TRAINING: www.watchguard.com/training, training@watchguard.com
SUPPORT: www.watchguard.com/support, support@watchguard.com
U.S. and Canada +877.232.3531
All Other Countries +1.206.613.0456
Network Topology ....................................................................................................................... 27
Configure the Device ................................................................................................................. 28
Configure the Switch ................................................................................................................. 30
Physically Connect All Devices .................................................................................................. 30
Test the Configuration ............................................................................................................... 30
Using VLANs in Device Policies ................................................................................... 31
Apply Firewall Policies to Intra-VLAN Traffic ............................................................................. 31
Aliases ........................................................................................................................................ 31
Exercise 5: Configure VLANs for Wireless Access Points ............................................ 33
When to Use This Configuration ............................................................................................... 33
Network Topology ....................................................................................................................... 33
Frequently Asked Questions ....................................................................................... 38
What You Have Learned .............................................................................................. 38
Traffic Management ............................................................................................................. 39
What You Will Learn ..................................................................................................... 39
Control Bandwidth Use with Traffic Management Actions ........................................ 39
Traffic Management Action Types ............................................................................................ 40
Traffic Management in Policies ................................................................................................ 40
Traffic Management in Application Control ............................................................................. 40
Traffic Management Action Precedence .................................................................................. 40
Monitoring Bandwidth Statistics ................................................................................................ 41
Control Traffic Priority with QoS .................................................................................. 41
About Interface QoS Settings ..................................................................................................... 41
About Policy QoS Settings .......................................................................................................... 41
About Traffic Priority ................................................................................................................... 41
About Outgoing Interface Bandwidth ....................................................................................... 42
Exercise 1: Use a Traffic Management Action to Guarantee Bandwidth ................... 43
Enable Traffic Management and QoS ...................................................................................... 43
Verify the OS Compatibility Setting ........................................................................................... 43
Define Outgoing Interface Bandwidth ...................................................................................... 43
Create a Traffic Management Action ....................................................................................... 44
Modify Policy Configuration ....................................................................................................... 45
Set Up Service Watch ................................................................................................................ 46
See the Results of the Configuration ........................................................................................ 47
Exercise 2: Use a Traffic Management Action to Limit Bandwidth ............................. 50
Re-Define Outgoing Interface Bandwidth ................................................................................ 50
Create a Traffic Management Action ....................................................................................... 51
Modify Policy Configuration ....................................................................................................... 51
See the Results of the Configuration ....................................................................................... 52
Exercise 3: Use Traffic Management with Application Control ................................... 55
Create two Traffic Management Actions .................................................................................. 55
Configure Application Control ................................................................................................... 56
Configure Application Control in Policies ................................................................................. 58
Monitor the Traffic Management Actions in Firebox System Manager .................................. 59
Exercise 4: Use QoS to Mark and Prioritize Traffic ...................................................... 61
Before You Begin ....................................................................................................................... 61
Enable Prioritization by QoS Marking on Interfaces ................................................................ 61
Prioritize Traffic by Policy ........................................................................................................... 63
See the Results of the Configuration ....................................................................................... 64
What You Have Learned .............................................................................................. 65
Link Aggregation ................................................................................................................... 67
Introduction .................................................................................................................. 67
How to Configure It .................................................................................................................... 98
When an External Interface Fails .............................................................................................. 99
The Failover Multi-WAN Method ............................................................................... 100
When to Use It .......................................................................................................................... 100
How It Works ............................................................................................................................ 100
How to Configure It .................................................................................................................. 100
When an External Interface Fails ............................................................................................ 100
The Interface Overflow Multi-WAN Method .............................................................. 101
When to Use It .......................................................................................................................... 101
How It Works ............................................................................................................................ 101
How to Configure It .................................................................................................................. 101
When an External Interface Fails ............................................................................................ 101
The Routing Table Multi-WAN Method ...................................................................... 102
When to Use It .......................................................................................................................... 102
How It Works ............................................................................................................................ 102
How to Configure It .................................................................................................................. 102
When an External Interface Fails ............................................................................................ 102
Exercises Before You Begin ................................................................................... 103
Necessary Equipment and Services ....................................................................................... 103
Management Computer Configuration ................................................................................... 103
Firewall Configuration .............................................................................................................. 104
Bandwidth Available at Each External Interface ................................................................... 104
Physically Connecting your Devices ........................................................................................ 104
Exercise 1: Demonstrate the Interface Overflow Multi-WAN Method and Sticky Connections ....... 105
When to Use the Interface Overflow Method ......................................................................... 105
Network Topology ..................................................................................................................... 105
Configure the Device ............................................................................................................... 106
Demonstrate It ......................................................................................................................... 110
Exercise 2: Demonstrate the Failover Multi-WAN Method and Policy-Based Routing ....... 114
When to Use the Failover Method ........................................................................................... 114
Network Topology ..................................................................................................................... 114
Configure the Device ............................................................................................................... 115
Demonstrate It ......................................................................................................................... 119
Exercise 3: Demonstrate Load Balancing with the Round Robin Multi-WAN Method ....... 120
Configure the Device ............................................................................................................... 120
Demonstrate It ......................................................................................................................... 121
Appendix ..................................................................................................................... 122
How Fireware Makes Multi-WAN Routing Decisions For Outbound Traffic .......................... 122
Multi-WAN Routing Decision Flow Chart ................................................................................ 123
What You Have Learned ............................................................................................ 125
Routing ................................................................................................................................ 127
Introduction ................................................................................................................ 127
What You Will Learn ................................................................................................................. 127
Terms and Concepts .................................................................................................. 128
Route ........................................................................................................................................ 128
Router ....................................................................................................................................... 128
Route Table ................................................................................................................................ 128
Route Metric ............................................................................................................................. 128
Routing Protocol ....................................................................................................................... 129
About Failover ............................................................................................................ 168
Causes of FireCluster Failover ................................................................................................. 168
What Happens During a Failover ............................................................................................ 170
Monitoring Tools ........................................................................................................ 171
Firebox System Manager ......................................................................................................... 171
Diagnostic Logging .................................................................................................................. 172
FireCluster Requirements ......................................................................................... 173
Hardware Requirements ......................................................................................................... 173
License Requirements ............................................................................................................. 173
Network Configuration Requirements .................................................................................... 173
Switch and Router Requirements ............................................................................................ 174
FireCluster Pre-Configuration Checklist .................................................................................. 175
Exercise 1: Set Up an Active/Passive Cluster ............................................................ 176
Configure the External Interface to Use a Static IP Address ................................................ 176
Configure the Trusted Interface .............................................................................................. 177
Disable Unused Network Interfaces ....................................................................................... 178
Decide Which Interfaces and Interface Address to Use ....................................................... 179
Connect the Cables .................................................................................................................. 179
Run the FireCluster Setup Wizard ........................................................................................... 180
Reset the Second Device to Factory-Default Settings ........................................................... 188
Discover the Second Cluster Member .................................................................................... 189
Exercise 2: Monitor Cluster Status ............................................................................. 190
Monitor the Cluster .................................................................................................................. 190
Monitor a Cluster Member ...................................................................................................... 191
Exercise 3: Test FireCluster Failover .......................................................................... 192
Force a Failover from Firebox System Manager .................................................................... 192
Trigger a Failover Due to Link Status ...................................................................................... 192
Use the Backup Cluster Interface ........................................................................................... 193
Trigger a Failover Due to Power Failure .................................................................................. 193
Test Failover with Network Traffic ........................................................................................... 193
Use Leave/Join in Firebox System Manager .......................................................................... 193
What You Have Learned ............................................................................................ 193
Course Introduction
Network and Traffic Management with Fireware
Training Overview
The WatchGuard Fireware Network and Traffic Management with Fireware course covers these topics:
- VLANs
- Traffic Management and QoS
- Link Aggregation
- Multi-WAN
- Routing
- FireCluster

Side note (About Side Notes): Side notes are extra information that is not necessary to understand the
training. They might be configuration or troubleshooting tips, or extra technical information.
This course assumes that you have completed the Fireware Essentials course and that you know how to
set up and configure basic networking features. This Course Introduction describes the software,
hardware, and network environment required to complete the exercises in this training courseware.
Classroom Network Configuration
The exercises in this course are designed using RFC 5737 documentation IP addresses to represent
public network IP addresses. The exercises in this training assume the following network configuration:
The instructor device must have 2 VLANs configured:
- VLAN10: Trusted zone, 198.51.100.1/24, ID 10, untagged on eth2, tagged on eth3
- VLAN20: Trusted zone, 192.0.2.1/24, ID 20, tagged on eth3
Figure 4: Secondary IP addresses for Eth4 on the instructor device, for a total of 8 students
3. To configure the instructor Firebox to simulate a multi-hop link for the routing exercises, you must
add static routes to route traffic to the trusted network on each student device. The next hop for
each is the IP address of the optional interface on each student device.
The gateway corresponds to the primary and secondary networks defined for Eth4 on the instructor device.
Figure 7: Static route configuration for the instructor Firebox for a class with 8 students.
VLANs
Four Ways to Configure VLANs on a Firebox
Introduction
A virtual local area network (VLAN) is a collection of computers on a LAN or LANs that are grouped
together in a single broadcast domain independent of their physical location. A VLAN allows you to
group devices according to function or traffic patterns instead of location or IP address. Members of a
VLAN can share resources as if they were connected to the same LAN.
Exercises
The exercises demonstrate situations in which you would use different VLAN configurations, a
simplified view of the network topology for each setup, and step-by-step procedures for how to
configure each setup. The exercises include:
- Two VLANs on the same Firebox interface
- One VLAN bridged across two Firebox interfaces
- One VLAN bridged across two Firebox interfaces (alternate configuration)
- Two VLANs as External Interfaces on the same Firebox
- Three VLANs for two SSIDs on an AP device
The course concludes with frequently asked questions about how to configure firewall policies to
restrict incoming and outgoing access on VLAN interfaces, or to allow or deny traffic between different
VLANs.

Side note: You can also use VLANs with link aggregation. An exercise for that configuration is
included in the link aggregation section of this training.
Increased security options.
By default, members of one VLAN cannot see the traffic from another VLAN. You can apply separate
security policies to VLANs. By contrast, a secondary network on a Firebox interface gives no
additional security because there is no separation of traffic. The Firebox does not filter traffic
between the primary network of an interface and a secondary network on that interface. It
automatically routes traffic between primary and secondary networks on the same physical
interface with no access restrictions.
Switches
When you configure a Firebox Ethernet interface for VLAN, the switches that you connect to the
device interface must be able to use VLAN tags as defined in IEEE 802.1Q. A switch of this type is
commonly called a managed switch or an 802.1Q switch.
Types of VLANs
VLANs can use different parameters to assign membership:
- 802.1Q VLANs (used by the Firebox)
The Institute of Electrical and Electronics Engineers (IEEE) publishes the 802.1Q standard to
define the format of VLAN tags. This standard lets you use VLANs with any vendor's
equipment that conforms to the 802.1Q standard.
- MAC address-based VLANs use the physical address on a computer's network interface card
to put it in the correct logical group.
- VLANs based on multicast groups put computers into VLANs based on whether the
computer has subscribed to a particular multicast group.
- Protocol-based VLANs put computers into VLANs based on the communication protocol
each uses (such as IP, IPX, DECnet, or AppleTalk).
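As an added illustration (not part of the WatchGuard courseware), the following Python parses the 802.1Q tag that this standard defines and models the two VLAN interface modes the exercises use: an interface tagged for VLANs 10 and 20, and an interface that carries untagged traffic for one VLAN. The frame bytes, the interface objects and the rule that drops frames for VLANs an interface is not a member of are constructed assumptions for this example.

```python
"""802.1Q tag parsing and VLAN membership on a VLAN-type interface.

Added example, not WatchGuard code. Models the interface modes from the
exercises: tagged for VLANs 10 and 20 (Interface 3) and untagged for VLAN10
(Interface 4). All frames below are constructed for the example.
"""
import struct
from dataclasses import dataclass, field
from typing import Optional, Set

TPID_8021Q = 0x8100  # EtherType value that announces an 802.1Q tag follows


@dataclass
class VlanInterface:
    name: str
    tagged_vlans: Set[int] = field(default_factory=set)  # VIDs accepted tagged
    untagged_vlan: Optional[int] = None  # at most one VLAN for untagged frames


def parse_frame(frame: bytes):
    """Return (vid, pcp, ethertype, payload) for one Ethernet frame.

    vid is None when the frame carries no VLAN membership: either there is
    no 802.1Q tag at all, or the tag is a priority tag with VID 0.
    """
    if len(frame) < 14:
        raise ValueError("frame shorter than an Ethernet header")
    ethertype = struct.unpack("!H", frame[12:14])[0]
    if ethertype != TPID_8021Q:
        return None, 0, ethertype, frame[14:]  # untagged segment traffic
    if len(frame) < 18:
        raise ValueError("802.1Q tag present but truncated")
    tci, inner_type = struct.unpack("!HH", frame[14:18])
    pcp = tci >> 13            # 3-bit priority code point (used by QoS marking)
    vid = tci & 0x0FFF         # 12-bit VLAN identifier
    return (vid or None), pcp, inner_type, frame[18:]


def classify(iface: VlanInterface, frame: bytes) -> Optional[int]:
    """Return the VLAN a received frame belongs to on iface, or None to drop it.

    Assumed rule for this model: a tagged frame is accepted only for a VID the
    interface is tagged for; an untagged frame is accepted only if the
    interface has an untagged VLAN configured.
    """
    vid, _pcp, _ethertype, _payload = parse_frame(frame)
    if vid is None:
        return iface.untagged_vlan
    return vid if vid in iface.tagged_vlans else None


def build_frame(vid: Optional[int], ethertype: int = 0x0800,
                payload: bytes = b"\x00" * 46) -> bytes:
    """Construct a broadcast frame; vid=None builds an untagged frame."""
    dst = bytes.fromhex("ffffffffffff")
    src = bytes.fromhex("020000000001")  # constructed, locally administered MAC
    if vid is None:
        return dst + src + struct.pack("!H", ethertype) + payload
    tci = vid & 0x0FFF  # PCP 0, DEI 0
    return dst + src + struct.pack("!HHH", TPID_8021Q, tci, ethertype) + payload


# Exercise 1 style: Interface 3 is a trunk carrying tagged VLAN10 and VLAN20.
IFACE3 = VlanInterface("Interface 3", tagged_vlans={10, 20})
# Exercise 2 style: Interface 4 is an untagged port in VLAN10 only.
IFACE4 = VlanInterface("Interface 4", untagged_vlan=10)


def demo() -> dict:
    """Run constructed frames through both interfaces; returns label -> VLAN."""
    cases = [
        ("tagged VLAN10 on Interface 3", IFACE3, 10),
        ("tagged VLAN20 on Interface 3", IFACE3, 20),
        ("tagged VLAN30 on Interface 3", IFACE3, 30),   # not a member: dropped
        ("untagged on Interface 3", IFACE3, None),      # no untagged VLAN: dropped
        ("untagged on Interface 4", IFACE4, None),
        ("tagged VLAN10 on Interface 4", IFACE4, 10),   # untagged-only port: dropped
    ]
    return {label: classify(iface, build_frame(vid)) for label, iface, vid in cases}


if __name__ == "__main__":
    for label, vlan in demo().items():
        print(f"{label}: {'VLAN' + str(vlan) if vlan else 'dropped'}")
```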
Before You Begin
Before you begin the exercises, you must:
1. Make sure the switches that connect to the Firebox do not use Spanning Tree Protocol. Disable this
protocol for any switch interface that connects to a device Ethernet interface.
2. Know how to configure your VLAN switch. Consult the documentation from the device manufacturer
for help.
Firewall Configuration
If your Firebox is not yet configured, run the Quick Setup Wizard first to configure it.
Use the Routed mode for the Quick Setup Wizard. (You cannot use VLANs with Drop-in mode or
Bridge mode.) The Quick Setup Wizard with Routed mode has these defaults:
- The external Interface 0 is configured and enabled with static IP address 203.0.113.X/24.
Replace X in the external IP address with the student number your instructor gives you.
- The trusted Interface 1 is configured and enabled with IP address 10.0.X.1/24.
Replace X in the trusted IP address with the student number your instructor gives you.
- All of the other interfaces are set to Disabled.
- There are five policies in Policy Manager: FTP, Ping, WatchGuard WebUI, WatchGuard, and
Outgoing.
The trusted interface (Interface 1) is not a member of any VLAN in any of the exercises.
The management computer is connected directly to the trusted interface with an Ethernet cable.
Make sure your management computer has an IP address in the same subnet as the trusted
interface, with the correct subnet mask. Make sure the default gateway for the computer is the
trusted interface IP address.
Exercise 1: Two VLANs on the Same Device Interface
Network Topology
This exercise shows how to connect one switch that carries traffic from two different VLANs to one
Firebox interface. In the subsequent diagram, the computers are connected to the 802.1Q switch, and
the switch is connected to Firebox interface 3. The switch carries traffic from two different VLANs.
13. (Optional) In the Description text box, type a description.
For this example, type Sales.
14. In the VLAN ID text box, type or select a number for the VLAN.
For this example, select 20.
15. From the Security Zone drop-down list, select the security zone for the VLAN.
For this example, select Optional.
16. In the IP Address text box, type the IP address of the VLAN gateway.
For this example, type 192.168.20.1/24.
Any computer in this new VLAN must use this IP address as its default gateway.
17. (Optional) Configure DHCP for the new VLAN.
a. Select Use DHCP Server.
b. In the Address Pool section, click Add.
c. Type or select the Starting Address and the Ending Address.
For this example, type 192.168.20.10 for the Starting Address and 192.168.20.20 for
the Ending Address.
d. Click OK.
The new address pool appears in the Address Pool box.
18. Click OK.
Both VLANs now appear.
Figure 5: The Member column shows which VLANs the interface is a member of.
24. Click OK.
This interface now appears as type VLAN in the list of interfaces.
Physically Connect All Devices
1. Connect one end of an Ethernet cable to the device interface 3.
2. Connect the other end of the Ethernet cable to the interface on the switch that you configured to
tag for VLANs 10 and 20 (to the VLAN trunk interface of the switch).
3. Connect a computer to the interfaces on the switch that you configured to untag for VLAN10.
4. If you configured VLAN10 to use the DHCP server, configure the computer's network card to use
DHCP to get an IP address automatically.
For more information, see Step 9 on page 13.
5. If you did not configure the VLAN to use the DHCP server, configure the computer's network card
with an IP address in the VLAN subnet 192.168.10.x. Use subnet mask 255.255.255.0 and set the
computer's default gateway to the device VLAN IP address, 192.168.10.1.
6. Repeat Steps 1-3 to connect a computer to a switch interface that you configured to untag for
VLAN20.

Side note: As a general rule, remember that the physical segment between a switch interface and a
computer (or other networked device) that connects to it is an untagged data segment. Traffic that
flows over this segment does not have VLAN tags.

Side note: Most switches sold today have interfaces that can auto-sense MDI/MDI-X for the Ethernet
connection. When the interface senses a physical link, it automatically configures itself to be a normal
or uplink interface. If you do not get link lights on the Ethernet interfaces with one type of Ethernet
cable (straight-through or crossover), try the other type of Ethernet cable.

Test the Configuration
From the computer in VLAN10, you should be able to ping the computer in VLAN20, as well as ping the
VLAN10 computer from the VLAN20 computer. The two computers can ping each other because the
default settings of the Ping policy allow Any-Trusted and Any-Optional to send ICMP echo requests to
Any.
No other traffic is allowed between the two VLANs unless there is a policy that specifically allows it. The
basic configuration loaded by the Quick Setup Wizard does not allow any other traffic between the
VLANs.
Network Topology
This exercise shows how to connect a switch to one Firebox interface, and computers to another
Firebox interface. Figure 8 shows that the computers connected to the switch and to device interface 4
are in the same VLAN.

Side note: The untagged Firebox interface in Figure 8 (Interface 4, with one computer connected)
operates in much the same way as an untagged switch port on a VLAN switch.
Note
If you have already completed the previous exercise, remove the VLANs and disable the VLAN
interface you configured in that exercise before you begin this one.
8. In the IP Address text box, type the IP address of the VLAN gateway.
For this example, type 192.168.10.1/24.
Any computer in this new VLAN must use this IP address as its default gateway.
9. (Optional) Configure DHCP for the new VLAN.
a. Select Use DHCP Server.
b. In the Address Pool section, click Add.
c. Type or select the Starting Address and the Ending Address.
For this example, type 192.168.10.10 for the Starting Address and 192.168.10.20 for
the Ending Address.
d. Click OK.
The new address pool appears in the Address Pool list.
10. Click OK.
The new VLAN is added.

Side note: The Interfaces column is blank for a new VLAN because no Firebox interfaces have been
assigned to it yet. You assign the VLAN to Firebox interfaces in the next steps.
Figure 10: Select the check box to make the interface a member of the VLAN
16. Click OK.
This interface now appears as type VLAN in the list of interfaces.
17. Double-click Interface 4 and configure it to untag for VLAN10.
18. From the Interface Type drop-down list, select VLAN.
19. At the bottom of the dialog box, select the Send and receive untagged traffic for selected VLAN
check box. From the adjacent drop-down list, select VLAN10 (192.168.10.1/24).
Figure 11: Make Interface 4 an untagged switch port
20. Click OK and check your work.
The Interfaces tab should now look like this.

Side note: You can only select one VLAN for untagged traffic. This option is not available if you
choose a VLAN that has External specified as the zone. You cannot configure an interface to send and
receive both tagged and untagged traffic when a VLAN is configured as an external zone.

Side note: If you do not want computers connected to a Firebox interface to be part of a VLAN, then
do not configure the interface to be of type VLAN. Instead, configure the interface to be of type
Trusted or Optional.
Exercise 3: One VLAN Bridged Across Two Device Interfaces (Alternate Configuration)
Network Topology
This exercise shows how to connect two 802.1Q switches, both of which send traffic from the same
VLAN, to two different Firebox interfaces. The subsequent diagram shows how computers are connected
to 802.1Q switches, and how the switches are connected to the device. Two 802.1Q switches connected
to device interfaces 3 and 4 carry traffic from the same VLAN.
Note
If you have already completed the previous exercise, remove the VLANs and disable the VLAN
interface you configured in that exercise before you begin this one.
14. Select Send and receive tagged traffic for selected VLANs.
15. In the Member column, select the check box for VLAN10.

Side note: Interface 3 will be a tagged VLAN interface because it connects to a VLAN switch that
sends it traffic with VLAN tags.
Figure 16: Select the check box to make the interface a member of the VLAN
16. Click OK.
This interface now appears as type VLAN in the list of interfaces.
17. Repeat Steps 11-16 for Interface 4 to make that interface a member of VLAN10.
18. Check your work.
The Interfaces tab should look like this:
Figure 18: The VLAN tab shows that interfaces 3 and 4 are members of VLAN10
Switch A
1. Configure the switch interface that connects the switch to the Firebox interface 3.
a. Configure this interface on Switch A to be a member of VLAN10.
b. Configure this interface to send traffic with the VLAN10 tag.
c. If necessary, set the switch mode to trunk.
d. If necessary, set the encapsulation mode to 802.1Q.
As a general rule, remember that the physical segment between this switch interface and the
Firebox is a tagged data segment. Traffic that flows over this segment must use 802.1Q VLAN
tagging.

Side note: Some switch manufacturers refer to an interface that is configured like this as a trunk
port or a trunk interface.

2. Configure the switch interfaces that connect computers to the switch.
Configure the other switch interfaces to be members of VLAN10. You must also configure these
interfaces to send untagged traffic for VLAN10.
As a general rule, remember that the physical segments between each of the other switch
interfaces and the computers (or other networked devices) that connect to them are untagged
data segments. Traffic that flows over these segments does not have VLAN tags.
Switch B
Repeat the previous steps to configure Switch B:
1. Configure the switch interface that connects the switch to the device interface 4.
a. Disable Spanning Tree Protocol on any switch interface that connects to the device.
b. Configure one interface on Switch B to be a member of VLAN10.
c. Configure this interface to send traffic with the VLAN10 tag.
d. If necessary, set the switch mode to trunk.
e. If necessary, set the encapsulation mode to 802.1Q.
As a general rule, remember that the physical segment between this switch interface and the
Firebox is a tagged data segment. Traffic that flows over this segment must use 802.1Q VLAN
tagging.
2. Configure the switch interfaces that connect computers to the switch.
3. Configure the other switch interfaces to be members of VLAN10. You must also configure these
interfaces to send untagged traffic for VLAN10.
As a general rule, remember that the physical segments between each of the other switch
interfaces and the computers (or other networked devices) that connect to them are untagged
data segments. Traffic that flows over these segments does not have VLAN tags.
VLANs 25
6. If you configured VLAN10 to use the DHCP server, configure the computer's network card to use DHCP to get an IP address automatically.
See Step 9 on page 23.
7. If you did not configure the VLAN to use the DHCP server, configure the computer's network card with an IP address in the VLAN subnet 192.168.10.x. Use subnet mask 255.255.255.0 and set the computer's default gateway to the device VLAN IP address 192.168.10.1.
8. Repeat these steps to connect a computer to Switch B.
Network Topology
This exercise simulates two service provider connections, ISP-1 (VLAN 10) and ISP-2 (VLAN 20), carried by a single trunk port of the switch to one Firebox interface. In the subsequent diagram, the WAN connection is connected to the 802.1Q switch, and the trunk port of the switch (Switch A) is connected to device interface 3.
Note
If you have already completed the previous exercise, remove the VLANs and disable the VLAN
interface you configured in that exercise before you begin this one.
Configure the Device
1. From Policy Manager, select Network > Configuration.
The Network Configuration dialog box appears.
2. Select the VLAN tab.
3. Click Add to create a new VLAN.
The New VLAN Configuration dialog box appears.
4. In the Name (Alias) text box, type a name for the VLAN. The name cannot contain spaces. For this
example, type External-VLAN10.
5. (Optional) In the Description text box, type a description. For this example, type ISP-1.
6. In the VLAN ID text box, type or select a number for the VLAN. For this example, select 10.
7. From the Security Zone drop-down list, select the security zone for the VLAN. For this example, select External.
Security zones correspond to aliases for interface security zones. For example, VLANs of type External are handled by policies that use the alias Any-External as a source or destination.
8. Select Use Static IP.
9. In the IP Address text box, type the IP address. For this exercise, type 198.51.100.X/24. Replace the X in the IP address with the student number your instructor gives you. For example, if your student number is 10, type 198.51.100.10/24.
10. In the Default Gateway text box, type the gateway address. For this exercise, type 198.51.100.1.
This configuration must have a corresponding upstream connection that is the default gateway (198.51.100.1).
11. Click OK.
12. Click Add and create another new VLAN.
The New VLAN Configuration dialog box appears.
13. In the Name (Alias) text box, type a name for the VLAN. The name cannot contain spaces. For this
example, type External-VLAN20.
14. (Optional) In the Description text box, type a description. For this exercise, type ISP-2.
15. In the VLAN ID text box, type or select a number for the VLAN. For this example, select 20.
16. From the Security Zone drop-down list, select the security zone for the VLAN. For this example,
select External.
17. Select Use Static IP.
18. In the IP Address text box, type the IP address. For this example, type 198.0.2.X/24. Replace the X in the IP address with the student number your instructor gives you. For example, if your student number is 10, type 198.0.2.10/24.
19. In the Default Gateway text box, type the gateway address. For this exercise, type 198.0.2.1.
This configuration must have a corresponding upstream connection that is the default gateway (198.0.2.1).
20. Click OK.
The new VLANs appear.
Figure 21: The Member column shows which VLANs this interface is a member of.
26. Click OK.
27. Check your work.
The Interfaces tab should look like this.
Configure the Switch
Add VLANs to the switch that connects to your ISP. In the diagram, this is labeled Switch A.
Refer to the instructions from your switch manufacturer to configure VLAN tagging on your switch.
1. Add two VLANs with the ID numbers 10 and 20 to the 802.1Q switch configuration.
2. Configure the switch interface that connects the switch to the Firebox interface 3.
a. Disable Spanning Tree Protocol on any switch interface that connects to the device.
b. Configure this interface on the switch to be a member of both VLANs 10 and 20.
c. Configure this interface to tag for both VLANs.
d. If necessary for your switch operating system, set the switch mode to trunk.
e. If necessary for your switch operating system, set the encapsulation mode to 802.1Q.
3. Configure the switch interface that connects ISP-1 in VLAN10 to the switch.
a. Configure the switch interface that will connect to ISP-1 to be a member of VLAN10.
b. Configure this interface to untag for VLAN10.
4. Configure the switch interface that connects ISP-2 in VLAN20 to the switch.
a. Configure the switch interface that will connect to ISP-2 to be a member of VLAN20.
b. Configure this interface to untag for VLAN20.
As a general rule, remember that the physical segment between this switch interface and the Firebox is
a tagged data segment. Traffic that flows over this segment must use 802.1Q VLAN tagging.
Some switch manufacturers refer to a switch interface that is configured as in Step 2 as a trunk port or trunk interface.
As a general rule, remember that the physical segment between a switch interface and the networked
device that connects to it is an untagged data segment. Traffic that flows over this segment does not
have VLAN tags.
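The two kinds of segment described above differ only in whether the frame carries an 802.1Q tag. The following added example (not WatchGuard code; port names and MAC addresses are constructed) builds and parses tagged frames and models a switch with one trunk port toward the Firebox and one access port toward a computer: untagged frames from the access port are classified into the port's VLAN and leave the trunk tagged, while a tagged frame for a VLAN the trunk does not carry is dropped on ingress.

```python
"""802.1Q tagging on the two kinds of segment the text describes: the
trunk segment to the Firebox carries tagged frames, the access segment to a
computer carries untagged frames.  Added example; not WatchGuard code."""
import struct

ETH_P_8021Q = 0x8100  # Tag Protocol Identifier (TPID) of an 802.1Q tag


def build_frame(dst, src, ethertype, payload, vlan_id=None, pcp=0):
    """Build an Ethernet frame; insert an 802.1Q tag when vlan_id is given."""
    frame = dst + src
    if vlan_id is not None:
        if not 1 <= vlan_id <= 4094:
            raise ValueError("VLAN ID must be in 1..4094")
        tci = ((pcp & 0x7) << 13) | (vlan_id & 0x0FFF)   # PCP:3 DEI:1 VID:12
        frame += struct.pack("!HH", ETH_P_8021Q, tci)
    return frame + struct.pack("!H", ethertype) + payload


def parse_frame(frame):
    """Return (dst, src, vlan_id or None, pcp, ethertype, payload)."""
    if len(frame) < 14:
        raise ValueError("frame too short for an Ethernet header")
    dst, src = frame[:6], frame[6:12]
    (ethertype,) = struct.unpack("!H", frame[12:14])
    vlan_id, pcp, offset = None, 0, 14
    if ethertype == ETH_P_8021Q:
        if len(frame) < 18:
            raise ValueError("truncated 802.1Q tag")
        tci, ethertype = struct.unpack("!HH", frame[14:18])
        vlan_id, pcp, offset = tci & 0x0FFF, tci >> 13, 18
    return dst, src, vlan_id, pcp, ethertype, frame[offset:]


class SwitchPort:
    """Access port: one untagged VLAN. Trunk port: a set of tagged VLANs.
    A port may also be both (untagged native VLAN plus tagged VLANs)."""

    def __init__(self, name, untagged=None, tagged=()):
        self.name, self.untagged, self.tagged = name, untagged, set(tagged)

    def ingress(self, frame):
        """Classify a received frame; return its VLAN, or None to drop it."""
        _, _, vid, _, _, _ = parse_frame(frame)
        if vid is None:
            return self.untagged          # untagged frame -> the port's untagged VLAN
        return vid if vid in self.tagged else None   # tag must be allowed here

    def egress(self, frame, vid):
        """Rewrite a frame for this port, or None if the VLAN is not allowed."""
        dst, src, _, pcp, ethertype, payload = parse_frame(frame)
        if vid == self.untagged:
            return build_frame(dst, src, ethertype, payload)           # strip tag
        if vid in self.tagged:
            return build_frame(dst, src, ethertype, payload, vid, pcp)  # tag
        return None


# Constructed sample: Switch A with a trunk to Firebox interface 3 and an
# access port for a computer in VLAN10 (names and MACs are made up).
TRUNK = SwitchPort("to-firebox-eth3", tagged={10})
ACCESS = SwitchPort("to-pc", untagged=10)
PC_MAC = bytes.fromhex("021122334455")
FIREBOX_MAC = bytes.fromhex("02aabbccddee")
UNTAGGED_FRAME = build_frame(FIREBOX_MAC, PC_MAC, 0x0800, b"ip-payload")


def forward(in_port, out_port, frame):
    """Switch one frame: classify on ingress, rewrite on egress."""
    vid = in_port.ingress(frame)
    return None if vid is None else out_port.egress(frame, vid)


if __name__ == "__main__":
    out = forward(ACCESS, TRUNK, UNTAGGED_FRAME)
    print("to Firebox: VLAN", parse_frame(out)[2], "len", len(out))
    print("back to PC untagged:", forward(TRUNK, ACCESS, out) == UNTAGGED_FRAME)
```

The frame grows by exactly four bytes on the trunk segment and loses them again on the access segment; a tagged frame arriving at the trunk for a VLAN it does not carry returns None from ingress, which is the behaviour you want from a trunk that is restricted to the VLANs it should carry.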
Physically Connect All Devices
1. Connect one end of an Ethernet cable to the device interface 3.
2. Connect the other end of the Ethernet cable to the interface on the switch that you configured to tag for VLANs 10 and 20 (to the VLAN trunk interface of the switch).
3. Connect the interface on the switch that you configured to untag for VLAN10 to the upstream internet connection of ISP-1.
4. Connect the interface on the switch that you configured to untag for VLAN20 to the upstream internet connection of ISP-2.
You can use another Firebox to simulate ISP-1 and ISP-2 connections. Configure a Trusted interface with an IP Address of 198.51.100.1/24 and another Trusted interface with an IP Address of 198.0.2.1/24 on another Firebox. Make sure that these subnets (198.51.100.0/24 and 198.0.2.0/24) are included in the Dynamic NAT configuration and that they translate to Any-External to get an Internet connection.
Test the Configuration
From the management computer or any computer on the trusted zone, you should be able to access the Internet. Create an HTTP policy and enable logging for the allowed packets. You should see which External interface each packet uses to reach the destination. You may also enable logging on the Outgoing and Ping policies to try using other protocols. This should log which External interface each packet used to reach its destination.
Aliases
When you add the new VLAN, the VLAN name appears as a new alias in the list of Firebox aliases.
To open the Aliases dialog box, select Setup > Aliases.
For example, to specify that users in Trusted-VLAN30 are allowed to make SSH connections to a server
in the trusted network with IP address 10.0.1.56, configure an SSH policy as shown in the subsequent
image.
Note
This exercise includes steps to manually add an AP device to the Firebox configuration. It is not
necessary for you to have an AP device to complete this exercise.
Network Topology
This exercise simulates the situation where you have an AP device with two SSIDs, one SSID for trusted
wireless users, and another for guest wireless users.
Note
If you have already completed the previous exercise, remove the VLANs and disable the VLAN
interface you configured in that exercise before you begin this one.
Configure VLANs
1. In Policy Manager, select Network > Configuration.
2. Select the VLAN tab.
3. Add a new VLAN with these settings:
- Name: VLAN10-Trusted-W
- VLAN ID: 10
- Security Zone: Trusted
- IP Address: 192.168.10.1/24
- DHCP Server Address Pool: 192.168.10.10 - 192.168.10.100
4. Add a new VLAN with these settings:
- Name: VLAN20-Guest-W
- VLAN ID: 20
- Security Zone: Custom
- IP Address: 192.168.20.1/24
- DHCP Server Address Pool: 192.168.20.10 - 192.168.20.100
In this exercise, you configure the VLAN for wireless guest users in the Custom security zone. You could instead use the Optional zone, if that is appropriate for your network.
5. Add a new VLAN with these settings:
- Name: VLAN30-AP-Mgmt
- VLAN ID: 30
- Security Zone: Trusted
- IP Address: 192.168.30.1
- DHCP Server Address Pool: 192.168.30.10 - 192.168.30.100
6. Verify that the list of configured VLANs looks like this:
10. Configure this interface to send and receive tagged traffic for VLANs 10 and 20.
Figure 28: The tagged VLANs, one Trusted and one Custom
11. Configure this interface to send and receive untagged VLAN traffic for VLAN 30.
10. In the Passphrase text box, type the passphrase that trusted wireless users must know to connect
to this SSID.
11. Click OK.
12. Repeat the previous steps to add a second SSID with these properties:
- Network Name (SSID): Guest-Wireless
- VLAN ID: 20
- Security: WPA/WPA2 (PSK), with a passphrase for wireless guest users
When you are finished, the SSIDs tab contains SSIDs for trusted and guest wireless users.
Add an AP Device
So that you can complete the configuration without an AP device, this exercise includes steps to manually add an AP100 wireless access point to the Gateway Wireless Controller.
If you have an AP device, you can connect it to the VLAN interface you just configured and pair it to the Firebox. Click Help in Policy Manager for detailed instructions.
1. Select the Access Points tab.
2. Click Add.
3. Type the default pairing passphrase, wgwap. Click OK.
The Add Access Point dialog box appears.
Figure 31: Settings for a manually added AP device, with Management VLAN tagging enabled
4. In the Serial Number text box, type the serial number of an Access Point device. If you don't have an Access Point device, you can just type any string of 13 letters and numbers. For this exercise, type AP10012345678.
5. Do not select the Enable Management VLAN tagging check box. Management traffic to this AP device will use VLAN30, which is an untagged VLAN.
6. In the list, add the Trusted-Wireless and Guest-Wireless SSIDs.
Figure 32: Two SSIDs added to the SSID list
The Gateway Wireless Controller on the Firebox uses the untagged VLAN to discover and manage the WatchGuard Access Point. You can also use this VLAN if you want to connect to the Access Point Web UI.
7. Click OK.
The AP device is added to the Access Points list.
Figure 34: The Outgoing policy with the VLAN20-Guest-W custom VLAN added
3. Save the configuration to the device.
Frequently Asked Questions
If I want to allow traffic to a VLAN from a device outside the VLAN, do I need a policy for it?
Yes.
By default, the Firebox does not allow traffic to a device in any VLAN. To allow this traffic, add a
policy for it and include the VLAN's alias name in the To section.
If I want to allow traffic that starts in a VLAN and leaves the VLAN, do I need a policy for it?
Yes.
Traffic is not allowed to leave a network protected by the Firebox unless there is a policy to allow it.
However, the default configuration the Quick Setup Wizard creates for the Firebox includes the
Outgoing policy, which allows traffic from Any-Trusted to the external network.
If your VLAN uses the Trusted security zone, any device in the VLAN can use the Outgoing policy to
send traffic to the external network. This is because a VLAN that uses the Trusted security zone is
included in the Any-Trusted alias.
If I want to allow traffic that starts in one VLAN and goes to another VLAN, do I need a policy
for it?
Yes.
By default, devices in one VLAN cannot see the traffic from another VLAN. You can apply separate
security policies to VLANs.
If I want to allow traffic that starts in a VLAN and goes to a device in the same VLAN, do I need
a policy for it?
No.
If a computer connected to Switch A sends traffic to a computer connected to Switch B (see
Figure 14 on page 22 in Exercise 3), and both computers are in the same VLAN, the Firebox does
not filter this traffic. In this setup, the Firebox serves as a VLAN bridge between the two computers
and the two switches. The two computers communicate as if they were in the same physical LAN,
not separated by the Firebox.
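The four answers above describe one consistent model: every network has its own alias, every VLAN in a zone is also covered by that zone's alias (Any-Trusted, Any-External), nothing passes without a matching policy, and traffic that stays inside one VLAN is bridged rather than filtered. The following added example (a model of the described behaviour, not Fireware code; the Network and Policy structures, the Any-Optional alias and the treatment of the Custom zone as having no zone alias are assumptions) evaluates a few source/destination pairs against a constructed configuration that mirrors the exercises on this page.

```python
"""How the FAQ describes VLAN traffic through the Firebox: default deny,
zone aliases (Any-Trusted, Any-External) that include every VLAN in that
zone, a per-VLAN alias, and no filtering for traffic inside one VLAN.
Added example: a model of the described behaviour, not Fireware code."""
from dataclasses import dataclass
import ipaddress

# Zone aliases used in this model. Custom-zone VLANs get only their own
# alias here, which is consistent with the exercise adding VLAN20-Guest-W
# to the Outgoing policy by name (assumption of this model).
ZONE_ALIASES = {"Trusted": "Any-Trusted", "External": "Any-External",
                "Optional": "Any-Optional"}


@dataclass(frozen=True)
class Network:
    name: str            # also the alias for this network
    zone: str            # Trusted, Optional, External, Custom
    cidr: str
    vlan_id: int = 0     # 0 = plain physical interface


@dataclass(frozen=True)
class Policy:
    name: str
    sources: frozenset    # alias names or host IPs
    destinations: frozenset
    enabled: bool = True


class FireboxModel:
    def __init__(self, networks, policies):
        self.networks, self.policies = networks, policies

    def network_for(self, ip):
        addr = ipaddress.ip_address(ip)
        for n in self.networks:
            if addr in ipaddress.ip_network(n.cidr):
                return n
        return None

    @staticmethod
    def aliases_for(net):
        names = {net.name}
        if net.zone in ZONE_ALIASES:
            names.add(ZONE_ALIASES[net.zone])
        return names

    @staticmethod
    def matches(spec, aliases, ip):
        return "Any" in spec or bool(spec & aliases) or ip in spec

    def decide(self, src_ip, dst_ip):
        """Return (allowed, reason) for one source/destination pair."""
        src, dst = self.network_for(src_ip), self.network_for(dst_ip)
        if src is None or dst is None:
            return False, "address not on any configured network"
        if src == dst:
            # Same VLAN on both switches: the Firebox bridges, no policy applies.
            return True, "same network segment, not filtered"
        src_al, dst_al = self.aliases_for(src), self.aliases_for(dst)
        for p in self.policies:
            if p.enabled and self.matches(p.sources, src_al, src_ip) \
                    and self.matches(p.destinations, dst_al, dst_ip):
                return True, f"allowed by policy {p.name}"
        return False, "no matching policy, default deny"


# Constructed sample configuration mirroring the page's examples.
FIREBOX = FireboxModel(
    networks=[
        Network("Trusted", "Trusted", "10.0.1.0/24"),
        Network("Trusted-VLAN30", "Trusted", "192.168.30.0/24", 30),
        Network("VLAN20-Guest-W", "Custom", "192.168.20.0/24", 20),
        Network("External-VLAN10", "External", "198.51.100.0/24", 10),
    ],
    policies=[
        Policy("Outgoing", frozenset({"Any-Trusted"}), frozenset({"Any-External"})),
        Policy("SSH", frozenset({"Trusted-VLAN30"}), frozenset({"10.0.1.56"})),
    ],
)

if __name__ == "__main__":
    for s, d in [("192.168.30.5", "10.0.1.56"), ("192.168.30.5", "10.0.1.57"),
                 ("192.168.20.7", "198.51.100.9"), ("192.168.30.5", "192.168.30.9")]:
        print(s, "->", d, FIREBOX.decide(s, d))
```

The guest VLAN in the Custom zone reaches the Internet only once it is named in a policy, the SSH policy admits exactly one destination host, and a connection that starts outside the VLAN is denied until a policy lists the VLAN alias in its To section.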
How many VLANs can I use?
The number of VLANs you can add to your configuration is 50 to 500, depending on the Firebox
model. To verify the number of VLANs you can add to your device:
1. From Policy Manager, select Setup > Feature Key.
The Firebox Feature Key dialog box appears.
2. Scroll down to find the Total Number of VLAN Interfaces row.
The number of available VLANs appears in the Value column.
Out of the above number of VLANs, how many External VLANs can I use?
The recommended maximum number of External VLANs is ten.
Traffic Management
Traffic Shaping and Prioritization
Traffic Management Action Types
There are three types of Traffic Management actions.
All Policies
The action applies to the combined bandwidth of all policies that use it. If the action is used for
multiple policies, all policies share the bandwidth guarantee or maximum specified in the action.
Per Policy
The action applies individually to each policy that uses it. If the action is used for multiple policies,
the bandwidth maximum or guarantee specified in the action applies separately to each policy.
Per IP Address
The action applies individually to each client source IP address. When you configure a Per IP Address
action, you also specify the Maximum Instance, which is the number of client source IP addresses
that the bandwidth constraints in the action can individually apply to.
If the number of concurrent clients that use a Per IP Address action is larger than the Maximum
Instance, clients with different source IP addresses begin to share the bandwidth specified in the
action. A round-robin algorithm determines which source IP addresses share bandwidth. Recently
connected source IP addresses share bandwidth with source IP addresses that have been
connected longest.
If you apply a Per IP Address action to multiple policies, the action applies to each client source IP
address for the combined traffic handled by all policies that use the action. It functions similar to an
All Policies action, except on a per-IP address basis.
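The distinction between the three action types is which flows end up sharing one limit. The following added example is a model of the semantics described above, not Fireware's scheduler: it groups a constructed set of flows (two policies, three client IPs) into bandwidth buckets for each action type and splits each bucket's limit evenly. The way clients beyond the Maximum Instance are paired with the longest-connected ones (slot = connection rank modulo Maximum Instance) is an interpretation of the round-robin rule in the text.

```python
"""Model of the three Traffic Management action types described above:
which flows end up sharing one bandwidth limit. Added example; this is a
reading of the text, not Fireware's scheduler. The way overflow clients are
paired with the longest-connected ones (slot = rank mod Maximum Instance)
is an interpretation of the round-robin rule."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Action:
    name: str
    kind: str               # "all_policies", "per_policy" or "per_ip"
    limit_kbps: int         # the maximum (or guarantee) the action carries
    max_instances: int = 0  # Per IP Address only


@dataclass(frozen=True)
class Flow:
    policy: str
    src_ip: str
    order: int              # connection order; lower means connected earlier


def bucket_key(action, flow, ip_rank):
    """Identify the bandwidth bucket a flow is accounted against."""
    if action.kind == "all_policies":
        return (action.name,)                     # one bucket for everything
    if action.kind == "per_policy":
        return (action.name, flow.policy)         # one bucket per policy
    if action.kind == "per_ip":
        slot = ip_rank[flow.src_ip] % action.max_instances
        return (action.name, "slot", slot)        # one bucket per instance slot
    raise ValueError(f"unknown action type {action.kind}")


def group_flows(action, flows):
    """Return {bucket_key: [flows]} with each bucket limited to limit_kbps."""
    if action.kind == "per_ip" and action.max_instances < 1:
        raise ValueError("Per IP Address actions need a positive Maximum Instance")
    first_seen = {}
    for f in sorted(flows, key=lambda f: f.order):
        first_seen.setdefault(f.src_ip, f.order)
    # rank 0 = longest-connected client IP
    ip_rank = {ip: rank for rank, ip in enumerate(sorted(first_seen, key=first_seen.get))}
    buckets = {}
    for f in sorted(flows, key=lambda f: f.order):
        buckets.setdefault(bucket_key(action, f, ip_rank), []).append(f)
    return buckets


def fair_share(action, flows):
    """Equal split of each bucket's limit over its flows, in kbps per flow."""
    return {f: action.limit_kbps / len(members)
            for members in group_flows(action, flows).values() for f in members}


# Constructed sample: FTP and HTTP policies, three client IPs.
FLOWS = [
    Flow("FTP", "10.0.1.5", 1),
    Flow("HTTP", "10.0.1.5", 2),
    Flow("HTTP", "10.0.1.6", 3),
    Flow("HTTP", "10.0.1.7", 4),
]
ALL = Action("Max1000Kbps", "all_policies", 1000)
PER_POLICY = Action("Max1000Kbps", "per_policy", 1000)
PER_IP = Action("Max1000Kbps", "per_ip", 1000, max_instances=2)

if __name__ == "__main__":
    for a in (ALL, PER_POLICY, PER_IP):
        print(a.kind, {f"{f.policy}/{f.src_ip}": kb for f, kb in fair_share(a, FLOWS).items()})
```

With an All Policies action the four flows share 1000 Kbps; with Per Policy the lone FTP flow keeps the full 1000 Kbps while the three HTTP flows share another 1000 Kbps; with Per IP Address and a Maximum Instance of 2, the third client (10.0.1.7) falls into the slot of the longest-connected client (10.0.1.5) and shares that client's limit, while 10.0.1.6 keeps its own.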
Traffic Management 41
You can set traffic priority for each policy on the QoS tab of the Advanced tab. Use this table as a guideline when you assign priorities:
While DSCP can be configured for QoS marking, the ToS-equivalent Class Selector value is used for prioritization. This gives the IP Precedence, DSCP, and Custom Value options equivalent 0-7 priorities.
For more information on QoS, see the Fireware Help.
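The Class Selector rule above is simple arithmetic on the DS byte: a DSCP code point is six bits, its top three bits are the Class Selector, and those same three bits are the IP Precedence field of the original ToS byte, which is why all three marking options reduce to a 0-7 priority. The following added example (not Fireware code; the function names are ours, and treating Custom Value as a 6-bit code point is an assumption) performs that reduction and reads the byte from a constructed IPv4 header.

```python
"""How a marking value collapses to the 0-7 priority the text describes:
DSCP is a 6-bit code point, its top three bits are the Class Selector, and
that equals the IP Precedence field of the ToS byte. Added example; the
helper names are ours, not Fireware's."""

# RFC 791 precedence names; the page uses "2 (Immediate)".
PRECEDENCE_NAMES = {0: "Routine", 1: "Priority", 2: "Immediate", 3: "Flash",
                    4: "Flash Override", 5: "Critical",
                    6: "Internetwork Control", 7: "Network Control"}

# Common DSCP code points (RFC 2474 / 2597 / 3246)
DSCP = {"CS0": 0, "AF11": 10, "AF21": 18, "AF31": 26, "AF41": 34,
        "EF": 46, "CS6": 48, "CS7": 56}


def class_selector(dscp):
    """Top three bits of a DSCP value: the Class Selector / IP precedence."""
    if not 0 <= dscp <= 63:
        raise ValueError("DSCP must be 0..63")
    return dscp >> 3


def tos_from_dscp(dscp, ecn=0):
    """DS field byte as carried in the IPv4 header: DSCP (6 bits) + ECN (2 bits)."""
    if not 0 <= ecn <= 3:
        raise ValueError("ECN must be 0..3")
    return (class_selector(dscp) and dscp << 2 | ecn) if dscp else ecn


def priority_from_tos(tos):
    """IP precedence = the top three bits of the ToS/DS byte."""
    if not 0 <= tos <= 255:
        raise ValueError("ToS must be one byte")
    return (tos >> 5) & 0x7


def tos_from_ipv4(packet):
    """Read the ToS/DS byte of an IPv4 packet (second header byte)."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    return packet[1]


def priority_for_option(option, value):
    """Reduce the marking options the page names (IP Precedence, DSCP,
    Custom Value) to one 0-7 priority, mirroring the Class Selector rule.
    Treating a Custom Value as a 6-bit code point is an assumption."""
    if option == "ip_precedence":
        if not 0 <= value <= 7:
            raise ValueError("IP precedence must be 0..7")
        return value
    if option in ("dscp", "custom"):
        return class_selector(value)
    raise ValueError(f"unknown option {option}")


# Constructed sample: minimal IPv4 header with EF marking (0xB8), rest zero.
SAMPLE_PACKET = bytes([0x45, tos_from_dscp(DSCP["EF"])]) + bytes(18)

if __name__ == "__main__":
    for name, code in DSCP.items():
        p = class_selector(code)
        print(f"{name:>4} dscp={code:2d} -> priority {p} ({PRECEDENCE_NAMES[p]})")
    print("sample packet priority:", priority_from_tos(tos_from_ipv4(SAMPLE_PACKET)))
```

EF (46) lands in priority 5 alongside CS5, and all four AF classes collapse to priorities 1 to 4, which is the loss of granularity the paragraph above is warning about when it says prioritization uses the Class Selector value.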
Note
For the Outgoing Interface Bandwidth setting, make sure to set your speeds in kilobits or megabits
per second (Kbps or Mbps) rather than kilobytes or megabytes per second (KBps or MBps).
4. Set the Outgoing Interface Bandwidth to 1500 Kbps. Click OK.
The Outgoing Interface Bandwidth limits the Trusted interface transmission rate.
5. Close the Network Configuration dialog box and return to Policy Manager.
Figure 2: A Traffic Management action to guarantee minimum bandwidth for all policies that use it
1. Click .
Or, select Edit > Add Policy.
The Add Policies dialog box appears.
2. Expand the Packet Filters folder and select HTTP. Click Add.
The New Policy Properties dialog box appears.
3. Select the Advanced tab.
4. From the Reverse drop-down list, select Min500Kbps.
Figure 3: The HTTP policy Advanced tab with traffic management enabled for reverse traffic
5. Click OK to return to the Add Policies dialog box.
The Add Policies dialog box appears.
6. In the Packet Filters list, select DNS.
Make sure you do not select DNS-proxy in the Proxies list.
7. Click Add.
The New Policy Properties dialog box appears.
8. Select the Advanced tab.
9. From the Reverse drop-down list, select Min500Kbps.
10. Click OK to return to the Add Policies dialog box. Click Close.
11. Right-click the Outgoing policy and select Disable Policy.
Figure 4: The icons in the Action column show that Traffic Management is enabled in the HTTP and DNS
policies, and the Outgoing policy is disabled.
12. Save the configuration to the device.
If you use a local web server, to use the 350MB file in the root of C:\inetpub\wwwroot folder, use
this URL:
http://<web server IP address>/350mbfile.txt
Make sure the FTP transfer is still active before you start the HTTP transfer.
5. In Service Watch, look at the amount of bandwidth that is used by both policies.
After you start the HTTP transfer, the amount of bandwidth used by the FTP transfer is reduced, to
allow at least 500Kbps for DNS and HTTP.
Figure 7: FTP cannot use all the bandwidth if it is needed for HTTP traffic
Figure 8: The Traffic Management tab shows statistics about the traffic management action. You can also
click the graph to see statistics for any point.
7. Click the Traffic Management action name in the Action column to see which policies use this
action.
Figure 9: The pop-up shows that this action is used by two policies as the reverse action.
Exercise 2: Use a Traffic Management Action to Limit Bandwidth
When you use multiple internal interfaces, it might not be appropriate to reduce the Outgoing
Interface Bandwidth on a Trusted or Optional interface, because this would prevent transfers between
internal interfaces from using their link speed. You can achieve similar results by restricting the
bandwidth of policies that would consume bandwidth needed for more important business functions.
This exercise is intended to be completed after Exercise 1 and follows the same requirements.
Figure 12: Configure the policy to use the Traffic Management action you just configured as the Reverse
action
3. From the Traffic Management drop-down list, select Max1000Kbps.
4. Click OK.
The FTP policy is now limited to a maximum of 1000Kbps.
5. Save the configuration to the device.
See the Results of the Configuration
With the FTP policy restricted to 1000Kbps, other policies will have the remaining bandwidth available.
If we assume that the downstream bandwidth of the external interface was 1500Kbps, this
configuration leaves 500Kbps available for HTTP and DNS. While this configuration does not restrict the
Trusted interface to 1500Kbps, the FTP policy cannot use additional bandwidth, even if it is available.
1. Close all programs. Results can vary if other applications on your computer have access to the
network.
2. With your computer connected to the trusted interface, start an FTP session to download a large
file.
If you are unable to identify a sufficient public FTP resource, follow the steps in Exercise 1 to set up
a server on your external interface. You can use either the command line, Internet Explorer, or an
FTP client of your choice to make the connection.
3. Open Firebox System Manager and select the Service Watch tab.
The graph shows that the FTP transfer takes only the allotted bandwidth (1000Kbps).
5. In Service Watch, look at the amount of bandwidth that is used by both policies. After you start
the HTTP transfer, the amount of bandwidth used by the FTP transfer could be reduced, however
500Kbps is available for the HTTP and DNS connections.
Figure 14: Monitoring bandwidth usage for FTP and HTTP traffic
6. Now, apply the Max1000Kbps Traffic Management as the Reverse action in the HTTP policy.
Because this is an All Policies Traffic Management action, the traffic management action is applied to the combined bandwidth of all policies where it is assigned.
7. Save the configuration to the device.
8. Start additional HTTP and FTP connections while you monitor Service Watch.
Figure 15: The traffic management action is applied to the combined bandwidth of the FTP and HTTP policies
to which it is assigned.
9. Edit the Max1000Kbps Traffic Management action.
10. From the Type drop-down list, select Per Policy.
Note
To complete this exercise, your device must have a feature key that enables Application Control.
Figure 16: This traffic management action limits bandwidth per client IP address
6. Click OK.
7. To add another Traffic Management action, click Add.
The New Traffic Management Action Configuration dialog box appears.
8. In the Name text box, type Max2Mbps.
9. From the Type drop-down list, select Per IP Address.
10. Set the Maximum bandwidth to 2 Mbps.
Figure 17: This traffic management action limits bandwidth per client IP address
11. Click OK.
12. Close the Traffic Management Actions dialog box.
6. Click OK.
This action now uses the selected Traffic Management action for all streaming media applications. Because
this is a Per IP Address action, each user gets a total of 100 Kbps bandwidth for all streaming media
applications.
7. From the Category drop-down list, select Streaming Media.
The list of applications is filtered to show just the streaming media applications.
Figure 19: The action for Streaming Media applications is set by the application category
If you want to set a different Traffic Management action, or disable Traffic Management for an
application in the category, you can edit the action for the individual application. Application-specific
actions take precedence over application category actions. For example, if you want to make an
exception for Adobe Flash, you can configure a separate action for that application.
Note
To override a Traffic Management action for a specific application in the category, you must assign a
different Traffic Management action to the application. If you disable Traffic Management for an application in the category, the Traffic Management action for the category still applies to traffic for that application.
1. Select the Adobe Flash application and click Edit.
2. From the Set the action for all behaviors drop-down list, select Allow.
When you set the action to Allow, the Traffic Management check box and the Traffic Management action
configured for the category are automatically selected. To override the Traffic Management action configured
for the application category, you must select a different Traffic Management action for this application.
3. Select the Max2Mbps Traffic Management action.
Figure 22: The Traffic Management tab with details for a Per IP Address Traffic Management action.
4. Start a streaming video from YouTube or your favorite video site.
The statistics appear for the client, and in the overall statistics for the action.
5. In a web browser, connect to the Web UI for your device on the trusted interface at https://<trusted-ip-address>:8080.
Your trusted IP address should be 10.0.X.1, where X is your student number.
6. Log in with the admin or status user account credentials.
On the Traffic Management System Status page in the Web UI, the graph shows the newest data on the right side. This is the opposite of the graph in the Traffic Management tab in Firebox System Manager.
7. Select System Status > Traffic Management.
The Traffic Management System Status page shows a similar table and graph, and shows the IP address of
each client.
Figure 23: The Traffic Management System Status page in the Fireware XTM Web UI.
8. Log out of the Web UI.
5. Set the Outgoing Interface Bandwidth to 1500 Kbps. Click OK.
This restricts throughput to make sure that queuing occurs on the trusted interface to illustrate the use of
prioritization.
6. In the Interfaces list, select External (Interface 0). Click Configure.
The Interface Settings dialog box appears.
7. Select the Advanced tab.
Figure 26: Override the per-interface settings in the HTTP policy Advanced settings
6. Click OK to return to Policy Manager.
7. Double-click the DNS policy.
The Edit Policy Properties dialog box appears.
8. Select the Advanced tab.
9. Select the QoS tab.
10. Select the Override per-interface settings check box.
11. Modify the settings to Assign an IP Precedence value of 2 (Immediate), and Prioritize Traffic
Based On QoS Marking.
12. Click OK to return to Policy Manager.
13. Save the configuration to the device.
See the Results of the Configuration
Both the DNS and HTTP policies are prioritized higher than other traffic. While this configuration does
not dedicate specific bandwidth, the prioritization does improve the performance of these policies
when there is network congestion.
1. Close all programs. Results can vary if other applications on your computer have access to the
network.
2. With your computer connected to the trusted interface, start an FTP session to download a large
file.
3. Select the Service Watch tab.
The graph shows that the FTP transfer takes all of the available bandwidth. This should be
approximately equal to the value you set for Outgoing Interface Bandwidth on the Trusted
interface (1500 Kbps).
5. On the Service Watch tab, look at the amount of bandwidth that is used by both policies.
66 WatchGuard Fireware Training
Link Aggregation
Increase Interface Aggregate Throughput and Redundancy
Introduction
A link aggregation (LA) interface is a group of physical interfaces that you configure to work together as
a single logical interface. You can use a link aggregation interface to increase the aggregate
throughput beyond the capacity of a single physical interface, and to provide redundancy if there is a
physical link failure.
Course Outline
The exercises provide step-by-step procedures for how to set up several link aggregation
configurations. The exercises include:
Configure a link aggregation interface in active-backup mode
Configure a link aggregation interface in static mode
Configure a link aggregation interface in dynamic mode
Configure a link aggregation interface as a member of a VLAN
Link Aggregation
Link Aggregation, also known as Port Trunking, Port Teaming, Ethernet Trunking, or Link Bundling,
refers to the concept of grouping multiple Ethernet ports to function as a single connection between
networked devices.
Link Aggregation provides two main benefits.
Provides graceful recovery from link failures
For all link aggregation types, if a single interface in a link aggregation group fails, traffic can flow
through the other member interfaces in the link aggregation group.
Increases aggregate throughput between devices
For static or dynamic link aggregation, traffic flows over all member interfaces. This increases the
aggregate throughput, because different traffic flows are load balanced between different
member interfaces. Because each traffic flow uses a single interface, the maximum throughput for
a single connection does not increase beyond the bandwidth of a single interface. But the
aggregate bandwidth increases because different traffic flows can use different member interfaces.
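The reason a single connection never exceeds one member's bandwidth is that a flow is pinned to one member interface: active-backup pins every flow to the single active member, while static and dynamic modes pick the member from a hash of the flow. The following added example (not Firebox code; the XOR-based hash is a simple layer 3+4 style policy chosen for illustration and the link speed and flows are constructed) models both modes, shows failover when the active member is unplugged, and computes per-flow and aggregate throughput.

```python
"""Why a LAG raises aggregate throughput but not single-flow throughput:
each flow is pinned to one member interface. Active-backup uses one member
at a time; static/dynamic modes spread flows by hash. Added example; the
XOR hash is a simple layer 3+4 style policy chosen for illustration, not
the Firebox's algorithm."""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    src_ip: str
    dst_ip: str
    proto: int
    sport: int
    dport: int


def layer34_hash(flow, n_members):
    """Deterministic member index from the 5-tuple (assumed XOR policy)."""
    s = int(ipaddress.ip_address(flow.src_ip))
    d = int(ipaddress.ip_address(flow.dst_ip))
    h = (s ^ d) ^ ((s ^ d) >> 16) ^ flow.sport ^ flow.dport ^ flow.proto
    return h % n_members


class ActiveBackupLag:
    """Only one member carries traffic; the rest stand by."""

    def __init__(self, members):
        self.members = list(members)
        self.down = set()

    def up_members(self):
        return [m for m in self.members if m not in self.down]

    def fail(self, member):      # simulate unplugging a cable
        self.down.add(member)

    def restore(self, member):
        self.down.discard(member)

    def select(self, flow):
        up = self.up_members()
        if not up:
            raise RuntimeError("all member interfaces are down")
        return up[0]


class BalancedLag(ActiveBackupLag):
    """Static or dynamic (802.3ad) mode: flows hashed across up members."""

    def select(self, flow):
        up = self.up_members()
        if not up:
            raise RuntimeError("all member interfaces are down")
        return up[layer34_hash(flow, len(up))]


def distribute(lag, flows, link_kbps):
    """Return {flow: kbps} when each member link is shared equally by the
    flows hashed onto it. No single flow can exceed one link's speed."""
    on_member = {}
    for f in flows:
        on_member.setdefault(lag.select(f), []).append(f)
    return {f: link_kbps / len(fs) for fs in on_member.values() for f in fs}


# Constructed sample: eight TCP flows from one trusted client to one web host,
# differing only in source port.
FLOWS = [Flow("172.16.1.10", "198.51.100.20", 6, 40000 + i, 80) for i in range(8)]
LINK_KBPS = 1_000_000   # 1 Gbit/s per member (assumed)

if __name__ == "__main__":
    ab = ActiveBackupLag(["eth3", "eth4"])
    lb = BalancedLag(["eth3", "eth4"])
    print("active-backup members used:", {ab.select(f) for f in FLOWS})
    print("balanced aggregate kbps:", sum(distribute(lb, FLOWS, LINK_KBPS).values()))
    print("single flow on balanced LAG:", distribute(lb, FLOWS[:1], LINK_KBPS))
    ab.fail("eth3")
    print("after eth3 fails, active member:", ab.select(FLOWS[0]))
```

In active-backup mode all eight flows use eth3 and the aggregate equals one link; after eth3 fails they all move to eth4. In balanced mode the same flows spread over both members and the aggregate doubles, yet a lone flow still gets exactly one link's worth of bandwidth.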
Link Aggregation Group (LAG)
A link aggregation group, or LAG, is a group of Ethernet interfaces configured as a group for the
purposes of link aggregation. When you configure a link aggregation on a Firebox, it is called a link
aggregation interface. The term LAG is also used by some switch vendors to refer to link aggregation in
general.
Link Aggregation 69
Link Aggregation with Other Networking Features
You can use a link aggregation interface in most of the same ways that you use a physical interface. For
example, you can use it in the configuration of policies, VLANs, multi-WAN, VPN, DHCP, and PPPoE.
You can use a link aggregation interface with most other networking features, just as you would use a
physical interface:
Multi-WAN
VLAN
FireCluster (active/passive only)
VPNs
Dynamic Routing
Network Address Translation (NAT)
Secondary networks
You cannot configure link aggregation interfaces to use these features:
Traffic Management
Quality of Service (QoS)
MAC Access control
Network Topology
In this exercise you will configure Eth3 and Eth4 as members of a new link aggregation interface. After you configure the link aggregation interface, you connect the physical interface members to two different unmanaged switches that are also connected to each other. Because the link aggregation interface is configured in active-backup mode, only one of the member interfaces is active at a time.
The topology used in this exercise only works for a link aggregation interface in active-backup mode. It is important that both interfaces are not active at the same time, or this topology causes a network routing loop.
Figure 1: Active-backup link aggregation interface when the interface connected to Switch A is active.
Figure 2: Active-backup link aggregation interface when the interface connected to Switch B is active.
If each student does not have two switches, two students can share a pair of switches. This network topology is not something you would do on a production network, but may be necessary for training purposes. If students must share switches, the cable configuration looks like this.
If two Firebox devices share the same switches for this exercise, each device could report spoofing errors if it receives traffic from the network configured on the other device. This does not affect the exercise.
Figure 3: Link aggregation active-backup topology for two students sharing two switches. For each link
aggregation group, either member interface could be the active interface.
4. Click Add.
The New Link Aggregation Interface Configuration dialog box appears.
Notice that the MAC Access Control tab does not appear here. Link aggregation interfaces do not support that feature.
Add Member Interfaces
After you create the link aggregation interface, you must assign at least one member interface. The
number of interfaces you can add is limited only by the available physical interfaces on your Firebox.
For this exercise, you add two member interfaces.
1. Click the Interfaces tab.
2. Select interface 2 and click Configure.
The Interface Settings dialog box appears.
3. Set the Interface Type to Link Aggregation.
The configured link aggregation interface appears in the list.
If a link aggregation interface is not already configured, click New Link Aggregation to create a new one.
9. Click OK.
Interfaces 2 and 3 are now configured as type LA (Link Aggregation).
Figure 8: The interfaces of type LA are the two link aggregation member interfaces
10. Click the Link Aggregation tab.
The link aggregation interface shows interfaces 2 and 3 as members.
Figure 9: The interfaces column shows which physical interfaces are members
11. Save the configuration to the device.
Monitor the Link Aggregation Interface
1. Disconnect the management computer from eth1 and connect it to an interface on one of the switches.
2. Change the IP address of the management computer to an IP address on the 172.16.X.0/24 network configured on your link aggregation interface.
3. In WatchGuard System Manager, use the IP Address of the link aggregation interface, 172.16.X.1, to connect to the device. Replace X with your student number.
4. Expand the Firebox Status tree to see the interface status.
The link aggregation interface is listed as bond0. The physical interface members are listed below it.
It is not necessary to connect the management computer to the switch to monitor the link aggregation interface. We do so in this exercise in order to generate some traffic over the link aggregation interface.
Figure 11: The bond0 and member interfaces in Firebox System Manager
7. Since this is an active-backup link aggregation interface, traffic goes through only one interface at
a time. Look at the sent and received statistics to see which interface is currently active. In the
example shown here, eth2 has sent only one packet, so we know that eth3 is the active interface.
If several computers were connected and sending traffic through the switch, traffic from all
computers would still go through only one interface at a time, because this link aggregation
interface is configured in active-backup mode.
8. Unplug the cable that connects the currently active interface to the switch.
Even if your management computer is connected to the switch you just unplugged from the Firebox, your
connection to the Firebox is not interrupted. Traffic for the link aggregation interface goes through the other
switch to the other member interface.
9. Click the Status Report tab.
10. Scroll down to the Network Configuration section.
The link status of the bond0 interface is up, even though the link status of a member interface is down.
Exercise 2: Static and Dynamic Link Aggregation
In this exercise, you configure a link aggregation interface in static mode, and connect managed switch
interfaces that are also configured as a link aggregation group. Then you change this configuration to
dynamic mode (802.3ad).
Both static and dynamic modes load balance traffic across all member interfaces. The difference is in
how the individual traffic flows are distributed across the interfaces.
Topology
This exercise requires a Firebox and a managed switch.
Add Member Interfaces
Next, you add the member interfaces.
1. Click the Interfaces tab.
2. Select interface 2 and click Configure.
3. Set the Interface Type to Link Aggregation.
The configured link aggregation interface appears in the list.
Figure 16: You must add at least one member interface to the link aggregation interface
4. In the Member column, select the link aggregation interface you just configured.
5. (Optional) In the Interface Name text box, change the interface name to something that indicates
this is part of a trusted link aggregation interface.
6. Click OK.
7. Select interface 3 and click Configure.
8. Set the Interface Type to Link Aggregation.
9. In the Member column, select the link aggregation interface you just configured.
10. (Optional) In the Interface Name text box, change the interface name to something that indicates
this is part of a trusted link aggregation interface.
11. Click OK.
Interfaces 2 and 3 are now configured as type LA (Link Aggregation).
Monitor the Link Aggregation Interface
It is not necessary to connect the management computer to the switch to monitor the link aggregation interface. We do so in this exercise in order to generate some traffic over the link aggregation interface.
1. Disconnect the management computer from eth1 and connect it to an interface on the switch.
2. Change the IP address of the management computer to an IP address on the 172.16.X.0/24 network configured on your link aggregation interface.
3. In WatchGuard System Manager, use the IP Address of the link aggregation interface, 172.16.X.1, to connect to the device. Replace X with your student number.
4. Start Firebox System Manager.
5. Expand Interfaces to show information for eth2, eth3, and bond0.
6. Even though this is a static link aggregation interface, traffic goes through only one interface when only one computer is sending traffic through the interface.
In static mode, if several hosts are connected and sending traffic through the switch, traffic from
different hosts would go through different interfaces in the LAG.
7. If you have another computer available:
a. Connect the second computer to the switch and configure it with an IP address on the 172.16.X.0/24 network.
b. On the second computer, start a process, such as ping, to generate traffic to the 172.16.X.0/24
network. For example, you could ping the trusted interface at 10.0.10.X.
8. Watch the interface statistics in Firebox System Manager.
When traffic is coming from multiple hosts, you should see traffic statistics changing for both member
interfaces.
9. Unplug one of the cables that connects the device to the switch.
The computers connected to the switch should maintain their connection, even though the link status of a
member interface is down.
Network Topology
This exercise shows how to configure a link aggregation interface as a member of a VLAN. In the network diagram, the computers are connected to the 802.1Q switch, which has a link aggregation group defined. The switch interfaces in the link aggregation group are connected to member interfaces of a link aggregation interface on the Firebox. On the device, the link aggregation interface is configured as a member of the VLAN.
The VLAN part of this exercise is similar to exercise 1 in the VLAN section of this training, except that in this exercise you configure only one VLAN.
Configure the Device
1. From Policy Manager, select Network > Configuration.
The Network Configuration dialog box appears.
2. Select the VLAN tab.
The VLAN settings list is empty because you have not defined any VLANs.
3. Click Add and create a new VLAN.
The New VLAN Configuration dialog box appears.
4. In the Name (Alias) text box, type a name for the VLAN. The name cannot contain spaces.
For this example, type VLAN10.
5. (Optional) In the Description text box, type a description.
For this example, type Accounting.
6. In the VLAN ID text box, type or select a number for the VLAN.
For this example, select 10.
7. From the Security Zone drop-down list, select the security zone for the VLAN.
For this example, select Trusted.
8. In the IP Address text box, type the IP address of the VLAN gateway.
For this example, type 192.168.10.1/24.
Any computer in this new VLAN must use this IP address as its default gateway.
9. (Optional) Configure DHCP for the new VLAN.
a. Select Use DHCP Server.
b. In the Address Pool section, click Add.
c. Type or select the Starting Address and the Ending Address.
For this example, type 192.168.10.10 for the Starting Address and 192.168.10.20 for
the Ending Address.
d. Click OK.
The new address pool appears in the Address Pool list.
10. Click OK.
The new VLAN appears.
Figure 23: The Link Aggregation tab shows one interface of type VLAN with two interface members
The VLAN tab should look like this.
Figure 24: The VLAN tab shows the link aggregation interface as a member of VLAN10
17. Save this configuration to the device.
Configure the Switch
This exercise assumes you have already configured the link aggregation group on the switch in the
previous exercise. Use these steps to
Refer to the instructions from your switch manufacturer to configure VLANs on your switch.
1. Add a VLAN to the 802.1Q switch configuration.
Set the VLAN ID number for this VLAN to 10.
2. Configure the LAG for the switch interfaces that connect to device interfaces 2 and 3.
a. Disable Spanning Tree Protocol on any switch interface that connects to the device.
b. Configure the LAG on the switch to be a member of VLAN 10.
c. Configure this interface to tag for VLAN 10.
d. If necessary for your switch operating system, configure the switch mode to trunk.
e. If necessary for your switch operating system, set encapsulation mode to 802.1Q.
3. Configure the switch interfaces that connect computers in VLAN10 to the switch.
a. Configure each switch interface that will connect a computer in VLAN10 to be a member of
VLAN10.
b. Configure these interfaces to untag for VLAN10.
88 WatchGuard Fireware Training
Fireware Training
Multi-WAN Methods
Exploring Multi-WAN Through Hands-On Training
Introduction
Exercises
The step-by-step exercises in this course show how to configure two of the multi-WAN methods and
demonstrate how outgoing connections behave when certain events occur. The first exercise shows
the Interface Overflow multi-WAN method and sticky connections. The second one shows how to
configure the Failover multi-WAN method and configure policy-based routing.
Terms and Concepts You Should Know
Incoming Traffic
For incoming connections, the decision process is much simpler. An incoming connection is
allowed only if a policy in Policy Manager allows it. Any external interface can receive traffic, as long as
Fireware's link monitors sense that the interface is active. The multi-WAN method you use does not
affect the path that incoming traffic takes to get to your Firebox.
Because the Firebox cannot control which external interface an incoming connection attempts to
come through, this training course does not discuss incoming connections. Instead the focus is on
understanding how Fireware handles outgoing connections using the different multi-WAN methods
and options.
networks, it removes that interface from the ECMP group. Fireware puts the external interface back into
the ECMP group when it determines that the interface is available again. For more information, see
The Routing Table Multi-WAN Method on page 102.
Sticky Connections
Dynamic NAT changes the source IP address of an outgoing connection to match the IP address on the
external interface the Firebox uses to send the connection. You use sticky connections to make sure
that when an outgoing traffic flow is established, all connections between the inside user's IP address
and the external site's IP address use the same external interface for a certain amount of time.
Fireware keeps a dynamic table of sticky connections that includes the source/destination pair for each
outgoing connection, the external interface used for the connection, and the connection's age. If a new
connection between the pair happens before the sticky connection timeout, the age is reset to zero.
When the age of an entry reaches the sticky connection limit, the entry is deleted from the sticky
connections table. New connections between the two IP addresses can use a different external
interface.
You can configure the sticky connection interval for the Round-Robin, Interface Overflow, and Routing
Table multi-WAN methods.
You cannot use sticky connection options when:
You use the Failover multi-WAN method.
You enable policy-based routing for a policy.
We recommend you use the default settings for sticky connections. The three-minute timeout prevents
most problems that arise when the source IP address of new traffic from behind the Firebox changes.
Multi-WAN Methods 91
Policy-Based Sticky Connection Settings
For any policy, you can override the global sticky connection settings configured in the multi-WAN
settings. Policy-based sticky connection settings specify that outgoing traffic that uses the policy has a
shorter or longer sticky connection setting than the global sticky connection setting. You can also
disable sticky connections for a policy.
Some applications drop a client's connection if the client's source IP address changes. The most
common situation is when a user is on a web site that uses HTTPS. Some HTTPS sites use a session
cookie that includes the user's source IP address. If the user is on the site and the browser attempts a
new connection (for example, a new GET or POST request to the site causes a new TCP session), the site
might deny the new connection if the source IP address does not match what is in the session cookie.
If users report that they need to frequently re-authenticate to sites that use HTTPS, you can configure a
higher sticky timeout for the policy that allows outbound HTTPS traffic.
Load Balancing Interface Groups apply only to the Round-robin, Failover, and Interface Overflow
methods. The Routing Table method does not use the LBIG because the ECMP (equal-cost multi-path)
routing algorithm manages all routing decisions.
Policy-Based Routing
Policy-based routing is the ability to specify, at a firewall policy level, that an outgoing traffic flow must
use a specific external interface if the source and destination IP addresses of the traffic match the From
and To lists of the policy. Policy-based routing lets you overrule the routing decision that Fireware
would otherwise apply based on the multi-WAN method.
You can also use policy-based routing to route traffic for a policy through a BOVPN virtual interface.
Use these settings:
Select the Ping check box to add an IP address or domain name for the Firebox to ping to check for
interface status.
Select the TCP check box to add the IP address or domain name where the Firebox sends a TCP SYN
packet. Use the Port box to set the port the Firebox uses when it sends the SYN packet. If the target
sends an ACK in reply, the Firebox knows it can reach the external target. The Firebox closes the
connection with a RST packet when it gets an ACK.
Select the Both ping and TCP must be successful to define the interface as active check box if
you want the interface to be considered down when either a ping probe or a TCP packet probe
fails. If you do not select this box, then both the ping probe and the TCP packet probe must fail for
the Firebox to consider the interface down.
Multi-WAN does not require that you configure Ping or TCP link monitor targets, but we recommend
that you configure one or both to determine whether the external interface can send traffic out of your
network.
Note
If you do not select Ping or TCP link monitor targets, Fireware monitors each interface by sending an
ICMP echo to the interface's default gateway IP address. Because monitoring the connection to the
default gateway does not test whether the interface can send traffic beyond the edge of your
network, we recommend you indicate other link monitor targets.
Failover/Failback
Failover occurs when an interface that was previously active becomes unable to send traffic to external
networks. Failback occurs when an interface that was previously not able to reach external locations
becomes active again.
Failback
When the Link Monitor probes determine that an interface is active again, the interface is made
available for outgoing traffic.
The Probe Interval and the Reactivate After settings on the Link Monitor tab determine how long
this takes. The defaults are to send a probe every 15 seconds and to reactivate the interface after three
successful probes. Failback can take up to a full minute if you use the default setting on the Link
Monitor tab.
New outgoing connections, unless they match an entry in the sticky connections table, start to use the
now-active external interface based on the multi-WAN method you select.
Existing connections (including traffic that matches an entry in the sticky connections table) behave
according to the option you select in the Failback for Active Connections drop-down list:
Immediate Failback
- The Firebox drops all currently active connections.
- TCP RST packets are sent to close all open TCP connections.
- NAT ports that are open for return UDP packets are closed.
- The sticky connections table is purged.
Gradual Failback
- All currently active connections are allowed to finish before Fireware begins to use the
multi-WAN method to send them through another external interface.
- The sticky connections table stays the same.
Select Immediate Failback if your backup line is expensive, you want to use the backup line only in
emergency, and your organization can tolerate dropped connections when the failback happens.
Select Gradual Failback if your organization cannot tolerate dropped connections when the failback
happens.
Fireware Multi-WAN Methods
Fireware supports four Multi-WAN methods:
Round-robin
Round robin distributes outgoing connections based on bandwidth. If you set the weight for each
external interface to 1 in Round-robin mode, the algorithm attempts to equalize the amount of bits
per second sent through each interface.
Routing Table
The Routing Table uses ECMP to distribute outgoing connections based on the number of
connections. The Routing Table method attempts to equalize the number of connections going out
each interface. It does not consider the amount of bandwidth sent through each interface.
Interface overflow
The Interface Overflow method allows you to set a bandwidth limit to restrict the amount of traffic
sent over each WAN interface. The algorithm sends outgoing connections to external interfaces in
the order you specify. After all interfaces have reached their bandwidth limit, the Firebox uses the
ECMP (equal-cost multi-path) routing algorithm to find the best path.
Failover
The Failover method sends all outgoing connections to the primary interface. This algorithm sends
outgoing connections through a backup interface only if the primary interface is not available.
Note
It may seem that the Routing Table multi-WAN method is equivalent to the Round-robin method
with a weight of 1. But that is not the case because these two methods use different algorithms to
distribute outgoing connections.
When to Use It
Use the Round-robin method when:
You want to specify a weighted distribution of outgoing traffic across your external interfaces.
You have a standard Fireware license and you want to distribute bandwidth evenly among your
external interfaces. (If you have the standard Fireware license, you cannot assign weights to the
interfaces.)
How It Works
The Round-robin method distributes traffic to each external interface based on bandwidth, not
connections. This gives you more control over how many bytes of data are sent through each ISP.
For light traffic loads, weighted Round-robin behaves like a connection-based Round-robin because
the weights you use tend to determine the number of connections through each external interface.
When the traffic load increases, weighted Round-robin behaves more like a load-based Round-robin
because the weights you assign tend to determine the load through each external interface.
The Round-robin method uses the run-time average of Tx (transmit) and Rx (receive) bytes through
each interface to balance outgoing traffic according to the relative weights you assign to the interfaces.
Fireware takes a measurement four times a second to determine run-time traffic load on the external
interfaces. The Round-robin algorithm is applied only after routes, sticky connections, and policy-based
routing fail to give a routing decision.
The weights you assign are relative weights. For example, suppose interface 0 (eth0) is an external
interface and you give it a weight of 3. Interface 1 (eth1) is also an external interface and you give it a
weight of 2. For every three bytes of traffic that go through eth0, two bytes will go through eth1. The
byte count sent through eth0 will be one and one-half times as much as eth1.
To determine which interface to use for a new outgoing connection, weighted Round-robin calculates
the load:weight ratio (current traffic load as a proportion of the assigned weight) for each external
interface and chooses the interface with the least value for the new connection.
For example, configure Interfaces 0, 1, and 2 as external interfaces, and use Round-robin weights of 8, 2,
and 1 for those interfaces respectively. Assume that new connections happen in sequence, and each
new connection increases the load on an interface equally. The algorithm assigns the new connections
as shown in the table in Figure 1:
Interface 0              Interface 1              Interface 2              New connection
{traffic load : weight}  {traffic load : weight}  {traffic load : weight}  uses this interface
0:8                      0:2                      0:1                      0
1:8                      0:2                      0:1                      1
1:8                      1:2                      0:1                      2
1:8                      1:2                      1:1                      0
2:8                      1:2                      1:1                      0
3:8                      1:2                      1:1                      0
4:8                      1:2                      1:1                      0
5:8                      1:2                      1:1                      1
5:8                      2:2                      1:1                      0
6:8                      2:2                      1:1                      0
7:8                      2:2                      1:1                      0
8:8                      2:2                      1:1                      Use ECMP when all interfaces have full traffic load
Figure 4: This table shows which external interface is used for a new outgoing connection based on {traffic
load : weight} ratio
This example is simplified. The actual situation is more complex. Each new connection does not cause
equal traffic load. Many connections close very quickly, causing load to drop quickly. The load on each
interface is constantly changing.
Example
You have three Internet connections. One ISP gives you 6 Mbps, another ISP gives you 1.5 Mbps, and a
third ISP gives you 768 Kbps. Convert the proportion to whole numbers:
First convert the 768 Kbps to Mbps so that you use the same unit of measurement for all three lines.
This is approximately .75 Mbps. Your three lines are rated at 6, 1.5, and .75 Mbps.
Multiply each value by 100 to remove the decimals. Proportionally, these are equivalent: {6 : 1.5 :
.75} is the same ratio as {600 : 150 : 75}.
Find the greatest common divisor of the three numbers. In this case, 75 is the largest number that
evenly divides all three numbers 600, 150, and 75.
Divide each of the numbers by the greatest common divisor.
The results are 8, 2, and 1. This gives the whole-number weights used for the example.
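The selection rule and the weight calculation above, as an added worked example in Python (not WatchGuard code): weights_from_bandwidth generalises the multiply-by-100 step to any decimal line rates, and simulate reproduces the Figure 4 table, returning None where the text says the Firebox falls back to ECMP.

```python
from fractions import Fraction
from functools import reduce
from math import gcd
from typing import List, Optional

# Added example, not Fireware code. Loads are the one-unit-per-connection counts
# the training table assumes, not measured bits per second.


def weights_from_bandwidth(rates_mbps: List[str]) -> List[int]:
    """Reduce line rates to the smallest whole-number weights with the same ratio.

    Generalises the worked example (6 : 1.5 : 0.75 -> 8 : 2 : 1): scale the values
    to integers, then divide by their greatest common divisor. Rates are passed as
    strings so that Fraction parses the decimals exactly.
    """
    fracs = [Fraction(r) for r in rates_mbps]
    # The text multiplies by 100 to clear decimals; the least common multiple of the
    # denominators is the smallest factor that does the same for any input.
    scale = reduce(lambda a, b: a * b // gcd(a, b), (f.denominator for f in fracs), 1)
    ints = [int(f * scale) for f in fracs]
    divisor = reduce(gcd, ints)
    return [i // divisor for i in ints]


def pick_interface(loads: List[int], weights: List[int]) -> Optional[int]:
    """Return the index of the interface with the lowest load:weight ratio.

    Returns None when every interface is at full load (ratio >= 1), the case where
    the text hands the decision to ECMP. Ties go to the lowest interface number,
    which is what the table shows (row 7: 4:8 and 1:2 are both 0.5, interface 0 wins).
    """
    ratios = [Fraction(load, w) for load, w in zip(loads, weights)]
    if all(r >= 1 for r in ratios):
        return None
    return min(range(len(ratios)), key=lambda i: (ratios[i], i))


def simulate(weights: List[int], connections: int) -> List[Optional[int]]:
    """Assign new connections in sequence, each adding one unit of load to its interface."""
    loads = [0] * len(weights)
    chosen: List[Optional[int]] = []
    for _ in range(connections):
        idx = pick_interface(loads, weights)
        chosen.append(idx)
        if idx is not None:
            loads[idx] += 1
    return chosen


if __name__ == "__main__":
    w = weights_from_bandwidth(["6", "1.5", "0.75"])
    print("weights:", w)                       # [8, 2, 1]
    print("assignments:", simulate(w, 12))     # the Figure 4 sequence, then None for ECMP
```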
How to Configure It
1. From Policy Manager, select Network > Configuration.
The Network Configuration dialog box appears.
2. Select the Multi-WAN tab.
3. From the Multi-WAN Configuration drop-down list, select Round-robin.
5. In the Include column, select the check boxes next to the interfaces you want to include in the
Round-robin configuration. By default, all external interfaces are included. If you have more than
two external interfaces you might reserve one external interface for a special purpose.
For example, you might want to use an external interface only for routing traffic to an application
service provider, or for only VPN traffic. To exclude an external interface from the round-robin, clear
the check box next to that interface in Figure 6. You must include at least two interfaces.
6. To change the weight of one of the interfaces, select the interface and click Configure in Figure 3.
The Round-robin Weight dialog box appears.
The Failover Multi-WAN Method
When to Use It
Use the Failover method:
When you want to use one external interface for all traffic, and you have another ISP that you can
use if the primary line goes down.
If you want to reserve a WAN2 interface for special traffic, and use WAN1 for all other traffic. If the
primary WAN1 connection goes down, all traffic can use WAN2 for the emergency outage.
You cannot configure sticky connection settings with the Failover method.
How It Works
The Firebox sends all traffic through the external interface at the top of the list in the Multi-WAN
Failover Configuration dialog box. If that interface is not active, the Firebox checks the next external
interface in the list. The first active interface in the list is the gateway for all outgoing traffic.
If the Firebox senses an Ethernet link failure, failover happens immediately. When you use the default
link probe settings, an external interface can take from 45 seconds to one minute to change state from
active to not active, or from not active to active. The default probe options are:
Send a probe every 15 seconds
Deactivate the interface after three probes in a row fail
Reactivate the interface after three successful probes in a row
If an external interface that was previously down becomes active again, and it is higher in your list than
the currently active external interface, the Firebox immediately starts to send all new connections out
the active external interface that is now highest in the list.
You control how the Firebox handles any existing connections that currently use the interface that is
now lower in your list. Such a connection can immediately be disconnected and routed over the new
active interface, or it can use the current interface until the connection is finished.
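An added model (not Fireware code) of the link monitor hysteresis described in the Failover/Failback and Link Monitor passages: probes at the default 15-second interval, three consecutive failures to deactivate, three consecutive successes to reactivate, and the effect of the Both ping and TCP must be successful check box. The probe results fed in are constructed.

```python
from dataclasses import dataclass, field
from typing import List, Tuple


@dataclass
class LinkMonitor:
    """Link monitor for one external interface, with the defaults the text lists."""
    probe_interval: int = 15      # seconds between probes
    deactivate_after: int = 3     # consecutive failed probes before the interface is marked down
    reactivate_after: int = 3     # consecutive good probes before it is marked active again
    require_both: bool = False    # the "Both ping and TCP must be successful" check box
    active: bool = True
    failed_streak: int = 0
    ok_streak: int = 0
    changes: List[Tuple[int, bool]] = field(default_factory=list)  # (time, active) per state change

    def probe_ok(self, ping_ok: bool, tcp_ok: bool) -> bool:
        # Box selected: either probe type failing fails the probe.
        # Box cleared: both probe types must fail for the probe to count as failed.
        return (ping_ok and tcp_ok) if self.require_both else (ping_ok or tcp_ok)

    def probe(self, now: int, ping_ok: bool, tcp_ok: bool) -> bool:
        """Record one probe result at time `now` (seconds) and return the interface state."""
        if self.probe_ok(ping_ok, tcp_ok):
            self.ok_streak += 1
            self.failed_streak = 0   # a good probe breaks the run of failures
            if not self.active and self.ok_streak >= self.reactivate_after:
                self.active = True
                self.changes.append((now, True))
        else:
            self.failed_streak += 1
            self.ok_streak = 0       # a failed probe breaks the run of successes
            if self.active and self.failed_streak >= self.deactivate_after:
                self.active = False
                self.changes.append((now, False))
        return self.active


def run(monitor: LinkMonitor, results: List[Tuple[bool, bool]]) -> List[Tuple[int, bool]]:
    """Feed (ping_ok, tcp_ok) results one probe interval apart; return the state changes."""
    for i, (ping_ok, tcp_ok) in enumerate(results):
        monitor.probe((i + 1) * monitor.probe_interval, ping_ok, tcp_ok)
    return monitor.changes


if __name__ == "__main__":
    good, bad = (True, True), (False, False)
    # Constructed sequence: the line is up, fails for three probes, then recovers.
    # Deactivation lands 45 seconds after the last good probe, reactivation 45 seconds
    # after the last bad one, which is the 45-seconds-to-a-minute figure in the text.
    print(run(LinkMonitor(), [good] * 3 + [bad] * 3 + [good] * 3))  # [(90, False), (135, True)]
```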
How to Configure It
Select the Multi-WAN tab on the Network Configuration dialog box to configure this method. You
then use additional dialog boxes to select the interfaces you want to participate in the failover and
establish a failover sequence for them. For more details about how to configure this method, see
Exercise 2.
When to Use It
Use the Interface Overflow method when you want to restrict the maximum bandwidth that each
external interface uses. When the bandwidth threshold is reached for an external interface, new
connections use the next external interface in your list.
How It Works
When you use the Interface Overflow method, you select the order you want the Firebox to send traffic
through external interfaces and configure each interface with a bandwidth threshold value. The
Firebox starts to send traffic through the first external interface in the Interface Overflow Configuration
list. When the traffic through that interface reaches the bandwidth threshold you set for that interface,
the Firebox starts to send new connections through the next interface in the list.
This multi-WAN method allows the amount of traffic sent over each external interface to be restricted
to a specified bandwidth limit.
To determine traffic volume through an interface, the Firebox examines the amount of sent (TX) and
received (RX) packets and uses the higher number. When you configure the interface bandwidth
threshold for each interface, you must consider the needs of your network for this interface and set the
threshold value based on these needs. For example, if your ISP is asymmetric and you set your
bandwidth threshold based on a large TX rate, interface overflow will not be triggered by a high RX
rate.
When all external interfaces reach their threshold, the Firebox uses the ECMP algorithms to find the
best path.
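An added model (not Fireware code) of how the Interface Overflow choice just described and the sticky connections table from the Terms and Concepts section interact. The thresholds, rates, addresses and timestamps are constructed from this course's own examples, and demo replays the Exercise 1 demonstration.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

STICKY_TIMEOUT = 180  # seconds: the default three-minute sticky interval the text recommends


@dataclass
class ExternalInterface:
    name: str
    threshold_kbps: int
    tx_kbps: int = 0
    rx_kbps: int = 0

    def over_threshold(self) -> bool:
        # The text: the Firebox takes the higher of the TX and RX figures and
        # compares it with the configured threshold.
        return max(self.tx_kbps, self.rx_kbps) >= self.threshold_kbps


@dataclass
class StickyEntry:
    interface: str
    last_seen: float  # time of the most recent connection for this src/dst pair


class OverflowRouter:
    """Interface Overflow selection combined with the sticky connections table."""

    def __init__(self, interfaces: List[ExternalInterface], sticky_timeout: int = STICKY_TIMEOUT):
        self.interfaces = interfaces          # in the configured overflow order
        self.sticky_timeout = sticky_timeout
        self.sticky: Dict[Tuple[str, str], StickyEntry] = {}

    def _expire(self, now: float) -> None:
        # An entry whose age reaches the sticky limit is deleted from the table.
        stale = [k for k, e in self.sticky.items() if now - e.last_seen >= self.sticky_timeout]
        for key in stale:
            del self.sticky[key]

    def _overflow_choice(self) -> Optional[str]:
        # First interface in the configured order that is still below its threshold.
        # None means every interface is over threshold and ECMP decides.
        for iface in self.interfaces:
            if not iface.over_threshold():
                return iface.name
        return None

    def route(self, src: str, dst: str, now: float) -> Tuple[Optional[str], str]:
        """Return (interface, reason) for a new connection from src to dst at time now."""
        self._expire(now)
        entry = self.sticky.get((src, dst))
        if entry is not None:
            entry.last_seen = now  # a new connection before the timeout resets the age to zero
            return entry.interface, "sticky"
        choice = self._overflow_choice()
        if choice is None:
            return None, "ecmp"
        self.sticky[(src, dst)] = StickyEntry(choice, now)
        return choice, "overflow"


def demo() -> List[Tuple[str, Optional[str], str]]:
    """Replay the Exercise 1 demonstration with constructed rates and timestamps."""
    main = ExternalInterface("0-Main-Internet", threshold_kbps=200)
    secondary = ExternalInterface("3-Secondary-Internet", threshold_kbps=1000)
    router = OverflowRouter([main, secondary])
    client, site_a, site_b = "10.0.10.2", "74.125.20.105", "173.194.33.172"
    steps: List[Tuple[str, Optional[str], str]] = []
    steps.append(("site A on an idle line",) + router.route(client, site_a, now=0))
    main.rx_kbps = 250  # constructed: the FTP download pushes Main-Internet past its 200 Kbps threshold
    steps.append(("site A again, within the sticky timeout",) + router.route(client, site_a, now=30))
    steps.append(("a site not visited before",) + router.route(client, site_b, now=40))
    main.rx_kbps = 50   # constructed: the FTP transfer has finished
    steps.append(("site B again, within the sticky timeout",) + router.route(client, site_b, now=100))
    steps.append(("site A after its sticky entry expired",) + router.route(client, site_a, now=300))
    return steps


if __name__ == "__main__":
    for label, iface, reason in demo():
        print(f"{label:42} -> {iface} ({reason})")
```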
How to Configure It
Select the Multi-WAN tab on the Network Configuration dialog box to configure this method. You
then use an additional dialog box to configure the bandwidth threshold for each interface. For more
details on configuring this method, see Exercise 1.
When to Use It
Use the Routing Table method when you want a quick and easy way to evenly distribute outgoing
traffic among multiple external interfaces.
This method is the quickest way to take advantage of load balancing more than one route to the
Internet. Because the ECMP algorithm manages all connection decisions, no additional configuration is
necessary after it is enabled. This multi-WAN method is based on connections, not bandwidth or load.
Routes configured statically or learned from dynamic routing are used before the ECMP algorithm.
How It Works
If you have multiple active external interfaces, multiple default routes to the external network are
available with the same cost (one hop). With the Routing Table method, Fireware puts all the active
external interfaces into one ECMP group. It uses the ECMP algorithm to decide which next-hop (path)
to use to send each packet. This algorithm does not consider current byte count through the external
interfaces.
When you select the Routing Table method for your multi-WAN configuration, the Firebox first looks at
policy-based routing actions in your policies, the routes in its internal route table, and the sticky
connection table to see if it should send a packet through a specific external interface. If the Firebox
does not find a specified route, it selects a route based on the ECMP (equal-cost multi-path) algorithm
specified in http://www.ietf.org/rfc/rfc2992.txt.
How to Configure It
There is only one setting:
1. From Policy Manager, select Network > Configuration.
The Network Configuration dialog box appears.
2. Select the Multi-WAN tab.
3. From the Multi-WAN Configuration drop-down list, select Routing Table.
Network Topology
This exercise shows how to configure the Firebox to use two Internet connections using the Interface
Overflow method.
Figure 10 shows how your equipment is connected.
Figure 10: Network topology for Exercise 1. Each student Firebox has two external interfaces.
Figure 13: The Interfaces tab with two external interfaces configured
Figure 15: Configure the interface overflow threshold for the primary WAN
Note
This example is not meant to show a real-world Internet connection. We set the threshold to a low
value to demonstrate the Interface Overflow method. Remember also that Fireware does not use
the overflow threshold value as a cap to throttle available bandwidth. The threshold is only a trigger
to start sending new connections out a different external interface. Throughput can exceed the
overflow threshold you set for an external interface, but Fireware does not send new outgoing
connections through the interface until current throughput for the interface goes below the
overflow threshold.
6. Click OK.
Figure 16: The Interface Overflow Configuration dialog box should look like this
7. Make sure that interface 0 is at the top of the list. If it is not, select the Main-Internet (0) interface
and click Move Up to move it to the top of the list.
You do not need to configure anything on the Link Monitor tab or the Advanced tab for this exercise.
Enable Logging of Allowed Packets For the FTP and Outgoing Policies
By default, the Firebox sends log messages only for denied packets. To see what interface the Firebox
uses to send outgoing connections, enable the logging of allowed packets for the FTP and Outgoing
policies.
1. Edit the FTP policy.
2. Select the Properties tab and click Logging.
Figure 19: The Action column shows which policies have logging enabled
7. Save this configuration to the Firebox.
Demonstrate It
How the Demonstration Works
First you browse several web sites and see the connections go out the Main-Internet interface.
You start an FTP download of a large file to use up the allotted 200 Kbps on the Main-Internet
interface, Interface 0.
When the throughput for the Main-Internet interface reaches the Interface Overflow threshold,
you observe that new outgoing connections use the Secondary-Internet interface, Interface 3.
You see some connections continue to use the Main-Internet interface even though the Interface
Overflow threshold is reached for that interface, because the connections are sticky.
Note
Important! When the FTP download starts, you must visit a new web site quickly to see the Firebox
change the interface it uses for outgoing connections. If you wait too long and the FTP transfer
finishes, the rate of traffic through the main external interface falls below the threshold and the
interface becomes available for new connections again.
Before you begin, think of some sites you can use that you have not been to before, so you can
quickly demonstrate the Interface Overflow behavior when the FTP transfer starts.
Figure 22: Drag the file to the Desktop icon on the left.
The download starts.
Browse to Sites and See Which Interface is Used
New connections that match an entry in the sticky connections table use the same external interface for the sticky timeout period. This is true even if current throughput for the interface is over the Interface Overflow threshold.
1. Browse to a web site you visited less than three minutes ago.
2. Select the Traffic Monitor tab of Firebox System Manager.
3. Find the log message for the connection to this site. Look for a log message with the interface 0-Main-Internet in the message:
2014-06-05 15:24:58 Allow 10.0.10.2 74.125.20.105 https/tcp 51821 443 1-Trusted 0-Main-Internet Allowed 52 127 (Outgoing-00) proc_id="firewall" rc="100" msg_id="3000-0148" src_ip_nat="203.0.113.10" tcp_info="offset 8 S 2805116118 win 32" Traffic
This connection uses the primary external interface Main-Internet, even though bandwidth on
this interface reached the threshold. This is because it matches an entry in the Sticky Connections
table.
When the throughput for the Main-Internet connection exceeds the Interface Overflow threshold, new connections use the Secondary-Internet interface.
4. Go to a web site you have not visited before.
5. On the Traffic Monitor tab, find the log message for this new connection. The log message will use the interface 3-Secondary-Internet.
2014-06-05 16:02:17 Allow 10.0.10.2 173.194.33.172 https/tcp 52386 443 1-Trusted 3-Secondary-Internet Allowed 52 127 (Outgoing-00) proc_id="firewall" rc="100" msg_id="3000-0148" src_ip_nat="192.51.100.10" tcp_info="offset 8 S 1892614575 win 32" Traffic
This connection switched to the Secondary-Internet interface, because the Main-Internet interface
reached the Interface Overflow threshold.
6. After the FTP transfer finishes, go back to the web site you visited in Step 3 (if it was less than three
minutes ago) and press Ctrl-F5 on your keyboard to force all content on the page to reload.
This is the site you visited that went through the Secondary-Internet connection, shown in the log message in
Step 5.
7. On the Traffic Monitor tab, find the log messages for this connection.
Verify that it still uses the Secondary-Internet interface.
It still uses the Secondary-Internet interface because it matches an entry in the sticky connections table.
8. Go to a web site you have not visited in the last three minutes.
9. On the Traffic Monitor tab, find the log messages for this connection.
Verify that new connections now use the Main-Internet interface.
New connections start to use the Main-Internet interface because the throughput for that interface is below
the Interface Overflow threshold.
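Reading the Traffic Monitor by eye works for one or two connections; for a longer test run it helps to parse the messages and tally them. The following Python script is an added example, not WatchGuard code. It parses the positional fields of a Fireware traffic log message (the two numbers after the action are taken to be packet length and TTL, which is an assumption made for the field names) plus the trailing key="value" pairs, then counts outgoing connections per external interface and records which NAT source address was seen on each interface. The sample input is the two log lines from Steps 3 and 5.

```python
"""Parse Firebox Traffic Monitor lines to see which external interface each connection used.

Added illustration, not WatchGuard code. Field names for the two numeric
values after the action (pkt_len, ttl) are an assumption.
"""
import re
from collections import Counter
from typing import Dict, List, Optional, Set

# Constructed sample input: the two log messages shown in Steps 3 and 5 of the exercise.
SAMPLE_LOG = (
    '2014-06-05 15:24:58 Allow 10.0.10.2 74.125.20.105 https/tcp 51821 443 1-Trusted '
    '0-Main-Internet Allowed 52 127 (Outgoing-00) proc_id="firewall" rc="100" '
    'msg_id="3000-0148" src_ip_nat="203.0.113.10" tcp_info="offset 8 S 2805116118 win 32" Traffic\n'
    '2014-06-05 16:02:17 Allow 10.0.10.2 173.194.33.172 https/tcp 52386 443 1-Trusted '
    '3-Secondary-Internet Allowed 52 127 (Outgoing-00) proc_id="firewall" rc="100" '
    'msg_id="3000-0148" src_ip_nat="192.51.100.10" tcp_info="offset 8 S 1892614575 win 32" Traffic\n'
)

# Positional fields of a traffic log message, followed by the key="value" tail.
LINE_RE = re.compile(
    r"^(?P<timestamp>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d) (?P<disposition>\S+) "
    r"(?P<src_ip>\S+) (?P<dst_ip>\S+) (?P<service>\S+) (?P<src_port>\d+) (?P<dst_port>\d+) "
    r"(?P<in_if>\S+) (?P<out_if>\S+) (?P<action>\S+) (?P<pkt_len>\d+) (?P<ttl>\d+) "
    r"\((?P<policy>[^)]+)\)(?P<rest>.*)$"
)
# key="value" pairs; values such as tcp_info contain spaces, so match inside the quotes.
KV_RE = re.compile(r'(\w+)="([^"]*)"')


def parse_line(line: str) -> Optional[Dict[str, str]]:
    """Return a dict of fields for one traffic log line, or None if it is not one."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    record = m.groupdict()
    rest = record.pop("rest")
    record.update(KV_RE.findall(rest))
    return record


def parse_log(text: str) -> List[Dict[str, str]]:
    """Parse every recognised line; lines in another format are skipped."""
    return [r for r in (parse_line(line) for line in text.splitlines()) if r]


def outgoing_interface_counts(records: List[Dict[str, str]], in_if: str = "1-Trusted") -> Dict[str, int]:
    """How many connections from the given inbound interface left through each external interface."""
    return dict(Counter(r["out_if"] for r in records if r["in_if"] == in_if))


def nat_address_by_interface(records: List[Dict[str, str]]) -> Dict[str, Set[str]]:
    """NAT source addresses seen per external interface.

    Each external interface should show exactly one address; two addresses on one
    interface, or one address on two interfaces, points at a dynamic NAT or alias mistake.
    """
    seen: Dict[str, Set[str]] = {}
    for r in records:
        if "src_ip_nat" in r:
            seen.setdefault(r["out_if"], set()).add(r["src_ip_nat"])
    return seen


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    for r in recs:
        print(r["timestamp"], r["src_ip"], "->", r["dst_ip"], "via", r["out_if"])
    print(outgoing_interface_counts(recs))
    print(nat_address_by_interface(recs))
```

Paste a longer Traffic Monitor capture into SAMPLE_LOG (or read it from a file) to see the whole test run summarised by interface; the per-interface NAT check is a cheap sanity test that the secondary interface really is the one doing the NAT for the overflow connections.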
Network Topology
The physical setup is the same as for Exercise 1. Figure 23 shows how your equipment is connected.
Figure 23: The network topology for Exercise 2 is the same as for Exercise 1.
Demonstrate It
How the Demonstration Works
First, you browse to several web sites using HTTP and HTTPS, and see the connections that go out
the Main-Internet interface.
Ping some external IP addresses to see the Firebox send the echo requests through the
Main-Internet interface with the policy-based routing you enabled for the Ping policy.
Your instructor will cause your Firebox Main-Internet interface to fail by causing pings to the link
monitor target to fail.
After the failover event, browse some web sites again to see the connections go out the
Secondary-Internet interface.
Your pings to external locations will fail, because you did not enable failover for the Ping policy's
policy-based routing.
Demonstrate It
To generate traffic for multiple connections, browse to several web sites and start some videos.
In Firebox System Manager, look at the log messages in the Traffic Monitor tab to see which
interfaces the outgoing traffic uses.
Connect to the Fireware XTM Web UI, and use the FireWatch dashboard to see information about
outbound connections for each interface.
7. Do the interface aliases in the policy's To list contain all the members of a load balancing interface group?
- If Yes, use the specified multi-WAN routing method: weighted Round-robin, Failover, or Interface Overflow.
- If No, use the Equal Cost Multi-Path (ECMP) routing method to send the packet.
Note
Load-balancing interface groups pertain only to the Round-robin, Failover, and Interface Overflow multi-WAN methods. A load-balancing interface group includes all the interfaces you specify to participate in the Round-robin, Failover, or Interface Overflow configuration.
The following flow chart diagram is split on two pages. It shows how the Firebox decides which interface to use to send an outgoing connection.
The notes that follow the diagram correspond to the numbered Earth icons in the diagram.
Multi-WAN Routing Decision Flow Chart
If the [source IP / destination IP] hash of an outgoing connection matches an entry in the hash
table, the external interface associated with that entry in the table is used for that connection.
A timer counts down for each entry in the table. The time for a table entry starts with the value
specified in your configuration for sticky connections. When a new outgoing connection matches
an entry in the hash table, the time for that table entry is reset to the full time for sticky connections
and the timer starts again. When the timer for an entry in the hash table reaches zero, the entry is
purged from the table.
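The hash-table and countdown-timer rules just described, together with the Interface Overflow selection, are small enough to model in a few dozen lines. The Python below is an added example, not Fireware code: it keys the sticky table on a hash of (source IP, destination IP), resets the timer on every match, purges expired entries, and for a non-matching connection picks the first interface whose current throughput is under the overflow threshold. The interface names, the 180-second sticky timeout, the throughput figures and the threshold are constructed; it replays the sequence from the Interface Overflow exercise.

```python
"""Model of a multi-WAN sticky-connection table with Interface Overflow selection.

Added illustration, not Fireware code. Interface names, the sticky
timeout, the threshold and the throughput figures are constructed.
"""
from typing import Dict, List, Tuple


class StickyConnectionTable:
    """Maps a (source IP, destination IP) hash to an external interface with a countdown timer."""

    def __init__(self, interfaces: List[str], sticky_timeout: int, overflow_threshold_kbps: int):
        # Interfaces in overflow order: the first is used until its throughput
        # reaches the threshold, then the next one, and so on.
        self.interfaces = interfaces
        self.sticky_timeout = sticky_timeout
        self.overflow_threshold_kbps = overflow_threshold_kbps
        # hash key -> (interface, time at which the entry is purged)
        self.table: Dict[int, Tuple[str, int]] = {}

    @staticmethod
    def key(src_ip: str, dst_ip: str) -> int:
        # Python's hash() is salted per process but stable within one run, which is
        # all the model needs; the real table hashes the same two addresses.
        return hash((src_ip, dst_ip))

    def purge_expired(self, now: int) -> None:
        """Remove entries whose timer has reached zero."""
        for k in [k for k, (_, expiry) in self.table.items() if expiry <= now]:
            del self.table[k]

    def pick_by_overflow(self, throughput_kbps: Dict[str, int]) -> str:
        """Interface Overflow: first interface still under the threshold, else the last one."""
        for iface in self.interfaces:
            if throughput_kbps.get(iface, 0) < self.overflow_threshold_kbps:
                return iface
        return self.interfaces[-1]

    def route(self, src_ip: str, dst_ip: str, now: int,
              throughput_kbps: Dict[str, int]) -> Tuple[str, str]:
        """Return (interface, reason) for a new outgoing connection at time `now`."""
        self.purge_expired(now)
        k = self.key(src_ip, dst_ip)
        if k in self.table:
            iface, _ = self.table[k]
            # A match resets the timer to the full sticky timeout, even if the
            # interface is currently over the overflow threshold.
            self.table[k] = (iface, now + self.sticky_timeout)
            return iface, "sticky"
        iface = self.pick_by_overflow(throughput_kbps)
        self.table[k] = (iface, now + self.sticky_timeout)
        return iface, "new"


def demo() -> List[Tuple[str, str]]:
    """Replay the lab: a sticky site stays on Main-Internet during the FTP transfer,
    a new site overflows to Secondary-Internet, then new sites return to Main-Internet."""
    t = StickyConnectionTable(["0-Main-Internet", "3-Secondary-Internet"],
                              sticky_timeout=180, overflow_threshold_kbps=1000)
    quiet = {"0-Main-Internet": 100}    # below threshold
    busy = {"0-Main-Internet": 1500}    # FTP download in progress, threshold reached
    client = "10.0.10.2"
    return [
        t.route(client, "74.125.20.105", 0, quiet),     # first visit: new, Main-Internet
        t.route(client, "74.125.20.105", 60, busy),     # revisit during FTP: sticky, Main-Internet
        t.route(client, "173.194.33.172", 70, busy),    # new site during FTP: Secondary-Internet
        t.route(client, "173.194.33.172", 200, quiet),  # FTP done, within 180 s: still Secondary
        t.route(client, "198.51.100.7", 210, quiet),    # new site after FTP: back to Main-Internet
        t.route(client, "74.125.20.105", 300, quiet),   # entry from t=60 expired at 240: treated as new
    ]


if __name__ == "__main__":
    for iface, reason in demo():
        print(f"{reason:6s} {iface}")
```

The last call is the subtle one: the entry created by the revisit at t=60 expires at t=240, so at t=300 the same site is treated as a brand-new connection and is placed by the overflow rule again, which is exactly why the exercise tells you to revisit the sticky site within three minutes.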
5. A load balancing interface group is the group of interfaces you include when you click
Configure at the top of the Multi-WAN tab in Policy Manager. You can exclude any external
interface from participating in the multi-WAN method that you use.
Load balancing interface groups apply only to the Round-robin, Failover, and Interface Overflow
methods. The Routing Table method does not use the load balancing interface group because the
ECMP (equal-cost multi-path) routing algorithm manages all routing decisions.
Routing
Configure Static and Dynamic Routing
Introduction
You can use static and dynamic routing to ensure connectivity between networks that connect to your
Firebox. Static routing is the use of manually configured, non-changing routes in a Firebox or router's
routing table. Dynamic routing allows your device and connected network routers to share information
about network accessibility and to dynamically update their local routing tables based on changes to
the network topology.
Terms and Concepts
To understand routing, you should be familiar with these terms and concepts:
Route
A route is the sequence of devices that network traffic must go through to get from its source to its
destination. A packet can go through many network points with routers before it reaches its
destination. Routes can be static or dynamic.
Static Route: A manually configured route to a specific network or host. A static route includes
the destination network or host IP address and a gateway IP address.
Dynamic Route: A route automatically learned and updated by a router, based on
communication with adjacent network routers. You configure dynamic routing to control which
routes your device dynamically shares with other network routers.
Router
The device on a network that uses a routing table to find the next network point through which to send
the network traffic toward its destination.
Route Table
A router, or a network device such as a Firebox, stores information about static and dynamic routes in
route tables. The device looks in the route tables to find a route to send each received packet toward its
destination.
Note
The route table in Fireware v11.9.x and lower looks different than what is shown in this training.
You can see the route tables for a Firebox in Firebox System Manager, on the Status Report tab. The
route tables in the Status Report are called IPv4 Routes and IPv6 Routes. Each route table includes
these routes:
- Routes to networks for all enabled device interfaces
- Routes to networks for all enabled BOVPN virtual interfaces
- Static network routes or host routes you add to your device configuration, if the device has a route
to the gateway configured for each route.
- Routes the device learns from dynamic routing processes that are enabled on the device
Note
Policy-based routes, described in the Multi-WAN module, do not appear in the Route Table.
Route Metric
Each route in the routing table has an associated metric, which is a number that indicates the cost
associated with the route. A lower metric for a route indicates a lower cost, and higher priority for the
route. If the routing table includes more than one route to the same destination, the Firebox uses the
route that has the lower metric. For a static route, to control the priority of each route, you manually set
the metric. If you use dynamic routing, the dynamic routing protocol automatically sets the metric for
each route based on characteristics such as the link speed, hop count, or time delay.
Routing Protocol
Dynamic routing protocols enable routers to communicate with each other and share information
about the status of network accessibility. All dynamic routing protocols perform these tasks:
- Send information about network accessibility to other routers
- Receive information about network accessibility from other routers
- Determine the best routes based on the known accessibility information and save the best routes
in the local routing table
- React to and advertise network topology changes
Convergence Time
Convergence time refers to the time it takes for connected routers to establish consistent and
correct routing tables after a network topology change. Convergence time is shorter for the BGP
and OSPF protocols than it is for the RIP dynamic routing protocol.
Routing Types and Protocols
Note
The exercises in this course focus on IPv4 dynamic routing, but the concepts are the same for IPv6.
When you connect your network to two different ISPs, it is called multihoming. Multihoming provides
redundancy and network optimization. You can use eBGP to make sure that the Firebox routes
outbound traffic to the ISP that can provide the best path to the destination.
When you use eBGP to exchange BGP routes with an upstream ISP peer, the eBGP peer might send you
these different types of routes:
Default route: the 0.0.0.0/0 route. The ISP can send you a default route if they use the BGP
command default-information originate. The default route your ISP sends you does not
affect the Firebox, because when you configure an external interface, you must specify a gateway
IP address, which is the default route for that interface.
Customer routes: the collection of all static and dynamic routes to other customers who are
subscribed to the same ISP.
Default and customer routes: the combined list of the default route and customer routes.
Full routes: the list of all customer routes and all other dynamic routes learned from the ISP's
upstream (higher tier) ISP and peer ISPs that are part of a local Internet exchange point network.
Note
An Internet exchange point (IX or IXP) is a neutral location between some Tier 2 and lower ISPs
that allows the ISPs to directly exchange Internet traffic between their networks without the need to
route through a Tier 1 ISP.
You can use the access-list and route-map BGP commands to filter BGP route updates that come from
an eBGP peer.
For the exercises in this training, we only configure iBGP, but it is important to know that eBGP can
result in a very large routing table that you must manage.
Dynamic Routing Policies
When you enable a dynamic routing protocol, Policy Manager automatically creates the necessary
policy to allow required dynamic routing traffic, if an existing policy to allow the traffic does not exist.
The automatically added policies for each protocol are:
DR-RIP-Allow
This is the automatically created dynamic routing policy for RIP. The DR-RIP-Any policy is
configured to allow RIP multicasts to the reserved multicast address for RIP v2.
If you use RIP v1, you must configure the RIP policy to allow RIP broadcasts from the network
broadcast IP address to the Firebox. For example, if your external interface IP address is 203.0.113.2/
24, you must configure the RIP policy to allow traffic from the broadcast address 203.0.113.255 to
the Firebox.
DR-RIPng-Allow
This is the automatically created dynamic routing policy for RIPng. The DR-RIPng-Allow policy is
configured to allow RIPng multicasts to the reserved multicast address for RIPng, FF02::9.
DR-OSPF-Allow
This is the automatically created dynamic routing policy for OSPF. The DR-OSPF-Any policy is
configured to allow OSPF multicasts to the reserved IPv4 multicast addresses for OSPF.
DR-OSPFv3-Allow
This is the automatically created dynamic routing policy for OSPFv3. The DR-OSPFv3-Allow policy
is configured to allow OSPF multicasts to the reserved IPv6 multicast addresses for OSPFv3, FF02::5
and FF02::6.
DR-BGP-Allow
This is the automatically created dynamic routing policy for BGP.
You can edit these policies to add authentication or restrict the policy to listen on only the correct
interfaces.
If you remove or disable these dynamic routing policies, or if you remove the necessary multicast IP
addresses from the To section of the policies, dynamic routing cannot function.
Point-to-Point Link
In a point-to-point link connection, interfaces on two Firebox devices connect directly to each other.
The peer interfaces are on the same subnet and can communicate directly. Typical examples of a
point-to-point link between two sites are fiber-to-Ethernet converters, layer 2 VLAN connections, a
fiber optic connection, or a leased line with serial-to-Ethernet converters at each end.
A point-to-point link could also be a direct link between devices at the same location, such as devices
that connect to networks for different departments.
Note
This diagram is intended to represent a section of a larger network topology that would include the
connections to other departments and to the Internet.
Multi-Hop Link
In a multi-hop link connection, the Firebox devices do not connect to the same network. The device at
each site connects to a local router or other networking device. Those routers between the Firebox devices
connect to each other. A typical example of this type of connection is a leased line terminated on
routers at each site. Or, the connection between the routers could be over an MPLS network.
Routing and Branch Office VPNs
You can use a branch office VPN (BOVPN) to make a secure connection between networks at different
locations. There are two methods you can use to configure a BOVPN tunnel. The method you use
determines how the Firebox device decides whether to route traffic through the BOVPN tunnel.
BOVPN Gateway and BOVPN Tunnels
You can configure a BOVPN gateway and add one or more BOVPN tunnels that use that gateway.
When you use this configuration method, the Firebox always routes a packet through the BOVPN
tunnel if the source and destination of the packet match a configured BOVPN tunnel.
Note
Branch office VPN configuration is covered in the Fireware Essentials course.
BOVPN Virtual Interface
You can configure a branch office VPN as a BOVPN virtual interface. BOVPN virtual interface routes
appear in the routing table, and the decision about whether to send traffic through the VPN tunnel
or through another interface is affected by static and dynamic routes, and by policy-based routing.
This provides more flexibility in how you can configure routing through the tunnel.
When you have configured a BOVPN virtual interface, you can add an IPv4 or IPv6 BOVPN virtual
interface route, which is a static route through the BOVPN virtual interface.
Figure 5: The Add Route dialog box for a BOVPN virtual interface route
Route metrics are the same for a BOVPN virtual interface route as for routes through any other
interface. You can set the metric for a static BOVPN virtual interface route to make it a higher or
lower metric than other routes, to control which is the preferred route.
The global VPN setting controls whether VPN routes are removed if a BOVPN virtual interface is
down.
Note
If you enable the global VPN setting to remove VPN routes, you must either enable policy-based
routing for the BOVPN virtual interface or, in the BOVPN virtual interface settings, select the Start
Phase1 tunnel when it is inactive option.
Figure 6: The VPN setting to remove VPN routes when the tunnel is down
Failover from a Dynamic Route to a Branch Office VPN
When you use dynamic routing to establish the routes between networks behind two Firebox devices,
you can optionally configure automatic failover to a VPN connection if a route between the networks is
not present in the routing table. When you use dynamic routing, the failover happens automatically,
when the route between two devices is removed from the routing table.
To configure network failover to a branch office VPN you must:
1. Configure dynamic routing between the two sites over the primary connection.
2. Configure a branch office VPN tunnel between the two sites over another Firebox interface.
3. Enable the global VPN setting Enable the use of non-default (static or dynamic) routes to
determine if IPSec is used.
This setting enables the automatic failover to the VPN based on changes to the routing table.
Figure 7: Select the check box to enable the use of non-default routes
When you use dynamic routing, if the primary network link fails, the route is automatically removed
from the routing table. When the route is removed, if this global VPN setting is enabled, the Firebox
automatically uses the VPN tunnel to route packets between the two networks. When the primary
routing problem is resolved, the dynamic routing protocol adds the route back to the table, and the
Firebox automatically begins to use that route instead of the VPN tunnel for traffic between the two
networks.
Figure 8: Branch Office VPN as a failover for a connection between two devices
Note
For a complete description of this VPN failover configuration, with sample configuration files, see the
Branch Office VPN Failover from a Private Network Link example on the WatchGuard Configuration
Examples page at http://www.watchguard.com/help/configuration-examples/index.asp.
Monitoring Tools
- RUNNING: the dynamic routing process is running
- STOP: the dynamic routing process is stopped
- LICENSED: the dynamic routing protocol is licensed
- CFGSYNC: reserved for future use
Under the Dynamic Routing section are these sections with information about the status of each
dynamic routing protocol:
- RIP: RIP routes and status
- OSPF: OSPF routes and status
- BGP: BGP routes and status
- RIPng: RIPng routes and status
- OSPFv3: OSPFv3 routes and status
Exercise 1: Configure Static Routing Over a Point-to-Point Link
You can use static routing to route traffic between any two networks, as long as the networks are
connected by one or more Firebox devices or routers. To configure static routing, you must add static
routes to all Firebox devices and routers that route traffic between the two networks.
This exercise shows how to configure static routing between two devices that are connected by a
point-to-point link. In a point-to-point link connection, the Firebox devices connect directly to the same
network.
For this exercise, we assume the point-to-point link in the training environment looks like this:
For example, for student 10 and student 20, the network interface configuration looks like this:
5. In the Route To text box, type the IP address of the Site B trusted network.
The Site B trusted network is 10.0.B.0/24
6. In the Gateway text box, type the IP address of the Site B external interface.
The Gateway (next hop) is 203.0.113.B.
Replace the B in the IP address with the student number your instructor gives to the student who
manages the Site B device.
7. Save the configuration to the Site A device.
Figure 14: The Add Route dialog box configured for a route to the student 10 Firebox
4. From the Destination Type drop-down list, select Network IPv4.
5. In the Route To text box, type the IP address of the Site A trusted network.
The Site A trusted network is 10.0.A.0/24.
6. In the Gateway text box, type the IP address of the Site A external interface.
The Gateway (next hop) is 203.0.113.A.
Replace the A in the IP address with the student number your instructor gives to the student who
manages the Site A device.
7. Save the configuration to the Site B device.
Note
A configured static route does not appear in the route table if there is no route to the gateway
specified in the static route. If you add a static route, and the route does not appear in the route
table, check the gateway you specified in the static route, and make sure your device can route to
that gateway IP address. For example, in this exercise, if you add a static route, and specify the
gateway incorrectly (203.0.114.A), the route does not appear in the routing table.
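Three rules in this module decide what ends up in the route table and which entry is used: a static route is installed only if the device can reach its gateway (the note above), among matching routes the longest prefix and then the lowest metric win (Route Metric under Terms and Concepts), and when a dynamic route is withdrawn a BOVPN virtual interface route with a higher metric takes over (Failover from a Dynamic Route to a Branch Office VPN). The Python below is an added model of those rules, not Fireware code; the addresses, interface names, metrics and route kinds are constructed, and the BOVPN virtual interface route is represented as a route with no gateway on a tunnel interface.

```python
"""Route table model: gateway reachability, longest prefix, lowest metric, VPN fallback.

Added illustration, not Fireware code. Addresses, interface names,
metrics and the "bovpn-vif" representation are constructed.
"""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass
class Route:
    destination: ipaddress.IPv4Network
    gateway: Optional[ipaddress.IPv4Address]  # None for a connected network or a tunnel interface
    interface: str
    metric: int
    kind: str  # "connected", "static", "dynamic" or "bovpn-vif"


def route(dest: str, gateway: Optional[str], interface: str, metric: int, kind: str) -> Route:
    return Route(ipaddress.ip_network(dest),
                 ipaddress.ip_address(gateway) if gateway else None,
                 interface, metric, kind)


class RouteTable:
    def __init__(self) -> None:
        self.routes: List[Route] = []

    def gateway_reachable(self, gateway: ipaddress.IPv4Address) -> bool:
        """A gateway is usable only if a directly connected network contains it."""
        return any(r.kind == "connected" and gateway in r.destination for r in self.routes)

    def add(self, r: Route) -> bool:
        """Install a route. Returns False, and installs nothing, if its gateway is unreachable."""
        if r.gateway is not None and not self.gateway_reachable(r.gateway):
            return False
        self.routes.append(r)
        return True

    def remove(self, dest: str, kind: str) -> None:
        """Withdraw a route, as a dynamic routing protocol does when a link fails."""
        net = ipaddress.ip_network(dest)
        self.routes = [r for r in self.routes if not (r.destination == net and r.kind == kind)]

    def lookup(self, address: str) -> Optional[Route]:
        """Most specific prefix wins; among equal prefixes the lowest metric wins."""
        ip = ipaddress.ip_address(address)
        candidates = [r for r in self.routes if ip in r.destination]
        if not candidates:
            return None
        return min(candidates, key=lambda r: (-r.destination.prefixlen, r.metric))


def demo() -> Dict[str, object]:
    """Site A: trusted 10.0.10.0/24, external 203.0.113.0/24, peer link 172.16.10.0/24."""
    rt = RouteTable()
    rt.add(route("10.0.10.0/24", None, "1-Trusted", 0, "connected"))
    rt.add(route("203.0.113.0/24", None, "0-External", 0, "connected"))
    rt.add(route("172.16.10.0/24", None, "2-Peer", 0, "connected"))
    rt.add(route("0.0.0.0/0", "203.0.113.1", "0-External", 0, "static"))
    # Mistyped gateway (203.0.114.x is not a connected network): the route is not installed.
    bad_installed = rt.add(route("10.0.20.0/24", "203.0.114.20", "0-External", 10, "static"))
    # Route to Site B learned over the peer link, and a BOVPN virtual interface route as backup.
    dyn_installed = rt.add(route("10.0.20.0/24", "172.16.10.1", "2-Peer", 20, "dynamic"))
    rt.add(route("10.0.20.0/24", None, "bovpn-vif.1", 100, "bovpn-vif"))
    before = rt.lookup("10.0.20.5")
    rt.remove("10.0.20.0/24", "dynamic")  # primary link fails, protocol withdraws the route
    after = rt.lookup("10.0.20.5")
    internet = rt.lookup("198.51.100.7")
    return {
        "bad_gateway_installed": bad_installed,
        "dynamic_installed": dyn_installed,
        "before_failover": before.interface if before else None,
        "after_failover": after.interface if after else None,
        "internet_interface": internet.interface if internet else None,
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

Note that the /24 route to Site B beats the default route for 10.0.20.5 purely on prefix length; the metric only breaks ties between the two /24 entries, which is what lets the higher-metric BOVPN route sit unused in the table until the dynamic route disappears.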
Test the Static Route
To test the static route, you can ping a device or interface on the remote network.
Because this exercise uses the external interface as the point-to-point link, you must update the ping
policy to allow the ping between networks for testing. The default Ping policy does not allow ping
traffic in through the external interface.
To enable ping traffic for testing:
1. In Policy Manager, double-click the Ping policy to edit it.
2. Add Any-External to the From section of the policy.
3. Save the configuration to the device.
4. Repeat these steps to enable ping traffic on the other device.
Now that ping traffic is allowed from the external network, you can use the ping command to test the
static routes between these two sites. To do this, open the Windows command prompt on the
management computer connected to the Site A network and issue a ping command to the IP address
of a device on the private network on the Site B device. Or, you can use Firebox System Manager to
issue a ping.
To issue a ping from Firebox System Manager for the Site A device:
1. Select the Traffic Monitor tab.
2. Right-click anywhere on the tab.
A context menu appears.
3. From the context menu, select Diagnostic Tasks.
The Diagnostic Tasks dialog box appears.
Exercise 2: Configure Dynamic Routing over a Point-to-Point Link
You can use dynamic routing to simplify the management of configuration updates to your network as
the topology at each site changes. In this exercise you configure dynamic routing between two Firebox
devices connected over a point-to-point link. This exercise also demonstrates how dynamic routing
automatically adds new routes to one device after you change the network configuration on the other
device.
Network Topology
For this exercise, we will configure dynamic routing over the point-to-point network we configured in
Exercise 1.
If Student 10 manages the Site A device, and Student 20 manages the Site B device, the finished
dynamic routing configuration for these two sites looks like this:
Figure 18: OSPF dynamic routing configurations for Site A (left) and Site B (right)
Figure 19: The OSPF network routing table at Site A includes a route to the trusted network at Site B
4. Scroll to the Routes section. Or press Ctrl+F and type Routes to find this section.
The dynamic routes appear in the IPv4 Routes section of the status report.
Figure 20: The IPv4 Routes table with the dynamic route added
5. In the FSM status report for Site A, review the OSPF network routing table.
Network Topology
To configure the Firebox for this exercise, you must connect interface 2 to a switch that connects to the
instructor Firebox.
Figure 22: Multi-hop link training network topology, with IP addresses for student 10 and student 20
Configure the Peer Interfaces
Configure interface 2 on each device as the peer interface to use for dynamic routing over the
multi-hop link.
Figure 23: The Add Route dialog box with the route to the Firebox of student 20
Figure 24: The Add Route dialog box with the route to the Firebox of student 10
4. From the Destination Type drop-down list, select Network IPv4.
5. In the Route To text box, type 10.0.A.0/24, the IP address of the Site A trusted network.
For example, if the Site B device is managed by Student 10, use 10.0.10.0.
6. In the Gateway text box, type 172.16.B.1, the IP address of the instructor device that connects to
both networks.
For example, if your student number is 20, type 172.16.20.1
7. Save the configuration to the device.
Add Static Routes to Routers Between the Two Sites
If the Firebox devices at each site were connected to routers, you would need to add a static route to
the routers at each site. In the training network configuration, the instructor device has multiple IP
addresses assigned to one interface, so it acts as a router for both sites. To complete the static route
configuration, the instructor must add static routes to the instructor device. The configuration for the
static routes on the instructor device looks like this:
Figure 25: Static routes configured on the instructor device for all student trusted networks. The routes to the
networks for student 10 and student 20 are circled.
Figure 26: The IPv4 Routes table shows the static route to the Student 20 trusted network through the
gateway at 172.16.10.1.
You can use the Ping command in the Windows command line to test the static route between the two
sites. For example, you can ping the address of the trusted interface of the device at Site B from the
management computer connected to Site A.
Network Topology
To configure the Firebox for this exercise, you must connect interface 2 to a switch that connects to the
instructor device. The network topology for this exercise is exactly the same as for Exercise 3.
Configure Static Routes Between the Peer Interfaces
To configure static routing over a multi-hop link, you must add static routes on each Firebox and on any
network routing devices between them to correctly direct the traffic between the two networks. The
peer interfaces are the device interfaces that connect to the router between the sites. To configure
static routing over a multi-hop link, you must add static routes on each device and on the routers
between them to correctly direct the traffic between the two peer interfaces, 172.16.A.2 at Site A, and
172.16.B.2 at Site B.
The first thing you must do is look at your network topology to determine all the devices that route
traffic between these two interfaces. You can then determine what static routes must be added to
allow the two Firebox devices to communicate. For this network, we must add a static route to each of
the devices.
There is no need for the instructor to add static host routes to the device in the middle, since the
instructor device already connects directly to the networks for the optional interfaces of both Firebox
devices.
Note
The difference between the static routes in this exercise and the static routes added in the prior
exercise, is that these are host routes to the IP address of the peer interface, rather than network
routes to the private network on the peer device.
Figure 28: The Add Route dialog box with the route to the Firebox of student 20
4. From the Destination Type drop-down list, select Host IPv4.
5. In the Route To text box, type 172.16.B.2, the IP address of the Site B peer interface.
6. In the Gateway text box, type 172.16.A.1, the IP address of the instructor Firebox interface that
connects to the peer interface on the Site A Firebox.
7. Save the configuration to the device.
Figure 29: The Add Route dialog box with the route to the device of student 10
4. From the Destination Type drop-down list, select Host IPv4.
5. In the Route To text box, type 172.16.A.2, the IP address of the Site A peer interface.
6. In the Gateway text box, type 172.16.B.1, the IP address of the instructor Firebox interface that
connects to the peer interface on the Site B Firebox.
7. Save the configuration to the device.
Test the Static Route Between the Peer Interfaces
After you configure the static routes on the Firebox devices and routers, you can use the Diagnostic
Tasks in Firebox System Manager to test the static route between the peer interfaces, External
(203.0.113.A) at Site A, and external interface (192.51.100.B) at Site B.
Note
You cannot use the ping command from the Windows command line to test this static route, since
the static route is only between the peer interfaces.
1. In Firebox System Manager for the Site A Firebox, select Tools > Diagnostic Tasks.
This is the same Diagnostic Tasks dialog box you opened before from within the Traffic Monitor tab.
2. Select the Advanced Options check box.
Figure 30: Diagnostic Tasks ping command, advanced options
Note
When you enable Advanced Options, you can move the mouse pointer over the Arguments text box
to see a list of the available arguments.
3. In the Arguments text box, type:
-I<source interface IP address> <destination IP address to ping>
This starts an extended ping from the Firebox. The -I option allows you to specify the IP address of
the interface to ping from. For this exercise, we use these addresses:
- Source address: 172.16.A.2
- Destination address: 172.16.B.2
For example, to ping from the Student 10 peer interface to the Student 20 peer interface, type:
-I172.16.10.2 172.16.20.2
4. Click Run Task.
It can take more than a minute for the results to appear in the Results text box.
Repeat the above steps from the Firebox at Site B to test routing to the peer interface at Site A. At Site B,
the arguments for the extended ping are reversed:
- Source address: 172.16.B.2
- Destination address: 172.16.A.2
If the static route test does not work the first time, check your cabling and static route configuration.
After you verify that the peering interfaces can communicate, you are ready to set up dynamic routing
between the two networks.
Review the Route Table
Now, review the routing table to verify that the expected routing table entries were added.
1. Connect to the Site A Firebox with Firebox System Manager.
2. Select the Status Report tab.
3. Scroll down to the BGP section.
The BGP network routing table shows the dynamic routes added by BGP:
5. Repeat these steps to examine the routing table in the status report for the Site B Firebox.
Troubleshooting
If the dynamic routes from one device do not appear in the route table of the peer device, use these
steps to troubleshoot the problem:
1. Make sure you have saved the configuration to each device.
2. Verify that each device has a working static route to the external interface on the peer device.
If necessary, use the steps earlier in this exercise to test the static route.
3. Make sure there is a policy to allow BGP traffic between the two devices.
The DR-BGP-Allow policy should have been automatically created on each device when you enabled BGP.
164 WatchGuard Fireware Training
FireCluster
Redundancy and Load Sharing for Your Network
Introduction
About FireCluster
A FireCluster is a pair of Firebox devices configured to provide network redundancy and improved
scalability. Both devices connect to routers or switches connected to each network. The Firebox devices
also connect directly to each other to exchange information necessary for the operation of the cluster.
To set up a FireCluster, you first configure one device with the network and policy configuration you
want to use for the cluster. You reset the second device to factory default settings. When you connect
the two devices to each other and enable FireCluster, the connected devices synchronize their
configuration and operate as a cluster.
When you configure Firebox devices as a FireCluster, there are some management limitations:
- You cannot use Fireware Web UI to configure a cluster or change the FireCluster settings.
- You cannot use WSM with a Management Server to schedule an OS update for a FireCluster
member.
Cluster Member
A device that is part of a FireCluster. A cluster member can take on one of two roles in the cluster.
Cluster master: The device that updates and maintains all the connection and session
information for the cluster, and synchronizes that information with the backup master. In an active/
active cluster, the cluster master assigns connections and sessions to itself or to the backup master.
Backup master: The device that monitors the cluster master, and automatically takes over the
role of cluster master in the event of a failover.
Active/Active Cluster
In an active/active cluster, both cluster members share the load of traffic that passes through the
cluster. An active/active cluster improves scalability because both devices share the load. If either
member of an active/active cluster fails, the other member takes on the entire load for the cluster. To
add both redundancy and load sharing to your network, select an active/active cluster.
Active/Passive Cluster
In an active/passive, also known as an active/standby cluster, only the cluster master handles network
traffic. The backup master actively monitors and synchronizes status with the cluster master. If the
cluster master fails, the backup master becomes cluster master, and takes over all the traffic for the
cluster. An active/passive cluster provides redundancy, but not increased scalability, because the traffic
load is handled by only one device at a time. To add redundancy, choose an active/passive cluster.
Cluster ID
The cluster ID uniquely identifies your FireCluster. The default cluster ID is 1. If you enable more than
one FireCluster on the same network, it is important to assign each cluster a different cluster ID.
An active/passive FireCluster uses a virtual MAC address, calculated based on the Cluster ID and the
interface numbers. If you configure more than one active/passive FireCluster on the same subnet, it is
important to know how to set the Cluster ID to avoid a possible virtual MAC address conflict.
The virtual MAC addresses for interfaces on an active/passive FireCluster start with 00:00:5E:00:01. The
sixth octet of the MAC address is set to a value that is equal to the interface number plus the Cluster ID.
You can see the virtual MAC address in Firebox System Manager, in the details for each interface.
For example, if you set the Cluster ID to 1, the virtual MAC addresses for the first three interfaces are:
Interface 0: 00:00:5E:00:01:01
Interface 1: 00:00:5E:00:01:02
Interface 2: 00:00:5E:00:01:03
If you add a second active/passive FireCluster to the same subnet, you must set its Cluster ID so that
no interface on the two FireClusters computes the same sixth octet. Because each cluster uses the
octets from its Cluster ID up to its Cluster ID plus its highest interface number, the difference
between the two Cluster IDs must be greater than the highest interface number of the cluster with the
lower ID.
The FireCluster virtual MAC addresses can also conflict with HSRP and VRRP devices on your network.
VRRP virtual routers use the same 00:00:5E:00:01 prefix with the VRRP virtual router ID as the sixth
octet, so a FireCluster interface and a VRRP group that produce the same sixth octet conflict. Keep this
in mind when you decide which Cluster ID to use.
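As an added worked example (not WatchGuard code), the following Python script applies the rule above: it derives the virtual MAC for each interface of a cluster, reports sixth octets that collide between two clusters or with a VRRP virtual router ID on the same subnet, and finds the smallest Cluster ID a second cluster can use. The interface lists and the VRID are constructed for illustration, and the VRRP MAC form 00:00:5E:00:01:{VRID} is taken from RFC 5798 rather than from this page.

```python
"""Virtual MAC planning for active/passive FireClusters on one subnet.

Added example, not WatchGuard code. Rule from the text: prefix 00:00:5E:00:01,
sixth octet = interface number + Cluster ID. VRRP (RFC 5798) uses the same
prefix with the sixth octet equal to the virtual router ID, so the two can collide.
"""

VMAC_PREFIX = "00:00:5E:00:01"


def virtual_mac(cluster_id, interface):
    """Virtual MAC address of one interface in an active/passive FireCluster."""
    octet = interface + cluster_id
    if not 0 <= octet <= 0xFF:
        raise ValueError(
            f"Cluster ID {cluster_id} + interface {interface} does not fit in one octet")
    return f"{VMAC_PREFIX}:{octet:02X}"


def cluster_macs(cluster_id, interfaces):
    """Map each enabled interface number to its virtual MAC."""
    return {iface: virtual_mac(cluster_id, iface) for iface in interfaces}


def find_conflicts(clusters, vrrp_vrids=()):
    """Report virtual MACs claimed by more than one owner.

    clusters:   {name: (cluster_id, [enabled interface numbers])}
    vrrp_vrids: VRRP virtual router IDs present in the same broadcast domain
    Returns a list of (mac, first_owner, second_owner).
    """
    owners = {}
    conflicts = []
    for name, (cluster_id, interfaces) in clusters.items():
        for iface, mac in cluster_macs(cluster_id, interfaces).items():
            owner = f"{name} interface {iface}"
            if mac in owners:
                conflicts.append((mac, owners[mac], owner))
            else:
                owners[mac] = owner
    for vrid in vrrp_vrids:
        mac = f"{VMAC_PREFIX}:{vrid:02X}"
        if mac in owners:
            conflicts.append((mac, owners[mac], f"VRRP VRID {vrid}"))
    return conflicts


def minimum_second_cluster_id(first_id, first_interfaces, second_interfaces):
    """Smallest Cluster ID, different from first_id, whose virtual MACs do not
    overlap those of the first cluster. For interfaces 0..N on both clusters
    this is first_id + N + 1."""
    used = {first_id + i for i in first_interfaces}
    candidate = 1
    while True:
        if candidate != first_id and all(candidate + i not in used for i in second_interfaces):
            return candidate
        candidate += 1


if __name__ == "__main__":
    # Constructed topology: two clusters with interfaces 0-2 and a VRRP router
    # using VRID 3, all in the same broadcast domain.
    plan = {"ClusterA": (1, [0, 1, 2]), "ClusterB": (2, [0, 1, 2])}
    for mac, first, second in find_conflicts(plan, vrrp_vrids=[3]):
        print(f"conflict on {mac}: {first} vs {second}")
    print("ClusterB should use Cluster ID",
          minimum_second_cluster_id(1, [0, 1, 2], [0, 1, 2]))
```

With Cluster IDs 1 and 2 the script reports two cluster-to-cluster collisions and one with the VRRP group; moving the second cluster to ID 4 clears the cluster collisions for three interfaces.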
Cluster Interface
The cluster interface is an interface on each cluster member that is dedicated to communication
between the cluster members. The cluster interfaces of the cluster members must connect to each
other. You must define at least one cluster interface. You can optionally configure a second cluster
interface that is only used if communication over the primary cluster interface is interrupted.
Management Interface
You must select one of the active traffic interfaces as the interface for management IP address. Set this to
the interface your management computer is connected to. This is usually the trusted network. You
must also configure a management IP address for each cluster member. The address must be an unused
IP address on the network for the selected interface. You can also use a VLAN as the cluster
management interface.
If the interface you select as the interface for management IP address has IPv6 enabled, you can assign
an IPv6 management IP address for each cluster member.
Management software uses the Management IP address to connect to cluster members for upgrade,
failover, reboot, shutdown and other operations. You can also use the IPv4 or IPv6 management IP
address to connect to a specific cluster member with the management software.
About Failover
Failover occurs when one of the cluster members experiences a failure and the other cluster member
takes over the traffic that was assigned to the failed device. The cluster master is constantly monitored
by the backup master.
The cluster health factors that can trigger a failover are collectively referred to as the Weighted Average
Index (WAI). The WAI takes into account the link status of monitored interfaces, and other factors that
indicate a software or hardware malfunction. If the WAI of the backup master is greater than the WAI of
the master, failover of the cluster master is triggered.
You can see the WAI in the Cluster Health section of the status report in Firebox System Manager.
Cluster Health
--------------
Member Id = 80B0030CA6EE9
Member cluster Role = 3
System Health Index (SHI) = 100
Hardware Health Index (HHI) = 100 (disabled)
Monitored Ports Health Index (MPHI) = 100
Weighted Avg Index (WAI) = 100
Member Id = 80B0030EBCFAA
Member cluster Role = 2
System Health Index (SHI) = 100
Hardware Health Index (HHI) = 100 (disabled)
Monitored Ports Health Index (MPHI) = 100
Weighted Avg Index (WAI) = 100
For each cluster member, the Status Report shows these health index values:
System Health Index (SHI)
This number indicates the status of monitored processes on the device. If all monitored processes
are active, the SHI value is 100.
Hardware Health Index (HHI)
This number indicates the status of critical hardware components. If no hardware failures are
detected, the HHI value is 100. If a critical monitored hardware component fails, the HHI value is
zero. The HHI is based on the status of hardware components such as the CPU, fans, and power
supply.
If (disabled) appears adjacent to the HHI number in the Status Report, the HHI is not used in the
calculation of the WAI, and so is not a criterion for failover. This is the default setting.
Monitored Ports Health Index (MPHI)
This number indicates the link status of monitored ports. If all monitored ports are up, the MPHI value
is 100. The status of wireless connections is not monitored as part of this index.
Weighted Average Index (WAI)
This number is used to compare the overall health of two cluster members, as a criterion for failover.
By default, the WAI for a cluster member is a weighted average of the SHI and MPHI for that device,
but does not include the HHI.
If you enable the HHI to be used in the calculation of the WAI, the WAI is a weighted average of the
HHI, SHI, and MPHI. The one exception is that if the HHI of a device is zero, the WAI for that device is
also zero.
To enable the HHI to be used in the calculation of the WAI, select the Monitor hardware status as a
criteria for FireCluster failover check box in FireCluster Advanced settings.
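To make the index rules concrete, here is an added Python example (not WatchGuard code) that parses a Cluster Health block in the format of the status report shown earlier, records whether the HHI is disabled, and applies the failover rule from the text: the backup becomes master when its WAI is greater than the master's. The sample report is constructed, with one member's MPHI lowered so that the comparison fires. Because the page does not publish the weights used in the WAI, compute_wai uses equal weights, which is an assumption; the rule that a zero HHI forces a zero WAI is from the text.

```python
"""Parse a FireCluster "Cluster Health" status block and apply the WAI failover rule.

Added example, not WatchGuard code. The report below is constructed: it follows
the format of the Firebox System Manager status report, but one member's MPHI is
lowered to show a failover decision.
"""
import re

SAMPLE_REPORT = """\
Cluster Health
--------------
Member Id = 80B0030CA6EE9
Member cluster Role = 3
System Health Index (SHI) = 100
Hardware Health Index (HHI) = 100 (disabled)
Monitored Ports Health Index (MPHI) = 50
Weighted Avg Index (WAI) = 75
Member Id = 80B0030EBCFAA
Member cluster Role = 2
System Health Index (SHI) = 100
Hardware Health Index (HHI) = 100 (disabled)
Monitored Ports Health Index (MPHI) = 100
Weighted Avg Index (WAI) = 100
"""

# "<label> (<ABBREV>) = <value> [(<flag>)]"  or  "<label> = <value>"
LINE_RE = re.compile(r"^\s*(?P<label>[^=]+?)\s*=\s*(?P<value>\S+)\s*(?:\((?P<flag>[^)]*)\))?\s*$")
ABBREV_RE = re.compile(r"\((?P<abbrev>[A-Z]+)\)\s*$")


def parse_cluster_health(text):
    """Return one dict per member: id, role, SHI, HHI, HHI_enabled, MPHI, WAI."""
    members = []
    current = None
    for line in text.splitlines():
        match = LINE_RE.match(line)
        if not match:
            continue  # heading, underline or blank line
        label, value, flag = match.group("label"), match.group("value"), match.group("flag")
        if label == "Member Id":
            current = {"id": value}
            members.append(current)
            continue
        if current is None:
            continue
        if label == "Member cluster Role":
            current["role"] = int(value)
            continue
        abbrev = ABBREV_RE.search(label)
        if abbrev:
            name = abbrev.group("abbrev")
            current[name] = int(value)
            if name == "HHI":
                # "(disabled)" means the HHI is not part of the WAI calculation
                current["HHI_enabled"] = flag != "disabled"
    return members


def compute_wai(shi, mphi, hhi=100, hhi_enabled=False):
    """WAI under the rules in the text. Assumption: equal weights, because the
    actual weights are not published. When hardware monitoring is enabled, an
    HHI of zero forces the WAI to zero."""
    if hhi_enabled:
        if hhi == 0:
            return 0
        return (shi + mphi + hhi) / 3
    return (shi + mphi) / 2


def should_failover(master, backup):
    """Failover is triggered when the backup master's WAI exceeds the cluster master's."""
    return backup["WAI"] > master["WAI"]


if __name__ == "__main__":
    members = parse_cluster_health(SAMPLE_REPORT)
    master, backup = members[0], members[1]  # constructed: first listed member is the master
    for member in members:
        print(member)
    print("failover:", should_failover(master, backup))
```

The parser deliberately keys on the abbreviation in parentheses, so it keeps working if the long index names are reworded but the SHI/HHI/MPHI/WAI labels stay.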
What Happens During a Failover
It is possible for either device in a cluster to fail. In an active/passive cluster, only failure of the cluster
master impacts connections. In an active/active cluster, because connections can be assigned to either
device, failure of either device can interrupt proxy and mobile VPN connections assigned to the device
that failed.
Failure of the cluster master
When a failover of the cluster master occurs, the backup master becomes the cluster master. The
original cluster master may rejoin the cluster as the backup master. When a failover occurs, the
cluster maintains all packet filter connections, branch office VPN tunnels, and user sessions. This is
the same for an active/active or an active/passive FireCluster.
Failure of the backup master
If the backup master fails in an active/active cluster, the cluster master maintains all packet filter
connections, branch office VPN tunnels, and user sessions. Proxy connections and Mobile VPN
connections are interrupted if they are assigned to the backup master.
In an active/passive cluster, if the backup master fails, there is no interruption of connections or
sessions because no traffic is assigned to the backup master.
Monitoring Tools
Firebox System Manager and the Fireware log files are useful tools to monitor the status and operation
of your FireCluster.
Diagnostic Logging
If you need to troubleshoot issues with FireCluster, it can be useful to change the diagnostic log level
for FireCluster. By default, the FireCluster diagnostic log level is set to Error. You can increase the level
to see more detailed information in the log files.
To configure the diagnostic log level for FireCluster:
1. In Policy Manager, select Setup > Logging.
2. Click Diagnostic Log Level.
3. From the category list, expand FireCluster.
FireCluster Requirements
To use FireCluster, your Firebox devices and network configuration must meet these requirements:
Hardware Requirements
Both Firebox devices in a FireCluster must be the same model. FireCluster is supported on most Firebox
models.
FireCluster restrictions on Firebox wireless devices (Firebox T10-W, XTM 25-W, 26-W, and 33-W):
When you enable the external interface as a wireless interface, FireCluster is not supported.
When you enable wireless access points on a Firebox wireless device, you can configure
FireCluster only as active/passive.
FireCluster is not supported on:
XTMv virtual devices on Hyper-V
Firebox T10, XTM 21/22/23 or XTM 21-W/22-W/23-W models
License Requirements
Both devices in a FireCluster must use the same version of Fireware.
Both devices must have an active LiveSecurity Service subscription.
For an active/active cluster, we recommend both devices have active licenses for the same set of
security services such as Gateway AV, Intrusion Prevention Service, and Application Control. For an
active/passive cluster, you need an active license for any security services on only one of the cluster
members, and that license is used by whichever device is active.
Switch and Router Requirements
Switch and router requirements depend on the type of FireCluster.
Active/Active or Active/Passive FireCluster
In any FireCluster, all active traffic interfaces must be connected to a separate switch or VLAN.
Active/Active FireCluster
For an active/active FireCluster, your configuration must also meet these requirements:
All switches and routers in the broadcast domain must not discard ARP replies that contain a
multicast MAC address.
- This is the default behavior for most layer 2 switches.
- For routers and layer 3 switches, the default behavior is to follow RFC 1812, section 3.3.2, which
tells a router not to believe an ARP reply that maps an IP address to a multicast MAC address. If
possible, disable this behavior. If you are unable to disable RFC 1812 support, you might need to
configure static MAC and static ARP entries on your routing device.
All switches in the broadcast domain must be configured to forward traffic to all ports connected
to FireCluster members when the destination MAC address is the multicast MAC address of the
FireCluster.
- For unmanaged layer 2 switches, this should be the default behavior.
- For managed switches, you could need to add static MAC and static ARP entries for the
FireCluster.
To find the multicast MAC addresses for the FireCluster, select FireCluster > Configure.
You could need to add the IP address and MAC address of each router or layer 3 switch in the
broadcast domain as a static ARP entry in the FireCluster configuration.
To add static ARP entries:
1. Find the IP address and MAC address of your layer 3 switch.
2. In Policy Manager, select Network > ARP Entries.
Member 1: __________________________________
Member 2: __________________________________
_______ You have saved the feature keys for both devices to a local file.
_______ You have one switch or router for each active traffic interface.
_______ You have decided which interfaces and IP addresses to use for this FireCluster. Record
these in the table below.
Note
Do not assign IP addresses in the range 10.0.0.1 - 10.0.13.254 to the primary or backup cluster
interfaces. This address range includes Firebox default interface IP addresses and cannot be used for
the cluster interfaces.
For the FireCluster Management IP address, select an unused IP address on the same subnet as the
address assigned to the management interface. For example, if you select the trusted interface as the
management interface, choose two unused IP addresses from your trusted subnet to use as the
FireCluster management IP addresses. If you choose the External interface as the Interface for
management IP address, choose two unused external IP addresses on the same subnet as the External
interface IP address that you can dedicate to FireCluster management functions.
Note
If you set the Management IP addresses of a FireCluster member to an IP address that is not on the
same subnet as the IP address of the FireCluster management interface, make sure your network
configuration includes routes to allow the management software to communicate with FireCluster
members, and to allow the FireCluster members to communicate with each other.
Exercise 1: Set Up an Active/Passive Cluster
In this exercise you learn how to configure two Firebox devices as an active/passive FireCluster.
To complete this exercise, you must have:
Two supported Firebox devices of the same model number.
Fireware v11.10 or higher installed on both devices.
Fireware Pro enabled in the feature key for both devices.
Feature key for both devices saved locally in a file.
A switch or router for each enabled network interface.
In this exercise, we refer to the members of the FireCluster as Member 1 and Member 2, because that is
how the FireCluster Setup wizard names them by default. Member 1 is the first device you configure.
Member 2 is the second device that you add when you enable FireCluster. For the first part of this
exercise, Member 2 must be powered off.
Note
It is important that you do not use the default IP address, 10.0.1.1, for interface 1, because that
would create a temporary IP address conflict with the second device before the cluster is formed.
4. In the DHCP Address Pool list, configure the address range 10.0.X.2 - 10.0.X.100.
We set the IP address range here so that we can identify an address outside of this range to use for
the Management IP address.
Disable Unused Network Interfaces
In this exercise, we assume there is only one trusted network, connected to Interface 1. Before you
enable FireCluster, you must disable any unused interfaces. This is an important step, because
FireCluster monitors the link status of all enabled interfaces to determine whether to start failover.
1. Select Network > Configuration.
The Network Configuration dialog box appears.
Figure 6: Interfaces configuration for student 10, with unused interfaces enabled
2. If there are any unused interfaces enabled, select an unused interface and click Configure.
3. From the Interface Type drop-down list, select Disabled. Click OK.
Repeat this for all the other unused interfaces.
Figure 7: Interfaces configuration for student 10, with unused interfaces disabled
4. Save the configuration to the Firebox.
Because you have changed the trusted IP address, you must use the new address, 10.0.X.1, to reconnect
to the device in WatchGuard System Manager.
Replace the X in the IP address with the student number your instructor gives you.
Figure 8: Network configuration diagram for a FireCluster with two cluster interfaces
1. Make sure that Member 2 is powered off before you connect the cables.
2. Use a red cross-over cable to connect interface 5 on Member 1 to interface 5 on Member 2. This is
the primary cluster interface.
3. Use a red cross-over cable to connect interface 4 on Member 1 to interface 4 on Member 2. This is
the backup cluster interface.
4. Connect interface 0, the external interface of both devices, to a switch or router.
5. Connect interface 1, the trusted interface of both devices, to another switch or router.
6. Connect the management computer to the switch or router on the trusted network.
Run the FireCluster Setup Wizard
1. Connect to Member 1 with WatchGuard System Manager at 10.0.X.1.
2. Start Policy Manager
Select FireCluster > Setup.
The FireCluster Setup Wizard starts.
3. Click Next to continue.
The first page of FireCluster global properties appears.
4. Select the cluster type. For this exercise, select Active/Passive cluster.
If you had selected Active/Active cluster, you would also need to select the load balance method
here.
6. Click Next.
The FireCluster global properties page appears.
Figure 10: These global properties apply to both devices in the cluster
7. Find the Member 1 Primary and Backup cluster interface and Management IP address interface
from the table at the start of this exercise.
- From the Primary drop-down list, select interface 5.
- From the Backup drop-down list, select interface 4.
- From the Interface for management IP address drop-down list, select interface 1.
Up to this point, the wizard has asked for global configuration settings that apply to the cluster as a
whole. In the next set of steps you configure properties that are unique to each cluster member.
8. Click Next.
The Feature key page appears.
Figure 11: The feature key for the first FireCluster member
9. For the first member, you have already imported the feature key. If you had not already done so,
you could click Import to add the feature key here. Verify that the serial number in this feature key
matches the serial number for the device you are connected to.
Click Next.
The Name and serial number page appears.
Figure 12: The FireCluster serial number is copied from the feature key
The wizard automatically gets the serial number from the feature key. The default member name
for the first device is Member1. For this exercise, do not edit the Member Name.
Figure 13: The cluster interface and management IP address configuration for the Member1 device
11. Type the cluster interface and management interface IP addresses for member 1 from the table at
the start of this exercise.
- For the Primary cluster interface IP address, type 169.254.5.1/24.
- For the Backup cluster interface IP address, type 169.254.4.1/24.
- For the IPv4 Management IP address, type 10.0.X.101/24.
Replace the X in the Management IP address with your student number.
12. Click Next.
The Add another cluster member page appears.
Figure 14: The wizard automatically asks if you want to configure another device
13. Select Yes to add another device. Click Next.
The Feature key page appears for the second device.
Figure 15: You must import the feature key for the second cluster member before you can continue
14. Click Import to add the feature key for the second cluster member.
The Import Firebox Feature Key dialog box appears.
15. Paste the feature key for the second device. Make sure the serial number matches. Click OK.
The feature key is added to the wizard.
16. Click Next.
The Name and serial number page appears.
Figure 16: The FireCluster serial number is pulled from the feature key
The wizard automatically gets the serial number from the feature key. The default member name
for the second device is Member2. For this exercise, do not edit the Member Name.
Figure 17: The cluster interface and management IP address configuration for the Member2 device
18. Type the cluster interface and management interface IP addresses for Member 2 from the table at
the start of this exercise.
- For the Primary cluster interface IP address, type 169.254.5.2/24.
- For the Backup cluster interface IP address, type 169.254.4.2/24.
- For the IPv4 Management IP address, type 10.0.X.102/24.
Replace the X in the management IP address with your student number.
19. Click Next.
The Summary page appears.
Figure 18: The wizard summarizes all of the settings you configured
20. Review your FireCluster settings carefully.
In the Global Properties, make sure the interfaces match the interfaces you have connected and
that you have set a unique FireCluster ID.
In the Member Properties, check these things:
- The primary cluster IP addresses for both members are on the same subnet
- The backup cluster IP addresses for both members are on the same subnet
- The cluster IP addresses do not use addresses in the range 10.0.0.1 - 10.0.13.254.
- The management IP addresses for both devices are on the trusted network.
21. Click Next.
The wizard completion page appears.
Figure 19: The FireCluster Configuration dialog box shows the settings you configured in the wizard
You can return to this dialog box at any time from Policy Manager. Select FireCluster > Configure.
From the FireCluster Configuration dialog box, you can enable or disable the FireCluster, or you
can review and change the configuration. There are three tabs:
- In the General tab you can see and configure the FireCluster global properties.
- In the Members tab you can see and configure the FireCluster member properties.
- In the Advanced tab you can see and configure FireCluster logging, notification, and
hardware monitoring settings.
23. Click OK to close the FireCluster configuration dialog box.
24. Select File > Save > To Firebox to save the configuration to the Firebox.
The first device is now the cluster master. Now you can add the second device to the cluster.
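The address rules that the notes before this exercise and the review in step 20 ask you to verify by eye can be checked mechanically before you save the configuration. The following Python script is an added example, not WatchGuard code: it takes a plan in the shape of the table for this exercise (the values are those of student 10) and reports cluster interface addresses inside 10.0.0.1 - 10.0.13.254, primary or backup cluster addresses that are not on one subnet, duplicate addresses, and management addresses inside the DHCP pool. A management address off the management subnet is reported as a warning rather than an error, because the Note above allows it when routes exist. The plan dictionary layout is my own assumption.

```python
"""Check a FireCluster address plan against the rules in this chapter.

Added example, not WatchGuard code. The plan layout is an assumption made for
this script; the values are the student 10 addresses from Exercise 1.
"""
import ipaddress

# Range the Note says must not be used for the primary or backup cluster interfaces
RESERVED_START = ipaddress.IPv4Address("10.0.0.1")
RESERVED_END = ipaddress.IPv4Address("10.0.13.254")


def in_range(addr, start, end):
    return start <= addr <= end


def validate_plan(plan):
    """Return (problems, warnings); an empty problems list means the plan passes."""
    problems, warnings = [], []
    mgmt_if = ipaddress.ip_interface(plan["management_interface"])
    pool_start = ipaddress.ip_address(plan["dhcp_pool"][0])
    pool_end = ipaddress.ip_address(plan["dhcp_pool"][1])
    members = plan["members"]
    if len(members) != 2:
        problems.append(f"a FireCluster has two members, the plan lists {len(members)}")

    # Cluster interfaces: outside the reserved range, unique, and on one subnet per role
    for role in ("primary", "backup"):
        seen, nets = set(), set()
        for name, member in members.items():
            iface = ipaddress.ip_interface(member[role])
            if in_range(iface.ip, RESERVED_START, RESERVED_END):
                problems.append(f"{name}: {role} cluster IP {iface.ip} is inside 10.0.0.1-10.0.13.254")
            if iface.ip in seen:
                problems.append(f"{name}: {role} cluster IP {iface.ip} duplicates another member")
            seen.add(iface.ip)
            nets.add(iface.network)
        if len(nets) > 1:
            problems.append(f"{role} cluster IPs are not on one subnet: {sorted(str(n) for n in nets)}")

    # Management IPs: unused, on the management subnet, and outside the DHCP pool
    seen = {mgmt_if.ip}
    for name, member in members.items():
        ip = ipaddress.ip_address(member["management"])
        if ip in seen:
            problems.append(f"{name}: management IP {ip} is already in use")
        seen.add(ip)
        if ip not in mgmt_if.network:
            warnings.append(f"{name}: management IP {ip} is not on {mgmt_if.network}; "
                            "routes between the management computer and both members are required")
        elif in_range(ip, pool_start, pool_end):
            problems.append(f"{name}: management IP {ip} is inside the DHCP pool {pool_start}-{pool_end}")
    return problems, warnings


# Student 10 plan from Exercise 1 (X = 10)
STUDENT_10_PLAN = {
    "management_interface": "10.0.10.1/24",  # trusted interface, interface 1
    "dhcp_pool": ("10.0.10.2", "10.0.10.100"),
    "members": {
        "Member1": {"primary": "169.254.5.1/24", "backup": "169.254.4.1/24", "management": "10.0.10.101"},
        "Member2": {"primary": "169.254.5.2/24", "backup": "169.254.4.2/24", "management": "10.0.10.102"},
    },
}

if __name__ == "__main__":
    problems, warnings = validate_plan(STUDENT_10_PLAN)
    print("problems:", problems or "none")
    print("warnings:", warnings or "none")
```

Run it against a plan that reuses the default interface address 10.0.1.1 for a cluster interface, or picks a management address from inside the DHCP pool, and the problems list names the rule that was broken.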
Reset the Second Device to Factory-Default Settings
To get the second device ready to be discovered by the cluster master, you must reset it to
factory-default settings. The steps to do this vary by device model.
Note
If the instructions to reset your Firebox are not described here, see the topic Reset a Device in
Fireware Help, or see the Hardware Guide for your Firebox model.
These procedures all start with the second device powered off.
Exercise 2: Monitor Cluster Status
In this exercise, you learn how to use Firebox System Manager to monitor the cluster and cluster
member status.
Exercise 3: Test FireCluster Failover
In this exercise you trigger a failover, and learn what to expect to see while you monitor the cluster
during a failover.
COPYRIGHT 2014 WatchGuard Technologies, Inc. All rights reserved. WatchGuard, the WatchGuard logo,
Firebox, and Core are registered trademarks or trademarks of WatchGuard Technologies, Inc. in the
United States and/or other countries.
TRAINING: www.watchguard.com/training, training@watchguard.com