Select the Enable Application Control check box.
5. From the adjacent drop-down list, select Limit_Streaming.

Figure 21: The Application Control setting in a proxy policy


6. Click OK to add the policy.
7. Click Close.
8. Save the configuration to the device.


Monitor the Traffic Management Actions in Firebox System Manager


1. Connect to the device with Firebox System Manager.
2. Select the Traffic Management tab.
The statistics for the Max100Kbps rule appear in the table. These statistics are the combined statistics for all
clients in this Per IP Address rule. Note that the maximum is the
3. Expand the Max100Kbps action.
Statistics for each client appear.

Figure 22: The Traffic Management tab with details for a Per IP Address Traffic Management action.
4. Start a streaming video from YouTube or your favorite video site.
The statistics appear for the client, and in the overall statistics for the action.
5. In a web browser, connect to the Web UI for your device on the trusted interface at
https://<trusted-ip-address>:8080.
Your trusted IP address should be 10.0.X.1, where X is your student number.
6. Log in with the admin or status user account credentials.
Note
On the Traffic Management System Status page in the Web UI, the graph shows the newest data on the
right side. This is the opposite of the graph in the Traffic Management tab in Firebox System Manager.

7. Select System Status > Traffic Management.
The Traffic Management System Status page shows a similar table and graph, and shows the IP address of
each client.

Figure 23: The Traffic Management System Status page in the Fireware XTM Web UI.
8. Log out of the Web UI.


Exercise 4: Use QoS to Mark and Prioritize Traffic


Bandwidth reservation and restriction can be useful to ensure performance with known bandwidth
requirements. When the bandwidth necessary for a critical application is variable or otherwise
unknown, Quality of Service (QoS) allows you to prioritize traffic despite the uncertainty.
The requirements for this exercise are the same as for Exercises 1 and 2. If you have completed a
previous exercise, disable any Traffic Management action applied to your policies.

Before You Begin


Before you begin this exercise, you must:
Enable Traffic Management and QoS features
Disable previous Traffic Management actions
Disable the Outgoing policy
Configure HTTP, FTP, and DNS policies
Configure Service Watch to monitor only the DNS, HTTP, and FTP packet filter policies
If you have not already completed these steps, see the previous procedures in Exercises 1 and 2.

Enable Prioritization by QoS Marking on Interfaces


1. Select Network > Configuration.
The Network Configuration dialog box appears.
2. In the Interfaces list, select Trusted (Interface 1). Click Configure.
The Interface Settings dialog box appears.
3. Select the Advanced tab.
4. Select the Prioritize traffic based on QoS Marking check box.
This setting enables the prioritization of queued packets as they egress from the interface. From here, the
markings can be cleared, preserved, or a new IP Precedence or DSCP marking can be applied.

Figure 24: Enable Traffic Management and QoS Marking

5. Set the Outgoing Interface Bandwidth to 1500 Kbps. Click OK.
This restricts throughput to make sure that queuing occurs on the trusted interface to illustrate the use of
prioritization.
6. In the Interfaces list, select External (Interface 0). Click Configure.
The Interface Settings dialog box appears.
7. Select the Advanced tab.

Figure 25: Prioritize traffic based on QoS Marking


8. Select the Prioritize traffic based on QoS Marking check box.
9. Click OK.
10. Click OK to close the Network Configuration dialog box and return to Policy Manager.


Prioritize Traffic by Policy


1. Double-click the HTTP policy.
The Edit Policy Properties dialog box appears.
2. Select the Advanced tab.
3. Select the QoS tab.
4. Select the Override per-interface settings check box.
5. Configure the QoS settings to Assign an IP Precedence value of 2 (Immediate), and Prioritize
Traffic Based On QoS Marking.
Note
The same QoS marking options seen within interface configuration are available by policy. Also, if you
want to mark packets for your network at a value different from your prioritization, you can prioritize
traffic by Custom Value and choose a higher or lower priority than the marking.

Figure 26: Override the per-interface settings in the HTTP policy Advanced settings
6. Click OK to return to Policy Manager.
7. Double-click the DNS policy.
The Edit Policy Properties dialog box appears.
8. Select the Advanced tab.
9. Select the QoS tab.
10. Select the Override per-interface settings check box.
11. Modify the settings to Assign an IP Precedence value of 2 (Immediate), and Prioritize Traffic
Based On QoS Marking.
12. Click OK to return to Policy Manager.
13. Save the configuration to the device.

See the Results of the Configuration
Both the DNS and HTTP policies are prioritized higher than other traffic. While this configuration does
not dedicate specific bandwidth, the prioritization does improve the performance of these policies
when there is network congestion.
1. Close all programs. Results can vary if other applications on your computer have access to the
network.
2. With your computer connected to the trusted interface, start an FTP session to download a large
file.
3. Select the Service Watch tab.
The graph shows that the FTP transfer takes all of the available bandwidth. This should be
approximately equal to the value you set for Outgoing Interface Bandwidth on the Trusted
interface (1500 Kbps).

Figure 27: Monitor the FTP bandwidth in Service Watch


4. On the same computer you used for the FTP transfer, start watching a YouTube video or your
favorite HTTP video site.
If you use a local web server, to use the 350MB file in the root of C:\inetpub\wwwroot folder, use
this URL: http://<web server IP address>/350mbfile.txt
Make sure the FTP transfer is still active before you start the HTTP transfer.


5. On the Service Watch tab, look at the amount of bandwidth that is used by both policies.

Figure 28: Monitor the bandwidth usage in Service Watch


After you start the HTTP transfer, the amount of bandwidth used by the FTP transfer is reduced, to
allow more bandwidth for the higher priority DNS and HTTP traffic.
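To make the behavior of this exercise concrete, here is an added example (not WatchGuard code) that marks packets with an IP Precedence value in the IPv4 TOS byte and drains a strict-priority egress queue capped at the 1500 Kbps set on the trusted interface. The packet sizes, offered rates, and the 100 ms scheduling tick are constructed assumptions; the Firebox's actual scheduler is not described on this page.

```python
"""Strict-priority queuing driven by IP Precedence marking (illustrative model,
not WatchGuard code). Packets are marked in the IPv4 TOS byte, then an egress
queue limited to the exercise's 1500 Kbps is drained highest precedence first.
Packet sizes and offered rates are constructed for the example."""
from dataclasses import dataclass

# IP Precedence names (RFC 791); value 2 is the "Immediate" setting used above.
IP_PRECEDENCE = {0: "Routine", 1: "Priority", 2: "Immediate", 3: "Flash",
                 4: "Flash Override", 5: "Critical",
                 6: "Internetwork Control", 7: "Network Control"}

LINK_KBPS = 1500                   # Outgoing Interface Bandwidth on the trusted interface
TICK_MS = 100                      # scheduling interval of the model (assumption)
BUDGET_BITS = LINK_KBPS * TICK_MS  # bits the link can send per tick (150,000)


def tos_from_precedence(precedence):
    """IP Precedence occupies the top 3 bits of the TOS byte."""
    if not 0 <= precedence <= 7:
        raise ValueError("IP Precedence must be 0-7")
    return precedence << 5


def precedence_from_tos(tos):
    return (tos >> 5) & 0x7


def dscp_from_tos(tos):
    """DSCP is the top 6 bits of the same byte; precedence n is class selector CSn."""
    return (tos >> 2) & 0x3F


@dataclass
class Packet:
    policy: str      # the Firebox policy the traffic matches
    size_bits: int
    tos: int


def offered_traffic():
    """One tick of arrivals in FIFO order (constructed). FTP offers 20 full-size
    packets and the HTTP video 10; together they exceed the link, so queuing occurs."""
    pkts = []
    for i in range(20):
        pkts.append(("FTP", 1500))
        if i < 10:
            pkts.append(("HTTP", 1500))
    return pkts


def drain(queue, budget_bits):
    """Serve the queue highest precedence first (FIFO within a class) until the
    next packet no longer fits. Returns (bits sent per policy, packets left over)."""
    ordered = sorted(queue, key=lambda p: -precedence_from_tos(p.tos))
    sent, remaining = {}, budget_bits
    for i, pkt in enumerate(ordered):
        if pkt.size_bits > remaining:
            return sent, ordered[i:]
        remaining -= pkt.size_bits
        sent[pkt.policy] = sent.get(pkt.policy, 0) + pkt.size_bits
    return sent, []


def egress_kbps(qos_enabled):
    """Kbps each policy gets in one tick, with or without the policy-level marking
    from this exercise (HTTP and DNS at IP Precedence 2, everything else at 0)."""
    marking = {"HTTP": 2, "DNS": 2} if qos_enabled else {}
    queue = [Packet(policy, size * 8, tos_from_precedence(marking.get(policy, 0)))
             for policy, size in offered_traffic()]
    sent, _left_over = drain(queue, BUDGET_BITS)
    # bits per 100 ms tick / 100 = Kbps
    return {policy: bits // TICK_MS for policy, bits in sent.items()}


if __name__ == "__main__":
    tos = tos_from_precedence(2)
    print(f"IP Precedence 2 ({IP_PRECEDENCE[2]}): TOS=0x{tos:02x}, DSCP={dscp_from_tos(tos)}")
    print("Without QoS marking:", egress_kbps(False))  # FTP and HTTP share the link
    print("With QoS marking:   ", egress_kbps(True))   # HTTP served first, FTP gets the rest
```

The unmarked case splits the link evenly between FTP and HTTP, while with marking HTTP is served first and FTP only gets what is left, which is the effect Service Watch shows in Figure 28.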

What You Have Learned


You have learned that you can use bandwidth restrictions and reservations, together with
prioritization, to make sure critical applications have the bandwidth they need.
In this module, you learned how to:
Create Traffic Management actions to guarantee or restrict bandwidth
Use Traffic Management actions with Application Control
Prioritize traffic by QoS marking or policy
Use Service Watch to see your changes at work


Link Aggregation
Increase Interface Aggregate Throughput and Redundancy

Introduction
A link aggregation (LA) interface is a group of physical interfaces that you configure to work together as
a single logical interface. You can use a link aggregation interface to increase the aggregate
throughput beyond the capacity of a single physical interface, and to provide redundancy if there is a
physical link failure.

What You Will Learn


This course explains the concept of link aggregation and describes how to configure different link
aggregation interface modes. It also describes some ways that you can use link aggregation with other
networking features.

Course Outline
The exercises provide step-by-step procedures for how to set up several link aggregation
configurations. The exercises include:
Configure a link aggregation interface in active-backup mode
Configure a link aggregation interface in static mode
Configure a link aggregation interface in dynamic mode
Configure a link aggregation interface as a member of a VLAN

Terms and Concepts You Should Know

Link Aggregation
Link Aggregation, also known as Port Trunking, Port Teaming, Ethernet Trunking, or Link Bundling,
refers to the concept of grouping multiple Ethernet ports to function as a single connection between
networked devices.
Link Aggregation provides two main benefits.
Provides graceful recovery from link failures
For all link aggregation types, if a single interface in a link aggregation group fails, traffic can flow
through the other member interfaces in the link aggregation group.
Increases aggregate throughput between devices
For static or dynamic link aggregation, traffic flows over all member interfaces. This increases the
aggregate throughput, because different traffic flows are load balanced between different
member interfaces. Because each traffic flow uses a single interface, the maximum throughput for
a single connection does not increase beyond the bandwidth of a single interface. But the
aggregate bandwidth increases because different traffic flows can use different member interfaces.

Link Aggregation Group (LAG)
A link aggregation group, or LAG, is a group of Ethernet interfaces configured as a group for the
purposes of link aggregation. When you configure a link aggregation on a Firebox, it is called a link
aggregation interface. The term LAG is also used by some switch vendors to refer to link aggregation in
general.

Link Aggregation Interface


A link aggregation interface is a logical interface that includes one or more physical member interfaces.
It is a LAG on the Firebox.
To configure a link aggregation interface, your Firebox must be configured in mixed routing mode. You
can set the link aggregation interface type to External, Trusted, Optional, VLAN, or Bridge. You can use a
link aggregation interface in most of the same ways that you use a physical interface. For example, you
can use it in the configuration of policies, multi-WAN, VLANs, VPNs, DHCP, and PPPoE.
In Policy Manager, you configure link aggregation interfaces in the Link Aggregation tab in the
Network Configuration dialog box.

Requirements and Limitations


Link Aggregation requires Fireware v11.7 or higher. You can configure link aggregation on any Firebox
that runs Fireware v11.7 or higher, with these exceptions.
XTMv devices do not support link aggregation.
XTM 25, 26, and 33 devices do not support dynamic link aggregation mode.
You cannot use link aggregation on an active/active FireCluster.
Link aggregation interface configuration is very similar to the configuration of any other interface.
There are only a few interface settings that you cannot configure for a link aggregation interface:
MAC access control
QoS, Traffic Management, and most other advanced interface settings

Link Aggregation Member Interface


Each physical interface that is assigned to a link aggregation interface is a link aggregation interface
member. Before you can assign a physical interface to a link aggregation interface, you must set the
physical interface Type to Link Aggregation. Then you select which Link Aggregation interface the
physical interface is a member of.
The number of member interfaces you can assign to a link aggregation interface is limited only by the
number of available physical interfaces on your Firebox.
All interfaces that are members of the same link aggregation interface must support the same
maximum link speed.


Link Aggregation Modes


You can configure a link aggregation interface in one of three modes. For all modes, a member
interface can be active only when the member interface link status is up. Whether a member interface
is active depends on both the link status of the physical interface and the link aggregation mode.
Dynamic (802.3ad)
All physical interfaces that are members of the link aggregation interface can be active. The same
member interface is always used for traffic between a given source and destination. The devices at
both sides use Link Aggregation Control Protocol (LACP) to negotiate which physical link to assign a
traffic flow to. LACP is described in the IEEE 802.3ad dynamic link aggregation specification.
Dynamic mode provides load balancing and fault tolerance.
Static
All physical interfaces that are members of the link aggregation interface can pass traffic at the
same time. The same member interface is always used for traffic between a given source and
destination based on source/destination MAC address and source/destination IP address. Static
mode provides load balancing and fault tolerance.
Active-backup
In this mode, at most only one member interface in the link aggregation group is active at a time.
The other member interfaces in the link aggregation group become active only if the active
interface fails. This mode provides fault tolerance for connections to network switches that do not
support link aggregation, but it does not provide load balancing.
To use dynamic or static link aggregation, you must also configure a link aggregation group on the
connected managed switch.
Both static and dynamic link aggregation modes can detect physical link failures within the LAG and
continue sending traffic through the other member interfaces. LACP can also detect some types of
switch or port failures that do not result in the loss of a link, which means that dynamic mode provides a
more resilient LAG. We recommend that you use dynamic link aggregation mode instead of static
mode, if your managed switch supports it.
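The following added example (not WatchGuard's implementation) models the behaviour described under Link Aggregation and Link Aggregation Modes: a static or dynamic LAG pins each flow to one member based on source/destination MAC and IP, so a single connection never exceeds one link while the aggregate grows, and active-backup uses one member at a time. The XOR hash, the 1000 Mbps member speed, and the sample flows are constructed assumptions; the Firebox's real hash function is not given on this page.

```python
"""Flow distribution across a link aggregation interface (illustrative model,
not WatchGuard's implementation). Static/dynamic mode hashes each flow on
source/destination MAC and IP and pins it to one member; active-backup uses a
single member. The XOR hash is an assumption in the style of Linux bonding's
layer2+3 policy; the Firebox's real hash is not documented here."""
import ipaddress

LINK_MBPS = 1000   # constructed per-member link speed


def _flow_hash(src_mac, dst_mac, src_ip, dst_ip):
    """XOR-fold every byte of both MAC addresses and both IPv4 addresses."""
    h = 0
    for mac in (src_mac, dst_mac):
        for byte in bytes.fromhex(mac.replace(":", "")):
            h ^= byte
    for ip in (src_ip, dst_ip):
        for byte in ipaddress.IPv4Address(ip).packed:
            h ^= byte
    return h


class LinkAggregationInterface:
    def __init__(self, name, members, mode="static"):
        if mode not in ("static", "dynamic", "active-backup"):
            raise ValueError(mode)
        self.name = name                 # e.g. "bond0"
        self.members = list(members)     # e.g. ["eth2", "eth3"]
        self.mode = mode
        self.link_up = {m: True for m in self.members}

    def set_link(self, member, up):
        """Simulate a member link going down (up=False) or coming back."""
        self.link_up[member] = up

    def active_members(self):
        """Members with link up; active-backup keeps at most one of them active."""
        up = [m for m in self.members if self.link_up[m]]
        return up[:1] if self.mode == "active-backup" else up

    def select_member(self, src_mac, dst_mac, src_ip, dst_ip):
        """Same flow always lands on the same member while the member set is stable."""
        active = self.active_members()
        if not active:
            raise RuntimeError(f"{self.name}: no member link is up")
        if self.mode == "active-backup":
            return active[0]
        return active[_flow_hash(src_mac, dst_mac, src_ip, dst_ip) % len(active)]

    def aggregate_capacity(self, link_mbps=LINK_MBPS):
        """Static/dynamic: all active links add up; active-backup: one link."""
        return link_mbps * len(self.active_members())

    def single_flow_capacity(self, link_mbps=LINK_MBPS):
        """A single connection uses one member, so it never exceeds one link."""
        return link_mbps


def distribute(lag, flows):
    """Map each flow id to the member it is hashed to: {member: [flow ids]}."""
    placement = {m: [] for m in lag.active_members()}
    for flow_id, (smac, dmac, sip, dip) in flows.items():
        placement[lag.select_member(smac, dmac, sip, dip)].append(flow_id)
    return placement


# Constructed flows: four hosts on 172.16.1.0/24 talking to the LAG address.
SAMPLE_FLOWS = {
    "pc1": ("02:00:00:00:00:01", "02:00:00:00:00:10", "172.16.1.10", "172.16.1.1"),
    "pc2": ("02:00:00:00:00:02", "02:00:00:00:00:10", "172.16.1.12", "172.16.1.1"),
    "pc3": ("02:00:00:00:00:03", "02:00:00:00:00:10", "172.16.1.13", "172.16.1.1"),
    "pc4": ("02:00:00:00:00:04", "02:00:00:00:00:10", "172.16.1.15", "172.16.1.1"),
}

if __name__ == "__main__":
    for mode in ("static", "active-backup"):
        lag = LinkAggregationInterface("bond0", ["eth2", "eth3"], mode)
        print(mode, "both up:  ", distribute(lag, SAMPLE_FLOWS), lag.aggregate_capacity(), "Mbps")
        lag.set_link("eth2", False)   # pull the cable on eth2
        print(mode, "eth2 down:", distribute(lag, SAMPLE_FLOWS), lag.aggregate_capacity(), "Mbps")
```

With one host sending, all of its traffic stays on one member, which is why the static-mode exercise later shows counters moving on a single interface until a second computer is added.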

Link Aggregation Interface Identifiers


Each link aggregation interface is identified by an interface number that starts with the prefix bond
followed by a number. The term bond is used because a link aggregation interface is a logical bond of
two or more interfaces.
Link aggregation interface identifiers are numbered consecutively in the order the link aggregation
interfaces were added. For example, if you enable two link aggregation interfaces, the first one you add
is identified as bond0 and the second is identified as bond1. Link aggregation identifiers appear in the
Firebox System Manager Front Panel tab, Status Report tab, routes table, and in log messages.

Link Aggregation with Other Networking Features
You can use a link aggregation interface in most of the same ways that you use a physical interface. For
example, you can use it in the configuration of policies, VLANs, multi-WAN, VPN, DHCP, and PPPoE.
You can use a link aggregation interface with most other networking features, just as you would use a
physical interface:
Multi-WAN
VLAN
FireCluster (active/passive only)
VPNs
Dynamic Routing
Network Address Translation (NAT)
Secondary networks
You cannot configure link aggregation interfaces to use these features:
Traffic Management
Quality of Service (QoS)
MAC Access control


Exercise 1: Configure Active-Backup Link Aggregation


You can configure a link aggregation interface in active-backup link aggregation mode to provide a
backup connection to the Firebox. This use of link aggregation provides redundancy, but not increased
throughput. Computers connected to either switch can communicate with the Firebox even if one of
the links goes down. The effective topology is that of cascaded switches connected to the active
member interface.

Network Topology
In this exercise you will configure Eth3 and Eth4 as members of a new link aggregation interface. After
you configure the link aggregation interface, you connect the physical interface members to two
different unmanaged switches that are also connected to each other. Because the link aggregation
interface is configured in active-backup mode, only one of the member interfaces is active at a time.
Note
The topology used in this exercise only works for a link aggregation interface in active-backup mode. It
is important that both interfaces are not active at the same time, or this topology causes a network
routing loop.

Figure 1: Active-backup link aggregation interface when the interface connected to Switch A is active.

Figure 2: Active-backup link aggregation interface when the interface connected to Switch B is active.

If each student does not have two switches, two students can share a pair of switches. This network
topology is not something you would do on a production network, but may be necessary for training
purposes. If students must share switches, the cable configuration looks like this.

Figure 3: Link aggregation active-backup topology for two students sharing two switches. For each link
aggregation group, either member interface could be the active interface.
Note
If two Firebox devices share the same switches for this exercise, each device could report spoofing
errors if it receives traffic from the network configured on the other device. This does not affect the
exercise.

Before You Begin


Before you begin this exercise:
Make sure you have two unmanaged switches, or that you have configured your switches in
unmanaged mode.
Disable any VLANs enabled in a prior exercise.
Make sure the device is configured with these interface settings:
- Eth0 (External) is 203.0.113.X/24
- Eth1 is a trusted interface, with the IP address 10.0.X.1/24.
- Eth3 and Eth4 are disabled.
Replace the X in the IP addresses with your student number.

Add the Link Aggregation Interface


1. Open the configuration for your Firebox in Policy Manager.
2. Select Network > Interfaces.
3. Click the Link Aggregation tab.

Figure 4: Link aggregation interfaces appear here


4. Click Add.
The New Link Aggregation Interface Configuration dialog box appears.
Note
Notice that the MAC Access Control tab does not appear here. Link aggregation interfaces do not
support that feature. Most of the settings that would appear in the Advanced tab for a physical
interface are also not available for link aggregation interfaces.

Figure 5: Configure the link aggregation interface in Active-backup mode


5. In the Name (Alias) text box, type a name for this interface. For example, LA-Optional.
6. (Optional) In the Description text box type a description of this interface.
7. From the Mode drop-down list, select Active-backup.
8. From the Type drop-down list, select Optional.
9. In the IP Address text box, type 172.16.X.1/24.
Replace X in the address with your student number.
10. Click OK.
The new link aggregation interface appears on the Link Aggregation tab.

Figure 6: The configured link aggregation interface

Add Member Interfaces
After you create the link aggregation interface, you must assign at least one member interface. The
number of interfaces you can add is limited only by the available physical interfaces on your Firebox.
For this exercise, you add two member interfaces.
1. Click the Interfaces tab.
2. Select interface 2 and click Configure.
The Interface Settings dialog box appears.
3. Set the Interface Type to Link Aggregation.
The configured link aggregation interface appears in the list.
Note
If a link aggregation interface is not already configured, click New Link Aggregation to create a new
one.

Figure 7: A link aggregation interface member


4. In the Member column, select the link aggregation interface you just configured.
5. Click OK.
6. Select interface 3 and click Configure.
7. Set the Interface Type to Link Aggregation.
8. In the Member column, select the link aggregation interface you just configured.


9. Click OK.
Interfaces 2 and 3 are now configured as type LA (Link Aggregation).

Figure 8: The interfaces of type LA are the two link aggregation member interfaces
10. Click the Link Aggregation tab.
The link aggregation interface shows interfaces 2 and 3 as members.

Figure 9: The interfaces column shows which physical interfaces are members
11. Save the configuration to the device.

Connect the Switches


If your switches support managed and unmanaged mode, make sure your switch is configured for
unmanaged mode.
1. Use a cross-over Ethernet cable to connect the two switches together.
For some switches, a cross-over cable might not be required to connect the switches together.
2. Use an Ethernet cable to connect interface 2 to one switch.
3. Use an Ethernet cable to connect interface 3 to the other switch.

Monitor the Link Aggregation Interface
Note
It is not necessary to connect the management computer to the switch to monitor the link aggregation
interface. We do so in this exercise in order to generate some traffic over the link aggregation interface.
1. Disconnect the management computer from eth1 and connect it to an interface on one of the
switches.
2. Change the IP address of the management computer to an IP address on the 172.16.X.0/24
network configured on your link aggregation interface.
3. In WatchGuard System Manager, use the IP Address of the link aggregation interface, 172.16.X.1, to
connect to the device. Replace X with your student number.
4. Expand the Firebox Status tree to see the interface status.
The link aggregation interface is listed as bond0. The physical interface members are listed below it.

Figure 10: The bond0 interface in WatchGuard System Manager


5. Select Tools > Firebox System Manager to start Firebox System Manager.


6. Expand Interfaces to show information for eth2, eth3, and bond0.

Figure 11: The bond0 and member interfaces in Firebox System Manager
7. Since this is an active-backup link aggregation interface, traffic goes through only one interface at
a time. Look at the sent and received statistics to see which interface is currently active. In the
example shown here, eth2 has sent only one packet, so we know that eth3 is the active interface.
If several computers were connected and sending traffic through the switch, traffic from all
computers would still go through only one interface at a time, because this link aggregation
interface is configured in active-backup mode.
8. Unplug the cable that connects the currently active interface to the switch.
Even if your management computer is connected to the switch you just unplugged from the Firebox, your
connection to the Firebox is not interrupted. Traffic for the link aggregation interface goes through the other
switch to the other member interface.
9. Click the Status Report tab.
10. Scroll down to the Network Configuration section.
The link status of the bond0 interface is up, even though the link status of a member interface is down.

Figure 12: The Network Configuration status in the Status Report


11. Reconnect the second link aggregation member interface to the second switch.
Watch the link status refresh in the status report.

Exercise 2: Static and Dynamic Link Aggregation
In this exercise, you configure a link aggregation interface in static mode, and connect managed switch
interfaces that are also configured as a link aggregation group. Then you change this configuration to
dynamic mode (802.3ad).
Both static and dynamic modes load balance traffic across all member interfaces. The difference is in
how the individual traffic flows are distributed across the interfaces.

Topology
This exercise requires a Firebox and a managed switch.

Figure 13: Link aggregation between a device and a switch.

Before You Begin


Before you begin this exercise:
Connect the management computer to Eth1 for the start of this exercise. You might need to
change the network settings on your computer if you assigned it a static IP address for the previous
exercise.
Make sure you have a managed switch, started in managed mode.
Remove any VLAN or link aggregation interfaces configured in a previous exercise.
Disconnect the Firebox from any switches.
Make sure the Firebox is configured with these interface settings:
- Eth0 (External) is 203.0.113.X/24
- Eth1 is a trusted interface, with the IP address 10.0.X.1/24.
- Eth3 and Eth4 are disabled.
Replace the X in the IP addresses with the student number.


Add the Link Aggregation Interface


1. Open the configuration for your Firebox in Policy Manager.
2. Select Network > Interfaces.
3. Click the Link Aggregation tab.
4. Click Add.
The New Link Aggregation Interface Configuration dialog box appears.

Figure 14: A static link aggregation interface


5. In the Name (Alias) text box, type a name for this interface. For example, LA-Trusted.
6. (Optional) In the Description text box type a description of this interface.
7. From the Mode drop-down list, select Static.
8. From the Type drop-down list, select Trusted.
9. In the IP Address text box, type 172.16.X.1/24.
Replace X in the address with your student number.
10. Click OK.
The new link aggregation interface appears on the Link Aggregation tab.

Figure 15: A link aggregation interface with no member interfaces

Add Member Interfaces
Next, you add the member interfaces.
1. Click the Interfaces tab.
2. Select interface 2 and click Configure.
3. Set the Interface Type to Link Aggregation.
The configured link aggregation interface appears in the list.

Figure 16: You must add at least one member interface to the link aggregation interface
4. In the Member column, select the link aggregation interface you just configured.
5. (Optional) In the Interface Name text box, change the interface name to something that indicates
this is part of a trusted link aggregation interface.
6. Click OK.
7. Select interface 3 and click Configure.
8. Set the Interface Type to Link Aggregation.
9. In the Member column, select the link aggregation interface you just configured.
10. (Optional) In the Interface Name text box, change the interface name to something that indicates
this is part of a trusted link aggregation interface.
11. Click OK.
Interfaces 2 and 3 are now configured as type LA (Link Aggregation).

Figure 17: Interfaces 2 and 3 configured as link aggregation interfaces


12. Click the Link Aggregation tab.


The link aggregation interface shows interfaces 2 and 3 as members.

Figure 18: Verifying the interface members


13. Save the configuration to the device.

Configure the Switch and Connect the Device to the Switch


Refer to the instructions from your switch manufacturer for the steps to configure your switch.
1. On the managed switch, configure a link aggregation group with two interfaces as members.
The interfaces must support the same link speeds as the member interfaces on the Firebox.
2. If the switch supports both static and dynamic link aggregation modes, configure the LAG to use
static mode.
3. Make sure that the link speed for the link aggregation group on the switch matches the settings on
the Firebox. On the device, you can configure the link speed in the Advanced tab when you edit a
link aggregation interface. The default setting is Auto Negotiate.
Note
On XTM 505, 510, 520, or 530 devices, interface 0 (Eth0) supports a lower maximum link speed (100 Mbps)
than the other interfaces (1000 Mbps). If you use Eth0 as a member of a link aggregation interface on
these models, you must set the Link Speed to 100 Mbps or lower in the link aggregation interface
configuration and on the connected network switch.
Figure 19: Link speed options for a link aggregation interface
If you configure the link aggregation interface on the Firebox to use a specific link speed, make sure
that you also configure the link aggregation group on the switch to use the same speed.

Connect the Device to the Switch


1. Connect interface 2 to one of the LAG member interfaces on the switch.
2. Connect interface 3 to the other LAG member interface on the switch.

Monitor the Link Aggregation Interface
Note
It is not necessary to connect the management computer to the switch to monitor the link aggregation
interface. We do so in this exercise in order to generate some traffic over the link aggregation interface.
1. Disconnect the management computer from eth1 and connect it to an interface on the switch.
2. Change the IP address of the management computer to an IP address on the 172.16.X.0/24
network configured on your link aggregation interface.
3. In WatchGuard System Manager, use the IP Address of the link aggregation interface, 172.16.X.1, to
connect to the device. Replace X with your student number.
4. Start Firebox System Manager.
5. Expand Interfaces to show information for eth2, eth3, and bond0.
6. Even though this is a static link aggregation interface, traffic goes through only one interface when
only one computer is sending traffic through the interface.
In static mode, if several hosts are connected and sending traffic through the switch, traffic from
different hosts would go through different interfaces in the LAG.
7. If you have another computer available:
a. Connect the second computer to the switch and configure it with an IP address on the
172.16.X.0/24 network.
b. On the second computer, start a process, such as ping, to generate traffic to the 172.16.X.0/24
network. For example, you could ping the trusted interface at 10.0.10.X.
8. Watch the interface statistics in Firebox System Manager.
When traffic is coming from multiple hosts, you should see traffic statistics changing for both member
interfaces.
9. Unplug one of the cables that connects the device to the switch.
The computers connected to the switch should maintain their connection, even though the link status of a
member interface is down.

Use Dynamic Mode


Now that you have seen how static mode works, you can modify the link aggregation configuration on
the switch and on the Firebox to use dynamic mode.
Refer to the instructions from your switch manufacturer to see if your switch supports dynamic link
aggregation mode, and how to configure it.
1. In Policy Manager, edit the existing static link aggregation interface.
2. Change the Mode from Static to Dynamic (802.3ad).
3. Save the configuration to the device.
4. On the switch, change the link aggregation group to use dynamic mode instead of static mode.
5. Monitor the link aggregation interface in Firebox System Manager.
It looks the same as when it was running in static mode.
6. In Firebox System Manager, click the Traffic Monitor tab.
If there is any misconfiguration, if you connect to the wrong switch port, or if your switch does not
support dynamic mode, you see errors in Traffic Monitor. For example, you could see the error
Check the configuration to verify that all adapters are connected to 802.3ad compliant switch ports.



Link Aggregation with Other Networking Features

Exercise 3: Use Link Aggregation with a VLAN


You can use a link aggregation interface, configured in any mode, as a VLAN interface. This can provide
higher aggregate throughput and redundancy for your VLAN connections. In this exercise, you
configure a link aggregation interface as a member of a VLAN.

Network Topology
This exercise shows how to configure a link aggregation interface as a member of a VLAN. In the
network diagram, the computers are connected to the 802.1Q switch, which has a link aggregation group
defined. The switch interfaces in the link aggregation group are connected to member interfaces of a
link aggregation interface on the Firebox. On the device, the link aggregation interface is configured as
a member of the VLAN.

Note
The VLAN part of this exercise is similar to exercise 1 in the VLAN section of this training, except that
in this exercise you configure only one VLAN. If you want to extend this exercise, you could configure
another VLAN on the Firebox and on the switch just as you did in that exercise.

Figure 20: Link aggregation interface configured as a member of a VLAN interface.

Before You Begin


Before you begin this exercise:
Connect the management computer to Eth1.
Make sure you have a managed switch, started in managed mode.
Disconnect the Firebox from the switch.
Make sure the Firebox is configured with these interface settings:
- Eth0 (External) is 203.0.113.X/24
- Eth1 is a trusted interface, with the IP address 10.0.X.1/24.
- Eth3 and Eth4 are link aggregation interface members
- One link aggregation interface is configured (from the previous exercise)
Replace the X in the IP addresses with the student number.
The steps in this exercise assume you already have a link aggregation interface configured on the
Firebox and on the switch from the previous exercise. You can use any link aggregation mode for this
exercise.

Configure the Device
1. From Policy Manager, select Network > Configuration.
The Network Configuration dialog box appears.
2. Select the VLAN tab.
The VLAN settings list is empty because you have not defined any VLANs.
3. Click Add and create a new VLAN.
The New VLAN Configuration dialog box appears.
4. In the Name (Alias) text box, type a name for the VLAN. The name cannot contain spaces.
For this example, type VLAN10.
5. (Optional) In the Description text box, type a description.
For this example, type Accounting.
6. In the VLAN ID text box, type or select a number for the VLAN.
For this example, select 10.
7. From the Security Zone drop-down list, select the security zone for the VLAN.
For this example, select Trusted.
8. In the IP Address text box, type the IP address of the VLAN gateway.
For this example, type 192.168.10.1/24.
Any computer in this new VLAN must use this IP address as its default gateway.
9. (Optional) Configure DHCP for the new VLAN.
a. Select Use DHCP Server.
b. In the Address Pool section, click Add.
c. Type or select the Starting Address and the Ending Address.
For this example, type 192.168.10.10 for the Starting Address and 192.168.10.20 for
the Ending Address.
d. Click OK.
The new address pool appears in the Address Pool list.
10. Click OK.
The new VLAN appears.

Figure 21: The VLAN tab with VLAN10 added


11. Select the Link Aggregation tab.
The link aggregation interface you configured in the previous exercise appears in the list.
12. Select the link aggregation interface and click Edit.




13. Change the Interface Type from Trusted to VLAN.


The list of VLANs appears in the IPV4 tab. The new VLAN appears in the list.

Figure 22: The LA-Trusted interface configured as type VLAN


14. Select Send and receive tagged traffic for selected VLANs.
15. In the Member column, select the check box for VLAN10. Click OK.
16. Check your work.
The Link Aggregation tab should look like this.

Figure 23: The Link Aggregation tab shows one interface of type VLAN with two interface members
The VLAN tab should look like this.

Figure 24: The VLAN tab shows the link aggregation interface as a member of VLAN10
17. Save this configuration to the device.

Configure the Switch
This exercise assumes you have already configured the link aggregation group on the switch in the
previous exercise. Use these steps to
Refer to the instructions from your switch manufacturer to configure VLANs on your switch.
1. Add a VLAN to the 802.1Q switch configuration.
Set the VLAN ID number for this VLAN to 10.
2. Configure the LAG for the switch interfaces that connect to device interfaces 2 and 3.
a. Disable Spanning Tree Protocol on any switch interface that connects to the device.
b. Configure the LAG on the switch to be a member of VLAN 10.
c. Configure this interface to tag for VLAN 10.
d. If necessary for your switch operating system, configure the switch mode to trunk.
e. If necessary for your switch operating system, set encapsulation mode to 802.1Q.
3. Configure the switch interfaces that connect computers in VLAN10 to the switch.
a. Configure each switch interface that will connect a computer in VLAN10 to be a member of
VLAN10.
b. Configure these interfaces to untag for VLAN10.

Physically Connect all Devices


1. Connect interface 2 on the Firebox to one of the LAG member interfaces on the switch.
2. Connect interface 3 on the Firebox to the other LAG member interface on the switch.
3. Connect a computer to the interface on the switch that you configured to untag for VLAN10.
4. If you configured VLAN10 to use the DHCP server, configure the computer's network card to use
DHCP to get an IP address automatically.
For more information, see Step 9 on page 84.
5. If you did not configure the VLAN to use the DHCP server, configure the computer's network card
with an IP address in the VLAN subnet 192.168.10.x. Use subnet mask 255.255.255.0 and set the
computer's default gateway to the Firebox VLAN IP address, 192.168.10.1.
6. On the management computer, ping the Firebox at 192.168.10.1.
A ping response verifies that you are connected to VLAN10.
7. In WatchGuard System Manager, connect to the Firebox at 192.168.10.1.




8. Expand the Firebox Status tree to see the interface status.


The link aggregation interface is a physical interface member of vlan10.

Figure 25: The link aggregation interface is listed as a member of vlan10

What You Have Learned


In this module, you learned:
What link aggregation is
Some benefits of using link aggregation in your network
How link aggregation works on the Firebox
How to configure a Firebox to use link aggregation in three modes
How to configure a link aggregation interface as a VLAN member


Multi-WAN Methods
Exploring Multi-WAN Through Hands-On Training

Introduction

What You Will Learn


Many organizations have more than one Internet connection, or plan to have additional ones in the
future. This part of the course shows you how Fireware manages outgoing traffic with each of the four
different multi-WAN modes of operation:
Round-robin
Failover
Interface Overflow
Routing Table
You also learn how to monitor the status of your external connections, how sticky connections
influence routing decisions, and how to use policy-based routing.

Exercises
The step-by-step exercises in this course show how to configure two of the multi-WAN methods and
demonstrate how outgoing connections behave when certain events occur. The first exercise shows
the Interface Overflow multi-WAN method and sticky connections. The second one shows how to
configure the Failover multi-WAN method and configure policy-based routing.

What Multi-WAN Can Do For You


Multiple external connections provide several benefits:
Redundancy: If the main Internet connection goes down, you can use a backup connection for
your outgoing connections.
More bandwidth available for outgoing connections: An additional connection to the Internet
can reduce wait times for new connections and large downloads initiated from behind the Firebox.
Dedicated access through a preferred connection: You can make mission-critical applications or
those that require a lot of bandwidth use a specified external interface.

Terms and Concepts You Should Know

Outgoing Traffic and Multi-WAN


In Fireware, you can configure multiple Firebox interfaces as type External. Because each external
interface must have a default gateway, each external interface provides a path that Fireware can use to
send traffic to external destinations.
For every connection that starts in a network behind the Firebox and goes to an external destination,
the Firebox must decide which external interface to use to send the traffic. Several factors determine
whether the Firebox allows an outgoing connection, and which external interface the Firebox uses for
allowed traffic:
Policies in Policy Manager that allow and deny traffic
Multi-WAN method you use
Static and dynamic routes in the Firebox routing table
Which external interfaces are currently able to send traffic
Per-policy settings that can override the multi-WAN method you use (policy-based routing and
sticky connections)
The Appendix section includes a flow chart that illustrates how the Firebox makes these decisions.

Incoming Traffic
For incoming connections, the decision process is much simpler. An incoming connection is
allowed only if a policy in Policy Manager allows it. Any external interface can receive traffic, as long as
Fireware's link monitors sense that the interface is active. The multi-WAN method you use does not
affect the path that incoming traffic takes to get to your Firebox.
Because the Firebox cannot control which external interface an incoming connection attempts to
come through, this training course does not discuss incoming connections. Instead the focus is on
understanding how Fireware handles outgoing connections using the different multi-WAN methods
and options.

IPSec VPN Traffic


The concepts in this training apply only to non-IPSec traffic. The methods that Fireware uses to route
normal (non-IPSec) traffic to external networks are distinct and separate from the way traffic is sent to
the remote side of an IPSec VPN. When the Firebox sends traffic to the other side of a VPN tunnel, it
selects from the interfaces specified in the gateway settings for that tunnel. Multiple external interfaces
for IPSec VPNs are covered in a separate training module.

Equal-Cost Multi-Path Routing (ECMP)


ECMP is an algorithm for routing packets to destinations when there are multiple next-hop paths of
equal cost. The Routing Table multi-WAN method uses ECMP to evenly distribute outgoing traffic
across multiple external interfaces based on source and destination IP addresses, and based on the
number of connections that go through each external interface.
A routing table is a collection of data about destinations in a network and how to reach them. Fireware
always consults the Firebox routing table regardless of multi-WAN method. Because of this, ECMP does
not interfere with static routes you enter into Policy Manager, or with dynamic routing protocols such
as RIP, OSPF, and BGP.
An ECMP group is the group of external interfaces used for ECMP calculations. When the Firebox
determines that an external interface in the ECMP group is no longer able to forward traffic to external


networks, it removes that interface from the ECMP group. Fireware puts the external interface back into
the ECMP group when it determines that the interface is available again. For more information, see
The Routing Table Multi-WAN Method on page 102.

Sticky Connections
Dynamic NAT changes the source IP address of an outgoing connection to match the IP address on the
external interface the Firebox uses to send the connection. You use sticky connections to make sure
that when an outgoing traffic flow is established, all connections between the inside user's IP address
and the external site's IP address use the same external interface for a certain amount of time.
Fireware keeps a dynamic table of sticky connections that includes the source/destination pair for each
outgoing connection, the external interface used for the connection, and the connection's age. If a new
connection between the pair happens before the sticky connection timeout, the age is reset to zero.
When the age of an entry reaches the sticky connection limit, the entry is deleted from the sticky
connections table. New connections between the two IP addresses can use a different external
interface.
You can configure the sticky connection interval for the Round-Robin, Interface Overflow, and Routing
Table multi-WAN methods.
You cannot use sticky connection options when:
You use the Failover multi-WAN method.
You enable policy-based routing for a policy.

Global Sticky Connection Settings


You configure the global sticky connection settings in the Advanced tab in the Multi-WAN settings.

Figure 1: Sticky connection settings in the Multi-WAN configuration

We recommend you use the default settings for sticky connections. The three-minute timeout prevents
most problems that arise when the source IP address of new traffic from behind the Firebox changes.

Policy-Based Sticky Connection Settings
For any policy, you can override the global sticky connection settings configured in the multi-WAN
settings. Policy-based sticky connection settings specify that outgoing traffic that uses the policy has a
shorter or longer sticky connection setting than the global sticky connection setting. You can also
disable sticky connections for a policy.
Some applications drop a client's connection if the client's source IP address changes. The most
common situation is when a user is on a web site that uses HTTPS. Some HTTPS sites use a session
cookie that includes the user's source IP address. If the user is on the site and the browser attempts a
new connection (for example, a new GET or POST request to the site causes a new TCP session), the site
might deny the new connection if the source IP address does not match what is in the session cookie.
If users report that they need to frequently re-authenticate to sites that use HTTPS, you can configure a
higher sticky timeout for the policy that allows outbound HTTPS traffic.

Figure 2: Sticky connection settings in the HTTPS policy


If you do not use a specific HTTPS policy in your Firebox configuration (for example, you have a policy
that allows outbound connections over any TCP port), you can add a policy that allows only port 443
traffic. You can then adjust the sticky connection timeout in this policy without affecting other
connections.
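The sticky connections table described above (age reset on a new connection, deletion at the timeout, and the per-policy timeout override for a dedicated HTTPS policy), simulated as an added example. This is not Fireware code; the IP addresses, interface names and the alternating stand-in for the multi-WAN chooser are constructed.

```python
# Added example: a model of the Fireware sticky connections table described
# above. Not WatchGuard code; the addresses, interface names and the simple
# alternating fallback chooser are constructed for illustration.
from dataclasses import dataclass
from itertools import cycle

GLOBAL_STICKY_TIMEOUT = 180  # seconds: the three-minute default the text recommends


@dataclass
class StickyEntry:
    interface: str   # external interface pinned for this source/destination pair
    timeout: int     # global timeout, or the per-policy override if the policy sets one
    age: int = 0     # seconds since the last connection between the pair


class StickyTable:
    """Dynamic table keyed by (source IP, destination IP)."""

    def __init__(self, global_timeout=GLOBAL_STICKY_TIMEOUT):
        self.global_timeout = global_timeout
        self.entries = {}

    def lookup(self, src, dst):
        """Interface pinned for the pair, or None when no live entry exists."""
        entry = self.entries.get((src, dst))
        return entry.interface if entry else None

    def record(self, src, dst, interface, policy_timeout=None):
        """A new connection for the pair: create the entry, or reset its age to zero."""
        timeout = policy_timeout if policy_timeout is not None else self.global_timeout
        entry = self.entries.get((src, dst))
        if entry is None:
            self.entries[(src, dst)] = StickyEntry(interface, timeout)
        else:
            entry.age = 0

    def tick(self, seconds):
        """Advance the clock; entries whose age reaches their timeout are deleted."""
        for key, entry in list(self.entries.items()):
            entry.age += seconds
            if entry.age >= entry.timeout:
                del self.entries[key]

    def purge(self):
        """Immediate Failback empties the table (Gradual Failback leaves it alone)."""
        self.entries.clear()


def route(table, src, dst, fallback, policy_timeout=None):
    """Use the sticky entry if there is one; otherwise ask the multi-WAN method."""
    interface = table.lookup(src, dst)
    if interface is None:
        interface = fallback()
    table.record(src, dst, interface, policy_timeout)
    return interface


def demo():
    """Constructed timeline; returns the interface chosen for each new connection."""
    table = StickyTable()
    fallback = cycle(["eth0", "eth1"]).__next__   # stands in for the multi-WAN method
    client, site = "10.0.1.50", "198.51.100.20"   # constructed sample addresses
    chosen = []
    chosen.append(route(table, client, site, fallback))   # no entry yet: eth0 pinned
    table.tick(170)
    chosen.append(route(table, client, site, fallback))   # under 180 s: eth0, age reset
    table.tick(170)
    chosen.append(route(table, client, site, fallback))   # age was reset, so still eth0
    table.tick(180)                                       # entry reaches timeout, deleted
    chosen.append(route(table, client, site, fallback))   # fresh decision: eth1
    # A per-policy override (for example a policy that allows only port 443) keeps
    # the pair pinned longer than the global timeout would.
    https_site = "198.51.100.44"
    chosen.append(route(table, client, https_site, fallback, policy_timeout=600))
    table.tick(300)                                       # past global, under policy timeout
    chosen.append(route(table, client, https_site, fallback, policy_timeout=600))
    return chosen
```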

Load Balancing Interface Group (LBIG)


The Load Balancing Interface Group is the group of interfaces that participate in multi-WAN load
balancing. By default, all external interfaces are included in the load balancing interface group. You can
include or exclude any external interface from the multi-WAN method that you use, but you must
include at least two external interfaces in the group.


Load Balancing Interface Groups apply only to the Round-robin, Failover, and Interface Overflow
methods. The Routing Table method does not use the LBIG because the ECMP (equal-cost multi-path)
routing algorithm manages all routing decisions.

Policy-Based Routing
Policy-based routing is the ability to specify, at a firewall policy level, that an outgoing traffic flow must
use a specific external interface if the source and destination IP addresses of the traffic match the From
and To lists of the policy. Policy-based routing lets you overrule the routing decision that Fireware
would otherwise apply based on the multi-WAN method.
You can also use policy-based routing to route traffic for a policy through a BOVPN virtual interface.

Link Monitor Settings


The Firebox has two ways to tell if an external interface is available to send or receive traffic:
Monitor the physical link state of the interface's Ethernet peer.
The Firebox monitors the physical link by default. If the kernel-level drivers sense that the physical
Ethernet link is down, the Firebox immediately declares the interface down. New connections
begin to flow through the other external interfaces, depending on various multi-WAN and
per-policy configuration options you set.
Monitor the ability to make connections to external locations.
You can specify how the Firebox determines if an external interface is available. From Policy
Manager, select Network > Configuration and select the Multi-WAN tab. Select the interface to
monitor in the External Interface column and configure the settings on the Link Monitor tab.

Figure 3: Link Monitor tab

Use these settings:
Select the Ping check box to add an IP address or domain name for the Firebox to ping to check for
interface status.
Select the TCP check box to add the IP address or domain name where the Firebox sends a TCP SYN
packet. Use the Port box to set the port the Firebox uses when it sends the SYN packet. If the target
sends an ACK in reply, the Firebox knows it can reach the external target. The Firebox closes the
connection with a RST packet when it gets an ACK.
Select the Both ping and TCP must be successful to define the interface as active check box if
you want the interface to be considered down when either a ping probe or a TCP packet probe
fails. If you do not select this box, then both the ping probe and the TCP packet probe must fail for
the Firebox to consider the interface down.
Multi-WAN does not require that you configure Ping or TCP link monitor targets, but we recommend
that you configure one or both to determine whether the external interface can send traffic out of your
network.

Note
If you do not select Ping or TCP link monitor targets, Fireware monitors each interface by sending an
ICMP echo to the interface's default gateway IP address. Because monitoring the connection to the
default gateway does not test whether the interface can send traffic beyond the edge of your
network, we recommend you indicate other link monitor targets.

Recommended Link Monitor Targets


Good candidates for a link monitor target include:
A server with a record of high uptime, such as a server hosted by your ISP
A server that is critical to your business, such as a server at a business partner, or a credit card
processing site
It is a good practice to ask the remote site administrator if they have a device you can use as a
monitoring target to verify connectivity to their site.

Link Monitor settings:


Use the Probe Interval setting to configure the frequency you want the Firebox to do the ping and
TCP probes. By default, the Firebox probes every 15 seconds.
Use the Deactivate after setting to change the number of consecutive probe failures that must
occur before failover. By default, after three probe failures, the Firebox removes the interface from
the list of active external interfaces. Outgoing traffic continues based on the multi-WAN method
you use. See the next section, Failover/Failback.
Use the Reactivate after setting to change the number of consecutive successful probes through
an interface before an interface that was inactive becomes active again.
Configure link monitor settings for each external interface.
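The Link Monitor behaviour described above (Probe Interval, Deactivate after, Reactivate after, the "Both ping and TCP must be successful" check box, and immediate deactivation on physical link loss), modelled as an added example. This is not Fireware code; the probe outcomes are constructed to show when the interface changes state.

```python
# Added example: a state machine for the Link Monitor behaviour described above.
# Not Fireware code; probe outcomes are constructed to show the transitions.
from dataclasses import dataclass, field


@dataclass
class LinkMonitorConfig:
    probe_interval: int = 15      # seconds between probes (default 15)
    deactivate_after: int = 3     # consecutive failed probes before the interface is marked down
    reactivate_after: int = 3     # consecutive successful probes before it is active again
    require_both: bool = False    # the "Both ping and TCP must be successful" check box


def probe_succeeded(ping_ok, tcp_ok, require_both):
    """Combine the configured probes. None means that probe type is not configured.
    With neither target configured the page says the Firebox pings the default
    gateway instead; pass that result as ping_ok."""
    results = [r for r in (ping_ok, tcp_ok) if r is not None]
    if not results:
        raise ValueError("at least one probe result is required")
    return all(results) if require_both else any(results)


@dataclass
class LinkMonitor:
    config: LinkMonitorConfig = field(default_factory=LinkMonitorConfig)
    active: bool = True
    failures: int = 0          # consecutive failed probes while active
    successes: int = 0         # consecutive successful probes while inactive
    elapsed: int = 0           # seconds since monitoring started
    transitions: list = field(default_factory=list)   # (elapsed seconds, "down" or "up")

    def link_lost(self):
        """Physical Ethernet link down: declared inactive immediately, no probe needed."""
        if self.active:
            self.active = False
            self.failures = self.successes = 0
            self.transitions.append((self.elapsed, "down"))

    def probe(self, ping_ok=None, tcp_ok=None):
        """One probe cycle; returns the interface state after it."""
        self.elapsed += self.config.probe_interval
        ok = probe_succeeded(ping_ok, tcp_ok, self.config.require_both)
        if self.active:
            self.failures = 0 if ok else self.failures + 1
            if self.failures >= self.config.deactivate_after:
                self.active, self.failures = False, 0
                self.transitions.append((self.elapsed, "down"))
        else:
            self.successes = self.successes + 1 if ok else 0
            if self.successes >= self.config.reactivate_after:
                self.active, self.successes = True, 0
                self.transitions.append((self.elapsed, "up"))
        return self.active


def demo_default_settings():
    """Failover then failback with the defaults; returns the transition timeline."""
    mon = LinkMonitor()
    for ping_ok in [True, True, False, False, False]:      # third miss in a row at 75 s
        mon.probe(ping_ok=ping_ok)
    for ping_ok in [True, True, False, True, True, True]:  # one miss resets the count
        mon.probe(ping_ok=ping_ok)
    return mon.transitions


def demo_require_both():
    """Ping answers but the TCP target does not: the check box decides the outcome."""
    lenient = LinkMonitor(LinkMonitorConfig(require_both=False))
    strict = LinkMonitor(LinkMonitorConfig(require_both=True))
    for _ in range(3):
        lenient.probe(ping_ok=True, tcp_ok=False)
        strict.probe(ping_ok=True, tcp_ok=False)
    return lenient.active, strict.active
```

With the defaults, the interface goes down 45 seconds after its first failed probe and comes back 45 seconds after the first of three consecutive good probes, which is why the timeline above shows "down" at 75 s and "up" at 165 s.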

Failover/Failback
Failover occurs when an interface that was previously active becomes unable to send traffic to external
networks. Failback occurs when an interface that was previously not able to reach external locations
becomes active again.


Failover On an External Interface


If an external interface goes down, the Firebox removes that external interface from all routing
decisions. The action the Firebox takes depends on the multi-WAN method currently in use:
Round-robin: The failed interface is removed from the Round-robin group. If your Round-robin
group has only two external interfaces, all outgoing connections now use the remaining active
interface. If your Round-robin group has more than two external interfaces, Fireware reduces the
size of the group so that it includes only the remaining active interfaces. It continues to use the
relative weights of the remaining interfaces to make routing decisions.
Failover: The failed interface is removed from the failover group. Traffic goes out through the
next available interface in the failover list.
Interface Overflow: The failed interface is removed from the Interface Overflow group. The
Firebox uses the Interface Overflow threshold assigned to each interface to determine which to
use for outgoing traffic. If your Interface Overflow interface group has only two external interfaces,
all outgoing connections now use the remaining active interface.
Routing table: The failed interface is removed from the ECMP group. ECMP continues to make
routing decisions based on the external interfaces that remain active.

Failback
When the Link Monitor probes determine that an interface is active again, the interface is made
available for outgoing traffic.
The Probe Interval and the Reactivate After settings on the Link Monitor tab determine how long
this takes. The defaults are to send a probe every 15 seconds and to reactivate the interface after three
successful probes. Failback can take up to a full minute if you use the default setting on the Link
Monitor tab.
New outgoing connections, unless they match an entry in the sticky connections table, start to use the
now-active external interface based on the multi-WAN method you select.
Existing connections (including traffic that matches an entry in the sticky connections table) behave
according to the option you select in the Failback for Active Connections drop-down list:
Immediate Failback
- The Firebox drops all currently active connections.
- TCP RST packets are sent to close all open TCP connections.
- NAT ports that are open for return UDP packets are closed.
- The sticky connections table is purged.
Gradual Failback
- All currently active connections are allowed to finish before Fireware begins to use the
multi-WAN method to send them through another external interface.
- The sticky connections table stays the same.
Select Immediate Failback if your backup line is expensive, you want to use the backup line only in
emergency, and your organization can tolerate dropped connections when the failback happens.
Select Gradual Failback if your organization cannot tolerate dropped connections when the failback
happens.

Fireware Multi-WAN Methods
Fireware supports four Multi-WAN methods:
Round-robin
Round robin distributes outgoing connections based on bandwidth. If you set the weight for each
external interface to 1 in Round-robin mode, the algorithm attempts to equalize the number of bits
per second sent through each interface.
Routing Table
The Routing Table uses ECMP to distribute outgoing connections based on the number of
connections. The Routing Table method attempts to equalize the number of connections going out
each interface. It does not consider the amount of bandwidth sent through each interface.
Interface overflow
The Interface Overflow method allows you to set a bandwidth limit to restrict the amount of traffic
sent over each WAN interface. The algorithm sends outgoing connections to external interfaces in
the order you specify. After all interfaces have reached their bandwidth limit, the Firebox uses the
ECMP (Equal Cost MultiPath Protocol) routing algorithm to find the best path.
Failover
The Failover method sends all outgoing connections to the primary interface. This algorithm sends
outgoing connections through a backup interface only if the primary interface is not available.

Note
It may seem that the Routing Table multi-WAN method is equivalent to the Round-robin method
with a weight of 1. But that is not the case because these two methods use different algorithms to
distribute outgoing connections.

The Round-Robin Multi-WAN Method

When to Use It
Use the Round-robin method when:
You want to specify a weighted distribution of outgoing traffic across your external interfaces.
You have a standard Fireware license and you want to distribute bandwidth evenly among your
external interfaces. (If you have the standard Fireware license, you cannot assign weights to the
interfaces.)

How It Works
The Round-robin method distributes traffic to each external interface based on bandwidth, not
connections. This gives you more control over how many bytes of data are sent through each ISP.
For light traffic loads, weighted Round-robin behaves like a connection-based Round-robin because
the weights you use tend to determine the number of connections through each external interface.
When the traffic load increases, weighted Round-robin behaves more like a load-based Round-robin
because the weights you assign tend to determine the load through each external interface.
The Round-robin method uses the run-time average of Tx (transmit) and Rx (receive) bytes through
each interface to balance outgoing traffic according to the relative weights you assign to the interfaces.
Fireware takes a measurement four times a second to determine run-time traffic load on the external
interfaces. The Round-robin algorithm is applied only after routes, sticky connections, and policy-based
routing fail to give a routing decision.


The weights you assign are relative weights. For example, suppose interface 0 (eth0) is an external
interface and you give it a weight of 3. Interface 1 (eth1) is also an external interface and you give it a
weight of 2. For every three bytes of traffic that go through eth0, two bytes will go through eth1. The
byte count sent through eth0 will be one and one-half times as much as eth1.
To determine which interface to use for a new outgoing connection, weighted Round-robin calculates
the load:weight ratio (current traffic load as a proportion of the assigned weight) for each external
interface and chooses the interface with least value for the new connection.
For example, configure Interfaces 0, 1, and 2 as external interfaces, and use Round-robin weights of 8, 2,
and 1 for those interfaces respectively. Assume that new connections happen in sequence, and each
new connection increases the load on an interface equally. The algorithm assigns the new connections
as shown in the table in Figure 1:
Interface 0                Interface 1                Interface 2                New connection uses
{traffic load : weight}    {traffic load : weight}    {traffic load : weight}    this interface
0:8                        0:2                        0:1                        0
1:8                        0:2                        0:1                        1
1:8                        1:2                        0:1                        2
1:8                        1:2                        1:1                        0
2:8                        1:2                        1:1                        0
3:8                        1:2                        1:1                        0
4:8                        1:2                        1:1                        0
5:8                        1:2                        1:1                        1
5:8                        2:2                        1:1                        0
6:8                        2:2                        1:1                        0
7:8                        2:2                        1:1                        0
8:8                        2:2                        1:1                        Use ECMP when all interfaces have full traffic load

Figure 4: This table shows which external interface is used for a new outgoing connection based on {traffic
load : weight} ratio
This example is simplified. The actual situation is more complex. Each new connection does not cause
equal traffic load. Many connections close very quickly, causing load to drop quickly. The load on each
interface is constantly changing.

Calculate Weights for Round-robin


You can only use whole numbers for the interface weights; no fractions or decimals are allowed. To
ensure optimal load balancing, you might need to perform a calculation to know which whole-number
weight to assign to each interface. Use a common multiplier so that the ratios of bandwidth at each
external connection are resolved to whole numbers.

Example
You have three Internet connections. One ISP gives you 6 Mbps, another ISP gives you 1.5 Mbps, and a
third ISP gives you 768 Kbps. Convert the proportion to whole numbers:
First convert the 768 Kbps to Mbps so that you use the same unit of measurement for all three lines.
This is approximately .75 Mbps. Your three lines are rated at 6, 1.5, and .75 Mbps.
Multiply each value by 100 to remove the decimals. Proportionally, these are equivalent: {6 : 1.5 :
.75} is the same ratio as {600 : 150 : 75}.
Find the greatest common divisor of the three numbers. In this case, 75 is the largest number that
evenly divides all three numbers 600, 150, and 75.
Divide each of the numbers by the greatest common divisor.
The results are 8, 2, and 1. This gives the whole-number weights used for the example.
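The whole-number weight calculation just described and the {traffic load : weight} selection rule from the table above, worked through as an added example. This is not Fireware's code: it follows the page's simplification that each new connection adds one unit of load (the real algorithm measures Tx/Rx bytes four times a second), and it goes one step beyond the table by also showing the group shrinking when an interface is marked down.

```python
# Added example: the GCD weight calculation and the load:weight selection rule
# described above, reproduced in code. Not Fireware code; it models each new
# connection as one unit of load, as the page's simplified table does.
from functools import reduce
from math import gcd


def round_robin_weights(bandwidths_mbps):
    """Turn line speeds in Mbps into relative whole-number weights with the GCD method.
    Speeds are scaled by 100 first, as the text does, so two decimal places survive."""
    scaled = [round(speed * 100) for speed in bandwidths_mbps]
    if any(s <= 0 for s in scaled):
        raise ValueError("each bandwidth must be positive")
    divisor = reduce(gcd, scaled)
    return [s // divisor for s in scaled]


def choose_interface(loads, weights):
    """Index of the interface with the smallest load:weight ratio; ties go to the
    lowest index. Returns None when every interface is at full load (ratio >= 1),
    the point at which the page says the Firebox falls back to ECMP."""
    ratios = [load / weight for load, weight in zip(loads, weights)]
    if all(ratio >= 1 for ratio in ratios):
        return None
    return min(range(len(ratios)), key=lambda i: (ratios[i], i))


def simulate(weights, connections, failed=()):
    """Assign `connections` new connections in sequence. Interfaces listed in
    `failed` are removed from the group, as happens when Link Monitor marks one
    down; the remaining interfaces keep their relative weights."""
    live = [i for i in range(len(weights)) if i not in failed]
    loads = [0] * len(weights)
    decisions = []
    for _ in range(connections):
        choice = choose_interface([loads[i] for i in live], [weights[i] for i in live])
        if choice is None:
            decisions.append("ECMP")
            break
        interface = live[choice]
        loads[interface] += 1
        decisions.append(interface)
    return decisions


if __name__ == "__main__":
    # 6 Mbps, 1.5 Mbps and 768 Kbps (taken as 0.75 Mbps, as the text does) -> [8, 2, 1]
    weights = round_robin_weights([6, 1.5, 0.75])
    print(weights, simulate(weights, 12))
```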

How to Configure It
1. From Policy Manager, select Network > Configuration.
The Network Configuration dialog box appears.
2. Select the Multi-WAN tab.
3. From the Multi-WAN Configuration drop-down list, select Round-robin.

Figure 5: Select the Round-robin method for multi-WAN


4. Click Configure, as shown in Figure 2 to set the relative weights for the external interfaces.
The Multi-WAN Round-robin Configuration dialog box appears.

Figure 6: Multi-WAN Round-robin Configuration dialog box


5. In the Include column, select the check boxes next to the interfaces you want to include in the
Round-robin configuration. By default, all external interfaces are included. If you have more than
two external interfaces you might reserve one external interface for a special purpose.
For example, you might want to use an external interface only for routing traffic to an application
service provider, for only VPN traffic. To exclude an external interface from the round-robin, clear
the check box next to that interface in Figure 6. You must include at least two interfaces.
6. To change the weight of one of the interfaces, select the interface and click Configure in Figure 3.
The Round-robin Weight dialog box appears:

Figure 7: Set the weight for the interface you selected


7. In the Round-robin Weight text box shown in Figure 7, type or select a number to use for this
interface's weight.
8. Click OK.
Figure 8 shows two external interfaces with Round-robin weights set to 3 and 2:

Figure 8: Two interfaces set to relative weights 3 and 2.

When an External Interface Fails


The failed external interface is removed from the Round-robin group. Fireware continues to use the
relative weights of the remaining interfaces to make routing decisions.
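The weight calculation at the start of this section and the behavior when an interface leaves the group can be checked with a short script. The Python below is an added example for this guide, not WatchGuard code. The interface names are assumptions, the quarter-megabit rounding reproduces the hand calculation on the page (768 Kbps treated as .75 Mbps), and the scheduler is a plain weighted round-robin that shows what the ratio means; the page does not describe the scheduling Fireware uses internally, so do not read it as the product's algorithm.

```python
from collections import Counter
from functools import reduce
from itertools import cycle
from math import gcd

# Constructed input matching the page's worked example: three ISP lines rated at
# 6 Mbps, 1.5 Mbps and 768 Kbps. The interface names are assumptions.
LINES_KBPS = {"eth0": 6000, "eth1": 1500, "eth2": 768}


def whole_number_weights(rates_kbps):
    """Turn line rates into the smallest whole-number weights with the same ratio.

    Follows the page's hand method: convert to Mbps, round to the nearest quarter
    megabit (the page treats 768 Kbps as .75 Mbps), multiply by 100 to clear the
    decimals, then divide every value by the greatest common divisor.
    """
    scaled = {}
    for name, kbps in rates_kbps.items():
        mbps = round(kbps / 1000 * 4) / 4        # 0.768 -> 0.75
        scaled[name] = int(round(mbps * 100))    # 6 -> 600, 1.5 -> 150, 0.75 -> 75
    divisor = reduce(gcd, scaled.values())       # 75 for {600, 150, 75}
    return {name: value // divisor for name, value in scaled.items()}


class WeightedRoundRobin:
    """Hand new connections to interfaces in proportion to their weights.

    Interfaces reported down are skipped and the remaining weights keep their
    relative proportion, as the page describes for a failed external interface.
    """

    def __init__(self, weights):
        self.weights = dict(weights)
        self.down = set()
        self._rebuild()

    def _rebuild(self):
        # One cycle contains each active interface `weight` times.
        order = [name for name, w in self.weights.items()
                 if name not in self.down for _ in range(w)]
        self._cycle = cycle(order)

    def set_link(self, name, up):
        if up:
            self.down.discard(name)
        else:
            self.down.add(name)
        self._rebuild()          # restart the cycle with the active set only

    def next_interface(self):
        return next(self._cycle)

    def distribute(self, n_connections):
        """Count how many of the next n connections land on each interface."""
        return Counter(self.next_interface() for _ in range(n_connections))


if __name__ == "__main__":
    weights = whole_number_weights(LINES_KBPS)
    print("weights:", weights)                    # {'eth0': 8, 'eth1': 2, 'eth2': 1}
    rr = WeightedRoundRobin(weights)
    print("all links up:", rr.distribute(110))    # eth0=80 eth1=20 eth2=10
    rr.set_link("eth0", up=False)                 # the fastest line fails
    print("eth0 down:", rr.distribute(30))        # eth1=20 eth2=10, still 2:1
```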

Multi-WAN Methods 99
The Failover Multi-WAN Method

When to Use It
Use the Failover method:
When you want to use one external interface for all traffic, and you have another ISP that you can
use if the primary line goes down.
If you want to reserve a WAN2 interface for special traffic, and use WAN1 for all other traffic. If the
primary WAN1 connection goes down, all traffic can use WAN2 for the emergency outage.
You cannot configure sticky connection settings with the Failover method.

How It Works
The Firebox sends all traffic through the external interface at the top of the list in the Multi-WAN
Failover Configuration dialog box. If that interface is not active, the Firebox checks the next external
interface in the list. The first active interface in the list is the gateway for all outgoing traffic.
If the Firebox senses an Ethernet link failure, failover happens immediately. When you use the default
link probe settings, an external interface can take from 45 seconds to one minute to change state from
active to not active, or from not active to active. The default probe options are:
Send a probe every 15 seconds
Deactivate the interface after three probes in a row fail
Reactivate the interface after three successful probes in a row
If an external interface that was previously down becomes active again, and it is higher in your list than
the currently active external interface, the Firebox immediately starts to send all new connections out
the active external interface that is now highest in the list.
You control how the Firebox handles any existing connections that currently use the interface that is
now lower in your list. Such a connection can immediately be disconnected and routed over the new
active interface, or it can use the current interface until the connection is finished.

How to Configure It
Select the Multi-WAN tab on the Network Configuration dialog box to configure this method. You
then use additional dialog boxes to select the interfaces you want to participate in the failover and
establish a failover sequence for them. For more details about how to configure this method, see
Exercise 2.

When an External Interface Fails


The failed interface is removed from the failover group. The next available interface in the Failover list
assumes the highest precedence. Client connections time out and are reestablished with the new
route.

The Interface Overflow Multi-WAN Method

When to Use It
Use the Interface Overflow method when you want to restrict the maximum bandwidth that each
external interface uses. When the bandwidth threshold is reached for an external interface, new
connections use the next external interface in your list.

How It Works
When you use the Interface Overflow method, you select the order you want the Firebox to send traffic
through external interfaces and configure each interface with a bandwidth threshold value. The
Firebox starts to send traffic through the first external interface in the Interface Overflow Configuration
list. When the traffic through that interface reaches the bandwidth threshold you set for that interface,
the Firebox starts to send new connections through the next interface in the list.
This multi-WAN method allows the amount of traffic sent over each external interface to be restricted
to a specified bandwidth limit.
To determine traffic volume through an interface, the Firebox examines the amount of sent (TX) and
received (RX) traffic and compares the higher of the two against the threshold. When you configure the
bandwidth threshold for each interface, consider how your network uses that interface and set the
threshold based on those needs. For example, if your ISP link is asymmetric and you set the threshold
based on the larger TX rate, the interface can saturate in the RX direction without ever reaching the
threshold, so a high RX rate alone does not trigger interface overflow.
When all external interfaces reach their threshold, the Firebox uses the ECMP algorithms to find the
best path.
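The selection rule described above, including the higher-of-TX-and-RX comparison, the 100 Kbps rounding that Exercise 1 notes, and the ECMP fallback when every interface is over its threshold, is easier to reason about as code. The Python below is an added example, not WatchGuard code. The secondary interface's threshold and the load figures are assumptions; the fallback uses the hash-threshold mapping from RFC 2992, the document the page cites for the Routing Table method, but Fireware's exact hash input is not stated on the page and is assumed here to be the connection 5-tuple.

```python
import zlib
from dataclasses import dataclass


@dataclass
class OverflowInterface:
    name: str
    threshold_kbps: int        # overflow trigger, not a bandwidth cap (see the page's Note)
    tx_kbps: float = 0.0
    rx_kbps: float = 0.0
    active: bool = True

    def load_kbps(self):
        """The Firebox compares the higher of the TX and RX rates against the threshold."""
        return max(self.tx_kbps, self.rx_kbps)

    def below_threshold(self):
        return self.active and self.load_kbps() < self.threshold_kbps


def normalize_threshold_kbps(requested_kbps):
    """Policy Manager stores the threshold in 100 Kbps steps; the page's example
    (256 Kbps is saved as 200 Kbps) implies truncation to the lower multiple."""
    return (int(requested_kbps) // 100) * 100


def ecmp_hash_threshold(flow, candidates):
    """RFC 2992 hash-threshold selection: hash the flow into a 32-bit key and map
    equal-width key regions onto the candidate next hops, so a flow keeps its path
    unless the candidate set changes. The 5-tuple as hash input is an assumption."""
    key = zlib.crc32(repr(flow).encode()) & 0xFFFFFFFF
    index = key * len(candidates) // 2**32
    return candidates[index]


def choose_interface(ordered, flow):
    """Interface Overflow: the first interface in the configured order that is active
    and under its threshold; if none, fall back to ECMP over the active interfaces."""
    for iface in ordered:
        if iface.below_threshold():
            return iface.name
    active = [i.name for i in ordered if i.active]
    if not active:
        return None                        # every external interface is down: drop
    return ecmp_hash_threshold(flow, active)


if __name__ == "__main__":
    # Constructed scenario mirroring Exercise 1: Main-Internet with the 200 Kbps trigger.
    main = OverflowInterface("Main-Internet", normalize_threshold_kbps(256))
    backup = OverflowInterface("Secondary-Internet", 1000)
    flow = ("10.0.10.2", 60352, "74.125.20.106", 443, "tcp")
    print(choose_interface([main, backup], flow))     # Main-Internet (idle)
    main.rx_kbps = 950                                 # large FTP download in progress
    print(choose_interface([main, backup], flow))     # Secondary-Internet
    backup.rx_kbps = 1200                              # both over threshold: ECMP decides
    print(choose_interface([main, backup], flow))
```

Note what the model does not do: it never limits the rate on Main-Internet. Once the download is running, the interface stays over threshold and simply stops receiving new connections, which is exactly the behavior the Note in Exercise 1 describes.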

How to Configure It
Select the Multi-WAN tab on the Network Configuration dialog box to configure this method. You
then use an additional dialog box to configure the bandwidth threshold for each interface. For more
details on configuring this method, see Exercise 1.

When an External Interface Fails


The failed interface is removed from the interface overflow group. Traffic goes out through the other
external interfaces in the group, according to the interface overflow threshold assigned to each.

The Routing Table Multi-WAN Method

When to Use It
Use the Routing Table method when you want a quick and easy way to evenly distribute outgoing
traffic among multiple external interfaces.
This method is the quickest way to take advantage of load balancing more than one route to the
Internet. Because the ECMP algorithm manages all connection decisions, no additional configuration is
necessary after it is enabled. This multi-WAN method is based on connections, not bandwidth or load.
Routes configured statically or learned from dynamic routing are used before the ECMP algorithm.

How It Works
If you have multiple active external interfaces, multiple default routes to the external network are
available with the same cost (one hop). With the Routing Table method, Fireware puts all the active
external interfaces into one ECMP group. It uses the ECMP algorithm to decide which next-hop (path)
to use to send each packet. This algorithm does not consider current byte count through the external
interfaces.
When you select the Routing Table method for your multi-WAN configuration, the Firebox first looks at
policy-based routing actions in your policies, the routes in its internal route table, and the sticky
connection table to see if it should send a packet through a specific external interface. If the Firebox
does not find a specified route, it selects a route based on the ECMP (equal-cost multi-path) algorithm
specified in http://www.ietf.org/rfc/rfc2992.txt.

How to Configure It
There is only one setting:
1. From Policy Manager, select Network > Configuration.
The Network Configuration dialog box appears.
2. Select the Multi-WAN tab.
3. From the Multi-WAN Configuration drop-down list, select Routing Table.

Figure 9: Select the Routing Table method for multi-WAN

When an External Interface Fails


The failed interface is removed from the ECMP group. ECMP continues to make routing decisions based
on the external interfaces that remain active.

Exercises Before You Begin

Necessary Equipment and Services


Before you start the exercises, make sure you have these items:
Management computer
(See the subsequent section for configuration details.)
Ethernet cables
- One crossover Ethernet cable to connect your computer to the trusted interface on your
student Firebox.
- Two Ethernet cables to connect two external interfaces from your Firebox to the central
classroom Firebox (or to a hub that connects all student Fireboxes to the central Firebox).
WSM v11.10 software and Fireware v11.10 software
Your instructor provides this software, or you can download it from the WatchGuard web site when
you log in with a valid WatchGuard account.
Firebox
Feature key
Your instructor will provide a feature key to enable the features the Firebox must have for these
exercises. The feature key must include Fireware Pro. You use the feature key near the end of the
Quick Setup Wizard when you configure the device.
FTP Server
Your instructor will provide you access to an FTP server for use in these exercises.

Management Computer Configuration


Before you begin these exercises, make sure your management computer is configured correctly.
Install WSM management software and the Fireware operating system. You do not have to install
the server components, just the WSM client software.
Connect the management computer directly to the trusted interface 1 on the Firebox.
Make sure your management computer has an IP address in the same subnet as the trusted
interface with the correct subnet mask. Use the Firebox trusted interface IP address as the default
gateway of the computer.

Firewall Configuration
If your Firebox is not yet configured, run the Quick Setup Wizard and select mixed routing mode. Mixed
routing mode has these defaults:
The external Interface 0 is configured and enabled with a static IP address.
Your instructor will tell you what IP address to assign to the external interface.
The trusted Interface 1 is configured and enabled with IP address 10.0.1.1/24.
Your instructor will give you an IP address to use for the trusted interface and for your management
computer. Your trusted interface IP address should be 10.0.X.1/24.
None of the other interfaces are configured (they are all set to Disabled).
The configuration file you open in Policy Manager includes five policies: FTP, Ping, DNS,
WatchGuard, and Outgoing.

Note
In the exercises, your external interface and trusted interface IP addresses are determined by your
student number. Replace the X in the exercises with your student number.

Bandwidth Available at Each External Interface


In general, this training module does not discuss traffic management. However, you should know the
available upstream and downstream caps that your ISP puts on your Internet connection for each
external interface. You must know these values to:
Make accurate threshold limits for the Interface Overflow method.
If you set threshold limits too low, you might not use the full available bandwidth before traffic
flows over to another external interface.
If you set threshold limits too high, the other external interfaces might never be used (traffic from
an external interface might never flow over to another interface because the threshold is never
reached).
Correctly set the relative weights for the Round-robin method.
You can more effectively balance the outgoing traffic between external interfaces when you know
how much bandwidth each ISP allocates.

Physically Connecting your Devices


Because these exercises are designed for a classroom environment, the external interfaces of all
student Fireboxes should be connected to two network segments. All the student Fireboxes should be
connected to the instructor Firebox.

Exercise 1: Demonstrate the Interface Overflow Multi-WAN


Method and Sticky Connections

When to Use the Interface Overflow Method


The Interface Overflow method lets you use one WAN for outgoing connections until the bandwidth
for that interface goes above a threshold that you set. Then outgoing connections use another external
interface. When the bandwidth use through the first interface falls below the threshold, new
connections use that interface again.

Network Topology
This exercise shows how to configure the Firebox to use two Internet connections using the Interface
Overflow method.
Figure 10 shows how your equipment is connected.

Figure 10: Network topology for Exercise 1. Each student Firebox has two external interfaces.

Configure the Device
Configure the Main External Interface
1. From Policy Manager, select Network > Configuration.
The Network Configuration dialog box appears.
2. Double-click Interface 0 to configure it. Configure the IPv4 tab as shown.

Figure 11: Interface 0 configuration


3. Type a name for the interface in the Interface Name (Alias) text box.
For this example we type Main-Internet for Interface 0.
4. (Optional) Type an interface description if desired.
We use Primary WAN.
5. From the Interface Type drop-down list, select External.
6. Select Use Static IP.
7. In the IP Address text box, type 203.0.113.X/24.
Replace the X in the IP address with the student number your instructor gives you.
In Figure 11, we show the configuration for Student 10. For example, if you are Student 30, the IP
address you type is 203.0.113.30/24.
8. In the Default Gateway text box, type 203.0.113.1
9. Click OK to return to the main Network Configuration dialog box.

Configure the Second WAN Interface


1. Double-click Interface 3 to configure it. Configure the IPv4 tab as shown.

Figure 12: Interface 3 configuration


2. From the Interface Type drop-down list, select External.
3. (Optional) Type a name for the interface in the Interface Name (Alias) text box.
For this example we call Interface 3 Secondary-Internet.
4. (Optional) Type an interface description.
For this example, type Backup WAN.
5. Select Use Static IP.
6. In the IP Address text box, type 192.51.100.X/24.
Replace the X in the IP address with the student number your instructor gives you.
In Figure 12 we show the configuration for Student 10. For example, if you are Student 40, the IP
address you type is 192.51.100.40/24.
7. In the Default Gateway text box, type 192.51.100.1.
8. Click OK to return to the main Network Configuration dialog box.
9. Check your work. The Interfaces tab should look like this:

Figure 13: The Interfaces tab with two external interfaces configured

Configure the Multi-WAN Method
1. Select the Multi-WAN tab.
2. From the Multi-WAN Configuration drop-down list, select Interface Overflow.
3. Click Configure.
The Multi-WAN Interface Overflow Configuration dialog box appears.

Figure 14: Interface Overflow Configuration dialog box


4. Select interface 0 (Main-Internet) and click Configure to configure its threshold.
The Interface Overflow Threshold dialog box appears.
5. From the right drop-down list, select Kbps. In the text box, set the threshold for this interface to
200 Kbps.

Note
The Interface Overflow Threshold must be specified in increments of 100 Kbps. For example, if you
type 256 Kbps here, Policy Manager changes it to 200 Kbps.

Figure 15: Configure the interface overflow threshold for the primary WAN

Note
This example is not meant to show a real-world Internet connection. We set the threshold to a low
value to demonstrate the Interface Overflow method. Remember also that Fireware does not use
the overflow threshold value as a cap to throttle available bandwidth. The threshold is only a trigger
to start sending new connections out a different external interface. Throughput can exceed the
overflow threshold you set for an external interface, but Fireware does not send new outgoing
connections through the interface until current throughput for the interface goes below the
overflow threshold.

6. Click OK.

Figure 16: The Interface Overflow Configuration dialog box should look like this
7. Make sure that interface 0 is at the top of the list. If it is not, select the Main-Internet (0) interface
and click Move Up to move it to the top of the list.
You do not need to configure anything on the Link Monitor tab or the Advanced tab for this exercise.

Enable Logging of Allowed Packets For the FTP and Outgoing Policies
By default, the Firebox sends log messages only for denied packets. To see what interface the Firebox
uses to send outgoing connections, enable the logging of allowed packets for the FTP and Outgoing
policies.
1. Edit the FTP policy.
2. Select the Properties tab and click Logging.

Figure 17: Click Logging on the Properties tab of the policy

3. Select the Send Log Message check box to enable logging of allowed packets that the Firebox
sends through this policy, and then click OK.

Figure 18: Enable logging of allowed packets for this policy


4. Click OK.
5. Repeat Steps 1 to 4 to enable logging of allowed packets for the Outgoing policy.
6. Note that the Action column shows an icon for policies that have logging enabled. Position the
mouse over the action column to see a description of what each icon represents.

Figure 19: The Action column shows which policies have logging enabled
7. Save this configuration to the Firebox.

Demonstrate It
How the Demonstration Works
First you browse several web sites and see the connections go out the Main-Internet interface.
You start an FTP download of a large file to use up the allotted 200 Kbps on the Main-Internet
interface, Interface 0.
When the throughput for the Main-Internet interface reaches the Interface Overflow threshold,
you observe that new outgoing connections use the Secondary-Internet interface, Interface 3.
You see some connections continue to use the Main-Internet interface even though the Interface
Overflow threshold is reached for that interface, because the connections are sticky.

Note
Important! When the FTP download starts, you must visit a new web site quickly to see the Firebox
change the interface it uses for outgoing connections. If you wait too long and the FTP transfer
finishes, the rate of traffic through the main external interface falls below the threshold and the
interface becomes available for new connections again.
Before you begin, think of some sites you can use that you have not been to before, so you can
quickly demonstrate the Interface Overflow behavior when the FTP transfer starts.

Verify that Outgoing HTTP Connections Use the Correct Interface


To make sure that your outgoing HTTP connections use the correct interface, you connect to Firebox
System Manager and then browse the Internet.
1. Connect to Firebox System Manager and select the Traffic Monitor tab.

Figure 20: The Traffic Monitor tab of Firebox System Manager


2. Use your web browser to visit several web sites and see if your connections use the correct
interface. Do not start any file downloads in this step. A large file download can trigger the
Interface Overflow threshold before you are ready to observe it. The FTP transfer in the next section
will trigger the interface overflow.
3. Watch Traffic Monitor to see log messages that show outgoing connections that use the
Main-Internet interface. You see messages like this in Traffic Monitor:
2014-06-05 14:20:18 Allow 10.0.10.2 74.125.20.106 https/tcp 60352 443
1-Trusted 0-Main-Internet Allowed 52 127 (Outgoing-00) proc_id="firewall"
rc="100" msg_id="3000-0148" src_ip_nat="203.0.113.10" tcp_info="offset 8 S
299279867 win 32" Traffic

Start the FTP Transfer to Trigger the Interface Overflow
Use Internet Explorer or an FTP client to connect to the FTP server. The subsequent steps show how to
use Internet Explorer 9.0 as an FTP client.
1. If the instructor has configured a local FTP server, in the Internet Explorer address bar, type
ftp://192.51.100.2.
If a local FTP server is not available, the instructor will provide instructions to connect to an FTP server on the
Internet.
The FTP server should allow anonymous access (it is not necessary to give a user name and
password). If this is the case, you see a large file listed.
If anonymous FTP access is not allowed, your instructor will give you credentials to log in.

Figure 21: Internet Explorer as an FTP client


2. Press Alt, then select View > Open FTP site in File Explorer.
The FTP site opens in Windows Explorer.
3. Drag the file to the Desktop icon at the left to copy the file to your desktop.

Figure 22: Drag the file to the Desktop icon on the left.
The download starts.

Browse to Sites and See Which Interface is Used
1. Browse to a web site you visited less than three minutes ago.
2. Select the Traffic Monitor tab of Firebox System Manager.
3. Find the log message for the connection to this site. Look for a log message with the interface
0-Main-Internet in the message:
2014-06-05 15:24:58 Allow 10.0.10.2 74.125.20.105 https/tcp 51821 443
1-Trusted 0-Main-Internet Allowed 52 127 (Outgoing-00) proc_id="firewall"
rc="100" msg_id="3000-0148" src_ip_nat="203.0.113.10" tcp_info="offset 8 S
2805116118 win 32" Traffic
This connection uses the primary external interface Main-Internet, even though bandwidth on
this interface reached the threshold. This is because it matches an entry in the Sticky Connections
table. New connections that match an entry in the sticky connections table use the same external
interface for the sticky timeout period. This is true even if current throughput for the interface is
over the Interface Overflow threshold.
4. Go to a web site you have not visited before.
5. On the Traffic Monitor tab, find the log message for this new connection. The log message will use
the interface 3-Secondary-Internet.
2014-06-05 16:02:17 Allow 10.0.10.2 173.194.33.172 https/tcp 52386 443
1-Trusted 3-Secondary-Internet Allowed 52 127 (Outgoing-00)
proc_id="firewall" rc="100" msg_id="3000-0148" src_ip_nat="192.51.100.10"
tcp_info="offset 8 S 1892614575 win 32" Traffic
This connection switched to the Secondary-Internet interface, because the Main-Internet interface
reached the Interface Overflow threshold. When the throughput for the Main-Internet connection
exceeds the Interface Overflow threshold, new connections use the Secondary-Internet interface.

6. After the FTP transfer finishes, go back to the web site you visited in Step 4 (if it was less than three
minutes ago) and press Ctrl-F5 on your keyboard to force all content on the page to reload.
This is the site you visited that went through the Secondary-Internet connection, shown in the log message in
Step 5.
7. On the Traffic Monitor tab, find the log messages for this connection.
Verify that it still uses the Secondary-Internet interface.
It still uses the Secondary-Internet interface because it matches an entry in the sticky connections table.
8. Go to a web site you have not visited in the last three minutes.
9. On the Traffic Monitor tab, find the log messages for this connection.
Verify that new connections now use the Main-Internet interface.
New connections start to use the Main-Internet interface because the throughput for that interface is below
the Interface Overflow threshold.

Exercise 2: Demonstrate the Failover Multi-WAN Method and
Policy-Based Routing
This exercise demonstrates what happens when an external interface that uses the Failover Multi-WAN
method fails.

When to Use the Failover Method


Failover gives stability to your organization's outgoing connections. Use the Failover method when you
have more than one Internet connection that you can use. If the primary line goes down, connections
flow through the backup line.

Network Topology
The physical setup is the same as for Exercise 1. Figure 23 shows how your equipment is connected.

Figure 23: The network topology for Exercise 2 is the same as for Exercise 1.

Configure the Device


Configure the External Interfaces
The configuration of the main and secondary external interfaces is the same as for Exercise 1. If you
have completed Exercise 1, proceed to the next section.
If you have not completed Exercise 1, you must do so before you can proceed. In the section Configure
the Device, on page 106, complete the steps in Configure the Main External Interface and Configure the
Second WAN Interface.

Configure the Multi-WAN Method


1. In the Network Configuration dialog box, select the Multi-WAN tab.
2. From the Multi-WAN Configuration drop-down list, select Failover.

Figure 24: Select the Failover Multi-WAN method


3. Click Configure.
The Multi-WAN Failover Configuration dialog box appears.

Figure 25: The Multi-WAN Failover Configuration dialog box


4. Make sure that interface 0 is at the top of the Interface list.
If it is not, select Main-Internet (0) and click Move Up to move it to the top of the list.
5. Click OK.

Configure Link Monitor Target For the Main-Internet Interface
1. On the Link Monitor tab, in the External Interfaces list, select Main-Internet and configure
monitor targets for this external interface.
2. Set the ping target:
a. Select the Ping check box.
b. From the Ping drop-down list, select IP Address.
c. In the Ping text box, type the IP address of the instructor's FTP server: 192.51.100.2.

Note
It is not necessary to configure a link monitor target for the Secondary-Internet connection. When
you do not configure link monitor targets for an external interface, the Firebox monitors the health
of the interface by sending ICMP requests to the interface's default gateway. A default-gateway probe
only detects loss of the first hop; it does not detect an outage further upstream at the ISP. In a
real-world installation, you would normally select sites for the link monitor targets based on a
record of superior uptime.

Figure 26: Ping target for monitoring the Main-Internet interface


3. Click OK.

Enable Logging of Allowed Packets For Policies


If you previously completed Exercise 1, you enabled logging of allowed packets for the Outgoing and
FTP policies. Now we will use the same procedure to enable logging of allowed packets for the Ping
and Outgoing policies.
1. Double-click the Ping policy, or right-click it and select Modify Policy, to edit it.
The Edit Policy Properties dialog box appears.
2. Select the Properties tab and click Logging.
The Logging and Notification dialog box appears.
3. Select the Send log message check box to enable logging of allowed packets that the Firebox
sends through this policy.
4. Click OK.
The Logging and Notification dialog box closes and the Edit Policy Properties dialog box appears.
5. Click OK.
The Edit Policy Properties dialog box closes and Policy Manager appears.
6. Repeat these steps to enable logging of allowed packets in the Outgoing policy.
7. Click OK.

Enable Policy-based Routing For the Ping Policy


1. Edit the Ping policy.
2. On the Policy tab, select the Use policy-based routing check box.
3. From the Use policy-based routing drop-down list, select Main-Internet.
4. Do not select the Failover check box. Leaving failover disabled here lets you see what happens
when the policy-routing interface is not available.

Figure 27: Enable policy-based routing for the Ping policy


5. Click OK.

Enable Policy-Based Routing For the Outgoing Policy
1. Double-click the Outgoing policy to edit it.
2. On the Policy tab, select the Use policy-based routing check box.
3. From the Use policy-based routing drop-down list, select Main-Internet.
4. Select the Failover check box.

Figure 28: Enable policy-based routing for the Outgoing policy


5. Click OK.
6. Save this configuration to the Firebox.

Demonstrate It
How the Demonstration Works
First, you browse to several web sites using HTTP and HTTPS, and see the connections that go out
the Main-Internet interface.
Ping some external IP addresses to see the Firebox send the echo requests through the
Main-Internet interface with the policy-based routing you enabled for the Ping policy.
Your instructor will cause your Firebox Main-Internet interface to fail by causing pings to the link
monitor target to fail.
After the failover event, browse some web sites again to see the connections go out the
Secondary-Internet interface.
Your pings to external locations will fail, because you did not enable failover for the Ping policy's
policy-based routing.

Verify Outgoing Connections Use the Correct Interface


To make sure that your outgoing connections use the correct interface, connect to Firebox System
Manager and then browse the Internet.
1. Open WSM and connect to your Firebox.
2. Select the Firebox and click the Firebox System Manager button.
Firebox System Manager appears.
3. Select the Traffic Monitor tab to begin monitoring traffic.
4. Use your browser to connect to some web sites. Visit several sites with HTTP and HTTPS addresses.
5. Watch Traffic Monitor to see log messages that show the outgoing connections using the
Main-Internet interface. Log messages like this appear in Traffic Monitor:
2014-06-05 16:43:14 Allow 10.0.10.2 74.125.20.95 https/tcp 62129 443
1-Trusted 0-Main-Internet Allowed 52 127 (Outgoing-00) proc_id="firewall"
rc="100" msg_id="3000-0148" src_ip_nat="203.0.113.10" tcp_info="offset 8 S
4279110375 win 32" Traffic
6. Ping some sites external to the Firebox. Log messages show that the echo requests go out the
Main-Internet interface. Log messages like this appear:
2014-06-06 11:33:23 Allow 10.0.10.2 8.8.8.8 icmp 1-Trusted
0-Main-Internet Allowed 60 127 (Ping-00) proc_id="firewall" rc="100"
msg_id="3000-0148" src_ip_nat="203.0.113.10" Traffic
The instructor causes ICMP requests to your link monitor target to fail.
A log message like this appears in Traffic Monitor:
2014-06-06 11:26:59 link-mon [Link Monitor] No response received on
Main-Internet from Ping host 203.0.113.2 id="4900-0002" Event
After three probes fail (the number of failed probes is configurable; three is the default), the Firebox
sees that the Main-Internet interface is not available to send traffic. Log messages like this appear:
2014-06-06 11:27:14 link-mon [Link Monitor] Main-Internet has failed due to
probing to the target host failed id="4900-0003" Event
2014-06-06 11:27:14 networkd [eth0 (Main-Internet)] Interface is
deactivated due to link-monitor failure. id="3100-000D" Event
7. Browse to more web sites. Outgoing connections now use the Secondary-Internet interface.
Log messages like this appear in Traffic Monitor:
2014-06-06 11:28:15 Allow 10.0.10.2 54.186.205.46 http/tcp 59310 80
1-Trusted 3-Secondary-Internet Allowed 52 127 (Outgoing-00)
proc_id="firewall" rc="100" msg_id="3000-0148" src_ip_nat="192.51.100.10"
tcp_info="offset 8 S 4135728258 win 32" Traffic

8. Send pings again to the external network. The Firebox drops the packets. Log messages like this
appear in Traffic Monitor:
2014-06-06 11:37:22 Deny 10.0.10.2 5.5.5.5 icmp 1-Trusted Firebox all
gateways in policy routing are down, drop this packet 60 128 (Ping-00)
proc_id="firewall" rc="101" msg_id="3000-0148" Traffic
This message appears when failover is not enabled for the Ping policy's policy-based routing. If you
enable failover for policy-based routing in Figure 27, the ping is allowed through the other
interface.

Exercise 3: Demonstrate Load Balancing with the Round Robin


Multi-WAN Method
This exercise shows how to configure the Round-robin multi-WAN method for load balancing of
traffic through two external interfaces, and how to see the results in Firebox System Manager (FSM)
and the Fireware XTM Web UI.

Configure the Device


Configure the External Interfaces
The configuration of the main and secondary external interfaces is the same as for Exercise 1. If you
have completed Exercise 1, proceed to the next section.
If you have not completed Exercise 1, you must do so before you can proceed. In the section Configure
the Device, on page 106, complete the steps in Configure the Main External Interface and Configure the
Second WAN Interface.

Configure the Multi-WAN Method


1. In the Network Configuration dialog box, select the Multi-WAN tab.
2. From the Multi-WAN Configuration drop-down list, select Round-robin.

3. Save the configuration to the Firebox.

Demonstrate It
To generate traffic for multiple connections, browse to several web sites and start some videos.
In Firebox System Manager, look at the log messages in the Traffic Monitor tab to see which
interfaces the outgoing traffic uses.
Connect to the Fireware XTM Web UI, and use the FireWatch dashboard to see information about
outbound connections for each interface.
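Reading the egress interface out of Traffic Monitor by eye works for a handful of connections, but for the balance this exercise (and the Interface Overflow and Failover demonstrations in Exercises 1 and 2) produces, it is more reliable to parse the log. The Python below is an added example, not WatchGuard code. The sample lines are constructed from the Traffic Monitor and Link Monitor messages printed earlier in these exercises, with the page's line breaks joined; the expected NAT address per interface is the Student 10 addressing from Exercise 1 and is an assumption you would replace with your own.

```python
import re
from collections import Counter

# Constructed sample: the Traffic Monitor and Link Monitor lines shown in the exercises.
SAMPLE_LOG = [
    '2014-06-05 14:20:18 Allow 10.0.10.2 74.125.20.106 https/tcp 60352 443 1-Trusted 0-Main-Internet Allowed 52 127 (Outgoing-00) proc_id="firewall" rc="100" msg_id="3000-0148" src_ip_nat="203.0.113.10" tcp_info="offset 8 S 299279867 win 32" Traffic',
    '2014-06-05 16:02:17 Allow 10.0.10.2 173.194.33.172 https/tcp 52386 443 1-Trusted 3-Secondary-Internet Allowed 52 127 (Outgoing-00) proc_id="firewall" rc="100" msg_id="3000-0148" src_ip_nat="192.51.100.10" tcp_info="offset 8 S 1892614575 win 32" Traffic',
    '2014-06-06 11:33:23 Allow 10.0.10.2 8.8.8.8 icmp 1-Trusted 0-Main-Internet Allowed 60 127 (Ping-00) proc_id="firewall" rc="100" msg_id="3000-0148" src_ip_nat="203.0.113.10" Traffic',
    '2014-06-06 11:27:14 link-mon [Link Monitor] Main-Internet has failed due to probing to the target host failed id="4900-0003" Event',
    '2014-06-06 11:27:14 networkd [eth0 (Main-Internet)] Interface is deactivated due to link-monitor failure. id="3100-000D" Event',
    '2014-06-06 11:28:15 Allow 10.0.10.2 54.186.205.46 http/tcp 59310 80 1-Trusted 3-Secondary-Internet Allowed 52 127 (Outgoing-00) proc_id="firewall" rc="100" msg_id="3000-0148" src_ip_nat="192.51.100.10" tcp_info="offset 8 S 4135728258 win 32" Traffic',
    '2014-06-06 11:37:22 Deny 10.0.10.2 5.5.5.5 icmp 1-Trusted Firebox all gateways in policy routing are down, drop this packet 60 128 (Ping-00) proc_id="firewall" rc="101" msg_id="3000-0148" Traffic',
]

# Assumed: the external IP each egress interface should NAT to (Student 10 addressing).
EXPECTED_NAT = {"0-Main-Internet": "203.0.113.10", "3-Secondary-Internet": "192.51.100.10"}

# Fixed-position fields of a traffic line; the port pair is absent for ICMP, and a
# Deny line carries the reason text where an Allow line carries "Allowed".
TRAFFIC_RE = re.compile(
    r'^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) (?P<disp>Allow|Deny) (?P<src>\S+) (?P<dst>\S+) '
    r'(?P<svc>\S+)(?: (?P<sport>\d+) (?P<dport>\d+))? (?P<in_if>\S+) (?P<out_if>\S+) '
    r'(?P<reason>.+?) \d+ \d+ \((?P<policy>[^)]+)\)')
NAT_RE = re.compile(r'src_ip_nat="([^"]+)"')
LINK_FAIL_RE = re.compile(r'\[Link Monitor\] (\S+) has failed')
DEACTIVATED_RE = re.compile(r'\[\S+ \(([^)]+)\)\] Interface is deactivated')


def parse_traffic(line):
    """Return the fields of one Traffic Monitor traffic line, or None for event lines."""
    m = TRAFFIC_RE.match(line)
    if not m:
        return None
    fields = m.groupdict()
    nat = NAT_RE.search(line)
    fields["src_ip_nat"] = nat.group(1) if nat else None
    return fields


def summarize(lines, expected_nat=EXPECTED_NAT):
    """Tally egress interface per policy, collect denies and link failures, and flag
    any line whose NAT address does not belong to the interface it claims to use."""
    egress = Counter()
    denied, failed, mismatched = [], [], []
    for line in lines:
        event = LINK_FAIL_RE.search(line) or DEACTIVATED_RE.search(line)
        if event:
            if event.group(1) not in failed:
                failed.append(event.group(1))
            continue
        f = parse_traffic(line)
        if f is None:
            continue
        if f["disp"] == "Deny":
            denied.append((f["ts"], f["policy"], f["reason"]))
            continue
        egress[(f["policy"], f["out_if"])] += 1
        want = expected_nat.get(f["out_if"])
        if want and f["src_ip_nat"] != want:
            mismatched.append(line)      # NAT address and egress interface disagree
    return {"egress": egress, "denied": denied, "failed": failed, "nat_mismatch": mismatched}


def interface_share(summary):
    """Fraction of allowed connections per egress interface: the figure to compare
    against the Round-robin weights or the Interface Overflow order you configured."""
    per_if = Counter()
    for (_, out_if), n in summary["egress"].items():
        per_if[out_if] += n
    total = sum(per_if.values()) or 1
    return {name: n / total for name, n in per_if.items()}


if __name__ == "__main__":
    s = summarize(SAMPLE_LOG)
    print(s["egress"])             # per (policy, interface) counts
    print(interface_share(s))      # {'0-Main-Internet': 0.5, '3-Secondary-Internet': 0.5}
    print(s["failed"], s["denied"])
```

To use it on a live box, paste the Traffic Monitor output into a file and feed `summarize(open(path).read().splitlines())`; a non-empty `nat_mismatch` list is worth a look, because a NAT address that does not match the egress interface means the packet is leaving with a source address the ISP on that link may drop.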

Appendix

How Fireware Makes Multi-WAN Routing Decisions For Outbound Traffic


When a computer behind the Firebox on a trusted or optional network attempts to send traffic to the
external network, the Firebox must make three main decisions:
Whether the traffic is allowed out
Whether an external interface is available to send the traffic
Through which external interface to send the traffic
To make these decisions, the Firebox considers these questions:
1. Does the packet match the From and To lists in a policy?
- If No, drop the packet and send a log message with the reason Unhandled Internal Packet.
- If Yes, continue.
2. What is the disposition of the policy?
- If Deny, drop the packet and send a log message (if logging is enabled for the policy) with
the policy name as the reason.
- If Block, same as Deny, and put the source on the Firebox Auto-blocked Sites list.
- If Allow, continue.
3. Does the policy use policy-based routing?
- If Yes, send the traffic through the indicated external interface.
If Failover is enabled for policy-based routing, the first interface in the list that is active is
selected. If none of the policy-based routing interfaces for this policy are available, the packet
is dropped and a log message is sent with the reason that all gateways are down and this packet
(internal policy) is dropped.
- If No, continue.
4. Check the Firebox kernel routing table. Is there a specific route (a route that is not a default route)
that matches the traffic's source and destination?
- If Yes, use the gateway for that route.
- If No, continue.
5. How many default routes are in the kernel routing table?
- If Zero (the kernel routing table has no default route), drop the packet; all external
interfaces are down.
- If Exactly One default route is in the routing table, use the gateway interface for this default
route to send the packet out.
- If there is more than one default route in the routing table, continue.
6. Does the traffic match an entry in the sticky connections hash table?
- If Yes, send the traffic using the sticky interface.
- If No, continue.


7. Do the interface aliases in the policy's To list contain all the members of a load balancing interface
group?
- If Yes, use the specified multi-WAN routing method: weighted Round-robin, Failover, or
Interface Overflow.
- If No, use the Equal Cost Multi-Path (ECMP) routing method to send the packet.
Note
Load-balancing interface groups pertain only to the Round-robin, Failover, and Interface Overflow
multi-WAN methods. A load-balancing interface group includes all the interfaces you specify to
participate in the Round-robin, Failover, or Interface Overflow configuration.

The following flow chart diagram is split on two pages. It shows how the Firebox decides which
interface to use to send an outgoing connection.
The notes that follow the diagram correspond to the numbered Earth icons in the diagram.

Multi-WAN Routing Decision Flow Chart



Diagram Notes
1. A specific route is a route that is not a default route. A default route has destination 0.0.0.0.
2. You can see the Firebox Kernel IP routing table on the Status Report tab of Firebox System
Manager.
3. You can see which external interfaces are up with Firebox System Manager. View the Status
Report tab of Firebox System Manager for current interface status.
4. The [source IP address / destination IP address] pair of each outgoing connection is combined to
make a unique hash value. The hash value for an outgoing connection is put in the sticky
connections hash table, and the table entry is associated with the external interface used to send
the outgoing traffic.

If the [source IP / destination IP] hash of an outgoing connection matches an entry in the hash
table, the external interface associated with that entry in the table is used for that connection.
A timer counts down for each entry in the table. The time for a table entry starts with the value
specified in your configuration for sticky connections. When a new outgoing connection matches
an entry in the hash table, the time for that table entry is reset to the full time for sticky connections
and the timer starts again. When the timer for an entry in the hash table reaches zero, the entry is
purged from the table.
5. A load balancing interface group is the group of interfaces you include when you click
Configure at the top of the Multi-WAN tab in Policy Manager. You can exclude any external
interface from participating in the multi-WAN method that you use.
Load balancing interface groups apply only to the Round-robin, Failover, and Interface Overflow
methods. The Routing Table method does not use the load balancing interface group because the
ECMP (equal-cost multi-path) routing algorithm manages all routing decisions.
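As an added illustration of the seven steps above and of the sticky connection table in diagram note 4 (example code written for this page, not WatchGuard's implementation), the Python model below walks constructed packets through the sequence; the policies, routes, interface names and timer values are assumptions, and a policy's To list is reduced to the external interface aliases it names.

```python
"""Added example (not WatchGuard code): a model of the seven-step multi-WAN
decision sequence and sticky connection table described above. Policies,
routes, interface names and timings are all constructed."""
import hashlib
import ipaddress
from collections import namedtuple
from dataclasses import dataclass, field

Route = namedtuple("Route", "prefix iface metric", defaults=(0,))  # "0.0.0.0/0" = default route


@dataclass
class Policy:
    name: str
    from_nets: list            # source networks in the From list
    to_ifaces: list            # external interface aliases in the To list
    action: str                # "Allow", "Deny" or "Block"
    pbr: list = field(default_factory=list)  # policy-based routing interfaces
    pbr_failover: bool = False


class MultiWan:
    def __init__(self, policies, routes, up, lb_group, sticky_seconds):
        self.policies, self.routes = policies, routes
        self.up = set(up)                  # external interfaces currently up
        self.lb_group, self.sticky_seconds = list(lb_group), sticky_seconds
        self.sticky = {}                   # hash -> [interface, expiry time]
        self.rr = 0                        # round-robin cursor

    @staticmethod
    def _in(nets, ip):
        return any(ipaddress.ip_address(ip) in ipaddress.ip_network(n) for n in nets)

    def decide(self, src, dst, now):
        # Diagram note 4: entries whose timer reached zero are purged
        self.sticky = {k: v for k, v in self.sticky.items() if v[1] > now}
        # 1. From/To match; the destination is taken to be external here,
        #    so only the source is checked against the From list
        pol = next((p for p in self.policies if self._in(p.from_nets, src)), None)
        if pol is None:
            return "drop", "Unhandled Internal Packet"
        # 2. Disposition (Block would also auto-block the source)
        if pol.action != "Allow":
            return "drop", pol.name
        # 3. Policy-based routing; without failover only the first entry counts
        if pol.pbr:
            for iface in (pol.pbr if pol.pbr_failover else pol.pbr[:1]):
                if iface in self.up:
                    return "send", iface
            return "drop", "all gateways in policy routing are down"
        # 4. Specific (non-default) route; the lowest metric wins
        spec = [r for r in self.routes if r.prefix != "0.0.0.0/0"
                and self._in([r.prefix], dst)]
        if spec:
            return "send", min(spec, key=lambda r: r.metric).iface
        # 5. Default routes; an interface that is down has no default route
        defaults = [r.iface for r in self.routes
                    if r.prefix == "0.0.0.0/0" and r.iface in self.up]
        if not defaults:
            return "drop", "all external interfaces are down"
        if len(defaults) == 1:
            return "send", defaults[0]
        # 6. Sticky table keyed by a hash of [source IP / destination IP]
        #    (diagram note 4); a hit resets the entry's timer
        key = hashlib.sha256(f"{src}|{dst}".encode()).hexdigest()
        if key in self.sticky and self.sticky[key][0] in self.up:
            self.sticky[key][1] = now + self.sticky_seconds
            return "send", self.sticky[key][0]
        # 7. Whole load-balancing group in the To list -> multi-WAN method
        #    (round robin here); otherwise ECMP, modelled as a hash choice
        if set(self.lb_group) <= set(pol.to_ifaces):
            live = [i for i in self.lb_group if i in self.up] or defaults
            iface, self.rr = live[self.rr % len(live)], self.rr + 1
        else:
            iface = defaults[int(key, 16) % len(defaults)]
        self.sticky[key] = [iface, now + self.sticky_seconds]
        return "send", iface


def demo():
    policies = [
        Policy("Ping-PBR", ["10.0.30.0/24"], ["eth0", "eth1"], "Allow",
               pbr=["eth0", "eth1"]),            # failover off: eth0 only
        Policy("Outgoing", ["10.0.10.0/24"], ["eth0", "eth1"], "Allow")]
    routes = [Route("0.0.0.0/0", "eth0"), Route("0.0.0.0/0", "eth1"),
              Route("198.51.100.0/24", "eth0", 20),
              Route("198.51.100.0/24", "eth1", 10)]
    fb = MultiWan(policies, routes, up=["eth0", "eth1"],
                  lb_group=["eth0", "eth1"], sticky_seconds=60)
    out = [fb.decide("10.0.30.7", "5.5.5.5", 0),        # policy-based routing
           fb.decide("10.0.10.7", "198.51.100.9", 0),   # specific route, metric
           fb.decide("10.0.10.7", "5.5.5.5", 0),        # round robin -> eth0
           fb.decide("10.0.10.8", "5.5.5.5", 0),        # round robin -> eth1
           fb.decide("10.0.10.9", "5.5.5.5", 0),        # round robin -> eth0
           fb.decide("10.0.10.7", "5.5.5.5", 30),       # sticky hit -> eth0
           fb.decide("10.0.10.7", "5.5.5.5", 200)]      # expired -> round robin
    fb.up = {"eth1"}                                    # eth0 goes down
    out.append(fb.decide("10.0.30.7", "5.5.5.5", 200))  # PBR gateway is down
    return out
```

The last call reproduces the drop seen in Exercise 2 when policy-based routing has no failover and its interface is down.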

What You Have Learned


In this module, you learned:
How Fireware manages outgoing traffic with each of these multi-WAN modes of operation:
- Round-robin
- Failover
- Interface Overflow
- Routing Table
How to monitor the status of your external connections
How sticky connections influence routing decisions
How to use policy-based routing


Routing
Configure Static and Dynamic Routing

Introduction
You can use static and dynamic routing to ensure connectivity between networks that connect to your
Firebox. Static routing is the use of manually configured, non-changing routes in a Firebox or router's
routing table. Dynamic routing allows your device and connected network routers to share information
about network accessibility and to dynamically update their local routing tables based on changes to
the network topology.

What You Will Learn


This course explains the concepts related to static and dynamic routing, and describes when and how
to use each routing method. In this course, you will learn how to:
Select the best routing protocol to use
Configure static routing over a point-to-point link and a multi-hop link
Configure OSPF for dynamic routing over a point-to-point link
Configure BGP for dynamic routing over a multi-hop link
Use the Status Report and Diagnostic Log Levels to monitor and troubleshoot routing
The step-by-step exercises in this course show you how to configure IPv4 static and dynamic routing
between Firebox devices.

Terms and Concepts
To understand routing, you should be familiar with these terms and concepts:

Route
A route is the sequence of devices that network traffic must go through to get from its source to its
destination. A packet can go through many network points with routers before it reaches its
destination. Routes can be static or dynamic.
Static Route: A manually configured route to a specific network or host. A static route includes
the destination network or host IP address and a gateway IP address.
Dynamic Route: A route automatically learned and updated by a router, based on
communication with adjacent network routers. You configure dynamic routing to control which
routes your device dynamically shares with other network routers.

Router
The device on a network that uses a routing table to find the next network point through which to send
the network traffic toward its destination.

Route Table
A router, or a network device such as a Firebox, stores information about static and dynamic routes in
route tables. The device looks in the route tables to find a route to send each received packet toward its
destination.
Note
The route table in Fireware v11.9.x and lower looks different than what is shown in this training.

You can see the route tables for a Firebox in Firebox System Manager, on the Status Report tab. The
route tables in the Status Report are called IPv4 Routes and IPv6 Routes. Each route table includes
these routes:
Routes to networks for all enabled device interfaces
Routes to networks for all enabled BOVPN virtual interfaces
Static network routes or host routes you add to your device configuration, if the device has a route
to the gateway configured for each route.
Routes the device learns from dynamic routing processes that are enabled on the device
Note
Policy-based routes, described in the Multi-WAN module, do not appear in the Route Table.

Route Metric
Each route in the routing table has an associated metric, which is a number that indicates the cost
associated with the route. A lower metric for a route indicates a lower cost, and higher priority for the
route. If the routing table includes more than one route to the same destination, the Firebox uses the
route that has the lower metric. For a static route, to control the priority of each route, you manually set
the metric. If you use dynamic routing, the dynamic routing protocol automatically sets the metric for
each route based on characteristics such as the link speed, hop count, or time delay.


Routing Protocol
Dynamic routing protocols enable routers to communicate with each other and share information
about the status of network accessibility. All dynamic routing protocols perform these tasks:
Send information about network accessibility to other routers
Receive information about network accessibility from other routers
Determine the best routes based on the known accessibility information and save the best routes
in the local routing table
React to and advertise network topology changes

Exterior Vs. Interior Routing Protocols


One way to classify dynamic routing protocols is based on whether they are best used to communicate
routing information between devices within a single organization or whether they are best used to
communicate routing information between two separate organizations.
Interior: An interior protocol is most often used to communicate routing information between
networks managed by the same or closely related organizations. Interior protocols include RIP and
OSPF. Interior protocols cannot scale to very large networks, but they are easy to manage and have
low overhead. OSPF is most often used for routing between interior networks because it is more
scalable and has a shorter convergence time than RIP.
Exterior: An exterior protocol is most often used to communicate routing information between
networks at different sites or sites managed by independent organizations. Independent
organizations can use an exterior protocol, such as BGP, to communicate routing information to
other externally managed sites. Exterior protocols are most often used only for multi-hop links
between networks.

Distance-Vector Vs. Link State Protocols


Another way to categorize dynamic routing protocols is based on the type of information they
exchange about routes, and how routers use this information to update their routing tables.
Distance-vector: In a distance-vector protocol, each router sends information about all network
destinations it knows how to reach. For each destination, it sends a metric that indicates how far
away the destination is (the distance), and the next hop (the vector) toward that destination. The
distance metric can be the number of hops, or it can be based on other information about the
route toward a destination. BGP and RIP are both distance-vector protocols.
Link state: In a link state protocol, each router sends a list of all the network links it directly
connects to, and the functional status of each link (the link state). Changes to link state are
immediately communicated to other routers on the network. Each router can then construct its
own view of the network topology based on the status of the links, and uses that to populate the
routing table with the best path to any destination. OSPF is a link state protocol.

Convergence Time
Convergence time refers to the time it takes for connected routers to establish consistent and
correct routing tables after a network topology change. Convergence time is shorter for the BGP
and OSPF protocols than it is for the RIP dynamic routing protocol.

Routing Types and Protocols

Static vs. Dynamic Routing


When you configure a network, the simplest solution is usually best. It is good practice to use dynamic
routing only if static routing is not a practical solution. For a small network, or for a network that does
not change much, static routing is often a simpler and better solution. That said, for large or growing
networks, dynamic routing can provide these advantages:
Simplify the management of network routes as your network topology changes. When your
network changes, you only need to update the configuration on one device instead of several.
Increase the redundancy and fault-tolerance of your network. Dynamic routing can allow your
Firebox to automatically fail over to a secondary VPN network connection if the primary route
between two sites is unavailable.

Supported Dynamic Routing Protocols


Firebox devices support three IPv4 dynamic routing protocols. Which protocol to use depends on the size of
your network and the type of network link you need to send data through.
Routing Information Protocol (RIP v1, RIP v2, RIPng)
RIP is a distance-vector routing protocol that uses hop count as the only metric to decide the best
route. It can be used for point-to-point network links, but is usually recommended only if OSPF is
not an option. Fireware supports RIPv1 and RIPv2 for IPv4 dynamic routing, and RIPng for IPv6
dynamic routing.
Open Shortest Path First (OSPF, OSPFv3)
OSPF is a link state routing protocol and is commonly used for point-to-point links between interior
networks. OSPF is more scalable and has a faster convergence time than RIP, so OSPF is usually the
recommended interior protocol. Fireware supports OSPFv2 for IPv4 dynamic routing, and OSPFv3
for IPv6 dynamic routing.
Border Gateway Protocol (BGP)
BGP is an exterior distance-vector protocol that uses many decision factors (not just hop count) to
decide the best route. BGP is commonly used for exterior multi-hop links. This is because we do not
want to base routing on the link state since we cannot monitor the state of multiple links. BGP is
used for any inter-domain dynamic routing between TCP/IP networks, and is the protocol used by
ISPs for routing across the Internet. You can configure BGP for IPv4 and IPv6 dynamic routing.

Note
The exercises in this course focus on IPv4 dynamic routing, but the concepts are the same for IPv6.


eBGP and iBGP


Connections between two BGP peers can be external (eBGP) or internal (iBGP). Autonomous system
(AS) numbers identify the network for BGP routing. The AS number indicates whether the peers are
part of networks managed by the same or different organizations.
eBGP: If two BGP peers have different AS numbers, the BGP connection between them is an
eBGP session.
iBGP: If two BGP peers are part of the same autonomous system, they both use the same AS
number, and the BGP connection between them is an iBGP session.
Note
Use a private AS number, in the range 64512 to 65535, for iBGP connections between private
networks. This avoids the need to register for a public AS number.

When you connect your network to two different ISPs, it is called multihoming. Multihoming provides
redundancy and network optimization. You can use eBGP to make sure that the Firebox routes
outbound traffic to the ISP that can provide the best path to the destination.
When you use eBGP to exchange BGP routes with an upstream ISP peer, the eBGP peer might send you
these different types of routes:
Default route: the 0.0.0.0/0 route. The ISP can send you a default route if they use the BGP
command default-information originate. The default route your ISP sends you does not
affect the Firebox, because when you configure an external interface, you must specify a gateway
IP address, which is the default route for that interface.
Customer routes: the collection of all static and dynamic routes to other customers who are
subscribed to the same ISP.
Default and customer routes: the combined list of default route and customer routes.
Full routes: the list of all customer routes and all other dynamic routes learned from the ISP's
upstream (higher tier) ISP and peer ISPs that are part of a local Internet exchange point network.
Note
An Internet exchange point (IX or IXP) is a neutral location between some Tier 2 and lower ISPs
that allows the ISPs to directly exchange Internet traffic between their networks without the need to
route through a Tier 1 ISP.

You can use the access-list and route-maps BGP commands to filter BGP route updates that come from
an eBGP peer.
For the exercises in this training, we only configure iBGP, but it is important to know that eBGP can
result in a very large routing table that you must manage.

Dynamic Routing Policies
When you enable a dynamic routing protocol, Policy Manager automatically creates the necessary
policy to allow required dynamic routing traffic, if an existing policy to allow the traffic does not exist.
The automatically added policies for each protocol are:
DR-RIP-Allow
This is the automatically created dynamic routing policy for RIP. The DR-RIP-Allow policy is
configured to allow RIP multicasts to the reserved multicast address for RIP v2.
If you use RIP v1, you must configure the RIP policy to allow RIP broadcasts from the network
broadcast IP address to the Firebox. For example, if your external interface IP address is
203.0.113.2/24, you must configure the RIP policy to allow traffic from the broadcast address
203.0.113.255 to the Firebox.
DR-RIPng-Allow
This is the automatically created dynamic routing policy for RIPng. The DR-RIPng-Allow policy is
configured to allow RIPng multicasts to the reserved multicast address for RIPng, FF02::9.
DR-OSPF-Allow
This is the automatically created dynamic routing policy for OSPF. The DR-OSPF-Allow policy is
configured to allow OSPF multicasts to the reserved IPv4 multicast addresses for OSPF.
DR-OSPFv3-Allow
This is the automatically created dynamic routing policy for OSPFv3. The DR-OSPFv3-Allow policy
is configured to allow OSPF multicasts to the reserved IPv6 multicast addresses for OSPFv3, FF02::5
and FF02::6.
DR-BGP-Allow
This is the automatically created dynamic routing policy for BGP.
You can edit these policies to add authentication or restrict the policy to listen on only the correct
interfaces.
If you remove or disable these dynamic routing policies, or if you remove the necessary multicast IP
addresses from the To section of the policies, dynamic routing cannot function.


Network Link Types


You can use dynamic routing to route traffic between devices at different sites, or between devices at
the same site. When you enable dynamic routing in a Firebox, it is important that the Firebox is the
single ingress and egress point for traffic from the local networks.
For dynamic routing, it is important to consider the type of link you have between the devices. Before
you can enable dynamic routing between two devices, you must make sure the peer interfaces on the
two Firebox devices can communicate with each other.

Point-to-Point Link
In a point-to-point link connection, interfaces on two Firebox devices connect directly to each other.
The peer interfaces are on the same subnet and can communicate directly. Typical examples of a
point-to-point link between two sites are fiber-to-Ethernet converters, layer 2 VLAN connections, a
fiber optic connection, or a leased line with serial-to-Ethernet converters at each end.

Figure 1: Point-to-point link between two devices at different locations

A point-to-point link could also be a direct link between devices at the same location, such as devices
that connect to networks for different departments.

Figure 2: Point-to-point link between two devices at the same location
Note
This diagram is intended to represent a section of a larger network topology that would include the
connections to other departments and to the Internet.

Multi-Hop Link
In a multi-hop link connection, the Firebox devices do not connect to the same network. The device at
each site connects to a local router or other networking device. Those routers between the Firebox
devices connect to each other. A typical example of this type of connection is a leased line terminated
on routers at each site. Or, the connection between the routers could be over an MPLS network.

Figure 3: Example of a Multi-hop link between two Firebox devices


If the two Firebox devices are connected with a multi-hop link, the peer interfaces route through one or
more intermediate routers. If the connection is a multi-hop link, you must configure static routes to
enable the peer interfaces to communicate before you can enable dynamic routing between the two
devices.


Asymmetrical Routes Cause Routing Inconsistency


One common cause of network routing problems is a network topology that does not provide a single
path for traffic between networks. A topology with more than one ingress or egress point can create
asymmetric routes between the two sites. This can occur, for example, if a peer router that connects to
another site does not connect to the Firebox, but instead connects to a switch on an internal network.

Figure 4: A common cause of routing inconsistency


In this topology, there is not a single ingress and egress point at each site. This could create asymmetric
routes between the two sites. Connections between the two sites can fail regardless of whether TCP
SYN checking is enabled, because the firewall at each site might see only one side of the TCP
handshake.
Asymmetric routing can occur in this topology because:
1. Packets sent from a computer at Site A to a computer at Site B are routed through the default
gateway at Site A (the Site A Firebox). The packets are then routed over the peer link to the
computer at Site B. These packets do not go through the Site B Firebox.
2. The returned packets from the computer at Site B are routed through the default gateway at Site B
(the Site B Firebox). The packets are then routed over the peer link to the computer at Site A. These
packets do not go through the Site A Firebox.
With this network topology, the Firebox cannot control network failover to a branch office VPN, as
described in the next section. Even if you do not use dynamic routing or configure failover to a VPN,
this network configuration can cause routing problems and should be avoided.
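The failure described above, as an added Python model (not WatchGuard code): each Firebox keeps a session table and, with TCP SYN checking on, passes a SYN/ACK only for a session whose SYN it saw. The site names, host addresses and the paths packets take are constructed.

```python
"""Added example (not WatchGuard code): a model of why the Figure 4 topology
breaks TCP connections. Each Firebox keeps a session table and, with TCP SYN
checking on, passes a SYN/ACK only for a session whose SYN it has seen.
Site names, hosts and paths are constructed."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    flags: str                 # "SYN", "SYN/ACK" or "ACK"


class Firebox:
    def __init__(self, name):
        self.name = name
        self.sessions = set()  # (client, server) pairs whose SYN was seen
        self.seen = []         # flags of every packet this Firebox inspected

    def inspect(self, pkt):
        """Return True if the packet is allowed, False if it is dropped."""
        self.seen.append(pkt.flags)
        if pkt.flags == "SYN":
            self.sessions.add((pkt.src, pkt.dst))
            return True
        # Reply traffic is keyed on the original client/server pair
        key = (pkt.dst, pkt.src) if pkt.flags == "SYN/ACK" else (pkt.src, pkt.dst)
        return key in self.sessions


def handshake(client, server, forward, reverse):
    """Run a three-way handshake; forward/reverse list the Fireboxes each
    direction crosses. Returns "established" or the first drop."""
    steps = [("SYN", client, server, forward),
             ("SYN/ACK", server, client, reverse),
             ("ACK", client, server, forward)]
    for flags, src, dst, path in steps:
        pkt = Packet(src, dst, flags)
        for fb in path:
            if not fb.inspect(pkt):
                return f"{flags} dropped by {fb.name}"
    return "established"


def demo():
    host_a, host_b = "10.1.0.10", "10.2.0.20"   # constructed addresses
    # Single ingress/egress at each site: both directions cross both Fireboxes
    a, b = Firebox("Site A Firebox"), Firebox("Site B Firebox")
    symmetric = handshake(host_a, host_b, forward=[a, b], reverse=[b, a])
    # Figure 4: the peer link attaches to an internal switch, so each direction
    # crosses only the sender's default gateway
    a, b = Firebox("Site A Firebox"), Firebox("Site B Firebox")
    asymmetric = handshake(host_a, host_b, forward=[a], reverse=[b])
    return symmetric, asymmetric, b.seen
```

In the Figure 4 case the Site B Firebox sees nothing but the SYN/ACK, which is exactly the "one side of the TCP handshake" the text warns about.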

Routing and Branch Office VPNs
You can use a branch office VPN (BOVPN) to make a secure connection between networks at different
locations. There are two methods you can use to configure a BOVPN tunnel. The method you use
determines how the Firebox decides whether to route traffic through the BOVPN tunnel.
BOVPN Gateway and BOVPN Tunnels
You can configure a BOVPN gateway and add one or more BOVPN tunnels that use that gateway.
When you use this configuration method, the Firebox always routes a packet through the BOVPN
tunnel if the source and destination of the packet match a configured BOVPN tunnel.
Note
Branch office VPN configuration is covered in the Fireware Essentials course.
BOVPN Virtual Interface
You can configure a branch office VPN as a BOVPN virtual interface. BOVPN virtual interface routes
appear in the routing table, and the decision about whether to send traffic through the VPN tunnel
or through another interface is affected by static and dynamic routes, and by policy-based routing.
This provides more flexibility in how you can configure routing through the tunnel.
When you have configured a BOVPN virtual interface, you can add an IPv4 or IPv6 BOVPN virtual
interface route, which is a static route through the BOVPN virtual interface.

Figure 5: The Add Route dialog box for a BOVPN virtual interface route

Route metrics are the same for a BOVPN virtual interface route as for routes through any other
interface. You can set the metric for a static BOVPN virtual interface route to make it a higher or
lower metric than other routes, to control which is the preferred route.
The global VPN setting controls whether VPN routes are removed if a BOVPN virtual interface is
down.
Note
If you enable the global VPN setting to remove VPN routes, you must either enable policy-based
routing for the BOVPN virtual interface or, in the BOVPN virtual interface settings, select the Start
Phase1 tunnel when it is inactive option.

Figure 6: The VPN setting to remove VPN routes when the tunnel is down


BOVPN Virtual Interface Routing Scenarios


Because you can specify a BOVPN virtual interface as the interface you use for the static, dynamic, and
policy-based routing definitions, a BOVPN virtual interface provides a lot of flexible configuration
options. Some examples of the routing scenarios you can configure with a BOVPN virtual interface
include:
Metric-based VPN Failover and Failback
For two sites that are connected with an MPLS link, you can configure the Firebox to automatically
failover and failback to a secondary BOVPN virtual interface connection over an IP network. To do
this, you configure the external interface for the primary connection between the two sites over the
MPLS network. Then, configure a BOVPN virtual interface for the secondary link between the two
sites. Add a BOVPN virtual interface static route, and set a high metric (such as 200) for the route, so
it is only used if the primary connection is not available. You could also configure metric-based VPN
failover between a primary and secondary BOVPN virtual interface.
BOVPN Virtual Interface with Policy-Based Routing
If two sites are connected by two VPN tunnels, and you want to send certain types of traffic through
a specific tunnel, you can enable policy-based routing to redirect traffic handled by the policy to a
specific tunnel. This encrypts the packets and sends them through the tunnel. This can be useful if
you have tunnels with different cost or latency, and you want to send only latency-sensitive traffic,
such as VoIP traffic, through the tunnel with the lowest latency.
Note
You cannot configure policy-based routing to enable failover from a BOVPN virtual interface to
another interface.
BOVPN Virtual Interface with Dynamic Routing
You can configure dynamic routing over a BOVPN virtual interface so that the two sites can
dynamically exchange route information about multiple local networks through a secure VPN
tunnel. This avoids the need to manually add and maintain configured routes between all the private
networks at each site. To do this, you configure a BOVPN virtual interface, and configure virtual IP
addresses for the VPN endpoints. Enable and configure dynamic routing between the two sites, and
use the virtual IP addresses as the peer network IP addresses.
- For OSPF, use the network command, and the peer virtual IP address with a /32 netmask.
For example: network <peer_virtual_ip>/32 area 0.0.0.0
- For BGP, use the neighbor command, and the peer virtual IP address
For example: neighbor <peer_virtual_ip> remote-as 65535
You can use dynamic routing commands to configure which local networks each device propagates
routes for. To specify route priority for OSPF dynamic routes you can use the Interface Cost. The lower
the Interface Cost, the more preferred the route is. To specify route priority for BGP dynamic routes, you
can use the Local Preference. The higher the Local Preference, the more preferred the route is.

Failover from a Dynamic Route to a Branch Office VPN
When you use dynamic routing to establish the routes between networks behind two Firebox devices,
you can optionally configure automatic failover to a VPN connection if a route between the networks is
not present in the routing table. When you use dynamic routing, the failover happens automatically,
when the route between two devices is removed from the routing table.
To configure network failover to a branch office VPN you must:
1. Configure dynamic routing between the two sites over the primary connection.
2. Configure a branch office VPN tunnel between the two sites over another Firebox interface.
3. Enable the global VPN setting Enable the use of non-default (static or dynamic) routes to
determine if IPSec is used.
This setting enables the automatic failover to the VPN based on changes to the routing table.

Figure 7: Select the check box to enable the use of non-default routes
When you use dynamic routing, if the primary network link fails, the route is automatically removed
from the routing table. When the route is removed, if this global VPN setting is enabled, the Firebox
automatically uses the VPN tunnel to route packets between the two networks. When the primary
routing problem is resolved, the dynamic routing protocol adds the route back to the table, and the
Firebox automatically begins to use that route instead of the VPN tunnel for traffic between the two
networks.

Figure 8: Branch Office VPN as a failover for a connection between two devices


Note
For a complete description of this VPN failover configuration, with sample configuration files, see the
Branch Office VPN Failover from a Private Network Link example on the WatchGuard Configuration
Examples page at http://www.watchguard.com/help/configuration-examples/index.asp.

Dynamic Routing is Required for Automatic Failover


When you enable the VPN setting Enable the use of non-default (static or dynamic) routes to
determine if IPSec is used, the Firebox routes traffic through the branch office VPN when a static or
dynamic route to the peer device is not present in the route table.
With this global setting enabled:
When the primary route is a dynamic route
If the link to the next hop goes down, the dynamic route is automatically removed from the route
table. After the route is removed, the Firebox automatically begins to route traffic through the
branch office VPN.
When the primary route is a static route
If the link to the next hop goes down, the static route remains in the route table. Because the route
is not removed, the Firebox does not automatically begin to route traffic through the branch office
VPN. You must manually remove the static route from both devices to trigger failover to the VPN.
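To contrast the dynamic and static cases above, here is an added Python model (not WatchGuard code) of a route table with the global setting enabled; the prefixes, interface names, tunnel name and the way routes are withdrawn on link failure are all constructed assumptions.

```python
"""Added example (not WatchGuard code): a model of the failover behaviour
described above for a dynamic versus a static primary route, with the global
VPN setting to use non-default routes enabled. Prefixes, interfaces and the
tunnel name are constructed."""
import ipaddress
from collections import namedtuple

# kind is "connected", "static" or "dynamic"
Route = namedtuple("Route", "prefix iface kind metric")


class Firebox:
    def __init__(self, routes, tunnels, use_non_default_routes):
        self.routes = list(routes)
        self.tunnels = dict(tunnels)      # remote network -> BOVPN tunnel name
        self.use_routes = use_non_default_routes   # the global VPN setting

    def link_down(self, iface):
        # The dynamic routing protocol withdraws its routes through the failed
        # link; a static route stays until an administrator removes it
        self.routes = [r for r in self.routes
                       if not (r.iface == iface and r.kind == "dynamic")]

    def remove_static(self, prefix):
        self.routes = [r for r in self.routes
                       if not (r.prefix == prefix and r.kind == "static")]

    def egress(self, dst):
        """Return the interface or tunnel used to send traffic to dst."""
        a = ipaddress.ip_address(dst)
        tunnel = next((t for net, t in self.tunnels.items()
                       if a in ipaddress.ip_network(net)), None)
        if tunnel and not self.use_routes:
            return tunnel            # setting off: a matching tunnel always wins
        specific = [r for r in self.routes if r.prefix != "0.0.0.0/0"
                    and a in ipaddress.ip_network(r.prefix)]
        if specific:                 # a non-default route takes precedence
            return min(specific, key=lambda r: r.metric).iface
        if tunnel:                   # no such route left: fail over to the VPN
            return tunnel
        default = [r for r in self.routes if r.prefix == "0.0.0.0/0"]
        return default[0].iface if default else None


def demo():
    """Compare a dynamic and a static primary route when the link fails."""
    site_b = "10.0.2.0/24"

    def build(kind):
        return Firebox(
            routes=[Route("0.0.0.0/0", "eth0", "connected", 0),
                    Route("10.0.1.0/24", "eth1", "connected", 0),
                    Route(site_b, "eth2", kind, 10)],   # primary link to site B
            tunnels={site_b: "bovpn-site-b"},
            use_non_default_routes=True)

    dyn, sta = build("dynamic"), build("static")
    before = (dyn.egress("10.0.2.25"), sta.egress("10.0.2.25"))
    dyn.link_down("eth2")
    sta.link_down("eth2")
    after = (dyn.egress("10.0.2.25"), sta.egress("10.0.2.25"))
    sta.remove_static(site_b)          # manual step needed for the static case
    return before, after, sta.egress("10.0.2.25")
```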

Monitoring Tools

The Status Report


The Status Report in Firebox System Manager is an important tool you can use to understand the
current state of routes and routing protocols on your Firebox. To see the Status Report, connect to the
device and open Firebox System Manager. Then select the Status Report tab.
Look for these sections to find routing status information:
IPv4 Routes
Lists the first 100 destination hosts and networks that your Firebox can send IPv4 traffic to. This
includes IPv4 static routes, dynamic routes, directly connected networks, and IPv4 BOVPN interface
routes.
IPv6 Routes
Lists the first 100 destination hosts and networks your Firebox can send IPv6 traffic to. This includes
IPv6 static routes, dynamic routes, directly connected networks, and IPv6 BOVPN interface routes.
- Route table: main shows all IPv4 and IPv6 static routes
- Route Table: default shows information about the default route
- Route Table: ethx.out shows active routes for an external interface, ethx, where x is the
interface number
- Route Table: any.out shows active routes for all external interfaces with multi-path default
routes, when multi-WAN is configured
- Route Table: zebra shows dynamic routes received from a peer, if dynamic routing is
enabled
Note
The format of the routing tables is different for Fireware versions prior to v11.10.
Dynamic Routing
The Dynamic Routing section has additional information about the status of the dynamic routing
process that runs on the Firebox. This section shows these types of status information:
- ENABLED: the dynamic routing protocol is enabled in the configuration
- RUNNING: the dynamic routing process is running
- STOP: the dynamic routing process is stopped
- LICENSED: the dynamic routing protocol is licensed
- CFGSYNC: reserved for future use
Under the Dynamic Routing section are these sections with information about the status of each
dynamic routing protocol:
- RIP: RIP routes and status
- OSPF: OSPF routes and status
- BGP: BGP routes and status
- RIPng: RIPng routes and status
- OSPFv3: OSPFv3 routes and status

Set the Diagnostic Log Level


If you need to troubleshoot issues with dynamic routing, it can be useful to change the diagnostic log
level for dynamic routing. By default, the dynamic routing diagnostic log level is set to Error. You can
increase the level to see more detailed dynamic routing information in the log files.
1. In Policy Manager, select Setup > Logging.
2. Click Diagnostic Log Level.
3. From the Networking category, select Dynamic Routing.

Figure 9: Dynamic Routing diagnostic log level.


4. Move the slider to set the diagnostic log level.

140 WatchGuard Fireware Training


Monitoring Tools

Enable Debug Logging for Dynamic Routing


The RIP, OSPF, and BGP dynamic routing protocols each include commands to enable debug logging. It
can be useful to enable debug logging when you troubleshoot a dynamic routing problem.
To enable debug logging for dynamic routing, you must do two things:
1. Set the diagnostic log level for Dynamic Routing to the highest level, Debug, as described above.
2. Enable debug logging in the RIP, OSPF, or BGP configuration.
Fireware supports the dynamic routing commands for the Quagga routing suite. For a list of
commands for the supported dynamic routing protocols, see the Quagga documentation at
http://www.quagga.net/docs/.
When you enable debug logging, the debug log messages appear in the Traffic Monitor tab in Firebox
System Manager. Debug log messages are also saved to the /tmp/debug/quagga.log file, which is
included in the support snapshot for your device.
To save a support snapshot, from the Firebox System Manager Status Report tab, click Support.

Exercise 1: Configure Static Routing Over a Point-to-Point Link
You can use static routing to route traffic between any two networks, as long as the networks are
connected by one or more Firebox devices or routers. To configure static routing, you must add static
routes to all Firebox devices and routers that route traffic between the two networks.
This exercise shows how to configure static routing between two devices that are connected by a
point-to-point link. In a point-to-point link connection, the Firebox devices connect directly to the same
network.
For this exercise, we assume the point-to-point link in the training environment looks like this:

Figure 10: Point-to-point link between two Firebox devices


These exercises require that you configure two Firebox devices with different IP addresses. For the
instructions in these exercises, we assume each device is configured by a different student. The student
numbers in the IP addresses are represented as A and B. The diagrams and configuration settings
shown in these exercises assume that:
Site A is configured by student A, who is assigned student number 10
Site B is configured by Student B, who is assigned student number 20
When you configure the network settings, use the student numbers your instructor gives you.
In the training environment, the external interfaces of all devices connect to the 203.0.113.0/24
network. So there is already a point-to-point link between the devices, over the external interfaces. To
route traffic between the private networks at each site, all you need to do is add a static route on each
Firebox device.


For example, for student 10 and student 20, the network interface configuration looks like this:

Figure 11: Network interface configuration for student 10

Figure 12: Network interface configuration for student 20

Add a Static Route to the Site A Device


1. Open the configuration for the Site A Firebox in Policy Manager.
2. Select Network > Routes.
The Setup Routes dialog box appears.
3. Click Add.
The Add Route dialog box appears.

Figure 13: The Add Route dialog box


4. From the Destination Type drop-down list, select Network IPv4.

5. In the Route To text box, type the IP address of the Site B trusted network.
The Site B trusted network is 10.0.B.0/24
6. In the Gateway text box, type the IP address of the Site B external interface.
The Gateway (next hop) is 203.0.113.B.
Replace the B in the IP address with the student number your instructor gives to the student who
manages the Site B device.
7. Save the configuration to the Site A device.

Add a Static Route to the Site B Device


1. Open the configuration for the Site B Firebox in Policy Manager.
2. Select Network > Routes.
The Setup Routes dialog box appears.
3. Click Add.
The Add Route dialog box appears.

Figure 14: The Add Route dialog box configured for a route to the student 10 Firebox
4. From the Destination Type drop-down list, select Network IPv4.
5. In the Route To text box, type the IP address of the Site A trusted network.
The Site A trusted network is 10.0.A.0/24.
6. In the Gateway text box, type the IP address of the Site A external interface.
The Gateway (next hop) is 203.0.113.A.
Replace the A in the IP address with the student number your instructor gives to the student who
manages the Site A device.
7. Save the configuration to the Site B device.


Review the Route Table


1. Connect to the Site A Firebox with Firebox System Manager.
2. Select the Status Report tab.
3. Scroll down to the Routes section. Or press Ctrl+F and type Routes to find this section.
The route you added appears in the IPv4 Routes list.

Figure 15: The IPv4 Routes section of the Status Report


4. Use the same steps to verify that the static route appears in the routing table for the Site B Firebox.
Each static route is associated with the interface it uses to reach the gateway. For the static route you
added in this exercise, the interface for the route is eth0, because traffic to the gateway you specified in
the static route (203.0.113.A) is routed to the 203.0.113.0/24 network through the eth0 interface.

Note
A configured static route does not appear in the route table if there is no route to the gateway
specified in the static route. If you add a static route, and the route does not appear in the route
table, check the gateway you specified in the static route, and make sure your device can route to
that gateway IP address. For example, in this exercise, if you add a static route, and specify the
gateway incorrectly (203.0.114.A), the route does not appear in the routing table.
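To make the rule in the Note concrete, here is an added Python model (not part of the WatchGuard guide) of how a static route is installed only when its gateway lies in a directly connected network, and of the longest-prefix lookup that then selects the installed route. It uses the Site A addresses for student 10 and student 20 from Exercises 1, 3 and 4, including the mistyped 203.0.114.B gateway.

```python
"""Model of when a configured static route is installed in the Firebox route table.

Added example for this guide: a static route is installed only when its gateway
is inside a directly connected network; the route is then tied to that interface.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Route table entry: (destination, gateway or None when directly connected, interface)
Entry = Tuple[ipaddress.IPv4Network, Optional[ipaddress.IPv4Address], str]


@dataclass(frozen=True)
class Interface:
    name: str
    addr: ipaddress.IPv4Interface  # interface address with prefix, e.g. 203.0.113.10/24


@dataclass(frozen=True)
class StaticRoute:
    destination: ipaddress.IPv4Network  # a host route is simply a /32
    gateway: ipaddress.IPv4Address


def egress_interface(gateway: ipaddress.IPv4Address, interfaces: List[Interface]) -> Optional[str]:
    """Name of the interface whose connected network contains the gateway, or None."""
    for iface in interfaces:
        if gateway in iface.addr.network:
            return iface.name
    return None


def build_route_table(interfaces: List[Interface],
                      static_routes: List[StaticRoute]) -> Tuple[List[Entry], List[StaticRoute]]:
    """Connected networks are always present; a static route is installed only if the
    device can reach its gateway. Routes that are not installed are returned separately
    so the caller can report them (the Status Report simply omits them)."""
    table: List[Entry] = [(i.addr.network, None, i.name) for i in interfaces]
    skipped: List[StaticRoute] = []
    for route in static_routes:
        via = egress_interface(route.gateway, interfaces)
        if via is None:
            skipped.append(route)
        else:
            table.append((route.destination, route.gateway, via))
    return table, skipped


def lookup(table: List[Entry], dst: ipaddress.IPv4Address) -> Optional[Entry]:
    """Longest-prefix match, the rule the route table applies to a destination."""
    best: Optional[Entry] = None
    for entry in table:
        if dst in entry[0] and (best is None or entry[0].prefixlen > best[0].prefixlen):
            best = entry
    return best


# Constructed Site A configuration: student 10 at Site A, student 20 at Site B.
A, B = 10, 20
SITE_A_INTERFACES = [
    Interface("eth0", ipaddress.IPv4Interface(f"203.0.113.{A}/24")),  # external
    Interface("eth1", ipaddress.IPv4Interface(f"10.0.{A}.1/24")),     # trusted
    Interface("eth2", ipaddress.IPv4Interface(f"172.16.{A}.2/30")),   # optional peer link
]
SITE_A_STATIC_ROUTES = [
    # Exercise 1: Site B trusted network via the Site B external interface
    StaticRoute(ipaddress.IPv4Network(f"10.0.{B}.0/24"), ipaddress.IPv4Address(f"203.0.113.{B}")),
    # The mistyped gateway from the Note: no connected network contains 203.0.114.B
    StaticRoute(ipaddress.IPv4Network(f"10.0.{B}.0/24"), ipaddress.IPv4Address(f"203.0.114.{B}")),
    # Exercise 4: host route to the Site B peer interface via the instructor device
    StaticRoute(ipaddress.IPv4Network(f"172.16.{B}.2/32"), ipaddress.IPv4Address(f"172.16.{A}.1")),
]


def site_a_route_table() -> Tuple[List[Tuple[str, Optional[str], str]], List[Tuple[str, str]]]:
    """Installed entries and skipped static routes for Site A, as plain strings."""
    table, skipped = build_route_table(SITE_A_INTERFACES, SITE_A_STATIC_ROUTES)
    installed = [(str(d), str(g) if g is not None else None, i) for d, g, i in table]
    not_installed = [(str(r.destination), str(r.gateway)) for r in skipped]
    return installed, not_installed


def next_hop(dst: str) -> Optional[Tuple[str, Optional[str], str]]:
    """Which Site A entry carries traffic to dst: (destination, gateway, interface)."""
    table, _ = build_route_table(SITE_A_INTERFACES, SITE_A_STATIC_ROUTES)
    hit = lookup(table, ipaddress.IPv4Address(dst))
    if hit is None:
        return None
    return str(hit[0]), str(hit[1]) if hit[1] is not None else None, hit[2]


if __name__ == "__main__":
    installed, skipped = site_a_route_table()
    for entry in installed:
        print("installed:", entry)
    for route in skipped:
        print("NOT installed (no route to gateway):", route)
    print("10.0.20.7 ->", next_hop("10.0.20.7"))
```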

Test the Static Route
To test the static route, you can ping a device or interface on the remote network.
Because this exercise uses the external interface as the point-to-point link, you must update the ping
policy to allow the ping between networks for testing. The default Ping policy does not allow ping
traffic in through the external interface.
To enable ping traffic for testing:
1. In Policy Manager, double-click the Ping policy to edit it.
2. Add Any-External to the From section of the policy.
3. Save the configuration to the device.
4. Repeat these steps to enable ping traffic on the other device.
Now that ping traffic is allowed from the external network, you can use the ping command to test the
static routes between these two sites. To do this, open the Windows command prompt on the
management computer connected to the Site A network and issue a ping command to the IP address
of a device on the private network on the Site B device. Or, you can use Firebox System Manager to
issue a ping.
To issue a ping from Firebox System Manager for the Site A device:
1. Select the Traffic Monitor tab.
2. Right-click anywhere on the tab.
A context menu appears.
3. From the context menu, select Diagnostic Tasks.
The Diagnostic Tasks dialog box appears.

Figure 16: Diagnostic tasks ping example


4. In the Address text box, type the IP address of a device on the Site B private network.
The address can be the address of the Site B Firebox trusted interface, or it can be a connected computer.
5. Click Run Task.
The results of the ping appear in the Results text box.
6. Repeat these steps to test the static route from Site B to the Site A private network.


The Disadvantage of Using Only Static Routes


You can use static routes to set up routing between all of your networks. But if you use only static
routes, you must manually update the static routes on all devices each time a network is added or
changed. As the network complexity and the number of subnets at each site grows, the level of effort
to update and maintain the static routes increases.
As you see in the next exercise, dynamic routing provides a way to reduce the administrative effort
required to update network routes when there are additions or changes to the network topology.
It is important to understand static routing before you implement dynamic routing. When you
implement dynamic routing between sites, you often must first define static routes to enable the
communication between the peer interfaces of the two devices.

Exercise 2: Configure Dynamic Routing over a Point-to-Point Link
You can use dynamic routing to simplify the management of configuration updates to your network as
the topology at each site changes. In this exercise you configure dynamic routing between two Firebox
devices connected over a point-to-point link. This exercise also demonstrates how dynamic routing
automatically adds new routes to one device after you change the network configuration on the other
device.

Network Topology
For this exercise, we will configure dynamic routing over the point-to-point network we configured in
Exercise 1.

Figure 17: Point-to-point link between two sites


To establish dynamic routing between two Firebox devices, each device must be able to reach the
interface on the other Firebox you want to peer it with. For a point-to-point link, the external interfaces
on both devices are on the same subnet so there is nothing we need to do to allow the two devices to
communicate.

Remove the Static Routes


First, remove the static routes you added in Exercise 1.
From Policy Manager for the Site A Firebox:
1. Select Network > Routes.
2. Select the existing static route.
3. Click Remove.
4. Repeat these steps to remove the static route from the Site B Firebox.


Configure Dynamic Routing with OSPF


1. Open Policy Manager for the Site A Firebox.
2. Select Network > Dynamic Routing.
The Dynamic Routing Setup dialog box appears.
3. Select the Enable Dynamic Routing check box.
4. Select the OSPF tab.
5. Select the Enable OSPF check box.
6. Type the Site A dynamic routing configuration in the text box.
The OSPF commands used in this exercise are:
- router ospf Enables the OSPF protocol
- ospf router-id Specifies the IP address of the Site A interface that routes to Site B
- network Defines each network that OSPF sends information about
- passive-interface default Configures interfaces to not participate in OSPF by default
- no passive-interface Defines interfaces that participate in OSPF

Note
If you do not specify the OSPF router-id, OSPF sets the router-id based on the IP addresses of the
device interfaces. We recommend that you always specify the router-id to avoid the possibility of
duplicate router-ids for devices that have similar interface IP addresses.

If the Site A device is managed by student 10, the OSPF configuration for Site A looks like this:
router ospf
ospf router-id 203.0.113.10
network 203.0.113.0/24 area 0.0.0.0
network 10.0.10.0/24 area 0.0.0.0
passive-interface default
no passive-interface eth0

Note
On both devices, all interfaces except eth0 are passive. Even though OSPF announces the network on
interface 1, the device does not need to send OSPF multicasts on eth1, so eth1 is a passive interface.

7. Click Yes to automatically add the required dynamic routing policy.
Policy Manager adds the DR-OSPF-Allow policy to allow the OSPF multicasts to the reserved multicast IP
addresses for OSPF.

Note
If you remove or disable the DR-OSPF-Allow policy, or if you remove the multicast IP addresses from
the To section of the policy, dynamic routing cannot function.

8. Save the configuration to the Site A device.
Policy Manager automatically verifies the syntax in your dynamic routing configuration before it saves the
configuration to the device. If an error is found, Policy Manager displays information about the error, and does
not save the configuration.
9. Repeat the same steps to enable OSPF on the Site B Firebox.
If the Site B device is managed by student 20, the OSPF configuration for Site B looks like this:
router ospf
ospf router-id 203.0.113.20
network 203.0.113.0/24 area 0.0.0.0
network 10.0.20.0/24 area 0.0.0.0
passive-interface default
no passive-interface eth0
10. Save the configuration to the Site B device.

If Student 10 manages the Site A device, and Student 20 manages the Site B device, the finished
dynamic routing configuration for these two sites looks like this:

Figure 18: OSPF dynamic routing configurations for Site A (left) and Site B (right)
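As an added example that is not from the WatchGuard guide, the following Python lint checks the Site A and Site B OSPF text against the guidance above: an explicit router-id, passive-interface default with only the peer interface active, and no duplicate router-ids between the two sites. That eth0 is the expected peer interface is an assumption taken from this exercise.

```python
"""Lint for the Quagga-style OSPF text pasted into Policy Manager.

Added example for this guide: checks the guidance from this exercise (explicit
router-id, passive-interface default, only the peer interface active) before the
configuration is saved, and flags duplicate router-ids between two sites.
"""
import ipaddress
from typing import Dict, List, Optional

# Site A and Site B OSPF text from this exercise (student 10 and student 20).
SITE_A_OSPF = """\
router ospf
ospf router-id 203.0.113.10
network 203.0.113.0/24 area 0.0.0.0
network 10.0.10.0/24 area 0.0.0.0
passive-interface default
no passive-interface eth0
"""
SITE_B_OSPF = SITE_A_OSPF.replace("203.0.113.10", "203.0.113.20").replace("10.0.10.0", "10.0.20.0")


def parse_ospf(text: str) -> Dict:
    """Minimal parser for the five OSPF statements used in this exercise."""
    cfg: Dict = {"router_ospf": False, "router_id": None, "networks": [],
                 "passive_default": False, "active": [], "errors": []}
    for raw in text.splitlines():
        words = raw.split()
        if not words or words[0].startswith("!"):  # blank line or Quagga comment
            continue
        if words == ["router", "ospf"]:
            cfg["router_ospf"] = True
        elif words[:2] == ["ospf", "router-id"] and len(words) == 3:
            cfg["router_id"] = words[2]
        elif words[0] == "network" and len(words) == 4 and words[2] == "area":
            try:
                cfg["networks"].append((ipaddress.ip_network(words[1]), words[3]))
            except ValueError:
                cfg["errors"].append(f"bad prefix in: {raw.strip()}")
        elif words == ["passive-interface", "default"]:
            cfg["passive_default"] = True
        elif words[:2] == ["no", "passive-interface"] and len(words) == 3:
            cfg["active"].append(words[2])
        else:
            cfg["errors"].append(f"unrecognised statement: {raw.strip()}")
    return cfg


def lint_ospf(text: str, peer_interface: str) -> List[str]:
    """Findings for one device; an empty list means the text follows the guidance."""
    cfg = parse_ospf(text)
    findings = list(cfg["errors"])
    if not cfg["router_ospf"]:
        findings.append("missing 'router ospf'")
    if cfg["router_id"] is None:
        findings.append("no explicit 'ospf router-id': OSPF picks one from interface "
                        "addresses, which can collide between similar devices")
    if not cfg["networks"]:
        findings.append("no 'network ... area ...' statement: nothing is announced")
    if not cfg["passive_default"]:
        findings.append("missing 'passive-interface default': every interface would "
                        "send OSPF hellos")
    if peer_interface not in cfg["active"]:
        findings.append(f"peer interface {peer_interface} is passive; no adjacency forms")
    extra = [i for i in cfg["active"] if i != peer_interface]
    if extra:
        findings.append(f"non-peer interfaces send OSPF hellos: {extra}")
    return findings


def duplicate_router_ids(configs: List[str]) -> List[str]:
    """Router-ids that appear explicitly in more than one configuration."""
    seen: Dict[str, int] = {}
    for text in configs:
        rid: Optional[str] = parse_ospf(text)["router_id"]
        if rid is not None:
            seen[rid] = seen.get(rid, 0) + 1
    return sorted(rid for rid, count in seen.items() if count > 1)


if __name__ == "__main__":
    for name, text in (("Site A", SITE_A_OSPF), ("Site B", SITE_B_OSPF)):
        print(name, lint_ospf(text, "eth0") or "OK")
    print("duplicate router-ids:", duplicate_router_ids([SITE_A_OSPF, SITE_B_OSPF]))
```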

Review the Route Table


Now, you can review the routing table for each device to see the routes added by the dynamic routing
process.
1. Connect to the Site A Firebox with Firebox System Manager.
2. Select the Status Report tab.
3. Scroll down to the OSPF section. Or press Ctrl+F and type OSPF to find this section.
The OSPF network routing table shows the dynamic routes added by OSPF:

Figure 19: The OSPF network routing table at Site A includes a route to the trusted network at Site B


4. Scroll to the Routes section. Or press Ctrl+F and type Routes to find this section.
The dynamic routes appear in the IPv4 Routes section of the status report.

Figure 20: The IPv4 Routes table with the dynamic route added

Add a New Network at Site B


Now you can add another trusted network at Site B to see how OSPF propagates the changes to Site A.
First, configure a new network interface at Site B:
1. Open Policy Manager for the Site B Firebox.
2. Select Network > Configuration.
3. Select interface 4. Click Configure.
4. From the Interface Type drop-down list, select Trusted.
5. In the IP Address text box, type 192.168.B.1/24. Click OK.
Replace the B in the IP address with the student number your instructor gives to the student who
manages the Site B device. For example, if your student number is 20, type 192.168.20.1/24.
Next, update the OSPF dynamic routing configuration at Site B:
1. Select Network > Dynamic Routing.
2. Click the OSPF tab.
3. Add a network statement for the new network:
network 192.168.B.0/24 area 0.0.0.0
Replace the B in the IP address with the student number your instructor gives to the student who
manages the Site B device. For example, if your student number is 20, type:
network 192.168.20.0/24 area 0.0.0.0
4. Save the configuration to the device at Site B.

5. In the FSM status report for Site A, review the OSPF network routing table.

Figure 21: The OSPF network routing table


The OSPF network routing table at Site A automatically includes a route to the new trusted network at
Site B. The new route is also added to the IPv4 Routes table at Site A.
This exercise demonstrates how dynamic routing can make it easier to accommodate changes to your
network topology. When you add to or change a local network connected to one device, you do not
need to manually add routes to the new networks at all the other devices. Dynamic routing takes care
of that automatically.


Exercise 3: Configure Static Routing Over a Multi-Hop Link


Next, let's look at how to configure static routes between these two sites if they are connected with a
multi-hop link. In a multi-hop link connection, the Firebox devices do not connect to the same
network, but instead each connects to a router or other device that routes traffic between the two
devices. For this exercise, an interface on the instructor Firebox is configured with secondary addresses
to emulate a multi-hop link.

Network Topology
To configure the Firebox for this exercise, you must connect interface 2 to a switch that connects to the
instructor Firebox.

Figure 22: Multi-hop link training network topology, with IP addresses for student 10 and student 20

Before You Begin


Before you begin this exercise:
Remove any static routes added in a prior exercise.
Disable any dynamic routing protocols enabled in a prior exercise.
Make sure the device is configured with these interface settings:
Site A Firebox configuration
- Eth0 (External) is 203.0.113.A/24
- Eth1 is a trusted interface, with the IP address 10.0.A.1/24.
- Eth3 and Eth4 are disabled.
Replace the A in the IP addresses with the student number for the Site A device.
Site B Firebox configuration
- Eth0 (External) is 203.0.113.B/24.
- Eth1 is a trusted interface, with the IP address 10.0.B.1/24.
- Eth3 and Eth4 are disabled.
Replace the B in the IP addresses with the student number for the Site B device.

Configure the Peer Interfaces
Configure interface 2 on each device as the peer interface to use for dynamic routing over the
multi-hop link.

Configure the Peer Interface at Site A


1. Open the configuration for the Site A Firebox in Policy Manager.
2. Select Network > Configuration.
3. Select interface 2. Click Configure.
4. From the Interface Type drop-down list, select Optional.
5. In the IP Address text box, type 172.16.A.2/30. Click OK.
Replace the A in the IP addresses with the student number for the Site A device.

Note
You can use either a trusted or optional interface as the peer interface.

Configure the Peer Interface at Site B


1. Open the configuration for the Site B Firebox in Policy Manager.
2. Select Network > Configuration.
3. Select interface 2. Click Configure.
4. From the Interface Type drop-down list, select Optional.
5. In the IP Address text box, type 172.16.B.2/30. Click OK.
Replace the B in the IP addresses with the student number for the Site B device.

Configure Static Routes Between the Trusted Networks at Each Site


When you configure routing over a multi-hop link, you must look at your network topology to
determine all the devices that route traffic between these two networks. You can then determine the
static routes you must add to allow the two Firebox devices to communicate. For this network, we must
add a static route to each of the devices. The instructor device that connects both networks must also
have static routes to route traffic between the networks.

Add a Static Route to the Site A Firebox


1. Open the configuration for the Site A Firebox in Policy Manager.
2. Select Network > Routes.
The Setup Routes dialog box appears.
3. Click Add.
The Add Route dialog box appears.

Figure 23: The Add Route dialog box with the route to the Firebox of student 20


4. From the Destination Type drop-down list, select Network IPv4.


5. In the Route To text box, type 10.0.B.0/24, the IP address of the Site B trusted network.
For example, if the Site B device is managed by Student 20, use 10.0.20.0/24.
6. In the Gateway text box, type 172.16.A.1, the IP address of the instructor Firebox that connects to
the optional network on this device.
For example, if your student number is 10, type 172.16.10.1
7. Save the configuration to the device.

Add a Static Route to the Site B Device


1. Open the configuration for the Site B Firebox in Policy Manager.
2. Select Network > Routes.
The Setup Routes dialog box appears.
3. Click Add.
The Add Route dialog box appears.

Figure 24: The Add Route dialog box with the route to the Firebox of student 10
4. From the Destination Type drop-down list, select Network IPv4.
5. In the Route To text box, type 10.0.A.0/24, the IP address of the Site A trusted network.
For example, if the Site A device is managed by Student 10, use 10.0.10.0/24.
6. In the Gateway text box, type 172.16.B.1, the IP address of the instructor device that connects to
both networks.
For example, if your student number is 20, type 172.16.20.1
7. Save the configuration to the device.

Add Static Routes to Routers Between the Two Sites
If the Firebox devices at each site were connected to routers, you would need to add a static route to
the routers at each site. In the training network configuration, the instructor device has multiple IP
addresses assigned to one interface, so it acts as a router for both sites. To complete the static route
configuration, the instructor must add static routes to the instructor device. The configuration for the
static routes on the instructor device looks like this:

Figure 25: Static routes configured on the instructor device for all student trusted networks. The routes to the
networks for student 10 and student 20 are circled.

Test the Static Route


You can look in the IPv4 route table in Firebox System Manager Status Report tab to verify that the
static routes were added for each device.

Figure 26: The IPv4 Routes table shows the static route to the Student 20 trusted network through the
gateway at 172.16.10.1.
You can use the Ping command in the Windows command line to test the static route between the two
sites. For example, you can ping the address of the trusted interface of the device at Site B from the
management computer connected to Site A.


Exercise 4: Dynamic Routing Over a Multi-Hop Link


In this exercise, you configure dynamic routing over a multi-hop link with the BGP routing protocol.

Network Topology
To configure the Firebox for this exercise, you must connect interface 2 to a switch that connects to the
instructor device. The network topology for this exercise is exactly the same as for Exercise 3.

Figure 27: Multi-hop link training network topology

Before You Begin


Make sure the two Firebox devices are configured with these interface settings. These are the same
settings that were required for the previous exercise.
Remove any static routes added in a prior exercise.
Disable any dynamic routing protocols enabled in a prior exercise
Make sure the device is configured with these interface settings:
Site A Firebox configuration
- Eth0 (External) is 203.0.113.A/24
- Eth1 is a trusted interface, with the IP address 10.0.A.1/24.
- Eth2 is an optional interface, with the IP address 172.16.A.2/30.
- Eth3 is disabled.
Replace the A in the IP addresses with the student number for the Site A Firebox.
Site B Firebox configuration
- Eth0 (External) is 203.0.113.B/24.
- Eth1 is a trusted interface, with the IP address 10.0.B.1/24.
- Eth2 is an optional interface, with the IP address 172.16.B.2/30.
- Eth3 is disabled or disconnected.
Replace the B in the IP addresses with the student number for the Site B Firebox.

Configure Static Routes Between the Peer Interfaces
To configure static routing over a multi-hop link, you must add static routes on each Firebox and on any
network routing devices between them to correctly direct the traffic between the two networks. The
peer interfaces are the device interfaces that connect to the router between the sites. In this exercise,
the static routes direct traffic between the two peer interfaces, 172.16.A.2 at Site A and 172.16.B.2 at
Site B.
The first thing you must do is look at your network topology to determine all the devices that route
traffic between these two interfaces. You can then determine what static routes must be added to
allow the two Firebox devices to communicate. For this network, we must add a static route to each of
the devices.
There is no need for the instructor to add static host routes to the device in the middle, since the
instructor device already connects directly to the networks for the optional interfaces of both Firebox
devices.

Note
The difference between the static routes in this exercise and the static routes added in the prior
exercise, is that these are host routes to the IP address of the peer interface, rather than network
routes to the private network on the peer device.

Add a Static Route on the Site A Firebox


1. Open the configuration for the Site A Firebox in Policy Manager.
2. Select Network > Routes.
The Setup Routes dialog box appears.
3. Click Add.
The Add Route dialog box appears.

Figure 28: The Add Route dialog box with the route to the Firebox of student 20
4. From the Destination Type drop-down list, select Host IPv4.
5. In the Route To text box, type 172.16.B.2, the IP address of the Site B peer interface.
6. In the Gateway text box, type 172.16.A.1, the IP address of the instructor Firebox interface that
connects to the peer interface on the Site A Firebox.
7. Save the configuration to the device.


Add a Static Route on the Site B Firebox


1. Open the configuration for the Site B Firebox in Policy Manager.
2. Select Network > Routes.
The Setup Routes dialog box appears.
3. Click Add.
The Add Route dialog box appears.

Figure 29: The Add Route dialog box with the route to the device of student 10
4. From the Destination Type drop-down list, select Host IPv4.
5. In the Route To text box, type 172.16.A.2, the IP address of the Site A peer interface.
6. In the Gateway text box, type 172.16.B.1, the IP address of the instructor Firebox interface that
connects to the peer interface on the Site B Firebox.
7. Save the configuration to the device.

Add Static Routes to Routers Between the Two Sites


In the training network configuration, the Firebox acts as a router between the two networks. There is
no need for the instructor to add static routes to the Firebox in the middle, since that device can already
route traffic to the peer interfaces of both Firebox devices.
If the Firebox devices at each site connected to routers, you would need to add static routes on those
routers so that traffic can be routed between the peer interfaces of the Firebox devices at each site.

Test the Static Route Between the Peer Interfaces
After you configure the static routes on the Firebox devices and routers, you can use the Diagnostic
Tasks in Firebox System Manager to test the static route between the peer interfaces, External
(203.0.113.A) at Site A, and external interface (192.51.100.B) at Site B.

Note
You cannot use the ping command from the Windows command line to test this static route, since the
static route is only between the peer interfaces.

1. In Firebox System Manager for the Site A Firebox, select Tools > Diagnostic Tasks.
This is the same Diagnostic Tasks dialog box you opened before from within the Traffic Monitor tab.
2. Select the Advanced Options check box.

Note
When you enable Advanced Options, you can move the mouse pointer over the Arguments text box to
see a list of the available arguments.

Figure 30: Diagnostic Tasks ping command, advanced options

3. In the Arguments text box, type:
-I<source interface IP address> <destination IP address to ping>
This starts an extended ping from the Firebox. The -I option allows you to specify the IP address of
the interface to ping from. For this exercise, we use these addresses:
- Source address: 172.16.A.2
- Destination address: 172.16.B.2
For example, to ping from the Student 10 peer interface to the Student 20 peer interface, type:
-I172.16.10.2 172.16.20.2
4. Click Run Task.
It can take more than a minute for the results to appear in the Results text box.
Repeat the above steps from the Firebox at Site B to test routing to the peer interface at Site A. At Site B,
the arguments for the extended ping are reversed:
Source address: 172.16.B.2
Destination address: 172.16.A.2
If the static route test does not work the first time, check your cabling and static route configuration.
After you verify that the peering interfaces can communicate, you are ready to set up dynamic routing
between the two networks.


Configure Dynamic Routing with BGP


1. Open Policy Manager for the Site A Firebox.
2. Select Network > Dynamic Routing.
The Dynamic Routing Setup dialog box appears.
3. Select the Enable Dynamic Routing check box.
4. Select the OSPF tab.
Clear the Enable OSPF check box to disable OSPF dynamic routing you enabled in Exercise 2.
5. Select the BGP tab.
6. Select the Enable BGP check box.
7. Type the Site A dynamic routing configuration in the text box. Basic BGP statements are:
- router Enables the BGP protocol and specifies the BGP AS number to use
- network Defines each local network that BGP sends information about
- neighbor Defines the IP address and AS number of the remote peer
If Student 10 manages the Site A Firebox and Student 20 manages the Site B Firebox, the BGP
configuration for Site A looks like this:
router bgp 65535
network 10.0.10.0/24
neighbor 172.16.20.2 remote-as 65535
8. Click Yes to automatically add the required dynamic routing policy.
Policy Manager adds the DR-BGP-Allow policy.
9. Save the configuration to the device.
Policy Manager automatically verifies the syntax in your dynamic routing configuration before it saves the
configuration to the device. If an error is found, Policy Manager displays information about the error, and does
not save the configuration.
10. Repeat the same steps to disable OSPF and enable BGP on the Site B Firebox.
If Student 10 manages the Site A Firebox and Student 20 manages the Site B Firebox, the BGP
configuration for Site B looks like this:
router bgp 65535
network 10.0.20.0/24
neighbor 172.16.10.2 remote-as 65535
11. Save the configuration to the device at Site B.

Review the Route Table
Now, review the routing table to verify that the expected routing table entries were added.
1. Connect to the Site A Firebox with Firebox System Manager.
2. Select the Status Report tab.
3. Scroll down to the BGP section.
The BGP network routing table shows the dynamic routes added by BGP:

Figure 31: Dynamic routes in the BGP network routing table


4. Scroll to the IPv4 Routes section.
The IPv4 Routes table now includes:
- The static route to the peer interface at Site B
- The dynamic route added by BGP.

5. Repeat these steps to examine the routing table in the status report for the Site B Firebox.

Test the Static Route


You can use the Ping command in the Windows command line to test the static route between the two
sites. For example, you can ping the address of the management computer connected to the trusted
network at Site B from the management computer connected to the trusted network at Site A.

Troubleshooting
If the dynamic routes from one device do not appear in the route table of the peer device, use these
steps to troubleshoot the problem:
1. Make sure you have saved the configuration to each device.
2. Verify that each device has a working static route to the external interface on the peer device.
If necessary, use the steps earlier in this exercise to test the static route.
3. Make sure there is a policy to allow BGP traffic between the two devices.
The DR-BGP-Allow policy should have been automatically created on each device when you enabled BGP.
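Troubleshooting step 2 can be checked offline. This added Python example (not part of the WatchGuard guide) parses the Site A BGP text from this exercise, classifies each peering as iBGP or eBGP, and confirms that every neighbor address is covered by an entry in the IPv4 Routes table, reporting the host route to add when it is not. The Site A route list is constructed from the exercise addresses for students 10 and 20.

```python
"""Offline check of the BGP text in this exercise against the IPv4 Routes table.

Added example for this guide: every neighbor must be covered by an entry in the
route table (here, the static host route to the peer interface); otherwise the
peering cannot come up and no dynamic routes appear.
"""
import ipaddress
from typing import Dict, List, Tuple

# Site A BGP text from this exercise (student 10 peering with student 20).
SITE_A_BGP = """\
router bgp 65535
network 10.0.10.0/24
neighbor 172.16.20.2 remote-as 65535
"""
# Constructed IPv4 Routes entries for Site A after the Exercise 4 host route is added:
# connected external, trusted and peer-link networks, plus the host route to 172.16.B.2.
SITE_A_ROUTES = ["203.0.113.0/24", "10.0.10.0/24", "172.16.10.0/30", "172.16.20.2/32"]


def parse_bgp(text: str) -> Dict:
    """Minimal parser for the three BGP statements used in this exercise."""
    cfg: Dict = {"local_as": None, "networks": [], "neighbors": [], "errors": []}
    for raw in text.splitlines():
        words = raw.split()
        if not words or words[0].startswith("!"):  # blank line or Quagga comment
            continue
        try:
            if words[:2] == ["router", "bgp"] and len(words) == 3:
                cfg["local_as"] = int(words[2])
            elif words[0] == "network" and len(words) == 2:
                cfg["networks"].append(ipaddress.ip_network(words[1]))
            elif words[0] == "neighbor" and len(words) == 4 and words[2] == "remote-as":
                cfg["neighbors"].append((ipaddress.ip_address(words[1]), int(words[3])))
            else:
                cfg["errors"].append(f"unrecognised statement: {raw.strip()}")
        except ValueError:
            cfg["errors"].append(f"bad address or AS number in: {raw.strip()}")
    return cfg


def peerings(text: str) -> List[Tuple[str, str]]:
    """Each neighbor with its peering type: a remote AS equal to the local AS is iBGP."""
    cfg = parse_bgp(text)
    return [(str(ip), "iBGP" if asn == cfg["local_as"] else "eBGP")
            for ip, asn in cfg["neighbors"]]


def check_bgp_peering(text: str, route_table: List[str]) -> List[str]:
    """Findings for one device; an empty list means every neighbor is reachable."""
    cfg = parse_bgp(text)
    known = [ipaddress.ip_network(r) for r in route_table]
    findings = list(cfg["errors"])
    if cfg["local_as"] is None:
        findings.append("missing 'router bgp <as-number>'")
    if not cfg["neighbors"]:
        findings.append("no 'neighbor' statement: BGP has no peer")
    for ip, _ in cfg["neighbors"]:
        if not any(ip in net for net in known):
            findings.append(f"neighbor {ip} is not covered by any route table entry; "
                            f"add a static host route to {ip} via the router between the sites")
    return findings


if __name__ == "__main__":
    print("peerings:", peerings(SITE_A_BGP))
    print("findings:", check_bgp_peering(SITE_A_BGP, SITE_A_ROUTES) or "OK")
    without_host_route = [r for r in SITE_A_ROUTES if r != "172.16.20.2/32"]
    print("without host route:", check_bgp_peering(SITE_A_BGP, without_host_route))
```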


What You Have Learned


In this module you learned the concepts related to static and dynamic routing, and when and how to
use each routing method. This includes how to:
Select the best routing protocol to use
Configure static routing over a point-to-point link and a multi-hop link
Configure OSPF for dynamic routing over a point-to-point link
Configure BGP for dynamic routing over a multi-hop link
Use the Status Report and Diagnostic Log Levels to monitor and troubleshoot routing


FireCluster
Redundancy and Load Sharing for Your Network

Introduction

What You Will Learn


With the Fireware FireCluster feature, you can configure two Firebox devices as a cluster to increase
network performance and scalability. In this module, you learn how to:
Understand the clustering requirements for your Firebox
Set up a FireCluster
See status for a FireCluster
Understand what happens when a FireCluster failover occurs

About FireCluster
A FireCluster is a pair of Firebox devices configured to provide network redundancy and improved
scalability. Both devices connect to routers or switches connected to each network. The Firebox devices
also connect directly to each other to exchange information necessary for the operation of the cluster.

Figure 1: A FireCluster with a trusted and an optional network

To set up a FireCluster, you first configure one device with the network and policy configuration you
want to use for the cluster. You reset the second device to factory default settings. When you connect
the two devices to each other and enable FireCluster, the connected devices synchronize their
configuration and operate as a cluster.
When you configure Firebox devices as a FireCluster, there are some management limitations:
- You cannot use Fireware Web UI to configure a cluster or change the FireCluster settings.
- You cannot use WSM with a Management Server to schedule an OS update for a FireCluster member.

Terms and Concepts You Should Know

Cluster Member
A device that is part of a FireCluster. A cluster member can take on one of two roles in the cluster.
Cluster master: The device that updates and maintains all the connection and session
information for the cluster, and synchronizes that information with the backup master. In an active/
active cluster, the cluster master assigns connections and sessions to itself or to the backup master.
Backup master: The device that monitors the cluster master, and automatically takes over the
role of cluster master in the event of a failover.

Active/Active Cluster
In an active/active cluster, both cluster members share the load of traffic that passes through the
cluster. An active/active cluster improves scalability because both devices share the load. If either
member of an active/active cluster fails, the other member takes on the entire load for the cluster. To
add both redundancy and load sharing to your network, select an active/active cluster.

Active/Passive Cluster
In an active/passive cluster, also known as an active/standby cluster, only the cluster master handles network
traffic. The backup master actively monitors and synchronizes status with the cluster master. If the
cluster master fails, the backup master becomes cluster master, and takes over all the traffic for the
cluster. An active/passive cluster provides redundancy, but not increased scalability, because the traffic
load is handled by only one device at a time. To add redundancy, choose an active/passive cluster.

Load Balance Methods


An active/active FireCluster supports two load balance methods:
Least connection: The cluster master assigns each new traffic flow to the cluster member that
has the lowest number of open connections.
Round-robin: The cluster master assigns each new traffic flow alternately to the cluster master
and the backup master.


Cluster ID
The cluster ID uniquely identifies your FireCluster. The default cluster ID is 1. If you enable more than
one FireCluster on the same network, it is important to assign each cluster a different cluster ID.
An active/passive FireCluster uses a virtual MAC address, calculated based on the Cluster ID and the
interface numbers. If you configure more than one active/passive FireCluster on the same subnet, it is
important to know how to set the Cluster ID to avoid a possible virtual MAC address conflict.
The virtual MAC addresses for interfaces on an active/passive FireCluster start with 00:00:5E:00:01. The
sixth octet of the MAC address is set to a value that is equal to the interface number plus the Cluster ID.

Note
You can see the virtual MAC address in Firebox System Manager, in the details for each interface.

For example, if you set the Cluster ID to 1, the virtual MAC addresses for the first three interfaces are:
Interface 0: 00:00:5E:00:01:01
Interface 1: 00:00:5E:00:01:02
Interface 2: 00:00:5E:00:01:03
If you add a second active/passive FireCluster to the same subnet, you must set the Cluster ID to a
number that is different enough from the Cluster ID of the first FireCluster to avoid a virtual MAC
address conflict between interfaces on the two FireClusters.
It is also possible that the FireCluster virtual MAC addresses can conflict with HSRP and VRRP devices on
your network. Keep this in mind when you decide which Cluster ID to use.
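To make the Cluster ID arithmetic concrete, here is an added Python helper (not WatchGuard code) that derives the virtual MAC addresses from the rule above, reports collisions between two FireClusters on one subnet, and finds the smallest Cluster ID that avoids them. The VRRP check is an extension based on RFC 3768, which assigns VRRP routers the virtual MAC 00:00:5E:00:01:<VRID>, the same prefix the page gives for FireCluster.

```python
"""Virtual MAC planning for active/passive FireClusters.

Added example, not WatchGuard code. Assumed from the page: the virtual MAC
prefix is 00:00:5E:00:01 and the sixth octet is interface number + Cluster ID.
The VRRP check relies on RFC 3768 (virtual MAC 00:00:5E:00:01:<VRID>).
"""
from typing import Dict, Iterable, List, Sequence, Tuple

VMAC_PREFIX = "00:00:5E:00:01"


def virtual_mac(cluster_id: int, interface: int) -> str:
    """Return the virtual MAC a cluster interface gets for this Cluster ID."""
    sixth = cluster_id + interface
    if not 0 <= sixth <= 255:
        raise ValueError("interface number + Cluster ID must fit in one octet")
    return f"{VMAC_PREFIX}:{sixth:02X}"


def cluster_macs(cluster_id: int, interfaces: Iterable[int]) -> Dict[int, str]:
    """Map each active interface number to its virtual MAC."""
    return {iface: virtual_mac(cluster_id, iface) for iface in interfaces}


def mac_conflicts(clusters: Dict[str, Tuple[int, Sequence[int]]],
                  vrrp_vrids: Iterable[int] = ()) -> List[str]:
    """List virtual MAC collisions between FireClusters on one subnet, and
    between those clusters and any VRRP groups (by VRID) on the same subnet."""
    owners: Dict[str, str] = {}
    conflicts: List[str] = []
    for name, (cluster_id, interfaces) in clusters.items():
        for iface, mac in cluster_macs(cluster_id, interfaces).items():
            label = f"{name} interface {iface}"
            if mac in owners:
                conflicts.append(f"{mac}: {owners[mac]} vs {label}")
            else:
                owners[mac] = label
    for vrid in vrrp_vrids:
        mac = f"{VMAC_PREFIX}:{vrid:02X}"
        if mac in owners:
            conflicts.append(f"{mac}: {owners[mac]} vs VRRP VRID {vrid}")
    return conflicts


def min_safe_cluster_id(first_id: int, first_ifaces: Sequence[int],
                        second_ifaces: Sequence[int]) -> int:
    """Smallest Cluster ID above first_id that gives a second cluster no
    virtual MAC in common with the first. The page says the IDs must be
    'different enough'; this computes exactly how different."""
    taken = set(cluster_macs(first_id, first_ifaces).values())
    candidate = first_id + 1
    while set(cluster_macs(candidate, second_ifaces).values()) & taken:
        candidate += 1
    return candidate


if __name__ == "__main__":
    # Two clusters with interfaces 0-2: IDs 1 and 2 overlap, ID 4 is the first safe one.
    print(mac_conflicts({"cluster-A": (1, [0, 1, 2]), "cluster-B": (2, [0, 1, 2])}))
    print(min_safe_cluster_id(1, [0, 1, 2], [0, 1, 2]))
```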

Cluster Interface
The cluster interface is an interface on each cluster member that is dedicated to communication
between the cluster members. The cluster interfaces of the cluster members must connect to each
other. You must define at least one cluster interface. You can optionally configure a second cluster
interface that is only used if communication over the primary cluster interface is interrupted.

Cluster Interface IP Address


Each pair of cluster interfaces must be assigned an IP address on the same subnet. To avoid conflict
with routable IP addresses, we recommend you allocate a dedicated private subnet to each cluster
interface, or use link-local IP addresses for the cluster interfaces. Link-local IP addresses begin with
169.254. You might find it useful to define your cluster interface IP addresses like this:
169.254.<interface number>.<member number>/24
For example, if interface 4 is a cluster interface, you could set the interface IP addresses to:
Member 1: 169.254.4.1/24
Member 2: 169.254.4.2/24
This link-local IP address convention is used in the exercises included in this module.

Note
RFC 3927 specifies that a link-local address must be in the 169.254.0.0/16 subnet. Because the
cluster interface connection is an isolated network, it is not a problem to use the /24 IP address.

Note
Do not set the Primary or Backup cluster IP address to the default IP address of any interface on the
device. The default interface IP addresses are in the range 10.0.0.1 - 10.0.17.1.

Management Interface
You must select one of the active traffic interfaces as the interface for management IP address. Set this to
the interface your management computer is connected to. This is usually the trusted network. You
must also configure a management IP address for each cluster member. The address must be an unused
IP address on the network for the selected interface. You can also use a VLAN as the cluster
management interface.
If the interface you select as the interface for management IP address has IPv6 enabled, you can assign
an IPv6 management IP address for each cluster member.
Management software uses the Management IP address to connect to cluster members for upgrade,
failover, reboot, shutdown and other operations. You can also use the IPv4 or IPv6 management IP
address to connect to a specific cluster member with the management software.

About Failover
Failover occurs when one of the cluster members experiences a failure and the other cluster member
takes over the traffic that was assigned to the failed device. The cluster master is constantly monitored
by the backup master.

Causes of FireCluster Failover


Failover of a cluster member can be triggered by one of these events:
Lost heartbeat from the cluster master
The cluster master sends a heartbeat packet through the primary and backup cluster interfaces
once per second. If the backup master does not receive three consecutive heartbeats from the
cluster master, this triggers failover of the cluster master. The default threshold for lost heartbeats is
three. You can increase the lost heartbeat threshold that triggers a failover in the FireCluster
Advanced settings.
Software or hardware malfunction
If a software or hardware error is detected on a cluster member, that can trigger failover of that
device. This is based on comparing the cluster health indexes of each cluster member.
Monitored interface link down
The FireCluster monitors the link status of all active interfaces (all interfaces that are not set to status
Disabled). This is why it is important that you disable any interfaces that are not connected to a
switch or router.
Failover Master command
In Firebox System Manager, you can select Tools > Cluster > Failover Master to force the cluster
master to fail over.


The cluster health factors that can trigger a failover are collectively referred to as the Weighted Average
Index (WAI). The WAI takes into account the link status of monitored interfaces, and other factors that
indicate a software or hardware malfunction. If the WAI of the backup master is greater than the WAI of
the master, failover of the cluster master is triggered.
You can see the WAI in the Cluster Health section of the status report in Firebox System Manager.
Cluster Health
--------------
Member Id = 80B0030CA6EE9
Member cluster Role = 3
System Health Index (SHI) = 100
Hardware Health Index (HHI) = 100 (disabled)
Monitored Ports Health Index (MPHI) = 100
Weighted Avg Index (WAI) = 100
Member Id = 80B0030EBCFAA
Member cluster Role = 2
System Health Index (SHI) = 100
Hardware Health Index (HHI) = 100 (disabled)
Monitored Ports Health Index (MPHI) = 100
Weighted Avg Index (WAI) = 100
For each cluster member, the Status Report shows these health index values:
System Health Index (SHI)
This number indicates the status of monitored processes on the device. If all monitored processes
are active, the SHI value is 100.
Hardware Health Index (HHI)
This number indicates the status of critical hardware components. If no hardware failures are
detected, the HHI value is 100. If a critical monitored hardware component fails, the HHI value is
zero. The HHI is based on the status of hardware components such as the CPU, fans, and power
supply.
If (disabled) appears adjacent to the HHI number in the Status Report, the HHI is not used in the
calculation of the WAI, and so is not a criterion for failover. This is the default setting.
Monitored Ports Health Index (MPHI)
This number indicates the link status of monitored ports. If all monitored ports are up, the MPHI value
is 100. The status of wireless connections is not monitored as part of this index.
Weighted Average Index (WAI)
This number is used to compare the overall health of two cluster members, as a criterion for failover.
By default, the WAI for a cluster member is a weighted average of the SHI and MPHI for that device,
but does not include the HHI.
If you enable the HHI to be used in the calculation of the WAI, the WAI is a weighted average of the
HHI, SHI, and MPHI. The one exception is that if the HHI of a device is zero, the WAI for that device is
also zero.
To enable the HHI to be used in the calculation of the WAI, select the Monitor hardware status as a
criteria for FireCluster failover check box in FireCluster Advanced settings.
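The following added Python example (not Fireware code) parses the Cluster Health section in the layout shown above and applies the WAI rules from this section: HHI is left out unless enabled, an enabled HHI of zero forces the WAI to zero, and the master fails over when the backup's WAI is greater. The page does not state the averaging weights, so equal weights are an assumption; the sample report is constructed, with member 2 given a degraded MPHI.

```python
"""Parse the Cluster Health status report section and evaluate failover.

Added example, not Fireware code. Weights in the WAI are assumed equal
because the page does not give them; everything else follows the page.
"""
import re
from typing import Dict, List, Optional, Sequence

# Constructed sample in the page's layout; member 2 has a degraded MPHI.
SAMPLE_REPORT = """\
Cluster Health
--------------
Member Id = 80B0030CA6EE9
Member cluster Role = 3
System Health Index (SHI) = 100
Hardware Health Index (HHI) = 100 (disabled)
Monitored Ports Health Index (MPHI) = 100
Weighted Avg Index (WAI) = 100
Member Id = 80B0030EBCFAA
Member cluster Role = 2
System Health Index (SHI) = 100
Hardware Health Index (HHI) = 100 (disabled)
Monitored Ports Health Index (MPHI) = 50
Weighted Avg Index (WAI) = 75
"""

# "<key> = <value>" with an optional trailing "(disabled)" style flag.
LINE_RE = re.compile(r"^(?P<key>[^=]+?)\s*=\s*(?P<val>\S+)(?:\s*\((?P<flag>\w+)\))?\s*$")


def parse_cluster_health(text: str) -> List[Dict]:
    """Return one dict per member: id, role, shi, hhi, hhi_enabled, mphi, wai."""
    members: List[Dict] = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue  # title, underline, or an unrelated line
        key, val, flag = m.group("key").strip(), m.group("val"), m.group("flag")
        if key == "Member Id":
            members.append({"id": val})
            continue
        if not members:
            continue  # a value before any Member Id line is ignored
        cur = members[-1]
        if key == "Member cluster Role":
            cur["role"] = int(val)
        elif "(SHI)" in key:
            cur["shi"] = int(val)
        elif "(HHI)" in key:
            cur["hhi"] = int(val)
            cur["hhi_enabled"] = flag != "disabled"
        elif "(MPHI)" in key:
            cur["mphi"] = int(val)
        elif "(WAI)" in key:
            cur["wai"] = int(val)
    return members


def weighted_average_index(shi: int, mphi: int, hhi: Optional[int] = None,
                           weights: Optional[Sequence[float]] = None) -> int:
    """WAI per the page: SHI and MPHI by default; HHI only when enabled (passed);
    an enabled HHI of 0 forces WAI to 0. Equal weights unless given (assumption)."""
    if hhi is not None and hhi == 0:
        return 0
    parts = [shi, mphi] if hhi is None else [shi, mphi, hhi]
    w = list(weights) if weights else [1.0] * len(parts)
    if len(w) != len(parts):
        raise ValueError("one weight per index")
    return round(sum(p * x for p, x in zip(parts, w)) / sum(w))


def failover_triggered(master_wai: int, backup_wai: int) -> bool:
    """Failover of the cluster master is triggered when the backup's WAI is greater."""
    return backup_wai > master_wai


if __name__ == "__main__":
    for member in parse_cluster_health(SAMPLE_REPORT):
        print(member)
```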

What Happens During a Failover
It is possible for either device in a cluster to fail. In an active/passive cluster, only failure of the cluster
master impacts connections. In an active/active cluster, because connections can be assigned to either
device, failure of either device can interrupt proxy and mobile VPN connections assigned to the device
that failed.
Failure of the cluster master
When a failover of the cluster master occurs, the backup master becomes the cluster master. The
original cluster master may rejoin the cluster as the backup master. When a failover occurs, the
cluster maintains all packet filter connections, branch office VPN tunnels, and user sessions. This is
the same for an active/active or an active/passive FireCluster.
Failure of the backup master
If the backup master fails in an active/active cluster, the cluster master maintains all packet filter
connections, branch office VPN tunnels, and user sessions. Proxy connections and Mobile VPN
connections are interrupted if they are assigned to the backup master.
In an active/passive cluster, if the backup master fails, there is no interruption of connections or
sessions because no traffic is assigned to the backup master.

Which Connections Fail Over


When a failover occurs, proxy and mobile VPN connections that were assigned to the device that failed
are interrupted. These connections must be reestablished with the other active device in the cluster.
Connections that fail over:
Packet filter connections
User sessions
Branch Office VPN tunnels
Connections that do not fail over:
Proxy connections
Mobile VPN connections


Monitoring Tools
Firebox System Manager and the Fireware log files are useful tools to monitor the status and operation
of your FireCluster.

Firebox System Manager


On the Front Panel tab in Firebox System Manager, you can monitor the real-time status of your
FireCluster. If you connect to the cluster, you can see the status of the cluster as a whole. If you connect
to an individual cluster member, you can see more details about that specific device.
To connect to a cluster member:
1. Connect to a cluster member and open Firebox System Manager.
2. Select Tools > Cluster > Connect to Member.
The Status Report tab in Firebox System Manager is an important tool you can use to understand
more details about the current state of your FireCluster.
To see the Status Report:
1. Connect to the cluster and open Firebox System Manager.
2. Select the Status Report tab.
When Firebox System Manager is in cluster view, the Status Report has a report section for each
member. When you connect to a specific cluster member, the status report shows information about
just that member.

Diagnostic Logging
If you need to troubleshoot issues with FireCluster, it can be useful to change the diagnostic log level
for FireCluster. By default, the FireCluster diagnostic log level is set to Error. You can increase the level
to see more detailed information in the log files.
To configure the diagnostic log level for FireCluster:
1. In Policy Manager, select Setup > Logging.
2. Click Diagnostic Log Level.
From the category list, expand FireCluster.

Figure 2: The FireCluster diagnostic log level


3. Select the FireCluster category to set the diagnostic log level for all the FireCluster components, or
select a sub-category to change the log level for the category of FireCluster operations that you
want to monitor more closely.
- Cluster Management: Log messages for FireCluster configuration and management tasks
- Cluster Operation: Log messages for all current FireCluster member roles and operations
- Cluster Event Monitoring: Log messages for the process that monitors FireCluster
resources and takes the appropriate action for each event that occurs in the FireCluster
- Cluster Transport: Log messages for FireCluster member communications channels
After you increase the diagnostic log level, you can see more detailed log messages in Traffic Monitor
and in your log files, if you have configured a Log Server.


FireCluster Requirements
To use FireCluster, your Firebox devices and network configuration must meet these requirements:

Hardware Requirements
Both Firebox devices in a FireCluster must be the same model. FireCluster is supported on most Firebox
models.
FireCluster restrictions on Firebox wireless devices (Firebox T10-W, XTM 25-W, 26-W, and 33-W):
When you enable the external interface as a wireless interface, FireCluster is not supported.
When you enable wireless access points on a Firebox wireless device, you can configure
FireCluster only as active/passive.
FireCluster is not supported on:
XTMv virtual devices on Hyper-V
Firebox T10, XTM 21/22/23 or XTM 21-W/22-W/23-W models

License Requirements
Both devices in a FireCluster must use the same version of Fireware.
Both devices must have an active LiveSecurity Service subscription.
For an active/active cluster, we recommend both devices have active licenses for the same set of
security services such as Gateway AV, Intrusion Prevention Service, and Application Control. For an
active/passive cluster, you need an active license for any security services on only one of the cluster
members, and that license is used by whichever device is active.

Network Configuration Requirements


You cannot configure the network in bridge mode for an active/active or active/passive cluster.
You cannot configure the network in drop-in mode for an active/active cluster.
You cannot configure an active/active FireCluster for a device that uses link aggregation.
For an active/active cluster, you must configure the external interface with a static IP address.
For an active/passive cluster, the external interface can have a static IP address, or use PPPoE.
You can configure a wireless device in active/passive mode only.
We recommend that you do not use the default IP address 10.0.1.1 for interface 1.

Switch and Router Requirements
Switch and router requirements depend on the type of FireCluster.
Active/Active or Active/Passive FireCluster
In any FireCluster, all active traffic interfaces must be connected to a separate switch or VLAN.
Active/Active FireCluster
For an active/active FireCluster, your configuration must also meet these requirements:
All switches and routers in the broadcast domain must not block ARP requests if the response
contains a multicast MAC address.
- This is the default behavior for most layer 2 switches.
- For routers and layer 3 switches, the default behavior is to follow RFC 1812. If possible, disable
this behavior. If you are unable to block RFC 1812 support, you might need to configure static
MAC and static ARP entries on your routing device.
All switches in the broadcast domain must be configured to forward traffic to all ports connected
to FireCluster members when the destination MAC address is the multicast MAC address of the
FireCluster.
- For unmanaged layer 2 switches, this should be the default behavior.
- For managed switches, you could need to add static MAC and static ARP entries for the
FireCluster.
You could need to add the IP address and MAC address of each router or layer 3 switch in the
broadcast domain as a static ARP entry in the FireCluster configuration.

Note
The default ARP behavior is described in RFC 1812, section 3.3.2. To find the multicast MAC
addresses for the FireCluster, select FireCluster > Configure.
To add static ARP entries:
1. Find the IP address and MAC address of your layer 3 switch.
2. In Policy Manager, select Network > ARP Entries.

Figure 3: Static ARP Entries dialog box


3. Add one static ARP entry for each switch that connects directly to your FireCluster.


FireCluster Pre-Configuration Checklist


When you're ready to set up a FireCluster, it can be helpful to run through this checklist to make sure
prerequisites have been met and you are ready to enable FireCluster:
_______ You have two identical Firebox devices with matching model numbers. These cannot be
Firebox T10 or XTM 21, 22, 23, 21-W, 22-W, or 23-W.
_______ Both devices have the same version of Fireware OS installed.
_______ Both Firebox devices have a Fireware Pro license in the feature key
(this is included by default for most models).
_______ You have a crossover cable (red) to connect the cluster interfaces.
_______ You know the serial numbers for each Firebox device:
Member 1: __________________________________
Member 2: __________________________________
_______ You have saved the feature keys for both devices to a local file.
_______ You have one switch or router for each active traffic interface.
_______ You have decided which interfaces and IP addresses to use for this FireCluster. Record
these in the table below.

FireCluster interfaces and IP addresses:

                            Interface number   Member 1 IP Address   Member 2 IP Address
Primary Cluster Interface   ________________   ___________________   ___________________
Backup Cluster Interface    ________________   ___________________   ___________________
Management Interface        ________________   ___________________   ___________________

Note
Do not assign IP addresses in the range 10.0.0.1 - 10.0.13.254 to the primary or backup cluster
interfaces. This address range includes Firebox default interface IP addresses and cannot be used for
the cluster interfaces.

For the FireCluster Management IP address, select an unused IP address on the same subnet as the
address assigned to the management interface. For example, if you select the trusted interface as the
management interface, choose two unused IP addresses from your trusted subnet to use as the
FireCluster management IP addresses. If you choose the External interface as the Interface for
management IP address, choose two unused external IP addresses on the same subnet as the External
interface IP address that you can dedicate to FireCluster management functions.

Note
If you set the Management IP addresses of a FireCluster member to an IP address that is not on the
same subnet as the IP address of the FireCluster management interface, make sure your network
configuration includes routes to allow the management software to communicate with FireCluster
members, and to allow the FireCluster members to communicate with each other.
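As an added example (not WatchGuard code), this Python helper fills in the interface and address table from the checklist using the 169.254.<interface>.<member>/24 convention and checks the rules this module states: the reserved 10.0.0.1 - 10.0.13.254 range from the Note above, same-subnet cluster pairs, management IPs on the management interface's subnet, and management IPs kept outside the trusted DHCP pool as the exercise does. The student-10 addresses are taken from Exercise 1; the failing plan is constructed.

```python
"""Plan and sanity-check FireCluster interface and management IP addresses.

Added example, not WatchGuard code. Applies the rules stated in this module;
the DHCP pool check reflects the exercise's reason for choosing the pool.
"""
import ipaddress
from typing import Dict, List, Optional, Tuple

IPv4If = ipaddress.IPv4Interface
IPv4Addr = ipaddress.IPv4Address

# Range the Note says cannot be used for the primary or backup cluster interfaces.
RESERVED_LOW = IPv4Addr("10.0.0.1")
RESERVED_HIGH = IPv4Addr("10.0.13.254")

# role -> (interface number, member 1 address, member 2 address)
Plan = Dict[str, Tuple[int, IPv4If, IPv4If]]


def link_local_cluster_ip(interface: int, member: int) -> IPv4If:
    """169.254.<interface number>.<member number>/24, the module's convention."""
    if not (0 <= interface <= 255 and 1 <= member <= 254):
        raise ValueError("interface or member number out of range")
    return IPv4If(f"169.254.{interface}.{member}/24")


def plan_addresses(primary_if: int, backup_if: int, mgmt_if: int,
                   mgmt_ips: Tuple[str, str]) -> Plan:
    """Build the interface/address table the checklist asks you to fill in."""
    return {
        "primary": (primary_if, link_local_cluster_ip(primary_if, 1),
                    link_local_cluster_ip(primary_if, 2)),
        "backup": (backup_if, link_local_cluster_ip(backup_if, 1),
                   link_local_cluster_ip(backup_if, 2)),
        "management": (mgmt_if, IPv4If(mgmt_ips[0]), IPv4If(mgmt_ips[1])),
    }


def validate_plan(plan: Plan, mgmt_interface_ip: str,
                  dhcp_pool: Optional[Tuple[str, str]] = None) -> List[str]:
    """Return a list of problems; an empty list means the plan passes."""
    problems: List[str] = []
    if plan["primary"][0] == plan["backup"][0]:
        problems.append("primary and backup cluster interfaces must be different")
    if plan["management"][0] in (plan["primary"][0], plan["backup"][0]):
        problems.append("management interface must be an active traffic interface, not a cluster interface")
    for role in ("primary", "backup"):
        _, m1, m2 = plan[role]
        if m1.network != m2.network:
            problems.append(f"{role} cluster IPs are not on the same subnet")
        if m1.ip == m2.ip:
            problems.append(f"{role} cluster IPs are identical")
        for tag, addr in (("member 1", m1), ("member 2", m2)):
            if RESERVED_LOW <= addr.ip <= RESERVED_HIGH:
                problems.append(f"{role} {tag} {addr} is in the reserved default range")
    mgmt_if = IPv4If(mgmt_interface_ip)
    pool = (IPv4Addr(dhcp_pool[0]), IPv4Addr(dhcp_pool[1])) if dhcp_pool else None
    _, g1, g2 = plan["management"]
    if g1.ip == g2.ip:
        problems.append("management IPs are identical")
    for tag, addr in (("member 1", g1), ("member 2", g2)):
        if addr.ip not in mgmt_if.network:
            problems.append(f"management {tag} {addr} is not on {mgmt_if.network}")
        elif addr.ip == mgmt_if.ip:
            problems.append(f"management {tag} {addr} duplicates the interface IP")
        elif pool and pool[0] <= addr.ip <= pool[1]:
            problems.append(f"management {tag} {addr} is inside the DHCP pool")
    return problems


if __name__ == "__main__":
    # Student 10 from Exercise 1: trusted 10.0.10.1/24, DHCP pool 10.0.10.2 - 10.0.10.100.
    plan = plan_addresses(5, 4, 1, ("10.0.10.101/24", "10.0.10.102/24"))
    print(validate_plan(plan, "10.0.10.1/24", ("10.0.10.2", "10.0.10.100")))
```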

Now you are ready to set up the FireCluster as described in Exercise 1.

Exercise 1: Set Up an Active/Passive Cluster
In this exercise you learn how to configure two Firebox devices as an active/passive FireCluster.
To complete this exercise, you must have:
Two supported Firebox devices of the same model number.
Fireware v11.10 or higher installed on both devices.
Fireware Pro enabled in the feature key for both devices.
Feature key for both devices saved locally in a file.
A switch or router for each enabled network interface.
In this exercise, we refer to the members of the FireCluster as Member 1 and Member 2, because that is
how the FireCluster Setup wizard names them by default. Member 1 is the first device you configure.
Member 2 is the second device that you add when you enable FireCluster. For the first part of this
exercise, Member 2 must be powered off.

Configure the External Interface to Use a Static IP Address


1. Make sure that Member 2 is powered off.
2. In WatchGuard System Manager, connect to Member 1.
3. Open Policy Manager.
4. Select Network > Configuration.
The Network Configuration dialog box appears.
5. In the Interfaces tab, select External (Interface 0). Click Configure.
The Interface Settings dialog box appears.

Figure 4: Configure interface 0 as an external interface with a static IP address


6. Make sure that the Interface Type is set to External.
7. Select Use Static IP.
8. In the IP Address text box, type 203.0.113.X/24.
Replace the X in the IP address with the student number your instructor gives you.
For example, if you are Student 10, the IP address you type is 203.0.113.10/24
9. In the Default Gateway text box, type the IP address of the default gateway. Click OK.


Configure the Trusted Interface


1. In the Interfaces tab, select Trusted (Interface 1). Click Configure.
The Interface Settings dialog box appears.
2. Make sure the Interface Type is set to Trusted.
3. In the IP Address text box, type 10.0.X.1/24.
Replace the X in the IP address with the student number your instructor gives you.

Note
It is important that you do not use the default IP address, 10.0.1.1, for interface 1, because that
would create a temporary IP address conflict with the second device before the cluster is formed.

4. In the DHCP Address Pool list, configure the address range 10.0.X.2 - 10.0.X.100.
We set the IP address range here so that we can identify an address outside of this range to use
for the Management IP address.

Figure 5: DHCP Server address pool configuration for student 10


5. Click OK.

Disable Unused Network Interfaces
In this exercise, we assume there is only one trusted network, connected to Interface 1. Before you
enable FireCluster, you must disable any unused interfaces. This is an important step, because
FireCluster monitors the link status of all enabled interfaces to determine whether to start failover.
1. Select Network > Configuration.
The Network Configuration dialog box appears.

Figure 6: Interfaces configuration for student 10, with unused interfaces enabled
2. If there are any unused interfaces enabled, select an unused interface and click Configure.
3. From the Interface Type drop-down list, select Disabled. Click OK.
Repeat this for all the other unused interfaces.

Figure 7: Interfaces configuration for student 10, with unused interfaces disabled
4. Save the configuration to the Firebox.
Because you have changed the trusted IP address, you must use the new address, 10.0.X.1 to reconnect
to the device in WatchGuard System Manager.


Decide Which Interfaces and Interface Address to Use


Next, you must decide which interfaces and IP addresses to use for FireCluster. For this exercise, use
these interfaces and addresses:

                            Interface number   Member 1 IP Address   Member 2 IP Address
Primary Cluster Interface   5                  169.254.5.1/24        169.254.5.2/24
Backup Cluster Interface    4                  169.254.4.1/24        169.254.4.2/24
Management Interface        1                  10.0.X.101/24         10.0.X.102/24

Replace the X in the IP address with the student number your instructor gives you.

Connect the Cables


You are now ready to connect the cables.

Figure 8: Network configuration diagram for a FireCluster with two cluster interfaces
1. Make sure that Member 2 is powered off before you connect the cables.
2. Use a red cross-over cable to connect interface 6 on Member 1 to interface 6 on Member 2.
3. Use a red cross-over cable to connect interface 5 on Member 1 to interface 5 on Member 2.
4. Connect interface 0, the external interface of both devices, to a switch or router.
5. Connect interface 1, the trusted interface of both devices, to another switch or router.
6. Connect the management computer to the switch or router on the trusted network.

Run the FireCluster Setup Wizard
1. Connect to Member 1 with WatchGuard System Manager at 10.0.X.1.
2. Start Policy Manager and select FireCluster > Setup.
The FireCluster Setup Wizard starts.
3. Click Next to continue.
The first page of FireCluster global properties appears.
4. Select the cluster type.
For this exercise, select Active/Passive cluster.
If you had selected Active/Active cluster, you would also need to select the load balance method here.

Figure 9: Active/Passive cluster configuration for student 10


5. Set the Cluster ID to your student number.
If multiple FireClusters connect to the same network, each cluster must have a unique ID.


6. Click Next.
The FireCluster global properties page appears.

Figure 10: These global properties apply to both devices in the cluster
7. Find the Member 1 Primary and Backup cluster interface and Management IP address interface
from the table at the start of this exercise.
- From the Primary drop-down list, select interface 5.
- From the Backup drop-down list, select interface 4.
- From the Interface for management IP address drop-down list, select interface 1.
Up to this point, the wizard has asked for global configuration settings that apply to the cluster as a
whole. In the next set of steps you configure properties that are unique to each cluster member.

8. Click Next.
The Feature key page appears.

Figure 11: The feature key for the first FireCluster member
9. For the first member, you have already imported the feature key. If you had not already done so,
you could click Import to add the feature key here. Verify that the serial number in this feature key
matches the serial number for the device you are connected to.
Click Next.
The Name and serial number page appears.

Figure 12: The FireCluster serial number is copied from the feature key
The wizard automatically gets the serial number from the feature key. The default member name
for the first device is Member1. For this exercise, do not edit the Member Name.


10. Click Next.


The Cluster interface IP addresses configuration page appears.

Figure 13: The cluster interface and management IP address configuration for the Member1 device
11. Type the cluster interface and management interface IP addresses for member 1 from the table at
the start of this exercise.
- For the Primary cluster interface IP address, type 169.254.5.1/24.
- For the Backup cluster interface IP address, type 169.254.4.1/24.
- For the IPv4 Management IP address, type 10.0.X.101/24.
Replace the X in the Management IP address with your student number.
12. Click Next.
The Add another cluster member page appears.

Figure 14: The wizard automatically asks if you want to configure another device

13. Select Yes to add another device. Click Next.
The Feature key page appears for the second device.

Figure 15: You must import the feature key for the second cluster member before you can continue
14. Click Import to add the feature key for the second cluster member.
The Import Firebox Feature Key dialog box appears.
15. Paste the feature key for the second device. Make sure the serial number matches. Click OK.
The feature key is added to the wizard.
16. Click Next.
The Name and serial number page appears.

Figure 16: The FireCluster serial number is pulled from the feature key
The wizard automatically gets the serial number from the feature key. The default member name
for the second device is Member2. For this exercise, do not edit the Member Name.


17. Click Next.


The cluster IP addresses page appears for Member 2.

Figure 17: The cluster interface and management IP address configuration for the Member2 device
18. Type the cluster interface and management interface IP addresses for Member 2 from the table at
the start of this exercise.
- For the Primary cluster interface IP address, type 169.254.5.2/24.
- For the Backup cluster interface IP address, type 169.254.4.2/24.
- For the IPv4 Management IP address, type 10.0.X.102/24.
Replace the X in the management IP address with your student number.

19. Click Next.
The Summary page appears.

Figure 18: The wizard summarizes all of the settings you configured
20. Review your FireCluster settings carefully.
In the Global Properties, make sure the interfaces match the interfaces you have connected and
that you have set a unique FireCluster ID.
In the Member Properties, check these things:
- The primary cluster IP addresses for both members are on the same subnet
- The backup cluster IP addresses for both members are on the same subnet
- The cluster IP addresses do not use addresses in the range 10.0.0.1 - 10.0.13.254.
- The management IP addresses for both devices are on the trusted network.
21. Click Next.
The wizard completion page appears.


22. Click Finish.


The FireCluster Configuration dialog box appears.

Figure 19: The FireCluster Configuration dialog box shows the settings you configured in the wizard
You can return to this dialog box at any time from Policy Manager. Select FireCluster > Configure.
From the FireCluster Configuration dialog box, you can enable or disable the FireCluster, or you
can review and change the configuration. There are three tabs:
- In the General tab you can see and configure the FireCluster global properties.
- In the Members tab you can see and configure the FireCluster member properties.
- In the Advanced tab you can see and configure FireCluster logging, notification, and
hardware monitoring settings.
23. Click OK to close the FireCluster configuration dialog box.
24. Select File > Save > To Firebox to save the configuration to the Firebox.
The first device is now the cluster master. Now you can add the second device to the cluster.
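The Member Properties checklist in step 20 is easy to get wrong when typing addresses by hand. The following added Python check (not WatchGuard's code or part of this guide) applies those four rules to the classroom addresses; it assumes student number 1, a trusted network of 10.0.1.0/24, and a Member1 management address of 10.0.1.101/24, none of which are stated on this page.

```python
import ipaddress

# Assumptions for student number X = 1 (not from the guide): the trusted network is
# 10.0.1.0/24 and Member1's management address is 10.0.1.101/24.
TRUSTED_NET = ipaddress.ip_network("10.0.1.0/24")
# Range the guide says cluster IP addresses must not use.
RESERVED_LOW = ipaddress.ip_address("10.0.0.1")
RESERVED_HIGH = ipaddress.ip_address("10.0.13.254")


def same_subnet(cidr_a, cidr_b):
    """True when both addresses (with prefix length) fall in the same network."""
    return ipaddress.ip_interface(cidr_a).network == ipaddress.ip_interface(cidr_b).network


def in_reserved_range(cidr):
    """True when the host part of a cluster address lies in 10.0.0.1 - 10.0.13.254."""
    host = ipaddress.ip_interface(cidr).ip
    return RESERVED_LOW <= host <= RESERVED_HIGH


def check_members(members, trusted_net):
    """Apply the step 20 Member Properties checks; return a list of problems (empty = pass).
    members maps a member name to {"primary": cidr, "backup": cidr, "mgmt": cidr}."""
    problems = []
    (name1, m1), (name2, m2) = members.items()
    for role in ("primary", "backup"):
        if not same_subnet(m1[role], m2[role]):
            problems.append(f"{role} cluster IPs of {name1} and {name2} are not on the same subnet")
    for name, m in members.items():
        for role in ("primary", "backup"):
            if in_reserved_range(m[role]):
                problems.append(f"{name} {role} cluster IP {m[role]} is inside 10.0.0.1-10.0.13.254")
        if ipaddress.ip_interface(m["mgmt"]).ip not in trusted_net:
            problems.append(f"{name} management IP {m['mgmt']} is not on trusted network {trusted_net}")
    return problems


# Member2 addresses are the ones from step 18 with X = 1; Member1's are assumed by analogy.
GOOD = {
    "Member1": {"primary": "169.254.5.1/24", "backup": "169.254.4.1/24", "mgmt": "10.0.1.101/24"},
    "Member2": {"primary": "169.254.5.2/24", "backup": "169.254.4.2/24", "mgmt": "10.0.1.102/24"},
}
# Constructed mistake: Member2's backup cluster address typed on the wrong subnet and in the reserved range.
BAD = {
    "Member1": GOOD["Member1"],
    "Member2": {"primary": "169.254.5.2/24", "backup": "10.0.4.2/24", "mgmt": "10.0.1.102/24"},
}

if __name__ == "__main__":
    for label, cfg in (("good", GOOD), ("bad", BAD)):
        print(label, check_members(cfg, TRUSTED_NET) or "OK")
```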

Reset the Second Device to Factory-Default Settings
To get the second device ready to be discovered by the cluster master, you must reset it to
factory-default settings. The steps to do this vary by device model.

Note
If the instructions to reset your Firebox are not described here, see the topic Reset a Device in
Fireware Help, or see the Hardware Guide for your Firebox model.

These procedures all start with the second device powered off.

To reset a Firebox M400 or M500 to factory-default settings:


1. Use the power switch on the rear of the device to power it on.
2. Press and hold the Power button on the front of the device for five seconds to power it off.
3. Press and hold the Reset button on the front left of the device, and briefly press the Power button
on the front of the device to power it on.
4. Continue to hold the Reset button while the Arm indicator is red.
5. Continue to hold the Reset button while the Arm indicator is slowly flashing green.
6. When the Arm indicator flashes green more rapidly, release the Reset button.
7. Wait until the Arm indicator starts flashing red.
8. Press and hold the Power button for five seconds to power off the device.
9. Briefly press the Power button on the front of the device to power it on.

To reset a Firebox M440 to factory-default settings:


1. Use the power switch on the rear of the device to power it on.
2. Press and hold the Power button on the front of the device for three seconds to power it off.
3. Press and hold the Reset button on the front left of the device, and briefly press the Power button
on the front of the device to power it on.
4. Continue to hold the Reset button until the Attn indicator begins to flash.
5. Release the Reset button.
6. Wait until the Attn indicator stops flashing and remains lit.
7. Press and hold the Power button for three seconds to power off the device.
8. Briefly press the Power button to power on the device.

To reset an XTM device that has an LCD panel to factory-default settings:


1. Press and hold the down arrow button on the device front panel while you power on the device.
2. Release the button after you see the words Safe mode starting on the LCD display.

Discover the Second Cluster Member


1. In WatchGuard System Manager, connect to the cluster at 10.0.X.1, if you are not already
connected.

2. Click to launch Firebox System Manager.


The cluster shows that one cluster member is the master, and the other member is inactive.
3. Select Tools > Cluster > Discover member.
4. Type the configuration passphrase.
5. Monitor the status of Member2 in Firebox System Manager.
The status appears in parentheses after the member name. It will change from (inactive) to (idle) to (backup
master).

Figure 20: An Active/Passive cluster is shown in Firebox System Manager as Active/Standby


You can see that this is an Active/Standby cluster, and that Member1 is the master.

About Automatic Member Discovery


The first time you save the cluster configuration to the cluster master, it automatically attempts to use
the cluster interface to discover the second device. If the second device is connected and has been reset
to factory-default settings, the cluster master automatically discovers it and adds it to the cluster.
If automatic discovery does not work, you can always use Firebox System Manager to manually trigger
the cluster master to discover the second device, as you did in this exercise.

Exercise 2: Monitor Cluster Status
In this exercise, you learn how to use Firebox System Manager to monitor the cluster and cluster
member status.

Monitor the Cluster


1. In WatchGuard System Manager, connect to the cluster, if you are not already connected.

2. Click to launch Firebox System Manager (FSM).

Figure 21: Firebox System Manager Cluster View


Notice that the Firebox System Manager title bar says (Cluster View). This means that you are
monitoring the cluster, rather than a specific cluster member. When you are in cluster view, the
detail section of the Front Panel tab does not show system uptime, because it is not the same for
both cluster members. Instead, you can see the uptime in the tree under each member.
3. Expand the Cluster section of the tree below the device.
You can see the status and configuration information for each cluster member.
4. Select the Status Report tab to see more detailed cluster status.
When FSM is in cluster view, the Status Report has a report section for each member.

Monitor a Cluster Member


Sometimes you want to connect to a specific cluster member to see more information about its status.
This can be useful if you need to troubleshoot a FireCluster issue.
1. In Firebox System Manager, select Tools > Cluster > Connect to Member.

Figure 22: The Connect to member dialog box


2. Select a cluster member to connect to. Click OK.
Another Firebox System Manager window opens, to monitor the cluster member.

Figure 23: Firebox System Manager view of a single cluster member


3. Expand the sections of the tree in the Front Panel to see status information for this device.

Exercise 3: Test FireCluster Failover
In this exercise you trigger a failover, and learn what to expect to see while you monitor the cluster
during a failover.

Force a Failover from Firebox System Manager


One easy way to watch what happens during failover is to trigger a failover of the master from Firebox
System Manager.
1. Open Firebox System Manager to monitor the cluster.
2. Expand the cluster section of the tree in the Front Panel tab.
3. Select Tools > Cluster > Failover Master.

Figure 24: The Failover Master dialog box


Type the Passphrase for the admin user.
Firebox System Manager initiates failover of the master.
4. Watch the status of the devices in Firebox System Manager.

Figure 25: Firebox System Manager cluster member status


The original cluster master fails over. The backup master becomes the master. The previous cluster
master rejoins the cluster as the backup master.

Trigger a Failover Due to Link Status


Another way to trigger failover is to disconnect a network cable from a monitored interface on the
cluster master.
1. Disconnect the cable from interface 0 of the cluster master.
2. Monitor the cluster status in Firebox System Manager.
Failover initiates and the other member becomes the cluster master.
Notice that the interface status for Eth0 does not show a problem in cluster view. But if you connect to
the backup master with Firebox System Manager, you can see the interface is disconnected.

Use the Backup Cluster Interface


1. Disconnect the primary cluster interface cable from interface 6.
2. Monitor the cluster status in Firebox System Manager.
The cluster continues to operate, because the cluster members can communicate over the backup cluster
interface, interface 5.

Trigger a Failover Due to Power Failure


We recommend that you connect your clustered devices to different power circuits. If the power is lost
to one device, the cluster can fail over to the other device.
1. Power off the cluster master.
The backup master becomes the cluster master. The other member has the status (inactive).
2. Power on the cluster master.
The second device status changes to (backup master).

Test Failover with Network Traffic


If your classroom environment enables you to connect to a server or the Internet over the external
network, you can repeat any of the above failover exercises while you browse the web or download a
file from a server, and see how the traffic is not interrupted when a failover occurs.

Use Leave/Join in Firebox System Manager


In Firebox System Manager, you can also use the Leave and Join commands to remove a configured
device from the cluster or re-add it. When a member leaves the cluster, it is still part of the cluster
configuration, but does not participate in the cluster. The other cluster member handles all traffic in the
cluster after the second member has left.
The Leave and Join commands are in the Tools > Cluster menu in Firebox System Manager. You use these
commands as part of the procedure to restore a FireCluster backup image. See the WatchGuard System
Manager Help for more information.

What You Have Learned


In this module, you learned how to:
- Understand the clustering requirements for your Firebox
- Set up a FireCluster
- See status for a FireCluster
- Understand what happens when a FireCluster failover occurs
