
WatchGuard Certified Training

Network and Traffic Management with Fireware
Fireware XTM and WatchGuard System Manager v11.9

Revised: October 2014


Updated for: Fireware XTM v11.9.3

Disclaimer
Information in this guide is subject to change without notice. Companies, names, and data used in
examples herein are fictitious unless otherwise noted. No part of this guide may be reproduced or
transmitted in any form or by any means, electronic or mechanical, for any purpose, without the express
written permission of WatchGuard Technologies, Inc.

Copyright and Patent Information


Copyright 2014 WatchGuard Technologies, Inc. All rights reserved.
WatchGuard, Firebox, Fireware, LiveSecurity, and spamBlocker are either registered trademarks or
trademarks of WatchGuard Technologies, Inc. in the United States and other countries. This product is
covered by one or more pending patent applications.
All other trademarks and tradenames are the property of their respective owners.
Printed in the United States.

TRAINING
www.watchguard.com/training
training@watchguard.com


SUPPORT
www.watchguard.com/support
support@watchguard.com
U.S. and Canada +877.232.3531
All Other Countries +1.206.613.0456

WatchGuard Fireware Training

Table of Contents

Course Introduction ................................................................................................................ 1

Training Overview .......................................................................................................... 1
Necessary Equipment and Software ............................................................................ 1
Classroom Network Configuration ................................................................................ 2

Student Device IP Addresses ....................................................................................................... 2


Instructor Device Network Configuration .................................................................................... 3
Configuration Changes for the Instructor Device ....................................................................... 5
(Optional) Set Up a Server to Host FTP and HTTP Downloads ................................................... 6

VLANs in Fireware XTM ........................................................................................................... 7


Introduction .................................................................................................................... 7
What You Will Learn ...................................................................................................................... 7
Exercises ....................................................................................................................................... 7
What VLANs Can Do For You ........................................................................................................ 7

Terms and Concepts You Should Know ....................................................................... 8


VLAN Requirements and Recommendations .............................................................. 9
Before You Begin ......................................................................................................... 10
Firewall Configuration ................................................................................................................. 10
Necessary Equipment and Services ......................................................................................... 10
Configuring the VLAN Switch .................................................................................................... 11

Exercise 1: Two VLANs on the Same Device Interface ................................................ 12


When to Use this Configuration ................................................................................................ 12
Network Topology ....................................................................................................................... 12
Configure the Device ................................................................................................................. 13
Configure the Switch ................................................................................................................. 15
Physically Connect all Devices ................................................................................................... 16
Test the Configuration ................................................................................................................ 16

Exercise 2: One VLAN Bridged Across Two Device Interfaces .................................... 17


When to Use this Configuration ................................................................................................. 17
Network Topology ....................................................................................................................... 18
Configure the Device ................................................................................................................. 18
Configure the Switch ................................................................................................................. 21
Physically Connect all Devices .................................................................................................. 21
Test the Configuration ............................................................................................................... 21

Exercise 3: One VLAN Bridged Across Two Device Interfaces (Alternate Configuration) ... 22

When to Use This Configuration ............................................................................................... 22
Network Topology ....................................................................................................................... 22
Configure the Device ................................................................................................................. 23
Configure the Switches ............................................................................................................. 25
Physically Connect All Devices .................................................................................................. 25

Exercise 4: Two VLANs as External Interfaces on the Same Device .......................... 27


When to Use this Configuration ................................................................................................. 27

Network Topology ....................................................................................................................... 27
Configure the Device ................................................................................................................. 28
Configure the Switch ................................................................................................................. 30
Physically Connect All Devices .................................................................................................. 30
Test the Configuration ............................................................................................................... 30

Using VLANs in Device Policies ................................................................................... 31


Apply Firewall Policies to Intra-VLAN Traffic ............................................................................. 31
Aliases ........................................................................................................................................ 31

Exercise 5: Configure VLANs for Wireless Access Points ............................................ 33


When to Use This Configuration ............................................................................................... 33
Network Topology ....................................................................................................................... 33

Frequently Asked Questions ....................................................................................... 38

What You Have Learned .............................................................................................. 38

Traffic Management ............................................................................................................. 39
What You Will Learn ..................................................................................................... 39
Control Bandwidth Use with Traffic Management Actions ........................................ 39

Traffic Management Action Types ............................................................................................ 40


Traffic Management in Policies ................................................................................................ 40
Traffic Management in Application Control ............................................................................. 40
Traffic Management Action Precedence .................................................................................. 40
Monitoring Bandwidth Statistics ................................................................................................ 41

Control Traffic Priority with QoS .................................................................................. 41


About Interface QoS Settings ..................................................................................................... 41
About Policy QoS Settings .......................................................................................................... 41
About Traffic Priority ................................................................................................................... 41
About Outgoing Interface Bandwidth ....................................................................................... 42

Exercise 1: Use a Traffic Management Action to Guarantee Bandwidth ................... 43


Enable Traffic Management and QoS ...................................................................................... 43
Verify the OS Compatibility Setting ........................................................................................... 43
Define Outgoing Interface Bandwidth ...................................................................................... 43
Create a Traffic Management Action ....................................................................................... 44
Modify Policy Configuration ....................................................................................................... 45
Set Up Service Watch ................................................................................................................ 46
See the Results of the Configuration ........................................................................................ 47

Exercise 2: Use a Traffic Management Action to Limit Bandwidth ............................. 50


Re-Define Outgoing Interface Bandwidth ................................................................................ 50
Create a Traffic Management Action ....................................................................................... 51
Modify Policy Configuration ....................................................................................................... 51
See the Results of the Configuration ....................................................................................... 52

Exercise 3: Use Traffic Management with Application Control ................................... 55


Create two Traffic Management Actions .................................................................................. 55
Configure Application Control ................................................................................................... 56
Configure Application Control in Policies ................................................................................. 58
Monitor the Traffic Management Actions in Firebox System Manager .................................. 59

Exercise 4: Use QoS to Mark and Prioritize Traffic ...................................................... 61


Before You Begin ....................................................................................................................... 61
Enable Prioritization by QoS Marking on Interfaces ................................................................ 61
Prioritize Traffic by Policy ........................................................................................................... 63
See the Results of the Configuration ....................................................................................... 64

What You Have Learned .............................................................................................. 65


Link Aggregation ................................................................................................................... 67
Introduction .................................................................................................................. 67

What You Will Learn ................................................................................................................... 67


Course Outline ........................................................................................................................... 67

Terms and Concepts You Should Know ..................................................................... 67


Link Aggregation ........................................................................................................................ 67
Link Aggregation Group (LAG) .................................................................................................. 68
Link Aggregation Interface ........................................................................................................ 68
Link Aggregation Member Interface ........................................................................................ 68
Link Aggregation Modes ........................................................................................................... 69
Link Aggregation Interface Identifiers ...................................................................................... 69

Link Aggregation with Other Networking Features .................................................... 70


Exercise 1: Configure Active-Backup Link Aggregation ............................................... 71
Network Topology ........................................................................................................................ 71
Before You Begin ....................................................................................................................... 72
Add the Link Aggregation Interface .......................................................................................... 72
Add Member Interfaces .............................................................................................................. 74
Connect the Switches ................................................................................................................ 75
Monitor the Link Aggregation Interface .................................................................................... 76

Exercise 2: Static and Dynamic Link Aggregation ....................................................... 78


Topology ...................................................................................................................................... 78
Before You Begin ....................................................................................................................... 78
Add the Link Aggregation Interface .......................................................................................... 79
Add Member Interfaces ............................................................................................................. 80
Configure the Switch and Connect the Device to the Switch .................................................. 81
Connect the Device to the Switch .............................................................................................. 81
Monitor the Link Aggregation Interface ................................................................................... 82
Use Dynamic Mode .................................................................................................................... 82

Exercise 3: Use Link Aggregation with a VLAN ............................................................. 83


Network Topology ....................................................................................................................... 83
Before You Begin ....................................................................................................................... 83
Configure the Device ................................................................................................................. 84
Configure the Switch ................................................................................................................. 86
Physically Connect all Devices .................................................................................................. 86

What You Have Learned .............................................................................................. 87


Multi-WAN Methods ............................................................................................................. 89
Introduction .................................................................................................................. 89
What You Will Learn ................................................................................................................... 89
Exercises .................................................................................................................................... 89
What Multi-WAN Can Do For You .............................................................................................. 89

Terms and Concepts You Should Know ..................................................................... 90


Outgoing Traffic and Multi-WAN ................................................................................................ 90
Incoming Traffic ......................................................................................................................... 90
IPSec VPN Traffic ....................................................................................................................... 90
Equal-Cost Multi-Path Routing (ECMP) ..................................................................................... 90
Sticky Connections ..................................................................................................................... 91
Load Balancing Interface Group (LBIG) .................................................................................... 91
Policy-Based Routing ................................................................................................................. 92
Link Monitor Settings ................................................................................................................ 92
Failover/Failback ....................................................................................................................... 93

The Round-Robin Multi-WAN Method ......................................................................... 94


When to Use It ............................................................................................................................ 94
How It Works .............................................................................................................................. 94
Calculate Weights for Round-robin ........................................................................................... 95
How to Configure It .................................................................................................................... 96

When an External Interface Fails ............................................................................................... 97

The Failover Multi-WAN Method ................................................................................. 98


When to Use It ............................................................................................................................ 98
How It Works .............................................................................................................................. 98
How to Configure It .................................................................................................................... 98
When an External Interface Fails .............................................................................................. 98

The Interface Overflow Multi-WAN Method ................................................................ 99


When to Use It ............................................................................................................................ 99
How It Works .............................................................................................................................. 99
How to Configure It .................................................................................................................... 99
When an External Interface Fails .............................................................................................. 99

The Routing Table Multi-WAN Method ...................................................................... 100


When to Use It .......................................................................................................................... 100
How It Works ............................................................................................................................ 100
How to Configure It .................................................................................................................. 100
When an External Interface Fails ............................................................................................ 100

Before You Begin ....................................................................................................... 101


Necessary Equipment and Services ....................................................................................... 101
Management Computer Configuration ................................................................................... 101
Firewall Configuration .............................................................................................................. 102
Bandwidth Available at Each External Interface ................................................................... 102
Physically Connecting your Devices ........................................................................................ 102

Exercise 1: Demonstrate the Interface Overflow Multi-WAN Method and Sticky Connections .... 103

When to Use the Interface Overflow Method ......................................................................... 103
Network Topology ..................................................................................................................... 103
Configure the Device ............................................................................................................... 104
Demonstrate It ......................................................................................................................... 108

Exercise 2: Demonstrate the Failover Multi-WAN Method and Policy-Based Routing .... 112

When to Use the Failover Method ........................................................................................... 112
Network Topology ..................................................................................................................... 112
Configure the Device ............................................................................................................... 113
Demonstrate It ......................................................................................................................... 117

Exercise 3: Demonstrate Load Balancing with the Round Robin Multi-WAN Method .... 118
Configure the Device ............................................................................................................... 118
Demonstrate It ......................................................................................................................... 119

Frequently Asked Questions ..................................................................................... 120


Appendix ..................................................................................................................... 121
How Fireware XTM Makes Multi-WAN Routing Decisions For Outbound Traffic ................. 121
Multi-WAN Routing Decision Flow Chart ................................................................................ 122

What You Have Learned ............................................................................................ 124


Routing ................................................................................................................................ 125
Introduction ................................................................................................................ 125
What You Will Learn ................................................................................................................. 125

Terms and Concepts You Should Know .................................................................... 126


Route ........................................................................................................................................ 126
Router ....................................................................................................................................... 126
Routing Table ........................................................................................................................... 126
Route Metric ............................................................................................................................. 126
Routing Protocol ....................................................................................................................... 126


Convergence Time ................................................................................................................... 127

Decide Which Type of Routing to Use ...................................................................... 128


Static vs. Dynamic Routing ..................................................................................................... 128
Supported Dynamic Routing Protocols .................................................................................. 128

Dynamic Routing Policies .......................................................................................... 130


Network Link Types .................................................................................................... 131
A Common Cause of Routing Inconsistency .......................................................................... 133

Routing and Branch Office VPNs .............................................................................. 134


BOVPN Virtual Interface Routing Scenarios .......................................................................... 135
Failover from a Dynamic Route to a VPN that is not a BOVPN Virtual Interface ................. 136

Monitoring Tools ........................................................................................................ 137


The Status Report .................................................................................................................... 137
Diagnostic Logging .................................................................................................................. 138

Exercise 1: Configure Static Routing Over a Point-to-Point Link ............................... 139


Add a Static Route to the Site A Device ................................................................................. 140
Add a Static Route to the Site B Device ................................................................................. 141
Review the Routing Tables ...................................................................................................... 142
Test the Static Route ............................................................................................................... 143
The Disadvantage of Using Only Static Routes ..................................................................... 144

Exercise 2: Configure Dynamic Routing over a Point-to-Point Link .......................... 145


Network Topology ..................................................................................................................... 145
Remove the Static Routes ....................................................................................................... 145
Configure Dynamic Routing with OSPF .................................................................................. 146
Review the Routing Table ........................................................................................................ 147
Add a New Network at Site B .................................................................................................. 148

Exercise 3: Configure Static Routing Over a Multi-Hop Link ..................................... 150


Network Topology ..................................................................................................................... 150
Before You Begin ..................................................................................................................... 150
Configure the Peer Interfaces ................................................................................................. 151
Configure Static Routes Between the Trusted Networks at Each Site ................................. 151
Test the Static Route ............................................................................................................... 153

Exercise 4: Dynamic Routing Over a Multi-Hop Link ................................................. 154


Before You Begin ..................................................................................................................... 154
Configure Static Routes Between the Peer Interfaces .......................................................... 155
Configure Dynamic Routing with BGP .................................................................................... 158
Review the Routing Table ........................................................................................................ 159
Test the Static Route ............................................................................................................... 159

What You Have Learned ............................................................................................ 159


FireCluster .......................................................................................................................... 161
Introduction ................................................................................................................ 161
What You Will Learn ................................................................................................................. 161

About FireCluster ....................................................................................................... 161


Terms and Concepts You Should Know ................................................................... 162
Cluster Member ....................................................................................................................... 162
Active/Active Cluster ................................................................................................................ 162
Active/Passive Cluster ............................................................................................................. 162
Load Balance Methods ........................................................................................................... 162
Cluster ID .................................................................................................................................. 163
Cluster Interface ...................................................................................................................... 163
Cluster Interface IP Address .................................................................................................... 163
Management Interface ............................................................................................................ 164

About Failover ............................................................................................................ 164



Causes of FireCluster Failover ................................................................................................. 164


What Happens During a Failover ............................................................................................ 166

Monitoring Tools ........................................................................................................ 167


Firebox System Manager ......................................................................................................... 167
Diagnostic Logging .................................................................................................................. 168

FireCluster Requirements ......................................................................................... 169


Hardware Requirements ......................................................................................................... 169
License Requirements ............................................................................................................. 169
Network Configuration Requirements .................................................................................... 169
Switch and Router Requirements ........................................................................................... 170
FireCluster Pre-Configuration Checklist .................................................................................. 171

Exercise 1: Set Up an Active/Passive Cluster ............................................................ 172


Configure the External Interface to Use a Static IP Address ................................................ 172
Configure the Trusted Interface .............................................................................................. 173
Disable Unused Network Interfaces ........................................................................................ 174
Decide Which Interfaces and Interface Address to Use ....................................................... 175
Connect the Cables .................................................................................................................. 176
Run the FireCluster Setup Wizard ........................................................................................... 177
Discover the Second Cluster Member .................................................................................... 186

Exercise 2: Monitor Cluster Status ............................................................................. 187


Monitor the Cluster .................................................................................................................. 187
Monitor a Cluster Member ...................................................................................................... 188

Exercise 3: Test FireCluster Failover .......................................................................... 189


Force a Failover from Firebox System Manager .................................................................... 189
Trigger a Failover Due to Link Status ...................................................................................... 189
Use the Backup Cluster Interface ........................................................................................... 189
Trigger a Failover Due to Power Failure .................................................................................. 190
Test Failover with Network Traffic ........................................................................................... 190
Use Leave/Join in Firebox System Manager .......................................................................... 190

What You Have Learned ............................................................................................ 190


Fireware Training

Course Introduction
Network and Traffic Management with Fireware
This training is for:
Devices: WatchGuard XTM 330 or higher
Device OS versions: Fireware XTM v11.9.x*
Management software versions: WatchGuard System Manager v11.9.x

* The exercises in this course require Fireware with a Pro upgrade, which is included with most device models.
For some 5 Series models (505, 510, 520, 530), you can purchase the Fireware XTM Pro upgrade for your device.

Training Overview
The WatchGuard Fireware XTM Network and Traffic Management with Fireware course covers these
topics:

VLAN
Traffic Management and QoS
Link Aggregation
Multi-WAN
Routing
FireCluster

About Side Notes

Side notes are extra information that is not necessary to understand the training. They might be
configuration or troubleshooting tips, or extra technical information.

This course assumes that you have completed the Fireware Essentials course and that you know how to
set up and configure basic networking features. This Course Introduction describes the software,
hardware, and network environment required to complete the exercises in this training courseware.

Necessary Equipment and Software


Because this course includes networking exercises, the training environment must include the
following network equipment in order to support all of the exercises in this course.

One WatchGuard XTM 33 or higher device for each student
One WatchGuard Firebox or XTM device configured by the instructor as the default gateway
Fireware XTM v11.9 or higher installed on each Firebox or XTM device
One Windows computer per student, with WatchGuard System Manager v11.9 or later installed
Three network hubs or switches, each with enough interfaces for the instructor and all of the
student Firebox or XTM devices to connect.
- One switch is the primary external network for the student devices
- One switch is the secondary external network (WAN2) for the student devices in the
Multi-WAN exercises
- One switch is used for the multi-hop link in the Routing exercises
Two managed switches with 802.1Q and 802.3ad support per student, for VLAN and Link
Aggregation exercises. Or students can pair up for these exercises.
FTP Server (optional for some exercises)

Classroom Network Configuration


The exercises in this course are designed using RFC 5737 documentation IP addresses to represent
public network IP addresses. The exercises in this training assume the following classroom network
configuration:

Figure 1: Training network configuration

Student Device IP Addresses

Students may be assigned a number (10, 20, 30, etc.) to identify the last IP address octet for their external
addresses, or their third octet for internal addresses in relation to their devices. This allows for similar
configuration among devices and prevents IP address conflicts and subnet overlap.
The student devices are configured with these addresses, where X is the student number:

Eth0 External (WAN1) 203.0.113.X/24, Default Gateway 203.0.113.1
Eth1 Trusted 10.0.X.1/24
Eth2 Optional 172.16.X.1/24
Eth3 External or VLAN Configuration varies by exercise
Eth4, Eth5 Link Aggregation Configured in Link Aggregation exercises only


The student number is also used in the FireCluster exercises as the cluster ID. We recommend that you
assign student numbers in increments of at least 10, so the cluster ID does not create a virtual MAC
address conflict between multiple FireClusters.
In the exercises, your external interface and trusted interface IP addresses are determined by your
student number. Replace the X in the exercises with your student number.

Instructor Device Network Configuration


Several interfaces on the instructor Firebox or XTM device must be configured to support the exercises
in this course. The instructor device acts as the default gateway for the primary student external
network, 203.0.113.0/24. For the Multi-WAN exercises that require a second external network, we use
198.51.100.1/24. The instructor device acts as the default gateway for both of these networks.
The instructor Firebox or XTM device is configured with these addresses:
Eth0 (External) Use appropriate addressing for a training environment with an Internet
connection.
Eth1 (Trusted) 203.0.113.1/24 The default gateway for the primary external interface on
student devices.
Eth2 (VLAN) Send and receive untagged traffic for VLAN10. Also used as the default gateway for
the secondary external interface on student devices when a second WAN interface is configured.
Eth3 (VLAN) Send and receive tagged traffic for VLAN10 and VLAN20. Used when students
configure a VLAN with an external interface.
Eth4 (Trusted) 172.16.10.1/30 as the primary IP address, and 172.16.X.1/30 as secondary
addresses for the optional networks on each student device. Used to simulate a multi-hop link for
some dynamic routing exercises.

You must also configure a DNS server, in the Network > Configuration > WINS/DNS tab, to allow DNS
to operate from the training environment. For DNS to function for students, the student Firebox or
XTM devices and computers must also be configured to use the DNS server.

Figure 2: Instructor Firebox or XTM device network interfaces configuration


The instructor device must have 2 VLANs configured:


VLAN10 Trusted 198.51.100.1/24, ID:10 Untagged eth2, tagged eth3
VLAN20 Trusted 192.0.2.1/24, ID:20 Tagged eth3

Figure 3: Instructor Firebox or XTM device VLAN configuration

The instructor device must have addresses defined on eth4 for the optional networks for all student
devices. These are used for the multi-hop dynamic routing exercises.
Primary (for the Optional network of student 10) 172.16.10.1/30 for s
Secondary (for the Optional network of students 20 and higher) 172.16.X.1/30

Figure 4: Secondary IP addresses for Eth4 on the instructor device, for a total of 8 students


Configuration Changes for the Instructor Device


To make the training network functional for these exercises, the instructor must make three more
configuration changes to the instructor Firebox or XTM device.

1. Create an Any policy to allow traffic between the trusted interfaces.

Figure 5: Any policy configuration for the instructor Firebox or XTM device

2. To enable access to the Internet, update the settings in Network > NAT > Dynamic NAT to add a
dynamic entry for Any-Trusted - Any-External.
Or, you can add dynamic NAT rules from RFC 5737 addresses to Any-External (for example, add a
dynamic NAT rule for 203.0.113.0/24 Any-External)

Figure 6: NAT configuration for the instructor Firebox or XTM device


3. To configure the instructor Firebox or XTM device to simulate a multi-hop link for the routing
exercises, you must add static routes to route traffic to the trusted network on each student device.
The next hop for each is the IP address of the optional interface on each student device.
The gateway corresponds to the primary and secondary networks defined for Eth4 on the instructor device.

Figure 7: Static route configuration for the instructor Firebox or XTM device for a class with 8 students.

(Optional) Set Up a Server to Host FTP and HTTP Downloads


Several of the exercises in this courseware require that the students download a file from an FTP server
or browse to a web site to observe the results of a configuration change. If your training environment
does not have Internet access, you can use the subsequent steps to help you build an FTP server and a
Web server on an existing Windows 2003 Server on your network, that students can use for the
exercises.

1. Connect the server's network card to the same hub or switch that connects the device external
interface to the Internet router.
Usually, you would connect your device directly to the LAN interface of your Internet router. For
this exercise, you must use a hub or switch to connect the Windows 2003 Server to the external
network of the device.
2. Set up the FTP server.
For more information, see this Microsoft article: http://support.microsoft.com/kb/323384.
3. Create a 350 MB text file named 350mbfile.txt and save it in the ftproot folder. The default
location for this folder is c:\inetpub\ftproot.
To create a file in Windows, at the Command Prompt, type the fsutil command:
fsutil file createnew c:\inetpub\ftproot\350mbfile.txt 358400000

4. Set up the web server on your Windows 2003 Server.


For more information, see this Microsoft article: http://support.microsoft.com/kb/324742
5. Copy the 350mbfile.txt file from the C:\inetpub\ftproot to the C:\inetpub\wwwroot
directory.


VLANs in Fireware XTM


Four Ways to Configure a Device for VLANs

Introduction
A virtual local area network (VLAN) is a collection of computers on a LAN or LANs that are grouped
together in a single broadcast domain independent of their physical location. A VLAN allows you to
group devices according to function or traffic patterns instead of location or IP address. Members of a
VLAN can share resources as if they were connected to the same LAN.

What You Will Learn


This course explains the concept of a VLAN and describes several different VLAN technologies that are
in use today. You will learn everything necessary to successfully deploy VLANs with your Firebox or XTM
device. We will present four typical use cases with VLANs, and you will configure the Firebox or XTM
device for each of these situations.

Exercises
The exercises demonstrate situations in which you would use different VLAN configurations, a
simplified view of the network topology for each setup, and step-by-step procedures for how to
configure each setup. The exercises include:

Two VLANs on the same Firebox or XTM device interface


One VLAN bridged across two Firebox or XTM device interfaces
One VLAN bridged across two Firebox or XTM device interfaces (alternate configuration)
Two VLANs as External Interfaces on the same Firebox or XTM device
Three VLANs for two SSIDs on an AP device

The course concludes with frequently asked questions about how to configure firewall policies to
restrict incoming and outgoing access on VLAN interfaces, or to allow or deny traffic between different
VLANs.

You can also use VLANs with link aggregation. An exercise for that configuration is included in the link
aggregation section of this training.

What VLANs Can Do For You


VLANs provide three main benefits:
Increased performance by confining broadcasts.
Each computer you add to a LAN increases the amount of background (broadcast) traffic, which
can reduce performance. With VLANs, you can restrict this traffic and reduce the amount of
bandwidth used by your network.
Improved manageability and simplified network tuning.
When you consolidate common resources into a VLAN, you reduce the number of routing hops
needed for those devices to communicate. You can also manage traffic from each functional group
more easily when each group uses a different VLAN.
Increased security options.
By default, members of one VLAN cannot see the traffic from another VLAN. You can apply separate
security policies to VLANs. By contrast, a secondary network on a Firebox or XTM device interface
gives no additional security because there is no separation of traffic. The Firebox or XTM device
does not filter traffic between the primary network of an interface and a secondary network on
that interface. It automatically routes traffic between primary and secondary networks on the same
physical interface with no access restrictions.

Terms and Concepts You Should Know


VLAN trunk interface
The physical interface (switch interface or device interface) that connects a VLAN device to another
VLAN device. Some vendors use this term only for a switch interface that carries traffic for more than
one VLAN. We use this as a general term to indicate an Ethernet interface on a VLAN-capable device
that connects the device to another VLAN-capable device.
VLAN ID (VID)
A number from 1 to 4094 associated with the VLAN. Every VLAN you use has a unique number.
Tag
This term has two meanings: one for the verb usage, and one for the noun usage.
[noun] Information that is added to the header of an Ethernet frame. The format of the tag is defined
by the IEEE 802.1Q standard.
[verb] To add a VLAN tag to a data frame's Ethernet header. The tag is added by an 802.1Q-compliant
device such as an 802.1Q switch or router, or the Firebox or XTM device.
Because the physical segment between two 802.1Q devices normally carries only tagged data
packets, we call it the tagged data segment.
Untag
To remove a VLAN tag from a frame's Ethernet header. When an 802.1Q device sends data to a
network device that cannot understand 802.1Q VLAN tags, the device untags the data frames.
Because the physical segment between a VLAN device and a device that cannot understand VLAN
tags normally carries only untagged data packets, we call it the untagged data segment.
Tagging and untagging per interface
When you assign VLAN membership for an Ethernet interface on an 802.1Q device, you also tell the
interface whether to send and accept tagged or untagged data frames. Some VLAN devices allow
one Ethernet interface to accept both tagged and untagged frames. This depends on which VLANs
the interface is a member of.
When you configure a Firebox or XTM device Ethernet interface for VLAN, the interface accepts
both tagged and untagged data frames, but only for VLANs in the trusted, optional, and custom
security zones. For an external VLAN, a device VLAN interface accepts only tagged data frames.
Use these two rules to decide whether to configure a switch interface for Tag or Untag:
- If the interface connects to a device that can receive and understand 802.1Q VLAN tags,
configure the switch interface for Tag. Devices you connect to this interface are usually VLAN
switches (managed switches) or routers.
- If the interface connects to a device that cannot receive and understand 802.1Q VLAN tags,
configure the switch interface for Untag. (Such devices will likely strip the VLAN tag from the
Ethernet header, or drop the frame altogether.) Devices you connect to this interface are
usually computers or printers.


Switches
When you configure a Firebox or XTM device Ethernet interface for VLAN, the switches that you
connect to the device interface must be able to use VLAN tags as defined in IEEE 802.1Q. A switch of
this type is commonly called a managed switch or an 802.1Q switch.
Types of VLANs
VLANs can use different parameters to assign membership:
- 802.1Q VLANs (used by the Firebox or XTM device)
The Institute of Electrical and Electronic Engineers (IEEE) publishes the 802.1Q standard to
define the format of VLAN tags. This standard lets you use VLANs with any vendor's
equipment that conforms to 802.1Q standards.
- MAC address-based VLANs use the physical address on a computer's network interface card
to put it in the correct logical group.
- VLANs based on multicast groups put computers into VLANs based on whether the
computer has subscribed to a particular multicast group.
- Protocol-based VLANs put computers into VLANs based on the communication protocol
each uses (such as IP, IPX, DECnet, or AppleTalk).

VLAN Requirements and Recommendations


To use a VLAN with a Firebox or XTM device:
If your Firebox or XTM device is configured in drop-in mode, you cannot use VLANs.
If your Firebox or XTM device is configured in bridge mode, you cannot configure VLANs on the
device.
- The device in bridge mode can pass VLAN-tagged traffic between 802.1Q bridges or
switches.
- You can configure a device in bridge mode to be managed from a VLAN that has a specified
VLAN tag.
Each VLAN interface can send and receive untagged traffic for only one trusted or optional VLAN.
For example, if a VLAN interface is configured to send and receive untagged traffic for VLAN-10, it
cannot also send and receive untagged traffic for any other VLAN at the same time. Also, a VLAN
interface cannot be configured to send and receive untagged traffic for an external VLAN.
Multi-WAN configuration settings are applied to VLAN traffic. However, it can be easier to manage
bandwidth when you use only physical interfaces in a multi-WAN configuration.
Your device model and license control the number of VLANs you can create. To see the number of
VLANs you can add to your Firebox or XTM device, open Policy Manager and select Setup >
Feature Keys. Find the row labeled Total number of VLAN interfaces.
We recommend that you do not create more than 10 VLANs that operate on external interfaces.
Too many VLANs on external interfaces affect performance.
All network segments you want to add to a VLAN must have IP addresses on the VLAN network.
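The rules in this list are easy to check mechanically before a configuration is saved. The following is an added Python example written for this training page, not WatchGuard code: it models VLAN definitions and VLAN-type interfaces with assumed data classes and reports each rule violation; the configuration shape, the mode argument and the vlan_limit argument (the feature-key count) are assumptions.

```python
"""
Constructed checker for the VLAN rules in this section (added example,
not WatchGuard code). Models VLANs and VLAN-type interfaces and returns
a list of problems; an empty list means the configuration passes.
"""
from dataclasses import dataclass, field

VID_MIN, VID_MAX = 1, 4094       # valid 802.1Q VLAN ID range
MAX_EXTERNAL_VLANS = 10          # recommendation from this section
ZONES = {"trusted", "optional", "custom", "external"}


@dataclass
class Vlan:
    name: str                    # alias, e.g. "VLAN10"
    vid: int                     # VLAN ID
    zone: str                    # security zone


@dataclass
class VlanInterface:
    name: str                                   # e.g. "eth3" (assumed naming)
    tagged: set = field(default_factory=set)    # VLAN names tagged here
    untagged: list = field(default_factory=list)  # VLAN names untagged here


def check_vlan_config(vlans, interfaces, mode="routed", vlan_limit=None):
    """Apply the rules from the section and return the list of problems."""
    problems = []
    if mode != "routed":                        # no VLANs in drop-in or bridge mode
        problems.append(f"VLANs are not supported in {mode} mode")
    by_name, seen_vids = {}, {}
    for v in vlans:
        if v.zone not in ZONES:
            problems.append(f"{v.name}: unknown zone {v.zone}")
        if not VID_MIN <= v.vid <= VID_MAX:
            problems.append(f"{v.name}: VLAN ID {v.vid} outside 1..4094")
        elif v.vid in seen_vids:                # every VLAN needs a unique ID
            problems.append(
                f"{v.name}: VLAN ID {v.vid} already used by {seen_vids[v.vid]}")
        seen_vids.setdefault(v.vid, v.name)
        if v.vid == 1:                          # switch default VLAN; avoid it
            problems.append(f"{v.name}: VLAN ID 1 is the switch default; use another ID")
        by_name[v.name] = v
    if vlan_limit is not None and len(vlans) > vlan_limit:
        problems.append(f"{len(vlans)} VLANs exceeds feature key limit of {vlan_limit}")
    external = [v.name for v in vlans if v.zone == "external"]
    if len(external) > MAX_EXTERNAL_VLANS:
        problems.append(
            f"{len(external)} external VLANs; more than {MAX_EXTERNAL_VLANS} affects performance")
    for itf in interfaces:
        for name in itf.tagged | set(itf.untagged):
            if name not in by_name:
                problems.append(f"{itf.name}: references undefined VLAN {name}")
        if len(itf.untagged) > 1:               # untagged traffic for one VLAN only
            problems.append(f"{itf.name}: untagged traffic allowed for more than one VLAN")
        for name in itf.untagged:               # and never for an external VLAN
            if name in by_name and by_name[name].zone == "external":
                problems.append(f"{itf.name}: external VLAN {name} cannot be untagged")
    return problems


def example():
    """Exercise 1 layout (passes) beside a constructed broken configuration."""
    vlans = [Vlan("VLAN10", 10, "trusted"), Vlan("VLAN20", 20, "optional")]
    good = [VlanInterface("eth3", tagged={"VLAN10", "VLAN20"})]
    bad_vlans = vlans + [Vlan("WAN2", 30, "external"), Vlan("Dup", 10, "optional")]
    bad = [VlanInterface("eth2", untagged=["VLAN10", "VLAN20"]),
           VlanInterface("eth4", untagged=["WAN2"])]
    return check_vlan_config(vlans, good), check_vlan_config(bad_vlans, bad)


if __name__ == "__main__":
    ok, broken = example()
    print("good config problems:", ok)
    for p in broken:
        print("bad config:", p)
```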


Before You Begin


Before you begin the exercises, you must:

1. Make sure the switches that connect to the Firebox or XTM device do not use Spanning Tree
Protocol. Disable this protocol for any switch interface that connects to a device Ethernet interface.
2. Know how to configure your VLAN switch. Consult the documentation from the switch
manufacturer for help.

Firewall Configuration
If your Firebox or XTM device is not yet configured, run the Quick Setup Wizard first to configure it.
Use the Routed mode for the Quick Setup Wizard. (You cannot use VLANs with Drop-in mode or
Bridge mode.) The Quick Setup Wizard with Routed mode has these defaults:
- The external Interface 0 is configured and enabled with static IP address 203.0.113.X/24.
Replace X in the external IP address with the student number your instructor gives you.
- The trusted Interface 1 is configured and enabled with IP address 10.0.X.1/24.
Replace X in the trusted IP address with the student number your instructor gives you.
- All of the other interfaces are set to Disabled.
- There are five policies in Policy Manager: FTP, Ping, WatchGuard WebUI, WatchGuard, and
Outgoing.
The trusted interface (Interface 1) is not a member of any VLAN in any of the exercises.
The management computer is connected directly to the trusted interface with an Ethernet cable.
Make sure your management computer has an IP address in the same subnet as the trusted
interface, with the correct subnet mask. Make sure the default gateway for the computer is the
trusted interface IP address.

Necessary Equipment and Services


Management computer
Use a computer with WSM version 11.9 or higher software installed to configure the Firebox or
XTM device. This computer is connected to the device trusted interface in all exercises.
Two additional computers
To test traffic flow with the VLANs you send traffic between two computers. Each computer is
connected to a VLAN switch or to the Firebox or XTM device itself, depending on the exercise.
You can also use the management computer for one of the two computers to test traffic flow
between VLANs.
WatchGuard Firebox or XTM device with Fireware XTM OS v11.9 or higher
In the exercises, we assume that you ran the Quick Setup Wizard to configure the Firebox or XTM
device and you selected Routed mode (not Drop-in or Bridge mode).
802.1Q VLAN switches
- One switch for Exercises 1 and 2
- Two switches for Exercise 3 and 4
- One switch for Exercise 5
Ethernet cables
At a minimum, to complete all the exercises you must have:
- Six Ethernet cables, to interconnect all of the devices.


Configuring the VLAN Switch


Each physical interface on a VLAN switch is generally classified as one of two types:
VLAN Access port
A switch interface of this type removes VLAN tags from data frames before it sends them to the
device attached to it. The interface also adds a VLAN tag to untagged frames it gets from the
connected device.
You connect computers, printers, and other networked devices to this type of interface.
Configure this type of switch interface for untag mode.
VLAN Trunk port
A switch interface of this type preserves any VLAN tags in the data frames it receives. It also
preserves VLAN tags when it sends tagged data frames to the device attached to it.
You connect other VLAN-capable devices such as VLAN switches and routers to this type of
interface. You also connect this type of interface to a Firebox or XTM device interface configured to
accept tagged data frames.
Configure this type of switch interface for tag mode.

Select the VLAN ID Numbers


By default, each interface on most new, unconfigured switches belongs to VLAN number 1. Because
this VLAN exists on every interface of most switches by default, the possibility exists that this VLAN can
accidentally span the entire network, or at least very large portions of it.
We recommend you use a VLAN ID number other than 1 for any VLAN that passes traffic to the Firebox
or XTM device.

About the PVID


Some switch manufacturers require you to assign a Port VLAN ID (PVID) to each interface. The PVID
number determines the VLAN ID number that the switch adds to the untagged packets it gets from
devices connected to the interface. If you do not configure a PVID for an interface, it is possible that the
switch can tag the data packets it gets on that interface with the default VLAN ID of 1. This is the case
even if you configure the interface to untag for a different VLAN ID number.
When you change the PVID setting on a switch interface to a PVID number that matches a VLAN
number, the switch adds a VLAN tag for that VLAN to untagged packets it receives on this interface. If
your switch uses PVID numbers, be sure to configure each switch interface that connects a computer to
use the correct PVID number.
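The tag, untag and PVID behaviour described in "Tagging and untagging per interface" and in this section can be seen directly on the bytes of a frame. The following is an added Python example written for this training page, not WatchGuard or switch-vendor code: it builds 802.1Q tags, models an access port and a trunk port, and shows how an untagged frame on a port whose PVID was left at 1 ends up in VLAN 1 even though the port untags for VLAN 10. Frames, MAC addresses and port names are constructed.

```python
"""
Constructed model of 802.1Q tagging and switch-port classification
(added example, not vendor code). All frames are built inline.
"""
import struct

TPID_8021Q = 0x8100          # EtherType value that announces an 802.1Q tag
ETHERTYPE_IPV4 = 0x0800


def build_frame(dst, src, ethertype, payload):
    """Untagged Ethernet II frame: dst(6) src(6) ethertype(2) payload."""
    return dst + src + struct.pack("!H", ethertype) + payload


def parse_frame(frame):
    """Return (dst, src, vid_or_None, ethertype, payload)."""
    dst, src = frame[:6], frame[6:12]
    (etype,) = struct.unpack("!H", frame[12:14])
    if etype == TPID_8021Q:
        (tci,) = struct.unpack("!H", frame[14:16])
        vid = tci & 0x0FFF                     # low 12 bits of the TCI
        (etype,) = struct.unpack("!H", frame[16:18])
        return dst, src, vid, etype, frame[18:]
    return dst, src, None, etype, frame[14:]


def tag_frame(frame, vid, pcp=0):
    """Insert a 4-byte 802.1Q tag (TPID + TCI) after the source MAC."""
    if not 1 <= vid <= 4094:
        raise ValueError("VID must be 1..4094")
    if parse_frame(frame)[2] is not None:
        raise ValueError("frame is already tagged")
    tci = ((pcp & 0x7) << 13) | vid            # PCP, DEI=0, VID
    return frame[:12] + struct.pack("!HH", TPID_8021Q, tci) + frame[12:]


def untag_frame(frame):
    """Remove the 802.1Q tag; an untagged frame is returned unchanged."""
    if parse_frame(frame)[2] is None:
        return frame
    return frame[:12] + frame[16:]


class SwitchPort:
    """One 802.1Q switch interface: member VLANs, untag VLAN and PVID."""

    def __init__(self, name, members, untagged=None, pvid=1):
        self.name = name
        self.members = set(members)           # VLANs this port carries
        self.untagged = untagged              # VLAN the port untags on egress
        self.pvid = pvid                      # VID stamped on untagged ingress

    def ingress(self, frame):
        """Classify a received frame; return (vid, tagged_frame) or None."""
        vid = parse_frame(frame)[2]
        if vid is None:
            # Untagged ingress gets the PVID, not the VLAN the port untags
            # for. Leaving the PVID at the default 1 is the pitfall.
            return self.pvid, tag_frame(frame, self.pvid)
        if vid not in self.members:
            return None                       # tagged for a VLAN we do not carry
        return vid, frame

    def egress(self, vid, tagged_frame):
        """Send a classified frame out this port; None if not a member."""
        if vid not in self.members:
            return None
        if vid == self.untagged:
            return untag_frame(tagged_frame)  # access side: strip the tag
        return tagged_frame                   # trunk side: keep the tag


def demo():
    """PC on an access port for VLAN10, forwarded over the trunk to the firewall."""
    pc = bytes.fromhex("02aabbccdd01")        # constructed MAC addresses
    firewall = bytes.fromhex("02aabbccdd02")
    frame = build_frame(firewall, pc, ETHERTYPE_IPV4, b"constructed payload")
    access = SwitchPort("port5", members={10}, untagged=10, pvid=10)
    trunk = SwitchPort("port1", members={10, 20})   # tags VLAN10 and VLAN20
    vid, tagged = access.ingress(frame)
    to_firewall = trunk.egress(vid, tagged)
    # Same port settings but PVID left at the default: frame lands in VLAN 1.
    misconfigured = SwitchPort("port6", members={10}, untagged=10)
    wrong_vid, _ = misconfigured.ingress(frame)
    return vid, to_firewall, wrong_vid


if __name__ == "__main__":
    vid, out, wrong = demo()
    print("correct PVID -> VLAN", vid, "trunk frame", out.hex())
    print("PVID left at 1 -> VLAN", wrong)
```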

Exercise 1: Two VLANs on the Same Device Interface

When to Use this Configuration


A Firebox or XTM device interface is a member of more than one VLAN when the switch that connects
to that interface carries traffic from more than one VLAN.
You use multiple VLANs on one Firebox or XTM device interface when you want to split a device
interface into multiple broadcast domains or multiple security zones. When you separate the traffic
from different functional groups before it enters the device interface, you get two major benefits:
Broadcast traffic is confined within each VLAN, which reduces congestion.
You can make access policies to allow limited traffic or no traffic between the VLANs. You also
control access from each VLAN to other parts of your network and to the Internet.
Compare the second benefit to the situation when you configure a Firebox or XTM device interface as a
physical interface (instead of as a VLAN) with a secondary network also configured on the interface: The
device does not filter traffic between the primary network of an interface and a secondary network on
that interface. The primary network is not protected from a secondary network on that interface.

Network Topology
This exercise shows how to connect one switch that carries traffic from two different VLANs to one
Firebox or XTM device interface. In the subsequent diagram, the computers are connected to the
802.1Q switch, and the switch is connected to Firebox or XTM device interface 3. The switch carries
traffic from two different VLANs.

Figure 1: Network topology for Exercise 1



Configure the Device


1. From Policy Manager, select Network > Configuration.
The Network Configuration dialog box appears.

2. Select the VLAN tab.

Figure 2: VLAN tab of Network Configuration dialog box

3. Click Add and create a new VLAN.


4. In the Name (Alias) text box, type a name for the VLAN. The name cannot contain spaces.
For this example, type VLAN10.
5. (Optional) In the Description text box, type a description.
For this example, type Accounting.
6. In the VLAN ID text box, type or select a number for the VLAN.
For this example, select 10.
7. From the Security Zone drop-down list, select the security zone for the VLAN.
For this example, select Trusted.
8. In the IP Address text box, type the IP address of the VLAN gateway.
For this example, type 192.168.10.1/24.
Any computer in this new VLAN must use this IP address as its default gateway.

9. (Optional) Configure DHCP for the new VLAN.


a. Select Use DHCP Server.
b. In the Address Pool section, click Add.
c. Type or select the Starting Address and the Ending Address.
For this example, type 192.168.10.10 for the Starting Address and 192.168.10.20 for
the Ending Address.
d. Click OK.

Security zones correspond to aliases for interface security zones. For example, VLANs of type Trusted
are handled by policies that use the alias Any-Trusted as a source or destination. VLANs can be defined
as Trusted, Optional, or Custom.

The new address pool appears in the Address Pool list.

10. Click OK.


The new VLAN appears.

Figure 3: VLAN tab with new VLAN10

11. Click Add and create another new VLAN.


12. In the Name (Alias) text box, type a name for the VLAN. The name cannot contain spaces. For this
example, type VLAN20.


13. (Optional) In the Description text box, type a description.


For this example, type Sales.
14. In the VLAN ID text box, type or select a number for the VLAN.
For this example, select 20.
15. From the Security Zone drop-down list, select the security zone for the VLAN.
For this example, select Optional.
16. In the IP Address text box, type the IP address of the VLAN gateway.
For this example, type 192.168.20.1/24.
Any computer in this new VLAN must use this IP address as its default gateway.

17. (Optional) Configure DHCP for the new VLAN.


a. Select Use DHCP Server.
b. In the Address Pool section, click Add.
c. Type or select the Starting Address and the Ending Address.
For this example, type 192.168.20.10 for the Starting Address and 192.168.20.20 for
the Ending Address.
d. Click OK.
The new address pool appears in the Address Pool box.

18. Click OK.


Both VLANs now appear.

Figure 4: Two new VLANS: VLAN10 and VLAN20

19. Select the Interfaces tab.


20. Select Interface 3 and click Configure.
21. From the Interface Type drop-down list, select VLAN.
Because you cannot add a secondary network to a VLAN interface, the Secondary tab remains
unavailable here.

The Interface Type Configuration section appears on the IPv4 tab. Both new VLANs appear in the list.

22. Select Send and receive tagged traffic for selected VLANs.
23. In the Member column, select the check boxes for VLAN10 and VLAN20.

With Fireware XTM v11.8.1 or higher, you can add secondary networks to each of the VLAN members.
To do this, edit the VLAN members in the VLAN tab.

Figure 5: The Member column shows which VLANs the interface is a member of.

24. Click OK.


This interface now appears as type VLAN in the list of interfaces.
25. Check your work.


The Interfaces tab should look like this.

Figure 6: Firebox or XTM device Interface 3 is now type VLAN

The VLAN tab should look like this.

Figure 7: VLAN tab after the VLANs are defined

26. Save this configuration to the device: click the save icon, or select File > Save > To Firebox.

Configure the Switch


Refer to the instructions from your switch manufacturer to configure your switch.

1. Add two VLANs to the 802.1Q switch configuration. Set the VLAN ID numbers for these VLANs to 10 and 20.
2. Configure the switch interface that connects the switch to the device interface 3.
a. Disable Spanning Tree Protocol on any switch interface that connects to the device.
b. Configure this interface on the switch to be a member of both VLANs 10 and 20.
c. Configure this interface to tag for both VLANs.
d. If necessary for your switch operating system, configure the switch mode to trunk.
e. If necessary for your switch operating system, set encapsulation mode to 802.1Q.
3. Configure the switch interfaces that connect computers in VLAN10 to the switch.
a. Configure each switch interface that will connect a computer in VLAN10 to be a member of
VLAN10.
b. Configure these interfaces to untag for VLAN10.
4. Configure the switch interfaces that connect computers in VLAN20 to the switch.
a. Any switch interface that will connect a computer in VLAN20 must be a member of VLAN20.
b. Configure these interfaces to untag for VLAN20.

As a general rule, remember that the physical segment between this switch interface and the Firebox or XTM device is a tagged data segment. Traffic that flows over this segment must use 802.1Q VLAN tagging. Some switch manufacturers refer to a switch interface that is configured like Step 2 as a trunk port or trunk interface.
As a general rule, remember that the physical segment between a switch interface and a computer (or other networked device) that connects to it is an untagged data segment. Traffic that flows over this segment does not have VLAN tags.
Most switches sold today have interfaces that can auto-sense MDI/MDI-X for the Ethernet connection. When the interface senses a physical link, it automatically configures itself to be a normal or uplink interface. If you do not get link lights on the Ethernet interfaces with one type of Ethernet cable (straight-through or crossover), try the other type of Ethernet cable.
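To make the tagged and untagged segments concrete, here is an added Python model of the Exercise 1 switch. It is not WatchGuard code and does not replace your switch vendor's configuration steps: it shows what the trunk port toward device interface 3 and the two access ports do to each frame. The frame layout is the IEEE 802.1Q one (TPID 0x8100 followed by a 16-bit TCI holding PCP, DEI and the 12-bit VID, inserted after the source MAC). The port names, MAC addresses and payload are constructed for the example. The model also assumes the trunk has no native VLAN, so an untagged frame arriving from the Firebox side belongs to no VLAN and is dropped; on a real switch, set the native VLAN of the trunk to an ID that is neither 10 nor 20, so that an untagged frame on that segment cannot land in either user VLAN.

```python
"""802.1Q tagging on the trunk and access segments of the Exercise 1 switch.

Added example for this guide, not WatchGuard code. Frame layout per IEEE 802.1Q:
dst MAC (6) | src MAC (6) | TPID 0x8100 (2) | TCI (2) | EtherType (2) | payload,
where TCI = PCP (3 bits) | DEI (1 bit) | VID (12 bits).
"""
import struct

TPID_8021Q = 0x8100


def mac(text):
    """Parse 'aa:bb:cc:dd:ee:ff' into 6 bytes."""
    return bytes.fromhex(text.replace(":", ""))


def build_untagged(dst, src, ethertype, payload):
    """An ordinary frame, as a computer on an untagged segment sends it."""
    return mac(dst) + mac(src) + struct.pack("!H", ethertype) + payload


def vlan_id(frame):
    """VID of a tagged frame, or None when there is no 802.1Q header."""
    (tpid,) = struct.unpack("!H", frame[12:14])
    if tpid != TPID_8021Q:
        return None
    (tci,) = struct.unpack("!H", frame[14:16])
    return tci & 0x0FFF


def tag(frame, vid, pcp=0, dei=0):
    """Trunk-port egress: insert the 4-byte 802.1Q header after the source MAC."""
    if not 1 <= vid <= 4094:
        raise ValueError("VID must be 1..4094; 0 and 4095 are reserved")
    if vlan_id(frame) is not None:
        raise ValueError("frame is already tagged")
    tci = (pcp << 13) | (dei << 12) | vid
    return frame[:12] + struct.pack("!HH", TPID_8021Q, tci) + frame[12:]


def untag(frame):
    """Access-port egress: strip the 802.1Q header so the computer sees a plain frame."""
    return frame if vlan_id(frame) is None else frame[:12] + frame[16:]


class Port:
    """A switch port: `tagged` VLANs go out with tags (trunk), `untagged` is the one access VLAN."""

    def __init__(self, name, tagged=(), untagged=None):
        self.name, self.tagged, self.untagged = name, set(tagged), untagged

    def ingress(self, frame):
        """Classify an arriving frame as (vid, plain_frame), or None if the port drops it."""
        vid = vlan_id(frame)
        if vid is None:  # no tag on the wire: it belongs to the access VLAN, if this port has one
            return (self.untagged, frame) if self.untagged is not None else None
        return (vid, untag(frame)) if vid in self.tagged else None

    def egress(self, vid, plain):
        """The frame as this port transmits it for that VLAN, or None if the port is not a member."""
        if vid == self.untagged:
            return plain
        return tag(plain, vid) if vid in self.tagged else None


def forward(in_port, frame, other_ports):
    """Flood a frame within its VLAN to the other member ports (MAC learning left out).

    Returns {port name: frame as transmitted}; ports outside the VLAN never see the frame.
    """
    classified = in_port.ingress(frame)
    if classified is None:
        return {}
    vid, plain = classified
    out = {}
    for port in other_ports:
        txed = port.egress(vid, plain)
        if txed is not None:
            out[port.name] = txed
    return out


def exercise1_switch():
    """Trunk to device interface 3 (tags 10 and 20) plus one access port per VLAN."""
    return (Port("to-firebox-eth3", tagged={10, 20}),
            Port("pc-vlan10", untagged=10),
            Port("pc-vlan20", untagged=20))


if __name__ == "__main__":
    trunk, acc10, acc20 = exercise1_switch()
    # Constructed sample frame with a 20-byte placeholder IPv4 payload.
    frame = build_untagged("01:00:5e:00:00:01", "02:00:00:00:10:0a", 0x0800, bytes(20))
    for name, txed in forward(acc10, frame, [trunk, acc20]).items():
        print(f"{name}: VID={vlan_id(txed)} length={len(txed)}")
    print("untagged frame from the trunk side:", forward(trunk, frame, [acc10, acc20]))
```

A frame from the VLAN10 computer leaves the trunk four bytes longer with VID 10 in the tag and never reaches the VLAN20 access port; a frame the Firebox sends tagged 20 reaches only the VLAN20 computer, with the tag removed. The same model reads directly across to Exercise 2, where device interface 4 plays the part of an access port.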

Physically Connect all Devices


1. Connect one end of an Ethernet cable to the device interface 3.
2. Connect the other end of the Ethernet cable to the interface on the switch that you configured to
tag for VLANs 10 and 20 (to the VLAN trunk interface of the switch).
3. Connect a computer to the interfaces on the switch that you configured to untag for VLAN10.
4. If you configured VLAN10 to use the DHCP server, configure the computer's network card to use DHCP to get an IP address automatically.
For more information, see Step 9 on page 13.
5. If you did not configure the VLAN to use the DHCP server, configure the computer's network card with an IP address in the VLAN subnet 192.168.10.x. Use subnet mask 255.255.255.0 and set the computer's default gateway to the device VLAN IP address, 192.168.10.1.
6. Repeat Steps 3 to 5 to connect a computer to a switch interface that you configured to untag for VLAN20. For that computer, use the VLAN20 subnet 192.168.20.x and the gateway 192.168.20.1.

Test the Configuration


From the computer in VLAN10, you should be able to ping the computer in VLAN20, as well as ping the
VLAN10 computer from the VLAN20 computer. The two computers can ping each other because the
default settings of the Ping policy allow Any-Trusted and Any-Optional to send ICMP echo requests to
Any.
No other traffic is allowed between the two VLANs unless there is a policy that specifically allows it. The
basic configuration loaded by the Quick Setup Wizard does not allow any other traffic between the
VLANs.

Exercise 2: One VLAN Bridged Across Two Device Interfaces

When to Use this Configuration


The primary benefit of this configuration is the ability to bridge a VLAN between computers connected to a VLAN switch and computers directly connected to the Firebox or XTM device. A typical network topology is this:
- You have a relatively large number of computers connected by way of a VLAN switch to one device interface.
- You have a single computer (or a small group of computers) that must share the same resources as the first group, but it is physically separated from the first group.
- It is more convenient or cost-effective to connect the smaller group directly to the device.
To solve the challenge of putting all these computers into one logical group, you configure the Firebox or XTM device with a VLAN that bridges two device interfaces:
- One device interface tags for the VLAN. This interface connects, by way of an Ethernet cable, to the VLAN switch that links the majority of the computers in this logical group.
- The other device interface untags for the VLAN. This interface has a direct Ethernet connection to one computer (or a small group of computers) in the logical group. This second connection can be a shared media connection such as a hub connected to the interface, or a single computer connected to the interface with a crossover Ethernet cable.
With this configuration, all the computers can easily share resources, and their broadcasts are confined to the VLAN.

Network Topology
This exercise shows how to connect a switch to one Firebox or XTM device interface, and computers to another Firebox or XTM device interface. Figure 8 shows that the computers connected to the switch and to device interface 4 are in the same VLAN.
The untagged Firebox or XTM device interface in Figure 8 (Interface 4, with one computer connected) operates in much the same way as an untagged switch port on a VLAN switch.

Figure 8: Network topology for Exercise 2

Note
If you have already completed the previous exercise, remove the VLANs and disable the VLAN
interface you configured in that exercise before you begin this one.

Configure the Device


1. From Policy Manager, select Network > Configuration.
2. Select the VLAN tab.
3. Click Add and create a new VLAN.
The New VLAN Configuration dialog box appears.

4. In the Name (Alias) text box, type a name for the VLAN. The name cannot contain spaces.
For this example, type VLAN10.
5. (Optional) In the Description text box, type a description of the VLAN.
For this example, type Accounting.
6. In the VLAN ID text box, type or select a number for the VLAN.
For this example, type 10.
7. From the Security Zone drop-down list, select the security zone for the VLAN.
For this example, select Trusted.


8. In the IP Address text box, type the IP address of the VLAN gateway.
For this example, type 192.168.10.1/24.
Any computer in this new VLAN must use this IP address as its default gateway.

9. (Optional) Configure DHCP for the new VLAN.


a. Select Use DHCP Server.
b. In the Address Pool section, click Add.
c. Type or select the Starting Address and the Ending Address.
For this example, type 192.168.10.10 for the Starting Address and 192.168.10.20 for
the Ending Address.
d. Click OK.
The new address pool appears in the Address Pool list.

10. Click OK.
The new VLAN is added.
The Interfaces column is blank for a new VLAN because no Firebox or XTM device interfaces have been assigned to it yet. You assign the VLAN to Firebox or XTM device interfaces in the next steps.

Figure 9: VLAN10 on the VLAN tab

11. To make device Interfaces 3 and 4 members of the new VLAN, select the Interfaces tab.
12. Select Interface 3 and click Configure.
13. From the Interface Type drop-down list, select VLAN.
14. Select Send and receive tagged traffic for selected VLANs.
15. In the Member column, select the check box for VLAN10.

You configure interface 3 to handle tagged VLAN traffic, because it connects to a VLAN switch that sends it traffic with VLAN tags.

Figure 10: Select the check box to make the interface a member of the VLAN

16. Click OK.


This interface now appears as type VLAN in the list of interfaces.

17. Double-click Interface 4 and configure it to untag for VLAN10.


18. From the Interface Type drop-down list, select VLAN.

19. At the bottom of the dialog box, select the Send and receive untagged traffic for selected VLAN check box. From the adjacent drop-down list, select VLAN10 (192.168.10.1/24).
You can only select one VLAN for untagged traffic. This option is not available if you choose a VLAN that has External specified as the zone. You cannot configure an interface to send and receive both tagged and untagged traffic when a VLAN is configured as an external zone.
If you do not want computers connected to a Firebox or XTM device interface to be part of a VLAN, do not configure the interface to be of type VLAN. Instead, configure the interface to be of type Trusted or Optional.

Figure 11: Make Interface 4 an untagged switch port

20. Click OK and check your work.


The Interfaces tab should now look like this.

Figure 12: Firebox or XTM device interfaces 3 and 4 now appear as type VLAN

The VLAN tab should look like this.

Figure 13: The VLAN interface used by interfaces 3 and 4

The VLAN settings list includes information about which interface tags and which interface untags
for a particular VLAN. It uses either boldface type or normal type for the numbers in the Interfaces
column:
- boldface type entries are Untag
- normal type entries are Tag.

21. Save this configuration to the Firebox or XTM device.


Configure the Switch


Refer to the instructions from your switch manufacturer to configure your switch.

1. Configure the switch interface that connects the switch to the Firebox or XTM device interface 3.
a. Disable Spanning Tree Protocol on any switch interface that connects to the device.
b. Configure this interface on Switch A to be a member of VLAN10.
c. Configure this interface to tag for VLAN10.
d. If necessary for your switch operating system, configure the switch mode to trunk.
e. If necessary for your switch operating system, set encapsulation mode to 802.1Q.
2. Configure the switch interfaces that connect computers to the switch: make each of these interfaces a member of VLAN10, and configure it to untag for VLAN10.
As a general rule, remember that the physical segment between the switch interface in Step 1 and the device is a tagged data segment. Traffic that flows over this segment must use 802.1Q VLAN tagging. Some switch manufacturers call an interface configured this way either a trunk port or a trunk interface.
As a general rule, remember that the physical segments between each of the other switch interfaces and the computers (or other networked devices) that connect to them are untagged data segments. Traffic that flows over these segments does not have VLAN tags.

Physically Connect all Devices


1. Connect one end of an Ethernet cable to the Firebox or XTM device interface 3.
2. Connect the other end of the Ethernet cable to the interface on the switch that you configured to
tag for VLAN10 (to the VLAN trunk interface of the switch).
3. Connect a computer to one of the interfaces on the switch that you configured to untag for VLAN10.
4. If you configured VLAN10 to use the DHCP server, configure the computer's network card to use DHCP to get an IP address automatically.
See Step 9 on page 19.

5. If you did not configure the VLAN to use the DHCP server, configure the computer's network card with an IP address in the VLAN subnet 192.168.10.x. Use subnet mask 255.255.255.0 and set the computer's default gateway to the device VLAN IP address 192.168.10.1.
6. Repeat these steps to connect a computer to device interface 4.

Test the Configuration


You should be able to send a ping from the computer connected to the switch to the computer
connected to device interface 4, and from the computer connected to device interface 4 to the
computer connected to the switch. The two computers can communicate as though they were
connected to the same physical LAN.

Exercise 3: One VLAN Bridged Across Two Device Interfaces (Alternate Configuration)

When to Use This Configuration


You might use a configuration like this if your organization is spread across multiple locations. For
example, suppose your network is on the first and second floors in the same building. Some of the
computers on the first floor are in the same functional group as some of the computers on the second
floor. You want to group these computers into one broadcast domain so that they can easily share
resources, such as a dedicated file server for their LAN, host-based shared files, printers, and other
network accessories.
You connect the computers on one floor to one VLAN switch, and connect that switch to a Firebox or
XTM device interface. You connect the computers on the other floor to one VLAN switch, and connect
that switch to another Firebox or XTM device interface. This puts all of the computers into one LAN.
One of the main benefits in this setup is cost savings: it is not necessary to connect another device to
combine the traffic from the two switches before it enters the device. The device combines the traffic,
and lets you apply strict security policies between the VLANs, the rest of your network, and untrusted
segments such as the Internet. This saves you the cost of a different device, such as a router or a layer 3
switch.

Network Topology
This exercise shows how to connect two 802.1Q switches, both of which carry traffic from the same VLAN, to two different Firebox or XTM device interfaces. The following diagram shows how computers are connected to the 802.1Q switches, and how the switches are connected to the device. The two switches, connected to device interfaces 3 and 4, carry traffic from the same VLAN.

Figure 14: Network topology for Exercise 3



Note
If you have already completed the previous exercise, remove the VLANs and disable the VLAN
interface you configured in that exercise before you begin this one.

Configure the Device


1. From Policy Manager, select Network > Configuration.
2. Select the VLAN tab.
The VLAN settings list is empty because you have not defined any VLANs.

3. Click Add and create a new VLAN.


The New VLAN Configuration dialog box appears.

4. In the Name (Alias) text box, type a name for the VLAN. The name cannot contain spaces.
For this example, type VLAN10.
5. (Optional) In the Description text box, type a description of the VLAN.
For this example, type Accounting.
6. In the VLAN ID text box, type or select a number for the VLAN. For this example, type 10.
7. From the Security Zone drop-down list, select the security zone for the VLAN.
For this example, select Trusted.
8. In the IP Address text box, type the IP address of the VLAN gateway.
For this example, type 192.168.10.1/24.
Any computer in this new VLAN must use this IP address as its default gateway.

9. (Optional) Configure DHCP for the new VLAN.


a. Select Use DHCP Server.
b. In the Address Pool section, click Add.
c. Type or select the Starting Address and the Ending Address.
For this example, type 192.168.10.10 for the Starting Address and 192.168.10.20 for
the Ending Address.
d. Click OK.
The new address pool appears in the Address Pool list.

10. Click OK.


The new VLAN appears.

Figure 15: The VLAN tab with new VLAN10

11. To make device Interfaces 3 and 4 members of the new VLAN, select the Interfaces tab.
12. Select Interface 3 and click Configure.
Or, double-click the interface.
13. From the Interface Type drop-down list, select VLAN.

Interface 3 will be a tagged VLAN interface because it connects to a VLAN switch that sends it traffic with VLAN tags.

14. Select Send and receive tagged traffic for selected VLANs.
15. In the Member column, select the check box for VLAN10.

Figure 16: Select the check box to make the interface a member of the VLAN

16. Click OK.


This interface now appears as type VLAN in the list of interfaces.

17. Repeat Steps 12 to 16 for Interface 4 to make that interface a member of VLAN10.
18. Check your work.
The Interfaces tab should look like this:

Figure 17: Interfaces 3 and 4 are both type VLAN

The numbers in the Interfaces column use normal type to indicate that these are tagged interfaces. If the interfaces are configured as untagged switch ports, the entry appears in bold type.

The VLAN tab should look like this:

Figure 18: The VLAN tab shows that interfaces 3 and 4 are members of VLAN10

19. Save this configuration to the device: click the save icon, or select File > Save > To Firebox.


Configure the Switches


Refer to the instructions from your switch manufacturer to configure your switch.

Switch A
1. Configure the switch interface that connects the switch to the Firebox or XTM device interface 3.
a. Disable Spanning Tree Protocol on any switch interface that connects to the device.
b. Configure this interface on Switch A to be a member of VLAN10.
c. Configure this interface to send traffic with the VLAN10 tag.
d. If necessary, set the switch mode to trunk.
e. If necessary, set the encapsulation mode to 802.1Q.
As a general rule, remember that the physical segment between this switch interface and the Firebox or XTM device is a tagged data segment. Traffic that flows over this segment must use 802.1Q VLAN tagging. Some switch manufacturers refer to an interface that is configured like this as a trunk port or a trunk interface.
2. Configure the switch interfaces that connect computers to the switch. Configure these interfaces to be members of VLAN10 and to send untagged traffic for VLAN10.
As a general rule, remember that the physical segments between each of the other switch interfaces and the computers (or other networked devices) that connect to them are untagged data segments. Traffic that flows over these segments does not have VLAN tags.

Switch B
Repeat the previous steps to configure Switch B:

1. Configure the switch interface that connects the switch to the device interface 4.
a. Disable Spanning Tree Protocol on any switch interface that connects to the device.
b. Configure this interface on Switch B to be a member of VLAN10.
c. Configure this interface to send traffic with the VLAN10 tag.
d. If necessary, set the switch mode to trunk.
e. If necessary, set the encapsulation mode to 802.1Q.
As a general rule, remember that the physical segment between this switch interface and the Firebox or XTM device is a tagged data segment. Traffic that flows over this segment must use 802.1Q VLAN tagging.
2. Configure the switch interfaces that connect computers to the switch. Configure these interfaces to be members of VLAN10 and to send untagged traffic for VLAN10.
As a general rule, remember that the physical segments between each of the other switch interfaces and the computers (or other networked devices) that connect to them are untagged data segments. Traffic that flows over these segments does not have VLAN tags.

Physically Connect All Devices


1. Connect one end of an Ethernet cable to the device interface 3.
2. Connect the other end of this Ethernet cable to the interface on Switch A that you configured to
tag for VLAN10 (to the VLAN trunk interface of Switch A).
3. Connect one end of an Ethernet cable to the device interface 4.
4. Connect the other end of this Ethernet cable to the interface on Switch B that you configured to
tag for VLAN10 (to the VLAN trunk interface of Switch B).
5. Connect a computer to one of the interfaces on Switch A that you configured to untag for VLAN10.
6. If you configured VLAN10 to use the DHCP server, configure the computer's network card to use DHCP to get an IP address automatically.
See Step 9 on page 23.
7. If you did not configure the VLAN to use the DHCP server, configure the computer's network card with an IP address in the VLAN subnet 192.168.10.x. Use subnet mask 255.255.255.0 and set the computer's default gateway to the device VLAN IP address 192.168.10.1.
8. Repeat these steps to connect a computer to Switch B.
8. Repeat these steps to connect a computer to Switch B.

Test the Configuration


You should be able to ping from a computer connected to Switch A to a computer connected to Switch
B, and from a computer connected to Switch B to a computer connected to Switch A. Because they are
in the same VLAN, the two computers can communicate as if they were connected to the same physical
LAN.

Exercise 4: Two VLANs as External Interfaces on the Same Device

When to Use this Configuration


You use VLANs as External interfaces when your service provider gives you Internet and MPLS
connections on a single Ethernet cable, logically separated by VLANs. Rather than connecting the cable
to a managed switch, then to separate physical interfaces on your Firebox or XTM device, you can
connect the cable directly to a single physical interface configured as a trunk on your device.

Network Topology
This exercise simulates two service provider connections, ISP-1 (VLAN 10) and ISP-2 (VLAN 20), carried by a single trunk port of the switch to one Firebox or XTM device interface. In the following diagram, the WAN connections connect to the 802.1Q switch, and the trunk port of the switch (Switch A) is connected to device interface 3.
Fireware XTM OS versions prior to v11.7 had a hard limit of four WAN interfaces. You can use VLANs as External interfaces when you need more than four WAN interfaces. You can configure up to ten External VLANs in addition to the four physical External interfaces.

Figure 19: Network topology for Exercise 4

Note
If you have already completed the previous exercise, remove the VLANs and disable the VLAN
interface you configured in that exercise before you begin this one.


Configure the Device


1. From Policy Manager, select Network > Configuration.
The Network Configuration dialog box appears.

2. Select the VLAN tab.


3. Click Add to create a new VLAN.
The New VLAN Configuration dialog box appears.

4. In the Name (Alias) text box, type a name for the VLAN. The name cannot contain spaces. For this
example, type External-VLAN10.
5. (Optional) In the Description text box, type a description. For this example, type ISP-1.
Security zones correspond to aliases for interface security zones. For example, VLANs of type External are handled by policies that use the alias Any-External as a source or destination.
6. In the VLAN ID text box, type or select a number for the VLAN. For this example, select 10.
7. From the Security Zone drop-down list, select the security zone for the VLAN. For this example, select External.
8. Select Use Static IP.
9. In the IP Address text box, type the IP address. For this exercise, type 198.51.100.X/24. Replace the X in the IP address with the student number your instructor gives you. For example, if your student number is 10, type 198.51.100.10/24.
10. In the Default Gateway text box, type the gateway address. For this exercise, type 198.51.100.1.
This configuration must have a corresponding upstream connection that is the default gateway (198.51.100.1).

11. Click OK.


12. Click Add and create another new VLAN.
The New VLAN Configuration dialog box appears.

13. In the Name (Alias) text box, type a name for the VLAN. The name cannot contain spaces. For this
example, type External-VLAN20.
14. (Optional) In the Description text box, type a description. For this exercise, type ISP-2.
15. In the VLAN ID text box, type or select a number for the VLAN. For this example, select 20.
16. From the Security Zone drop-down list, select the security zone for the VLAN. For this example,
select External.
17. Select Use Static IP.
18. In the IP Address text box, type the IP address. For this example, type 198.0.2.X/24. Replace the X in the IP address with the student number your instructor gives you. For example, if your student number is 10, type 198.0.2.10/24.
19. In the Default Gateway text box, type the gateway address. For this exercise, type 198.0.2.1.
This configuration must have a corresponding upstream connection that is the default gateway (198.0.2.1).

20. Click OK.


The new VLANs appear.

Figure 20: VLAN tab with new External-VLAN10 and External-VLAN20

21. Select the Interfaces tab.



22. Select Interface 3. Click Configure.


23. From the Interface Type drop-down list, select VLAN.
The Interface Type Configuration section appears on the IPv4 tab. Both new VLANs appear in the list.

24. Select Send and receive tagged traffic for selected VLANs.
25. In the Member column, select the check boxes for External-VLAN10 and External-VLAN20.

Figure 21: The Member column shows which VLANs this interface is a member of.

26. Click OK.


27. Check your work.
The Interfaces tab should look like this.

Figure 22: Interface 3 is now type VLAN

The VLAN tab should look like this.

Figure 23: VLAN tab after the VLANs are defined

28. Save this configuration to the device.


Configure the Switch


Add VLANs to the switch that connects to your ISP. In the diagram, this is labeled Switch A.
Refer to the instructions from your switch manufacturer to configure VLAN tagging on your switch.

1. Add two VLANs with the ID numbers 10 and 20 to the 802.1Q switch configuration.
2. Configure the switch interface that connects the switch to the Firebox or XTM device interface 3.
a. Disable Spanning Tree Protocol on any switch interface that connects to the device.
b. Configure this interface on the switch to be a member of both VLANs 10 and 20.
c. Configure this interface to tag for both VLANs.
d. If necessary for your switch operating system, set the switch mode to trunk.
e. If necessary for your switch operating system, set the encapsulation mode to 802.1Q.
3. Configure the switch interface that connects ISP-1 in VLAN10 to the switch.
a. Configure the switch interface that will connect to ISP-1 to be a member of VLAN10.
b. Configure this interface to untag for VLAN10.
4. Configure the switch interface that connects ISP-2 in VLAN20 to the switch.
a. Configure the switch interface that will connect to ISP-2 to be a member of VLAN20.
b. Configure this interface to untag for VLAN20.
As a general rule, remember that the physical segment between this switch interface and the Firebox
or XTM device is a tagged data segment. Traffic that flows over this segment must use 802.1Q VLAN
tagging.
Some switch manufacturers refer to a switch interface that is configured like Step 2 as a trunk port or trunk interface.
As a general rule, remember that the physical segment between a switch interface and the networked device that connects to it is an untagged data segment. Traffic that flows over this segment does not have VLAN tags.
You can use another Firebox or XTM device to simulate the ISP-1 and ISP-2 connections. On that device, configure one Trusted interface with the IP address 198.51.100.1/24 and another Trusted interface with the IP address 198.0.2.1/24. Make sure that these subnets (198.51.100.0/24 and 198.0.2.0/24) are included in the Dynamic NAT rules and that they translate to Any-External, so that the simulated ISPs have an Internet connection.

Physically Connect All Devices


1. Connect one end of an Ethernet cable to the device interface 3.
2. Connect the other end of the Ethernet cable to the interface on the switch that you configured to
tag for VLANs 10 and 20 (to the VLAN trunk interface of the switch).
3. Connect the interface on the switch that you configured to untag for VLAN10 to the upstream
internet connection of ISP-1.
4. Connect the interface on the switch that you configured to untag for VLAN20 to the upstream
internet connection of ISP-2.

Test the Configuration


From the management computer or any computer on the trusted zone, you should be able to access the Internet. Create an HTTP policy and enable logging for allowed packets. The log messages show which External interface each packet uses to reach its destination. You can also enable logging on the Outgoing and Ping policies to try other protocols; those log messages show which External interface each packet used to reach its destination.

Using VLANs in Device Policies


Apply Firewall Policies to Intra-VLAN Traffic
You can configure more than one device interface as a member of the same VLAN. By default, policies
are not applied to traffic that passes through the firewall between hosts on different interfaces that are
on the same VLAN. If you want to apply policies to VLAN traffic between local interfaces you must edit
the VLAN settings for that VLAN to enable it.
For example, you might want to do this if the VLAN member interfaces connect to networks for two
departments, and you want to control whether users on one interface can have access to network
resources on the other interface.

1. Select Network > Configuration.


2. Select the VLAN tab.
3. Double-click the VLAN to edit.
4. At the bottom of the Edit VLAN dialog box, select the Apply firewall policies to intra-VLAN
traffic check box.
5. Save the configuration to the device.
If you want to apply policies to intra-VLAN traffic, make sure that no alternate path exists between the
source and destination. The VLAN traffic must go through the device for firewall policies to apply.
Intra-VLAN policies are applied by IP address, user, or alias. If the intra-VLAN traffic does not match any
defined policy, the traffic is denied as unhandled packets. Intra-VLAN non-IP packets are allowed.

Aliases
When you add the new VLAN, the VLAN name appears as a new alias in the list of Firebox or XTM device
aliases.
To open the Aliases dialog box, select Setup > Aliases.

Figure 24: The aliases list


You can use this alias in Firebox or XTM device policies to specify the new VLAN.
For example, to specify that users in Trusted-VLAN30 are allowed to make SSH connections to a server in the trusted network with IP address 10.0.1.56, configure an SSH policy as shown in the following image.

Figure 25: SSH policy

Three other aliases can include a VLAN: Any-Trusted, Any-Optional, and Any-External.
- If you configure the VLAN in the Trusted security zone, then the Any-Trusted alias includes the VLAN. The Any-Trusted alias includes VLANs that use the Trusted security zone, and all networks connected to a device interface of type Trusted.
- If you configure the VLAN in the Optional security zone, then the Any-Optional alias includes the VLAN. The Any-Optional alias includes VLANs that use the Optional security zone, and all networks connected to a device interface of type Optional.
- If you configure the VLAN in the External security zone, then the Any-External alias includes the VLAN. The Any-External alias includes VLANs that use the External security zone, and all networks connected to a device interface of type External.
- If you configure the VLAN in the Custom security zone, then the VLAN is not included in the Any-Trusted, Any-Optional, or Any-External aliases. As a result, traffic for the VLAN is not handled by the policies that use these aliases. You must add the VLAN interface name to the policy so that the policy applies to traffic for that VLAN.
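To see how these rules interact, here is an added Python model of the alias expansion described above, together with the intra-VLAN setting from the previous section and the default Ping policy that the Exercise 1 test relies on. It is not WatchGuard code and it simplifies Fireware's policy engine: there are no users, schedules or NAT, the Outgoing policy covers TCP only, and the first matching policy wins. The segment names, the 10.0.30.0/24 and 192.168.40.0/24 networks, the 203.0.113.0/24 External interface and the policy table are constructed for the example; the Trusted-VLAN30 to 10.0.1.56 SSH rule is the one in Figure 25.

```python
"""Zone aliases and policy matching for VLAN traffic, as a simplified model of Fireware.

Added example for this guide, not WatchGuard code. It leaves out users, schedules and
NAT, models Outgoing as TCP only, and the first matching policy wins. The segments and
policies are constructed from the exercises; 10.0.30.0/24, 192.168.40.0/24 and
203.0.113.0/24 are invented here.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional


@dataclass(frozen=True)
class Segment:
    """A VLAN or a physical interface: a named network in one security zone."""
    name: str
    zone: str                          # Trusted, Optional, External or Custom
    network: str                       # device address with prefix, e.g. 192.168.10.1/24
    vlan_id: Optional[int] = None      # None for a physical interface
    intra_vlan_policies: bool = False  # "Apply firewall policies to intra-VLAN traffic"


@dataclass(frozen=True)
class Policy:
    name: str
    proto: str               # "icmp", "tcp" or "udp"
    port: Optional[int]      # None matches any port
    sources: tuple           # aliases, segment names, or IP addresses/networks
    destinations: tuple
    action: str = "allow"


ZONE_ALIAS = {"Trusted": "Any-Trusted", "Optional": "Any-Optional", "External": "Any-External"}


def aliases_for(seg):
    """Aliases that cover this segment. A Custom-zone VLAN is covered only by its own name and Any."""
    names = {seg.name, "Any"}
    if seg.zone in ZONE_ALIAS:
        names.add(ZONE_ALIAS[seg.zone])
    return names


def member_matches(ip, seg, members):
    """True if any policy member covers the address: aliases expand, IP literals match directly."""
    for member in members:
        if member in aliases_for(seg):
            return True
        try:
            if ip_address(ip) in ip_network(member, strict=False):
                return True
        except ValueError:
            pass  # an alias that did not match, not an IP literal
    return False


def locate(ip, segments):
    """The segment whose network contains the address, or None."""
    return next((s for s in segments if ip_address(ip) in ip_network(s.network, strict=False)), None)


def decide(src_ip, dst_ip, proto, port, segments, policies):
    """Return (verdict, reason) for one packet. IP traffic that matches no policy is unhandled."""
    src, dst = locate(src_ip, segments), locate(dst_ip, segments)
    if src is None or dst is None:
        return "deny", "address is not on a configured segment"
    if src is dst and src.vlan_id is not None and not src.intra_vlan_policies:
        return "allow", "intra-VLAN traffic is bridged without a policy lookup"
    for pol in policies:
        if pol.proto != proto or (pol.port is not None and pol.port != port):
            continue
        if member_matches(src_ip, src, pol.sources) and member_matches(dst_ip, dst, pol.destinations):
            return pol.action, pol.name
    return "deny", "unhandled packet"


def lab_config(apply_intra_vlan=False):
    """Segments and policies for the checks below; apply_intra_vlan sets VLAN10's check box."""
    segments = [
        Segment("VLAN10", "Trusted", "192.168.10.1/24", 10, apply_intra_vlan),
        Segment("VLAN20", "Optional", "192.168.20.1/24", 20),
        Segment("Trusted-VLAN30", "Trusted", "10.0.30.1/24", 30),
        Segment("Guest-VLAN40", "Custom", "192.168.40.1/24", 40),
        Segment("Trusted", "Trusted", "10.0.1.1/24"),       # physical Trusted interface
        Segment("External", "External", "203.0.113.2/24"),  # constructed physical External interface
    ]
    policies = [
        Policy("Ping", "icmp", None, ("Any-Trusted", "Any-Optional"), ("Any",)),
        Policy("SSH", "tcp", 22, ("Trusted-VLAN30",), ("10.0.1.56",)),
        Policy("Outgoing", "tcp", None, ("Any-Trusted", "Any-Optional"), ("Any-External",)),
    ]
    return segments, policies


if __name__ == "__main__":
    segs, pols = lab_config()
    for pkt in [("192.168.10.15", "192.168.20.15", "icmp", None),  # Exercise 1 ping test
                ("192.168.10.15", "192.168.20.15", "tcp", 80),     # no policy between the VLANs
                ("192.168.40.5", "192.168.20.15", "icmp", None),   # Custom zone: Any-* do not apply
                ("10.0.30.5", "10.0.1.56", "tcp", 22)]:            # Figure 25 SSH policy
        print(pkt, "->", decide(*pkt, segs, pols))
```

Running the constructed lab through decide() shows the points the text makes: the Exercise 1 ping between VLAN10 and VLAN20 is allowed only because Any-Trusted and Any-Optional expand to include those VLANs, while HTTP between them is an unhandled packet; a Custom-zone VLAN source matches none of the Any-* aliases, so even the Ping policy does not allow it; and VLAN10 to VLAN10 traffic across two member interfaces is bridged until the intra-VLAN check box is set, after which anything without a matching policy becomes an unhandled packet.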

Exercise 5: Configure VLANs for Wireless Access Points

WatchGuard AP devices, such as the AP100, AP102, and AP200, are wireless access points that you can
connect to the trusted, optional, or custom network of a Firebox or XTM device. The connected AP
devices are managed by the Fireware XTM Gateway Wireless Controller. You configure AP devices with
one or more SSIDs that wireless users can connect to. In this exercise you configure VLANs for use with
AP device SSIDs.
Note
This exercise includes steps to manually add an AP device to the Firebox or XTM device
configuration. It is not necessary for you to have an AP device to complete this exercise.

When to Use This Configuration


You can optionally use VLAN tagging for AP device SSIDs if you want your AP deployment to meet one
or both of these requirements:
- You want to separate the traffic for users connected to different SSIDs
- You want to apply different policies to the traffic for different SSIDs
This exercise shows how to configure VLANs to separate traffic for trusted and guest wireless users.

Network Topology
This exercise simulates the situation where you have an AP device with two SSIDs, one SSID for trusted
wireless users, and another for guest wireless users.

Figure 26: AP device connected to a VLAN interface

For this exercise, you must configure three VLANs, a tagged VLAN for each SSID, and an untagged VLAN
for AP device management:
- VLAN 10 for trusted wireless users (Tagged VLAN, Trusted security zone)
- VLAN 20 for guest wireless users (Tagged VLAN, Custom security zone)
- VLAN 30 for management connections to the AP device (Untagged VLAN, Trusted security zone)
When you enable VLAN tagging for an AP device, you can connect the AP device directly to a device
interface, or to a switch configured to handle traffic for the same VLAN IDs. For this exercise, we assume
the AP device is directly connected to Eth6.
Note
If you have already completed the previous exercise, remove the VLANs and disable the VLAN
interface you configured in that exercise before you begin this one.


Configure VLANs
1. In Policy Manager, select Network > Configuration.
2. Select the VLAN tab.

Note
In this exercise, you configure the VLAN for wireless guest users in the Custom security zone. You could
instead use the Optional zone, if that is appropriate for your network.

3. Add a new VLAN with these settings:


- Name: VLAN10-Trusted-W
- VLAN ID: 10
- Security Zone: Trusted
- IP Address: 192.168.10.1/24
- DHCP Server Address Pool: 192.168.10.10 - 192.168.10.100
4. Add a new VLAN with these settings:
- Name: VLAN20-Guest-W
- VLAN ID: 20
- Security Zone: Custom
- IP Address: 192.168.20.1/24
- DHCP Server Address Pool: 192.168.20.10 - 192.168.20.100
5. Add a new VLAN with these settings:
- Name: VLAN30-AP-Mgmt
- VLAN ID: 30
- Security Zone: Trusted
- IP Address: 192.168.30.1
- DHCP Server Address Pool: 192.168.30.10 - 192.168.30.100
6. Verify that the list of configured VLANs looks like this:

Figure 27: The VLAN tab with three VLANs configured

7. Select the Interfaces tab.


8. Select Eth6. Click Configure.
This is the interface for the network to which the Access Point will be connected.

9. From the Interface Type drop-down list, select VLAN.


10. Configure this interface to send and receive tagged traffic for VLANs 10 and 20.

Figure 28: The tagged VLANs, one Trusted and one Custom

11. Configure this interface to send and receive untagged VLAN traffic for VLAN 30.

Figure 29: The untagged VLAN for AP management

12. Close the Network Configuration dialog box.

Configure AP SSIDs and Access Point


Add the SSIDs for Trusted and Guest Wireless Users
1. In Policy Manager, select Network > Gateway Wireless Controller.
The Gateway Wireless Controller dialog box appears.

2. Select the Enable the Gateway Wireless Controller check box. Click OK.
3. Type a pairing passphrase for your AP devices.
This is the passphrase used for management connections to the AP device. For this exercise, type wgwap.

4. In the SSIDs tab, click Add.


The Add SSID dialog box appears.

5. In the Network Name (SSID) text box, type Trusted-Wireless.


6. Select the Enable VLAN tagging check box.
7. In the VLAN ID text box, type 10, the VLAN ID of the VLAN10-Trusted-W VLAN.
8. Select the Security tab.
The security mode you select is not important to this exercise, but it is a good practice to configure the
security settings when you create an SSID.

9. From the Security Mode drop-down list, select WPA/WPA2 (PSK).

VLANs in Fireware XTM

35

10. In the Passphrase text box, type the passphrase that trusted wireless users must know to connect
to this SSID.
11. Click OK.
12. Repeat the previous steps to add a second SSID with these properties:
- Network Name (SSID): Guest-Wireless
- VLAN ID: 20
- Security: WPA/WPA2 (PSK), with a passphrase for wireless guest users
When you are finished, the SSIDs tab contains SSIDs for trusted and guest wireless users.

Figure 30: Two configured SSIDs

Add an AP Device
Note
If you have an AP device, you can connect it to the VLAN interface you just configured, and pair it to the
Firebox or XTM device.

So that you can complete the configuration without an AP device, this exercise includes steps to
manually add an AP100 wireless access point to the Gateway Wireless Controller.

1. Select the Access Points tab.


2. Click Add.
3. Type the default pairing passphrase, wgwap. Click OK.
The Add Access Point dialog box appears.

Note
Click Help in Policy Manager for detailed instructions.

Figure 31: Settings for a manually added AP device, with Management VLAN tagging enabled

4. In the Serial Number text box, type the serial number of an Access Point device. If you don't have
an Access Point device, you can just type any string of 13 letters and numbers. For this exercise,
type AP10012345678.
5. Select the Enable Management VLAN tagging check box.


6. In the Management VLAN ID text box, type 30, the untagged VLAN for interface 6.
7. In the list, add the Trusted-Wireless and Guest-Wireless SSIDs.

Figure 32: Two SSIDs added to the SSID list

8. Click OK.

Note
The Gateway Wireless Controller on the Firebox or XTM device uses the untagged VLAN to discover and
manage the WatchGuard Access Point. You can also use this VLAN if you want to connect to the Access
Point Web UI.

The AP device is added to the Access Points list.

Figure 33: The manually added Access Point

9. Click OK.

Configure Policies for the Custom VLAN


Because VLAN 20 is in the Custom security zone, traffic from that VLAN is not allowed by the policies
that use the Any-Trusted and Any-Optional aliases. In this exercise you edit the Outgoing policy to
allow traffic from the custom VLAN interface for wireless guest users. In an actual deployment, you
might want to create separate policies to allow specific types of traffic for wireless users who connect
to the wireless guest network.

1. Edit the Outgoing policy.


2. In the From list of this policy, add VLAN20-Guest-W. Because VLAN20-Guest-W is in the Custom
security zone, it is not included in the Any-Trusted and Any-Optional aliases in this policy.

Note
The requirement to create or edit policies is not unique to VLAN interfaces. Whenever you configure an
interface as Custom, you must also configure policies to allow traffic for that interface.

Figure 34: The Outgoing policy with the VLAN20-Guest-W custom VLAN added

3. Save the configuration to the device.



Frequently Asked Questions


If I want to allow traffic to a VLAN from a device outside the VLAN, do I need a policy for it?
Yes.
By default, the Firebox or XTM device does not allow traffic to a device in any VLAN. To allow this
traffic, add a policy for it and include the VLAN's alias name in the To section.
If I want to allow traffic that starts in a VLAN and leaves the VLAN, do I need a policy for it?
Yes.
Traffic is not allowed to leave a network protected by the Firebox or XTM device unless there is a
policy to allow it. However, the default configuration the Quick Setup Wizard creates for the Firebox
or XTM device includes the Outgoing policy, which allows traffic from Any-Trusted to the external
network.
If your VLAN uses the Trusted security zone, any device in the VLAN can use the Outgoing policy to
send traffic to the external network. This is because a VLAN that uses the Trusted security zone is
included in the Any-Trusted alias.
If I want to allow traffic that starts in one VLAN and goes to another VLAN, do I need a policy
for it?
Yes.
By default, devices in one VLAN cannot see the traffic from another VLAN. You can apply separate
security policies to VLANs.
If I want to allow traffic that starts in a VLAN and goes to a device in the same VLAN, do I need
a policy for it?
No.
If a computer connected to Switch A sends traffic to a computer connected to Switch B (see
Figure 14 on page 22 in Exercise 3), and both computers are in the same VLAN, the Firebox or XTM
device does not filter this traffic. In this setup, the Firebox or XTM device serves as a VLAN bridge
between the two computers and the two switches. The two computers communicate as if they
were in the same physical LAN, not separated by the Firebox or XTM device.
How many VLANs can I use?
The number of VLANs you can add to your configuration is 50 to 500, depending on the Firebox or
XTM device model. To verify the number of VLANs you can add to your device:

1. From Policy Manager, select Setup > Feature Key.


The Firebox Feature Key dialog box appears.

2. Scroll down to find the Total Number of VLAN Interfaces row.


The number of available VLANs appears in the Value column.

Of that total number of VLANs, how many External VLANs can I use?
The recommended maximum number of External VLANs is ten.

What You Have Learned


In this module you have learned:

- What a VLAN is.
- Some benefits of using VLANs in your network.
- How VLANs work on the Firebox or XTM device.
- How to configure a Firebox or XTM device to use VLANs in five different configurations.

Traffic Management
Traffic Shaping and Prioritization
What You Will Learn
Many organizations have mission-critical, real-time network applications that must take priority over
other traffic. You can use bandwidth restrictions and reservations, together with prioritization, to make
sure critical applications have the bandwidth they need. In this module, you learn how to:

- Create Traffic Management actions to guarantee or restrict bandwidth
- Apply Traffic Management actions to policies and applications
- Prioritize traffic by QoS marking or policy
- Use Service Watch and Traffic Management monitoring to see your changes at work
Use Service Watch and Traffic Management monitoring to see your changes at work

All exercises in this course module were designed for a controlled environment using a LAN network.
Real-world tests introduce volatility and latency associated with the Internet. Tests run in such an
environment can produce unexpected results.

Control Bandwidth Use with Traffic Management Actions


Traffic Management enables you to set the maximum bandwidth available for different types of traffic,
and to guarantee a minimum amount of bandwidth for specific traffic flows. Although the Firebox or
XTM device has no control over the rate at which packets arrive at a given interface, you can use Traffic
Management settings to:
Guarantee Bandwidth
Set the minimum bandwidth to guarantee for traffic managed by a Traffic Management action.
Limit Bandwidth
Set the maximum bandwidth to allocate to traffic managed by a Traffic Management action.
Bandwidth limits and guarantees apply only if the necessary bandwidth is available through the
interface that handles the traffic.
Traffic Management configuration is very flexible, and enables you to control traffic by policy,
application, traffic direction, and source IP address. For example, you can use Traffic Management
actions to:

- Limit bandwidth for HTTP for all users on the trusted interface to the Internet
- Guarantee 10 Mbps bandwidth for HTTP traffic for a specific user or group
- Guarantee or limit bandwidth used by specific applications or application categories
- Limit the bandwidth for a group
- Limit the bandwidth used for FTP per source IP address


Traffic Management Action Types


There are three types of Traffic Management actions.
All Policies
The action applies to the combined bandwidth of all policies that use it. If the action is used for
multiple policies, all policies share the bandwidth guarantee or maximum specified in the action.
Per Policy
The action applies individually to each policy that uses it. If the action is used for multiple policies,
the bandwidth maximum or guarantee specified in the action applies separately to each policy.
Per IP Address
The action applies individually to each client source IP address. When you configure a Per IP Address
action, you also specify the Maximum Instance, which is the number of client source IP addresses
that the bandwidth constraints in the action can individually apply to.
If the number of concurrent clients that use a Per IP Address action is larger than the Maximum
Instance, clients with different source IP addresses begin to share the bandwidth specified in the
action. A round-robin algorithm determines which source IP addresses share bandwidth. Recently
connected source IP addresses share bandwidth with source IP addresses that have been
connected longest.
If you apply a Per IP Address action to multiple policies, the action applies to each client source IP
address for the combined traffic handled by all policies that use the action. It functions similarly to an
All Policies action, except on a per-IP address basis.

Traffic Management in Policies


In a policy, you can configure two Traffic Management actions, a Forward Action and a Reverse Action.
The Forward Action applies to traffic that originates from the addresses in the From list (source) in the
policy. The Reverse Action applies to traffic that originates from the To list (destination).
If a policy uses the same Traffic Management action for traffic in both directions, the action applies to
the combined bandwidth of traffic in both directions.
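To make the three action types and the Forward/Reverse sharing rule concrete, here is an added Python model (not WatchGuard code) that allocates one interface's bandwidth among flows under All Policies, Per Policy and Per IP Address actions, including the Maximum Instance round-robin sharing described above. The rule for sharing bandwidth that no guarantee reserves (max-min fair sharing), the client IP addresses and the flow demands are assumptions; the scenario in its usage block is the one built in Exercise 1 of this module.

```python
"""Bandwidth allocation model for Fireware Traffic Management action types.

Added example, not WatchGuard code. It models the guarantee/limit behaviour the
text describes for All Policies, Per Policy and Per IP Address actions (with
Maximum Instance). How leftover bandwidth is shared is not stated on the page,
so this model assumes max-min fair sharing.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass
class TMAction:
    name: str
    kind: str                 # "all_policies", "per_policy" or "per_ip"
    guaranteed: float = 0.0   # Kbps, 0 = no guarantee
    maximum: float = 0.0      # Kbps, 0 = no limit
    max_instances: int = 1    # per_ip only: the action's Maximum Instance


@dataclass
class Flow:
    policy: str
    src_ip: str
    demand: float             # Kbps the flow would use if unconstrained
    action: Optional[TMAction] = None   # None: policy has no TM action


def fair_share(capacity: float, caps: Dict) -> Dict:
    """Max-min fair split: equal shares, nobody gets more than its cap, and
    what a capped item cannot use is re-shared among the rest."""
    alloc = {k: 0.0 for k in caps}
    active = {k for k, c in caps.items() if c > 0}
    remaining = capacity
    while active and remaining > 1e-9:
        share = remaining / len(active)
        for k in sorted(active):
            give = min(share, caps[k] - alloc[k])
            alloc[k] += give
            remaining -= give
            if caps[k] - alloc[k] <= 1e-9:
                active.discard(k)
    return alloc


def scope_key(flow: Flow, ip_order: Dict[str, List[str]]) -> Tuple:
    """Identify the group of flows that share one instance of an action."""
    a = flow.action
    if a is None:
        return ("unmanaged", flow.policy, flow.src_ip)  # each flow by itself
    if a.kind == "all_policies":
        return (a.name,)                                 # one pool for all
    if a.kind == "per_policy":
        return (a.name, flow.policy)                     # one pool per policy
    # per_ip: one pool per source IP up to Maximum Instance; later IPs are
    # assigned round-robin to the pools of the longest-connected IPs.
    ips = ip_order.setdefault(a.name, [])
    if flow.src_ip not in ips:
        ips.append(flow.src_ip)
    return (a.name, ips.index(flow.src_ip) % a.max_instances)


def allocate(capacity: float, flows: List[Flow]) -> Dict[Tuple[str, str], float]:
    """Return {(policy, src_ip): Kbps} for flows leaving one interface whose
    Outgoing Interface Bandwidth is `capacity`. Flows are listed in connection
    order (earliest first), one flow per (policy, src_ip) pair."""
    scopes: Dict[Tuple, List[Flow]] = {}
    ip_order: Dict[str, List[str]] = {}
    for f in flows:
        scopes.setdefault(scope_key(f, ip_order), []).append(f)
    demand = {k: sum(f.demand for f in fl) for k, fl in scopes.items()}
    action = {k: fl[0].action for k, fl in scopes.items()}
    # 1. Serve guarantees first. A guarantee only applies if the interface has
    #    the bandwidth, so over-committed guarantees are scaled down.
    guar = {k: min(demand[k], action[k].guaranteed if action[k] else 0.0)
            for k in scopes}
    total_guar = sum(guar.values())
    if total_guar > capacity:
        guar = {k: v * capacity / total_guar for k, v in guar.items()}
    # 2. Share the rest, never pushing a scope past its demand or its maximum.
    caps = {}
    for k in scopes:
        a = action[k]
        limit = a.maximum if a and a.maximum else float("inf")
        caps[k] = max(0.0, min(demand[k], limit) - guar[k])
    extra = fair_share(capacity - sum(guar.values()), caps)
    # 3. Flows inside a scope share that scope's bandwidth the same way.
    result: Dict[Tuple[str, str], float] = {}
    for k, fl in scopes.items():
        per_flow = fair_share(guar[k] + extra[k],
                              {i: f.demand for i, f in enumerate(fl)})
        for i, f in enumerate(fl):
            result[(f.policy, f.src_ip)] = round(per_flow[i], 3)
    return result


if __name__ == "__main__":
    # Constructed Exercise 1 scenario: Min500Kbps (All Policies) on HTTP and
    # DNS, FTP unmanaged, trusted interface limited to 1500 Kbps.
    min500 = TMAction("Min500Kbps", "all_policies", guaranteed=500)
    print(allocate(1500, [Flow("FTP", "10.0.1.20", 1500),
                          Flow("DNS", "10.0.1.20", 20, min500),
                          Flow("HTTP", "10.0.1.20", 1500, min500)]))
```

Changing `kind` on the Max1000Kbps-style action from "all_policies" to "per_policy" reproduces the difference you observe in the second half of Exercise 2: the combined cap becomes a separate cap per policy.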

Traffic Management in Application Control


If you have an Application Control subscription, you can also use Traffic Management actions to control
the bandwidth used by applications and application categories. If you apply a Traffic Management action
to an application category, all applications in the category share the bandwidth specified in the Traffic
Management action.
In Application Control, there is no separate forward and reverse action. Traffic Management actions
apply to application traffic in both directions for all policies that use the Traffic Management action.

Traffic Management Action Precedence


It is possible that more than one Traffic Management action could apply to traffic. For example, you
could configure the HTTP policy to use a Traffic Management action, and you could also configure
Application Control to use a Traffic Management action for video streaming applications that use HTTP.
If multiple Traffic Management actions could apply, the most specific action is used. The order that
actions are applied, from most to least specific is:

1. Application
2. Application category
3. Policy


Monitoring Bandwidth Statistics


You can see bandwidth statistics for each Traffic Management action in the Firebox System Manager
Traffic Management tab, and the Fireware XTM Web UI Traffic Management System Status page.

Control Traffic Priority with QoS


Although the Firebox or XTM device has no control over the QoS marking of packets that arrive at a
given interface, you can use QoS settings to:
Manage QoS Marking by interface or policy
Fireware XTM supports two types of QoS marking: IP Precedence (also known as Type of Service)
and Differentiated Service Code Point (DSCP). You can use QoS Marking on a per-interface or
per-policy basis. When you define QoS Marking for an interface, packets leaving that interface are
marked. QoS Marking for a policy marks traffic that uses the policy and overrides any QoS Marking
configured on an interface.
Prioritize traffic based on QoS Marking
Traffic prioritization using QoS Marking allows the firewall to operate as part of a network-wide
QoS solution. Prioritization in Fireware XTM is equivalent to ToS levels 0 to 7, where 0 is routine
priority (default) and 7 is the highest priority using strict priority queuing.
Assign custom levels of priority to policies
Custom prioritization by policy allows you to override the priority that would be given by QoS
marking, without modifying the marking itself. This enables Fireware XTM to elevate or lower
priority of traffic within a policy without impacting how the packet is prioritized on the rest of the
network.

About Interface QoS Settings


On each interface, you can configure a QoS marking type: IP Precedence (ToS) or DSCP. You can then
choose to Preserve the existing marking, Clear the existing marking, or Assign a new one. Remember that
the QoS Marking behavior occurs for packets leaving the interfaces and does not apply to packets
entering the interface. Interfaces set to Prioritize traffic based on QoS Marking will use the marking
configuration for prioritization.

About Policy QoS Settings


Within each policy, you can override the per-interface QoS settings. In addition to QoS Marking
options, you also have the ability to configure prioritization by a custom ToS value, giving a different
priority to this policy than the QoS Marking without modifying the marking itself.

About Traffic Priority


The networking industry has many different algorithms to prioritize network traffic. Fireware XTM uses
strict priority queuing to handle priority. Prioritization in Fireware XTM is equivalent to ToS levels 0 to 7,
where 0 is routine priority (default) and 7 is the highest priority. When enabled, traffic prioritization
always occurs, but there is nothing to prioritize until the Firebox or XTM device interface has queued
traffic.


You can set traffic priority for each policy on the Advanced tab's QoS tab. Use this table as a guideline
when you assign priorities:

While DSCP can be configured for QoS marking, the ToS equivalent Class Selector value is used for
prioritization. This gives the IP Precedence, DSCP, and Custom Value options equivalent 0-7 priorities.
For more information on QoS, see the Fireware XTM WatchGuard System Manager Help.
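The bit-level reason that IP Precedence, DSCP and a Custom Value all reduce to the same 0-7 priority, together with the Preserve/Clear/Assign marking modes and a policy custom priority that overrides the marking without rewriting it, as an added Python model (not WatchGuard code) of the behaviour described in this section. The packet names and TOS byte values in the sample are constructed; the strict priority queue is a textbook implementation, not the device's scheduler.

```python
"""Model of Fireware QoS marking and strict priority queuing.

Added example, not WatchGuard code. It shows the IPv4 TOS byte layout that
makes IP Precedence and the DSCP Class Selector the same 0-7 value, how
Preserve, Clear and Assign marking change an egress packet, and how a policy
custom priority overrides the marking-derived priority without rewriting it.
"""
import heapq
from itertools import count
from typing import List, Optional, Tuple

# TOS byte: bits 7-5 IP Precedence, bits 7-2 DSCP, bits 1-0 ECN (RFC 2474/3168)


def ip_precedence(tos: int) -> int:
    return (tos >> 5) & 0x7


def dscp(tos: int) -> int:
    return (tos >> 2) & 0x3F


def class_selector(dscp_value: int) -> int:
    """Top 3 bits of a DSCP, e.g. EF (46 = 0b101110) -> CS5. They are the same
    bits as IP Precedence, which is why every DSCP collapses to a 0-7 level."""
    return (dscp_value >> 3) & 0x7


def mark(tos: int, marking_type: str, mode: str, value: int = 0) -> int:
    """Egress marking of one packet. marking_type is 'precedence' or 'dscp';
    mode is 'preserve', 'clear' or 'assign' (value is written on assign)."""
    if mode == "preserve":
        return tos
    if mode not in ("clear", "assign"):
        raise ValueError(f"unknown mode {mode!r}")
    if marking_type == "precedence":
        cleared = tos & 0x1F                 # keep low DSCP bits and ECN
        return cleared | ((value & 0x7) << 5) if mode == "assign" else cleared
    if marking_type == "dscp":
        cleared = tos & 0x03                 # keep only the ECN bits
        return cleared | ((value & 0x3F) << 2) if mode == "assign" else cleared
    raise ValueError(f"unknown marking type {marking_type!r}")


def priority(tos: int, marking_type: str, custom: Optional[int] = None) -> int:
    """0-7 queuing priority. A policy custom value wins over the marking, but
    the packet's TOS byte stays exactly as marked."""
    if custom is not None:
        return custom & 0x7
    if marking_type == "precedence":
        return ip_precedence(tos)
    return class_selector(dscp(tos))


class StrictPriorityQueue:
    """Strict priority queuing: always send the highest-priority packet that
    is waiting; packets of equal priority leave in arrival order."""

    def __init__(self) -> None:
        self._heap: list = []
        self._arrival = count()

    def enqueue(self, prio: int, packet: str) -> None:
        heapq.heappush(self._heap, (-prio, next(self._arrival), packet))

    def dequeue(self) -> str:
        return heapq.heappop(self._heap)[2]

    def __len__(self) -> int:
        return len(self._heap)


def drain(packets: List[Tuple[str, int, str, Optional[int]]]) -> List[str]:
    """Queue packets (name, tos, marking_type, policy custom priority) that
    arrive while the interface is saturated; return the order they are sent."""
    q = StrictPriorityQueue()
    for name, tos, marking_type, custom in packets:
        q.enqueue(priority(tos, marking_type, custom), name)
    return [q.dequeue() for _ in range(len(q))]


if __name__ == "__main__":
    # Constructed sample: EF-marked voice, best-effort web, DNS raised to 7 by
    # a policy custom value, and bulk FTP, all queued on one busy interface.
    sample = [("web", 0x00, "dscp", None), ("voip", 0xB8, "dscp", None),
              ("dns", 0x00, "dscp", 7), ("ftp", 0x00, "dscp", None)]
    print(drain(sample))  # ['dns', 'voip', 'web', 'ftp']
```

Note that the two best-effort packets (web, ftp) leave in arrival order: strict priority queuing only reorders across priority levels, so a flood of level-7 traffic can starve everything below it, which is the trade-off behind the guidance to reserve the highest levels.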

About Outgoing Interface Bandwidth


Note
In Fireware XTM v11.8.x and lower, Policy Manager would warn you if you created or edited Traffic
Management actions that exceed the outgoing interface bandwidth. In Fireware v11.9 and higher, Traffic
Management actions are not defined per interface, so this warning does not appear.

You can optionally give each interface a bandwidth limit, known as Outgoing Interface Bandwidth. This
limit is applied to the traffic that is transmitted by that interface.
To limit the speed of uploads from your private networks to the Internet, you can set the Outgoing
Interface Bandwidth on the external interface.
To limit the bandwidth used by downloads to your trusted network, you can set the Outgoing
Interface Bandwidth on the trusted interface.
If you configure a bandwidth limit for an interface, Fireware XTM refuses packets that exceed the limit.
One reason to set the Outgoing Interface Bandwidth is to restrict throughput to make sure that queuing
occurs on the interface, as you will see in Exercise 3.
When you set Outgoing Interface Bandwidth on the external interface, you should set your LAN
interface bandwidth based on the minimum link speed supported by your LAN infrastructure.
Note
For the Outgoing Interface Bandwidth setting, make sure to set your speeds in kilobits or megabits
per second (Kbps or Mbps) rather than kilobytes or megabytes per second (KBps or MBps).


Exercise 1: Use a Traffic Management Action to Guarantee Bandwidth

Some applications require a minimum bandwidth to operate smoothly and effectively. Real-time
connections can be disrupted if other applications begin to transmit data. For example, a large FTP
download could degrade or disrupt an HTTP session during bandwidth saturation, which could result
in choppy video in a YouTube download. This exercise shows how to guarantee minimum bandwidth
that is shared between more than one policy. When configured this way, all policies compete for the
same bandwidth.
Requirements for this exercise:
- One computer connected to the Firebox or XTM device trusted interface.
- An HTTP and FTP server connected to the external interface with a switch, or Internet access.
- Each Firebox or XTM device must be configured using the WAN1 and Trusted interface
  configuration described in the Course Introduction.

Enable Traffic Management and QoS


1. Select Setup > Global Settings.
The Global Settings dialog box appears.

2. Select the Networking tab.


3. Select the Enable all traffic management and QoS features check box. Click OK.
You must complete this step before you can configure any Traffic Management settings.

Figure 1: Global setting to enable Traffic Management and Quality of Service

Verify the OS Compatibility Setting


If you edit a configuration opened from a Firebox or XTM device that uses Fireware XTM v11.9, the OS
Compatibility setting will already be set correctly. If you have created a new configuration file, you must
set the OS Compatibility setting before you configure Traffic Management.

1. Select Setup > OS Compatibility.


2. Select 11.9 or higher.
This enables configuration of features that are new or different in Fireware XTM v11.9 and higher.

Define Outgoing Interface Bandwidth


Because your computers on the trusted network download files from a server on the external network,
you define Outgoing Interface Bandwidth on the device trusted interface. You do not need to define
Outgoing Interface Bandwidth on the external interface for this exercise.

1. Select Network > Configuration.


2. Edit the trusted interface (Interface 1).
3. Select the Advanced tab.


4. Set the Outgoing Interface Bandwidth to 1500 Kbps. Click OK.

The Outgoing Interface Bandwidth limits the Trusted interface transmission rate.

5. Close the Network Configuration dialog box and return to Policy Manager.

Create a Traffic Management Action


1. Select Setup > Actions > Traffic Management.
The Traffic Management Actions dialog box appears.

2. Click Add.
The New Traffic Management Action Configuration dialog box appears.

3. In the Name text box, type Min500Kbps.


We will use this action to guarantee bandwidth for a group of policies.
Note
In the Traffic Management settings, 1 Kbps is equal to 1024 bits per second.

4. In the Guaranteed Bandwidth text box, type 500.

Figure 2: A Traffic Management action to guarantee minimum bandwidth for all policies that use it


Modify Policy Configuration


To apply the traffic management action to guarantee minimum bandwidth for HTTP downloads, you
enable it as the Reverse action in the HTTP policy.

1. Click the Add Policy icon.
Or, select Edit > Add Policy.
The Add Policies dialog box appears.

2. Expand the Packet Filters folder and select HTTP. Click Add.
The New Policy Properties dialog box appears.

3. Select the Advanced tab.


4. From the Reverse drop-down list, select Min500Kbps.

Figure 3: The HTTP policy Advanced tab with traffic management enabled for reverse traffic

5. Click OK to return to the Add Policies dialog box.


The Add Policies dialog box appears.

6. In the Packet Filters list, select DNS.


Make sure you do not select DNS-proxy in the Proxies list.

7. Click Add.
The New Policy Properties dialog box appears.

8. Select the Advanced tab.


9. From the Reverse drop-down list, select Min500Kbps.
10. Click OK to return to the Add Policies dialog box. Click Close.


11. Right-click the Outgoing policy and select Disable Policy.

Figure 4: The icons in the Action column show that Traffic Management is enabled in the HTTP and DNS
policies, and the Outgoing policy is disabled.

12. Save the configuration to the device.

Set Up Service Watch


1. Open WatchGuard System Manager and connect to your device.
2. Start Firebox System Manager, and select the Service Watch tab.
3. Right-click anywhere in the window and select Settings.
The Settings dialog box appears.

Figure 5: Select the color settings and graph scale


4. From the Chart Type drop-down list, select Bandwidth.


5. From the Graph Scale drop-down list, keep the default value setting, Auto-Scale.
6. In the Show list, select all policies not used in this exercise and click Remove.
Keep only the DNS, FTP, and HTTP policies.
7. Click OK.
The Service Watch tab now shows data for only the DNS, FTP, and HTTP policies.

See the Results of the Configuration


Both the DNS and the HTTP policy use the same Traffic Management action, Min500Kbps. When
necessary, the policies that use this action will have a minimum of 500 Kbps between them; otherwise,
this bandwidth is available to other policies.

1. Close all programs. Results can vary if other applications on your computer have access to the
network.
2. With your computer connected to the trusted interface, start an FTP session to download a large
file.
If you are unable to identify a sufficient public FTP resource, follow the previous steps to set up a
server on your external interface. You can use either the command line, Internet Explorer, or an FTP
client of your choice to make the connection.
3. Select the Service Watch tab.
The graph shows that the FTP transfer takes all of the available bandwidth. This should be
approximately equal to the value you set for Outgoing Interface Bandwidth on the Trusted
interface (1500 Kbps).

Figure 6: Monitoring bandwidth usage in Service Watch

4. On the same computer you used for the FTP transfer, start watching a YouTube video or your
favorite HTTP video site.
If you use a local web server, use this URL to download the 350MB file in the root of the
C:\inetpub\wwwroot folder:
http://<web server IP address>/350mbfile.txt

Make sure the FTP transfer is still active before you start the HTTP transfer.

5. In Service Watch, look at the amount of bandwidth that is used by both policies.
After you start the HTTP transfer, the amount of bandwidth used by the FTP transfer is reduced, to
allow at least 500Kbps for DNS and HTTP.

Figure 7: FTP cannot use all the bandwidth if it is needed for HTTP traffic


6. Select the Traffic Management tab.


Here you can see a graph of the total bandwidth managed by each rule.

Note
The Usage for this action is 0% because the action has no maximum defined. Usage is the Rate divided
by the Maximum.

Figure 8: The Traffic Management tab shows statistics about the traffic management action. You can also
click the graph to see statistics for any point.

7. Click the Traffic Management action name in the Action column to see which policies use this
action.

Figure 9: The pop-up shows that this action is used by two policies as the reverse action.


Exercise 2: Use a Traffic Management Action to Limit Bandwidth

When you use multiple internal interfaces, it might not be appropriate to reduce the Outgoing
Interface Bandwidth on a Trusted or Optional interface, because this would prevent transfers between
internal interfaces from using their link speed. You can achieve similar results by restricting the
bandwidth of policies that would consume bandwidth needed for more important business functions.
This exercise is intended to be completed after Exercise 1 and follows the same requirements.

Re-Define Outgoing Interface Bandwidth


Because your computers on the trusted network download files from a server on the external network,
you define Outgoing Interface Bandwidth on the device trusted interface. You do not need to define
Outgoing Interface Bandwidth on the external interface for this exercise.

1. Select Network > Configuration.


The Network Configuration dialog box appears.

2. In the Interfaces list, select Trusted (Interface 1). Click Configure.


The Interface Settings dialog box appears.

3. Select the Advanced tab.

Figure 10: Advanced interface settings

4. Set the Outgoing Interface Bandwidth to 0 Kbps. Click OK.


When you select 0 Kbps, Fireware XTM uses the physical link speed to determine the available bandwidth.

5. Close the Network Configuration dialog box.


Create a Traffic Management Action


We will use this action to limit bandwidth for a group of policies.

1. Select Setup > Actions > Traffic Management.


The Traffic Management Actions dialog box appears.

2. Click Add.
The New Traffic Management Action Configuration dialog box appears.

3. In the Name text box, type Max1000Kbps.

Figure 11: This traffic management action limits bandwidth

4. Click OK.
5. Close the Traffic Management Actions dialog box.

Modify Policy Configuration


1. Edit the FTP policy.
2. Select the Advanced tab.

Figure 12: Configure the policy to use the Traffic Management action you just configured as the Reverse
action

3. From the Traffic Management drop-down list, select Max1000Kbps.


4. Click OK.
The FTP policy is now limited to a maximum of 1000Kbps.

5. Save the configuration to the device.


See the Results of the Configuration


With the FTP policy restricted to 1000Kbps, other policies will have the remaining bandwidth available.
If we assume that the downstream bandwidth of the external interface was 1500Kbps, this
configuration leaves 500Kbps available for HTTP and DNS. While this configuration does not restrict the
Trusted interface to 1500Kbps, the FTP policy cannot use additional bandwidth, even if it is available.

1. Close all programs. Results can vary if other applications on your computer have access to the
network.
2. With your computer connected to the trusted interface, start an FTP session to download a large
file.
If you are unable to identify a sufficient public FTP resource, follow the steps in Exercise 1 to set up
a server on your external interface. You can use either the command line, Internet Explorer, or an
FTP client of your choice to make the connection.
3. Open Firebox System Manager and select the Service Watch tab.
The graph shows that the FTP transfer takes only the allotted bandwidth (1000Kbps).

Figure 13: Monitoring bandwidth usage in Service Watch

4. On the same computer you used for the FTP transfer, start watching a YouTube video or your
favorite HTTP video site.
If you use a local web server, use this URL to download the 350MB file in the root of the
C:\inetpub\wwwroot folder: http://<web server IP address>/350mbfile.txt
Make sure the FTP transfer is still active before you start the HTTP transfer.


5. In Service Watch, look at the amount of bandwidth that is used by both policies. After you start
the HTTP transfer, the amount of bandwidth used by the FTP transfer could be reduced, however
500Kbps is available for the HTTP and DNS connections.

Figure 14: Monitoring bandwidth usage for FTP and HTTP traffic

6. Now apply the Max1000Kbps Traffic Management action as the Reverse action in the HTTP policy.
Because this is an All Policies Traffic Management action, it is applied to the combined bandwidth of all
policies where it is assigned.

7. Save the configuration to the device.


8. Start additional HTTP and FTP connections while you monitor Service Watch.

Figure 15: The traffic management action is applied to the combined bandwidth of the FTP and HTTP policies
to which it is assigned.

9. Edit the Max1000Kbps Traffic Management action.
10. From the Type drop-down list, select Per Policy.
11. Save the configuration to the device.
12. Restart the FTP download and the video over HTTP, if necessary to generate more traffic.
13. In Service Watch, look at the amount of bandwidth that is used by both policies.
The maximum bandwidth now applies individually to each policy.

Exercise 3: Use Traffic Management with Application Control

You can use Traffic Management actions with Application Control when you want to limit the
bandwidth used by certain applications or application categories. This can be a good alternative to
blocking application use completely. In this exercise, you use Application Control to limit the
bandwidth used by streaming media applications to 100 Kbps per user.
Note
To complete this exercise, your device must have a feature key that enables Application Control.

Create two Traffic Management Actions

You will use these actions to limit bandwidth for applications.

1. Select Setup > Actions > Traffic Management.
The Traffic Management Actions dialog box appears.

2. Click Add.
The New Traffic Management Action Configuration dialog box appears.

3. In the Name text box, type Max100Kbps.
4. From the Type drop-down list, select Per IP Address.
5. Set the Maximum bandwidth to 100 Kbps.

Figure 16: This traffic management action limits bandwidth per client IP address

6. Click OK.
7. To add another Traffic Management action, click Add.
The New Traffic Management Action Configuration dialog box appears.

8. In the Name text box, type Max2Mbps.
9. From the Type drop-down list, select Per IP Address.

10. Set the Maximum bandwidth to 2 Mbps.

Figure 17: This traffic management action limits bandwidth per client IP address

11. Click OK.
12. Close the Traffic Management Actions dialog box.

Configure Application Control

Next, you configure an Application Control action to use the Traffic Management action.

1. Select Subscription Services > Application Control.
2. Click Add.
3. In the Name text box, type Limit_Streaming.
4. Click Select by Category.
The Select by Category dialog box appears.

Figure 18: The Select by Category dialog box

5. Select the Streaming Media check box. From the adjacent drop-down list select Max100Kbps.

6. Click OK.
This action now uses the selected Traffic Management action for all streaming media applications. Because
this is a Per IP Address action, each user gets a total of 100 Kbps bandwidth for all streaming media
applications.

7. From the Category drop-down list, select Streaming Media.
The list of applications is filtered to show just the streaming media applications.

Figure 19: The action for Streaming Media applications is set by the application category

If you want to set a different Traffic Management action, or disable Traffic Management for an
application in the category, you can edit the action for the individual application. Application-specific
actions take precedence over application category actions. For example, if you want to make an
exception for Adobe Flash, you can configure a separate action for that application.
Note
To override a Traffic Management action for a specific application in the category, you must assign a
different Traffic Management action to the application. If you disable Traffic Management for an
application in the category, the Traffic Management action for the category still applies to traffic for
that application.

1. Select the Adobe Flash application and click Edit.
2. From the Set the action for all behaviors drop-down list, select Allow.
When you set the action to Allow, the Traffic Management check box and the Traffic Management action
configured for the category are automatically selected. To override the Traffic Management action configured
for the application category, you must select a different Traffic Management action for this application.

3. Select the Max2Mbps Traffic Management action.

Figure 20: Application Control settings for a single application.

4. Click OK.
The Adobe Flash application now uses a different Traffic Management action than other streaming media
applications.

5. Click OK to add the Application Control action.
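The three Traffic Management action types you have now used differ only in what shares a single cap: Per Policy and All Policies (compared in Exercise 2) and Per IP Address (used for the Limit_Streaming action above). The Python model below is an added example for this page, not WatchGuard code. It allocates one constructed set of FTP and HTTP flows under a 1000 Kbps maximum for each type. The text does not say how the device divides a cap among the connections inside one group, so the max-min fair share used here is an assumption of the model.

```python
"""Model of how a Traffic Management maximum-bandwidth cap is shared.

Added example, not WatchGuard code: the Type of a Traffic Management action
decides which flows share one cap. The fair-share rule inside a group
(max-min fairness) is an assumption made for this model.
"""
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List


@dataclass(frozen=True)
class Flow:
    """One connection: the policy that handles it, the client, and its demand."""
    policy: str
    client_ip: str
    demand_kbps: float


def max_min_share(demands: List[float], cap_kbps: float) -> List[float]:
    """Split cap among demands so no flow gets more than it asks for and
    unused share is handed on to the flows that still want more."""
    order = sorted(range(len(demands)), key=lambda i: demands[i])
    shares = [0.0] * len(demands)
    remaining = cap_kbps
    for position, idx in enumerate(order):
        fair = remaining / (len(order) - position)
        shares[idx] = min(demands[idx], fair)
        remaining -= shares[idx]
    return shares


def group_key(flow: Flow, action_type: str) -> str:
    """Which flows share one cap, by action Type."""
    if action_type == "All Policies":
        return "all"            # one cap across every policy the action is assigned to
    if action_type == "Per Policy":
        return flow.policy      # one cap per policy
    if action_type == "Per IP Address":
        return flow.client_ip   # one cap per client
    raise ValueError(f"unknown Traffic Management type: {action_type}")


def allocate(flows: List[Flow], action_type: str, max_kbps: float) -> Dict[Flow, float]:
    """Return the bandwidth each flow receives under the cap."""
    groups: Dict[str, List[Flow]] = defaultdict(list)
    for flow in flows:
        groups[group_key(flow, action_type)].append(flow)
    result: Dict[Flow, float] = {}
    for members in groups.values():
        shares = max_min_share([f.demand_kbps for f in members], max_kbps)
        result.update(zip(members, shares))
    return result


def total_for(result: Dict[Flow, float], **match: str) -> float:
    """Sum the allocation of flows whose policy / client_ip match."""
    return sum(kbps for flow, kbps in result.items()
               if all(getattr(flow, k) == v for k, v in match.items()))


# Constructed sample traffic: an FTP download and a video over HTTP from one
# client, plus a small HTTP transfer from a second client.
SAMPLE_FLOWS = [
    Flow("FTP", "10.0.1.5", 1500),
    Flow("HTTP", "10.0.1.5", 1500),
    Flow("HTTP", "10.0.1.6", 300),
]


if __name__ == "__main__":
    for kind in ("All Policies", "Per Policy", "Per IP Address"):
        print(kind)
        for flow, kbps in allocate(SAMPLE_FLOWS, kind, 1000).items():
            print(f"  {flow.policy:5} {flow.client_ip:10} {kbps:7.1f} Kbps")
```

With the sample flows, All Policies holds the three connections to 1000 Kbps together, Per Policy lets the FTP transfer keep the full 1000 Kbps while the two HTTP connections share another 1000 Kbps, and Per IP Address gives each client its own 1000 Kbps, so the 300 Kbps connection from the second client is never squeezed.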

Configure Application Control in Policies

After you add the Application Control action, you must enable Application Control in proxy policies
that handle the application traffic. Most streaming media is handled by HTTP, so for this exercise you
add an HTTP-proxy policy that uses this Application Control action.

1. Select Edit > Add Policy.
2. Expand the Proxies list, and select the HTTP-proxy.
3. Click Add.
4. Select the Enable Application Control check box.
5. From the adjacent drop-down list, select Limit_Streaming.

Figure 21: The Application Control setting in a proxy policy

6. Click OK to add the policy.
7. Click Close.
8. Save the configuration to the device.

Monitor the Traffic Management Actions in Firebox System Manager

1. Connect to the device with Firebox System Manager.
2. Select the Traffic Management tab.
The statistics for the Max100Kbps rule appear in the table. These statistics are the combined statistics for all
clients in this Per IP Address rule. Note that the maximum is the

3. Expand the Max100Kbps action.
Statistics for each client appear.

Figure 22: The Traffic Management tab with details for a Per IP Address Traffic Management action.

4. Start a streaming video from YouTube or your favorite video site.
The statistics appear for the client, and in the overall statistics for the action.

5. In a web browser, connect to the Web UI for your device on the trusted interface at
https://<trusted-ip-address>:8080.
Your trusted IP address should be 10.0.X.1, where X is your student number.

6. Log in with the admin or status user account credentials.

Note
On the Traffic Management System Status page in the Web UI, the graph shows the newest data on the right side. This is the opposite of the graph in the Traffic Management tab in Firebox System Manager.

7. Select System Status > Traffic Management.
The Traffic Management System Status page shows a similar table and graph, and shows the IP address of
each client.

Figure 23: The Traffic Management System Status page in the Fireware XTM Web UI.

8. Log out of the Web UI.

Exercise 4: Use QoS to Mark and Prioritize Traffic

Bandwidth reservation and restriction can be useful to ensure performance with known bandwidth
requirements. When the bandwidth necessary for a critical application is variable or otherwise
unknown, Quality of Service (QoS) allows you to prioritize traffic despite the uncertainty.
The requirements for this exercise are the same as for Exercises 1 and 2. If you have completed a
previous exercise, disable any traffic management action applied to your policies.

Before You Begin

Before you begin this exercise, you must:
Enable Traffic Management and QoS features
Disable previous Traffic Management actions
Disable the Outgoing policy
Configure HTTP, FTP, and DNS policies
Configure Service Watch to monitor only the DNS, HTTP, and FTP packet filter policies

If you have not already completed these steps, see the previous procedures in Exercises 1 and 2.

Enable Prioritization by QoS Marking on Interfaces

1. Select Network > Configuration.
The Network Configuration dialog box appears.

2. In the Interfaces list, select Trusted (Interface 1). Click Configure.
The Interface Settings dialog box appears.
3. Select the Advanced tab.
4. Select the Prioritize traffic based on QoS Marking check box.
This setting enables the prioritization of queued packets as they egress from the interface. From here, the
markings can be cleared, preserved, or a new IP Precedence or DSCP marking can be applied.

Figure 24: Enable Traffic Management and QoS Marking

5. Set the Outgoing Interface Bandwidth to 1500 Kbps. Click OK.
This restricts throughput to make sure that queuing occurs on the trusted interface to illustrate the use of
prioritization.

6. In the Interfaces list, select External (Interface 0). Click Configure.
The Interface Settings dialog box appears.
7. Select the Advanced tab.

Figure 25: Prioritize traffic based on QoS Marking

8. Select the Prioritize traffic based on QoS Marking check box.
9. Click OK.
10. Click OK to close the Network Configuration dialog box and return to Policy Manager.

Prioritize Traffic by Policy

1. Double-click the HTTP policy.
The Edit Policy Properties dialog box appears.
2. Select the Advanced tab.
3. Select the QoS tab.
4. Select the Override per-interface settings check box.
5. Configure the QoS settings to Assign an IP Precedence value of 2 (Immediate), and Prioritize
Traffic Based On QoS Marking.

Note
The same QoS marking options seen within interface configuration are available by policy. Also, if you want to mark packets for your network at a value different from your prioritization, you can prioritize traffic by Custom Value and choose a higher or lower priority than the marking.

Figure 26: Override the per-interface settings in the HTTP policy Advanced settings

6. Click OK to return to Policy Manager.
7. Double-click the DNS policy.
The Edit Policy Properties dialog box appears.
8. Select the Advanced tab.
9. Select the QoS tab.
10. Select the Override per-interface settings check box.
11. Modify the settings to Assign an IP Precedence value of 2 (Immediate), and Prioritize Traffic
Based On QoS Marking.
12. Click OK to return to Policy Manager.
13. Save the configuration to the device.
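What the Assign an IP Precedence value setting changes in each packet is the IPv4 TOS byte. The Python below is an added example for this page, not WatchGuard code: it encodes a precedence or DSCP value into that byte, decodes a marked byte both ways, and rewrites the TOS of a constructed IPv4 header with a recomputed header checksum, which any device that marks traffic must do. The header fields and addresses are constructed sample values; the bit layout is the standard one from RFC 791 (IP Precedence) and RFC 2474 (DSCP).

```python
"""IP Precedence / DSCP marking as written into the IPv4 header.

Added example (not WatchGuard code). The field layout follows the standard
IPv4 TOS byte (RFC 791 precedence, RFC 2474 DSCP); the sample header built
below is constructed here, not captured from a device.
"""
import socket
import struct

# RFC 791 precedence names; the exercise assigns 2 (Immediate).
PRECEDENCE_NAMES = {
    0: "Routine", 1: "Priority", 2: "Immediate", 3: "Flash",
    4: "Flash Override", 5: "Critical", 6: "Internetwork Control",
    7: "Network Control",
}


def tos_from_precedence(precedence: int) -> int:
    """IP Precedence occupies the top 3 bits of the TOS byte."""
    if not 0 <= precedence <= 7:
        raise ValueError("IP Precedence is 0-7")
    return precedence << 5


def tos_from_dscp(dscp: int) -> int:
    """DSCP occupies the top 6 bits; the low 2 bits are ECN."""
    if not 0 <= dscp <= 63:
        raise ValueError("DSCP is 0-63")
    return dscp << 2


def describe_tos(tos: int) -> dict:
    """Read a TOS byte both ways: legacy precedence and DSCP."""
    return {
        "precedence": tos >> 5,
        "precedence_name": PRECEDENCE_NAMES[tos >> 5],
        "dscp": tos >> 2,
        "ecn": tos & 0x3,
    }


def ipv4_checksum(header: bytes) -> int:
    """Ones'-complement sum over 16-bit words (the IPv4 header checksum)."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def build_ipv4_header(src: str, dst: str, tos: int = 0, proto: int = 6) -> bytes:
    """Construct a minimal 20-byte IPv4 header with a valid checksum."""
    draft = struct.pack("!BBHHHBBH4s4s", 0x45, tos, 20, 0x1234, 0x4000,
                        64, proto, 0, socket.inet_aton(src), socket.inet_aton(dst))
    return draft[:10] + struct.pack("!H", ipv4_checksum(draft)) + draft[12:]


def remark(header: bytes, tos: int) -> bytes:
    """Rewrite the TOS byte and recompute the checksum, as a marking device must."""
    draft = header[:1] + bytes([tos]) + header[2:10] + b"\x00\x00" + header[12:]
    return draft[:10] + struct.pack("!H", ipv4_checksum(draft)) + draft[12:]


def checksum_ok(header: bytes) -> bool:
    """A header whose checksum field is correct sums to zero."""
    return ipv4_checksum(header) == 0


if __name__ == "__main__":
    pkt = build_ipv4_header("10.0.1.5", "203.0.113.10")   # constructed sample
    marked = remark(pkt, tos_from_precedence(2))
    print(hex(marked[1]), describe_tos(marked[1]), checksum_ok(marked))
```

Precedence 2 (Immediate) is TOS byte 0x40, which reads as DSCP 16 (class selector CS2) when the same byte is interpreted as a DSCP field. That shared layout is why an IP Precedence marking set here can be honored by equipment that only understands DSCP, and why the device must recompute the header checksum whenever it rewrites the byte.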

See the Results of the Configuration

Both the DNS and HTTP policies are prioritized higher than other traffic. While this configuration does
not dedicate specific bandwidth, the prioritization does improve the performance of these policies
when there is network congestion.

1. Close all programs. Results can vary if other applications on your computer have access to the
network.
2. With your computer connected to the trusted interface, start an FTP session to download a large
file.
3. Select the Service Watch tab.
The graph shows that the FTP transfer takes all of the available bandwidth. This should be
approximately equal to the value you set for Outgoing Interface Bandwidth on the Trusted
interface (1500 Kbps).

Figure 27: Monitor the FTP bandwidth in Service Watch

4. On the same computer you used for the FTP transfer, start watching a YouTube video or your
favorite HTTP video site.
If you use a local web server, to use the 350MB file in the root of the C:\inetpub\wwwroot folder, use
this URL: http://<web server IP address>/350mbfile.txt
Make sure the FTP transfer is still active before you start the HTTP transfer.

5. On the Service Watch tab, look at the amount of bandwidth that is used by both policies.

Figure 28: Monitor the bandwidth usage in Service Watch

After you start the HTTP transfer, the amount of bandwidth used by the FTP transfer is reduced, to
allow more bandwidth for the higher priority DNS and HTTP traffic.

What You Have Learned

You have learned that you can use bandwidth restrictions and reservations, together with
prioritization, to make sure critical applications have the bandwidth they need.
In this module, you learned how to:
Create Traffic Management actions to guarantee or restrict bandwidth
Use Traffic Management actions with Application Control
Prioritize traffic by QoS marking or policy
Use Service Watch to see your changes at work

Link Aggregation
Increase Interface Aggregate Throughput and Redundancy

Introduction
A link aggregation (LA) interface is a group of physical interfaces that you configure to work together as
a single logical interface. You can use a link aggregation interface to increase the aggregate
throughput beyond the capacity of a single physical interface, and to provide redundancy if there is a
physical link failure.

What You Will Learn

This course explains the concept of link aggregation and describes how to configure different link
aggregation interface modes. It also describes some ways that you can use link aggregation with other
networking features.

Course Outline
The exercises provide step-by-step procedures for how to set up several link aggregation
configurations. The exercises include:
Configure a link aggregation interface in active-backup mode
Configure a link aggregation interface in static mode
Configure a link aggregation interface in dynamic mode
Configure a link aggregation interface as a member of a VLAN

Terms and Concepts You Should Know

Link Aggregation
Link Aggregation, also known as Port Trunking, Port Teaming, Ethernet Trunking, or Link Bundling,
refers to the concept of grouping multiple Ethernet ports to function as a single connection between
networked devices.
Link Aggregation provides two main benefits.
Provides graceful recovery from link failures
For all link aggregation types, if a single interface in a link aggregation group fails, traffic can flow
through the other member interfaces in the link aggregation group.
Increases aggregate throughput between devices
For static or dynamic link aggregation, traffic flows over all member interfaces. This increases the
aggregate throughput, because different traffic flows are load balanced between different
member interfaces. Because each traffic flow uses a single interface, the maximum throughput for
a single connection does not increase beyond the bandwidth of a single interface. But the
aggregate bandwidth increases because different traffic flows can use different member interfaces.

Link Aggregation Group (LAG)

A link aggregation group, or LAG, is a group of Ethernet interfaces configured as a group for the
purposes of link aggregation. When you configure a link aggregation on a Firebox or XTM device, it is
called a link aggregation interface. The term LAG is also used by some switch vendors to refer to link
aggregation in general.

Link Aggregation Interface

A link aggregation interface is a logical interface that includes one or more physical member interfaces.
It is a LAG on the Firebox or XTM device.
To configure a link aggregation interface, your Firebox or XTM device must be configured in mixed
routing mode. You can set the link aggregation interface type to External, Trusted, Optional, VLAN, or
Bridge. You can use a link aggregation interface in most of the same ways that you use a physical
interface. For example, you can use it in the configuration of policies, multi-WAN, VLANs, VPNs, DHCP,
and PPPoE.
In Policy Manager, you configure link aggregation interfaces in the Link Aggregation tab in the
Network Configuration dialog box.

Requirements and Limitations

Note
XTM 21, 22, and 23 devices cannot run Fireware XTM v11.7, so these models also do not support link aggregation.

Link Aggregation requires Fireware XTM v11.7 or higher with a Pro upgrade. You can configure link
aggregation on any Firebox or XTM device that runs Fireware XTM v11.7, with these exceptions:
XTMv devices do not support link aggregation.
XTM 25, 26, and 33 devices do not support dynamic link aggregation mode.
You cannot use link aggregation on an active/active FireCluster.
Link aggregation interface configuration is very similar to the configuration of any other interface.
There are only a few interface settings that you cannot configure for a link aggregation interface:
MAC access control
QoS, Traffic Management, and most other advanced interface settings

Link Aggregation Member Interface

Each physical interface that is assigned to a link aggregation interface is a link aggregation interface
member. Before you can assign a physical interface to a link aggregation interface, you must set the
physical interface Type to Link Aggregation. Then you select which Link Aggregation interface the
physical interface is a member of.
The number of member interfaces you can assign to a link aggregation interface is limited only by the
number of available physical interfaces on your Firebox or XTM device.
All interfaces that are members of the same link aggregation interface must support the same
maximum link speed.

Link Aggregation Modes

You can configure a link aggregation interface in one of three modes. For all modes, a member
interface can be active only when the member interface link status is up. Whether a member interface
is active depends on both the link status of the physical interface and the link aggregation mode.
Dynamic (802.3ad)
All physical interfaces that are members of the link aggregation interface can be active. The same
member interface is always used for traffic between a given source and destination. The devices at
both sides use Link Aggregation Control Protocol (LACP) to negotiate which physical link to assign a
traffic flow to. LACP is described in the IEEE 802.3ad dynamic link aggregation specification.
Dynamic mode provides load balancing and fault tolerance.
Static
All physical interfaces that are members of the link aggregation interface can pass traffic at the
same time. The same member interface is always used for traffic between a given source and
destination based on source/destination MAC address and source/destination IP address. Static
mode provides load balancing and fault tolerance.
Active-backup
In this mode, only one member interface in the link aggregation group is active at a time. The other
member interfaces in the link aggregation group become active only if the active interface fails. This
mode provides fault tolerance for connections to network switches that do not support link
aggregation, but it does not provide load balancing.
To use dynamic or static link aggregation, you must also configure a link aggregation group on the
connected managed switch.
Both static and dynamic link aggregation modes can detect physical link failures within the LAG and
continue sending traffic through the other member interfaces. LACP can also detect some types of
switch or port failures that do not result in the loss of a link, which means that dynamic mode provides
a more resilient LAG. We recommend that you use dynamic link aggregation mode instead of static
mode, if your managed switch supports it.
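To make the mode differences concrete, here is a Python model of member selection, added for this page and not WatchGuard code. For static and dynamic modes it pins each flow to one member with a hash of the source and destination MAC and IP addresses, modeled on the common layer2+3 bonding policy; the text does not give the device's actual function, and LACP negotiation is not modeled, so dynamic is treated like static here and the hash is an assumption. For active-backup it carries everything on one member and fails over when that link drops. The eight client flows and the eth2/eth3 member names are constructed sample data.

```python
"""Model of link aggregation member selection in the three modes.

Added example, not WatchGuard code. The flow hash is modeled on the common
layer2+3 bonding policy (XOR of source/destination MAC and IP); the course
text does not give the device's exact function, so treat it as an assumption.
LACP negotiation is not modeled, so dynamic behaves like static here.
"""
import socket
from dataclasses import dataclass
from typing import Dict, List


@dataclass(frozen=True)
class Flow:
    src_mac: str
    dst_mac: str
    src_ip: str
    dst_ip: str


def _mac_int(mac: str) -> int:
    return int(mac.replace(":", ""), 16)


def _ip_int(ip: str) -> int:
    return int.from_bytes(socket.inet_aton(ip), "big")


def flow_hash(flow: Flow) -> int:
    """Assumed layer2+3 style hash: stable for a given source/destination pair."""
    return (_mac_int(flow.src_mac) ^ _mac_int(flow.dst_mac)
            ^ _ip_int(flow.src_ip) ^ _ip_int(flow.dst_ip))


class LinkAggregationInterface:
    """bond0-style logical interface over physical member interfaces."""

    MODES = ("active-backup", "static", "dynamic")

    def __init__(self, mode: str, members: List[str]):
        if mode not in self.MODES:
            raise ValueError(f"unknown mode {mode}")
        self.mode = mode
        self.members = list(members)
        self.link_up: Dict[str, bool] = {m: True for m in members}
        self.current = members[0]   # active-backup: the one member carrying traffic

    def set_link(self, member: str, up: bool) -> None:
        self.link_up[member] = up

    def active_members(self) -> List[str]:
        """Members that can carry traffic right now."""
        up = [m for m in self.members if self.link_up[m]]
        if not up:
            raise RuntimeError("all member links are down: bond is down")
        if self.mode == "active-backup":
            if not self.link_up[self.current]:
                self.current = up[0]    # fail over only when the active link drops
            return [self.current]
        return up                       # static/dynamic: every up member is active

    def select_member(self, flow: Flow) -> str:
        """Member interface that carries this flow."""
        active = self.active_members()
        if self.mode == "active-backup":
            return active[0]
        return active[flow_hash(flow) % len(active)]

    def distribute(self, flows: List[Flow]) -> Dict[str, int]:
        """Count how many flows land on each member."""
        counts = {m: 0 for m in self.members}
        for flow in flows:
            counts[self.select_member(flow)] += 1
        return counts


def aggregate_capacity(counts: Dict[str, int], link_mbps: int) -> int:
    """Usable aggregate bandwidth: one link's worth per member that carries flows.
    A single flow never exceeds link_mbps, because it stays on one member."""
    return link_mbps * sum(1 for n in counts.values() if n > 0)


# Constructed sample: eight clients on the trusted side talking to one server.
SERVER = ("00:11:22:33:44:55", "172.16.1.20")
SAMPLE_FLOWS = [
    Flow(f"00:aa:bb:cc:dd:{2 * i:02x}", SERVER[0], f"10.0.1.{10 + i}", SERVER[1])
    for i in range(8)
]


if __name__ == "__main__":
    lag = LinkAggregationInterface("static", ["eth2", "eth3"])
    print("static       ", lag.distribute(SAMPLE_FLOWS))
    lag.set_link("eth2", False)
    print("eth2 down    ", lag.distribute(SAMPLE_FLOWS))
    ab = LinkAggregationInterface("active-backup", ["eth2", "eth3"])
    print("active-backup", ab.distribute(SAMPLE_FLOWS))
```

Run as written, the static LAG spreads the eight flows over both members and its aggregate capacity is two links' worth, yet any one flow is still limited to a single link; when eth2 goes down every flow rehashes onto eth3 and the bond stays up. In active-backup mode all flows sit on one member until that link fails, which is why the topology in Exercise 1 needs exactly one active member at a time.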

Link Aggregation Interface Identifiers

Each link aggregation interface is identified by an interface number that starts with the prefix bond
followed by a number. The term bond is used because a link aggregation interface is a logical bond of
two or more interfaces.
Link aggregation interface identifiers are numbered consecutively in the order the link aggregation
interfaces were added. For example, if you enable two link aggregation interfaces, the first one you add
is identified as bond0 and the second is identified as bond1. Link aggregation identifiers appear in the
Firebox System Manager Front Panel tab, Status Report tab, routes table, and in log messages.

Link Aggregation with Other Networking Features

You can use a link aggregation interface in most of the same ways that you use a physical interface. For
example, you can use it in the configuration of policies, VLANs, multi-WAN, VPN, DHCP, and PPPoE.
You can use a link aggregation interface with most other networking features, just as you would use a
physical interface:

Multi-WAN
VLAN
FireCluster (active/passive only)
VPNs
Dynamic Routing
Network Address Translation (NAT)
Secondary networks

You cannot configure link aggregation interfaces to use these features:
Traffic Management
Quality of Service (QoS)
MAC Access control

Exercise 1: Configure Active-Backup Link Aggregation

You can configure a link aggregation interface in active-backup link aggregation mode to provide a
backup connection to the Firebox or XTM device. This use of link aggregation provides redundancy,
but not increased throughput. Computers connected to either switch can communicate with the
Firebox or XTM device even if one of the links goes down. The effective topology is that of cascaded
switches connected to the active member interface.

Network Topology
In this exercise you will configure Eth3 and Eth4 as members of a new link aggregation interface. After
you configure the link aggregation interface, you connect the physical interface members to two
different unmanaged switches that are also connected to each other. Because the link aggregation
interface is configured in active-backup mode, only one of the member interfaces is active at a time.

Note
The topology used in this exercise only works for a link aggregation interface in active-backup mode. It is important that both interfaces are not active at the same time, or this topology causes a network routing loop.

Figure 1: Active-backup link aggregation interface when the interface connected to Switch A is active.

Figure 2: Active-backup link aggregation interface when the interface connected to Switch B is active.

Note
If two Firebox or XTM devices share the same switches for this exercise, each device could report spoofing errors if it receives traffic from the network configured on the other device. This does not affect the exercise.

If each student does not have two switches, two students can share a pair of switches. This network
topology is not something you would do on a production network, but may be necessary for training
purposes. If students must share switches, the cable configuration looks like this.

Figure 3: Link aggregation active-backup topology for two students sharing two switches. For each link
aggregation group, either member interface could be the active interface.

Before You Begin

Before you begin this exercise:
Make sure you have two unmanaged switches, or that you have configured your switches in
unmanaged mode.
Disable any VLANs enabled in a prior exercise.
Make sure the device is configured with these interface settings:
- Eth0 (External) is 203.0.113.X/24
- Eth1 is a trusted interface, with the IP address 10.0.X.1/24.
- Eth3 and Eth4 are disabled.
Replace the X in the IP addresses with your student number.

Add the Link Aggregation Interface

1. Open the configuration for your Firebox or XTM device in Policy Manager.
2. Select Network > Interfaces.
3. Click the Link Aggregation tab.

Figure 4: Link aggregation interfaces appear here

4. Click Add.
The New Link Aggregation Interface Configuration dialog box appears.

Note
Notice that the MAC Access Control tab does not appear here. Link aggregation interfaces do not support that feature. Most of the settings that would appear in the Advanced tab for a physical interface are also not available for link aggregation interfaces.

Figure 5: Configure the link aggregation interface in Active-backup mode

5. In the Name (Alias) text box, type a name for this interface. For example, LA-Optional.
6. (Optional) In the Description text box type a description of this interface.
7. From the Mode drop-down list, select Active-backup.
8. From the Type drop-down list, select Optional.
9. In the IP Address text box, type 172.16.X.1/24.
Replace X in the address with your student number.

10. Click OK.
The new link aggregation interface appears on the Link Aggregation tab.

Figure 6: The configured link aggregation interface

Add Member Interfaces

After you create the link aggregation interface, you must assign at least one member interface. The
number of interfaces you can add is limited only by the available physical interfaces on your Firebox or
XTM device. For this exercise, you add two member interfaces.

1. Click the Interfaces tab.
2. Select interface 2 and click Configure.
The Interface Settings dialog box appears.
3. Set the Interface Type to Link Aggregation.
The configured link aggregation interface appears in the list.
Note
If a link aggregation interface is not already configured, click New Link Aggregation to create a new one.

Figure 7: A link aggregation interface member

4. In the Member column, select the link aggregation interface you just configured.
5. Click OK.
6. Select interface 3 and click Configure.
7. Set the Interface Type to Link Aggregation.
8. In the Member column, select the link aggregation interface you just configured.

9. Click OK.
Interfaces 2 and 3 are now configured as type LA (Link Aggregation).

Figure 8: The interfaces of type LA are the two link aggregation member interfaces

10. Click the Link Aggregation tab.
The link aggregation interface shows interfaces 2 and 3 as members.

Figure 9: The interfaces column shows which physical interfaces are members

11. Save the configuration to the device.

Connect the Switches

If your switches support managed and unmanaged mode, make sure your switch is configured for
unmanaged mode.

1. Use a cross-over Ethernet cable to connect the two switches together.
For some switches, a cross-over cable might not be required to connect the switches together.
2. Use an Ethernet cable to connect interface 2 to one switch.
3. Use an Ethernet cable to connect interface 3 to the other switch.

Monitor the Link Aggregation Interface

Note
It is not necessary to connect the management computer to the switch to monitor the link aggregation interface. We do so in this exercise in order to generate some traffic over the link aggregation interface.

1. Disconnect the management computer from eth1 and connect it to an interface on one of the
switches.
2. Change the IP address of the management computer to an IP address on the 172.16.X.0/24
network configured on your link aggregation interface.
3. In WatchGuard System Manager, use the IP Address of the link aggregation interface, 172.16.X.1, to
connect to the device. Replace X with your student number.
4. Expand the Firebox Status tree to see the interface status.
The link aggregation interface is listed as bond0. The physical interface members are listed below it.

Figure 10: The bond0 interface in WatchGuard System Manager

5. Select Tools > Firebox System Manager to start Firebox System Manager.

6. Expand Interfaces to show information for eth2, eth3, and bond0.

Figure 11: The bond0 and member interfaces in Firebox System Manager

7. Since this is an active-backup link aggregation interface, traffic goes through only one interface at
a time. Look at the sent and received statistics to see which interface is currently active. In the
example shown here, eth2 has sent only one packet, so we know that eth3 is the active interface.
If several computers were connected and sending traffic through the switch, traffic from all
computers would still go through only one interface at a time, because this link aggregation
interface is configured in active-backup mode.
8. Unplug the cable that connects the currently active interface to the switch.
Even if your management computer is connected to the switch you just unplugged from the Firebox or XTM
device, your connection to the Firebox or XTM device is not interrupted. Traffic for the link aggregation
interface goes through the other switch to the other member interface.

9. Click the Status Report tab.
10. Scroll down to the Network Configuration section.
The link status of the bond0 interface is up, even though the link status of a member interface is down.

Figure 12: The Network Configuration status in the Status Report

11. Reconnect the second link aggregation member interface to the second switch.
Watch the link status refresh in the status report.

Exercise 2: Static and Dynamic Link Aggregation

In this exercise, you configure a link aggregation interface in static mode, and connect managed switch
interfaces that are also configured as a link aggregation group. Then you change this configuration to
dynamic mode (802.3ad).
Both static and dynamic modes load balance traffic across all member interfaces. The difference is in
how the individual traffic flows are distributed across the interfaces.

Topology
This exercise requires a Firebox or XTM device and a managed switch.

Figure 13: Link aggregation between a device and a switch.

Before You Begin

Before you begin this exercise:
Connect the management computer to Eth1 for the start of this exercise. You might need to
change the network settings on your computer if you assigned it a static IP address for the previous
exercise.
Make sure you have a managed switch, started in managed mode.
Remove any VLAN or link aggregation interfaces configured in a previous exercise.
Disconnect the Firebox or XTM device from any switches.
Make sure the Firebox or XTM device is configured with these interface settings:
- Eth0 (External) is 203.0.113.X/24
- Eth1 is a trusted interface, with the IP address 10.0.X.1/24.
- Eth3 and Eth4 are disabled.
Replace the X in the IP addresses with the student number.

Add the Link Aggregation Interface

1. Open the configuration for your Firebox or XTM device in Policy Manager.
2. Select Network > Interfaces.
3. Click the Link Aggregation tab.
4. Click Add.
The New Link Aggregation Interface Configuration dialog box appears.

Figure 14: A static link aggregation interface

5. In the Name (Alias) text box, type a name for this interface. For example, LA-Trusted.
6. (Optional) In the Description text box type a description of this interface.
7. From the Mode drop-down list, select Static.
8. From the Type drop-down list, select Trusted.
9. In the IP Address text box, type 172.16.X.1/24.
Replace X in the address with your student number.

10. Click OK.
The new link aggregation interface appears on the Link Aggregation tab.

Figure 15: A link aggregation interface with no member interfaces

Add Member Interfaces

Next, you add the member interfaces.

1. Click the Interfaces tab.
2. Select interface 2 and click Configure.
3. Set the Interface Type to Link Aggregation.
The configured link aggregation interface appears in the list.

Figure 16: You must add at least one member interface to the link aggregation interface

4. In the Member column, select the link aggregation interface you just configured.
5. (Optional) In the Interface Name text box, change the interface name to something that indicates
this is part of a trusted link aggregation interface.
6. Click OK.
7. Select interface 3 and click Configure.
8. Set the Interface Type to Link Aggregation.
9. In the Member column, select the link aggregation interface you just configured.
10. (Optional) In the Interface Name text box, change the interface name to something that indicates
this is part of a trusted link aggregation interface.
11. Click OK.
Interfaces 2 and 3 are now configured as type LA (Link Aggregation).

Figure 17: Interfaces 2 and 3 configured as link aggregation interfaces

12. Click the Link Aggregation tab.
The link aggregation interface shows interfaces 2 and 3 as members.

Figure 18: Verifying the interface members

13. Save the configuration to the device.

Configure the Switch and Connect the Device to the Switch


Refer to the instructions from your switch manufacturer for the steps to configure your switch.

1. On the managed switch, configure a link aggregation group with two interfaces as members.
The interfaces must support the same link speeds as the member interfaces on the Firebox or XTM device.

2. If link aggregation on the switch can be configured as either dynamic or static, configure the LAG to
use static mode.
3. Make sure that the link speed for the link aggregation group on the switch matches the settings on
the Firebox or XTM device. On the device, you can configure the link speed in the Advanced tab
when you edit a link aggregation interface. The default setting is Auto Negotiate.

On XTM 505, 510, 520, or 530 devices, interface 0 (Eth0) supports a lower maximum link speed
(100 Mbps) than the other interfaces (1000 Mbps). If you use Eth0 as a member of a link aggregation
interface on these models, you must set the Link Speed to 100 Mbps or lower in the link aggregation
interface configuration and on the connected network switch.

Figure 19: Link speed options for a link aggregation interface

If you configure the link aggregation interface on the Firebox or XTM device to use a specific link
speed, make sure that you also configure the link aggregation group on the switch to use the same
speed.

Connect the Device to the Switch


1. Connect interface 2 to one of the LAG member interfaces on the switch.
2. Connect interface 3 to the other LAG member interface on the switch.


Monitor the Link Aggregation Interface


It is not necessary to connect the management computer to the switch to monitor the link aggregation
interface. We do so in this exercise in order to generate some traffic over the link aggregation interface.

1. Disconnect the management computer from eth1 and connect it to an interface on the switch.
2. Change the IP address of the management computer to an IP address on the 172.16.X.0/24
network configured on your link aggregation interface.
3. In WatchGuard System Manager, use the IP Address of the link aggregation interface, 172.16.X.1, to
connect to the device. Replace X with your student number.
4. Start Firebox System Manager.
5. Expand Interfaces to show information for eth2, eth3, and bond0.
6. Even though this is a static link aggregation interface, traffic goes through only one interface when
only one computer is sending traffic through the interface.
In static mode, if several hosts are connected and sending traffic through the switch, traffic from
different hosts would go through different interfaces in the LAG.
7. If you have another computer available:
a. Connect the second computer to the switch and configure it with an IP address on the
172.16.X.0/24 network.
b. On the second computer, start a process, such as ping, to generate traffic to the 172.16.X.0/24
network. For example, you could ping the trusted interface at 10.0.10.X.
8. Watch the interface statistics in Firebox System Manager.
When traffic is coming from multiple hosts, you should see traffic statistics changing for both member
interfaces.

9. Unplug one of the cables that connects the device to the switch.
The computers connected to the switch should maintain their connection, even though the link status of a
member interface is down.

Use Dynamic Mode


Now that you have seen how static mode works, you can modify the link aggregation configuration on
the switch and on the Firebox or XTM device to use dynamic mode.
Refer to the instructions from your switch manufacturer to see if your switch supports dynamic link
aggregation mode, and how to configure it.

1. In Policy Manager, edit the existing static link aggregation interface.


2. Change the Mode from Static to Dynamic (802.3ad).
3. Save the configuration to the device.
4. On the switch, change the link aggregation group to use dynamic mode instead of static mode.
5. Monitor the link aggregation interface in Firebox System Manager.
It looks the same as when it was running in static mode.

6. In Firebox System Manager, click the Traffic Monitor tab.


If there is any misconfiguration, if you connect to the wrong switch port, or if your switch does not
support dynamic mode, you see errors in Traffic Monitor. For example, you could see the error
Check the configuration to verify that all adapters are connected to 802.3ad compliant switch ports.


Exercise 3:

Use Link Aggregation with a VLAN

You can use a link aggregation interface, configured in any mode, as a VLAN interface. This can provide
higher aggregate throughput and redundancy for your VLAN connections. In this exercise, you
configure a link aggregation interface as a member of a VLAN.

Network Topology
This exercise shows how to configure a link aggregation interface as a member of a VLAN. In the
network diagram, the computers are connected to the 802.1Q switch, that has a link aggregation group
defined. The switch interfaces in the link aggregation group are connected to member interfaces of a
link aggregation interface on the Firebox or XTM device. On the device, the link aggregation interface is
configured as a member of the VLAN.

The VLAN part of this exercise is similar to exercise 1 in the VLAN section of this training, except that
in this exercise you configure only one VLAN. If you want to extend this exercise, you could configure
another VLAN on the Firebox or XTM device and on the switch just as you did in that exercise.

Figure 20: Link aggregation interface configured as a member of a VLAN interface.

Before You Begin


Before you begin this exercise:
- Connect the management computer to Eth1.
- Make sure you have a managed switch, started in managed mode.
- Disconnect the Firebox or XTM device from the switch.
- Make sure the Firebox or XTM device is configured with these interface settings:
  - Eth0 (External) is 203.0.113.X/24
  - Eth1 is a trusted interface, with the IP address 10.0.X.1/24.
  - Eth3 and Eth4 are link aggregation interface members
  - One link aggregation interface is configured (from the previous exercise)

Replace the X in the IP addresses with the student number.


The steps in this exercise assume you already have a link aggregation interface configured on the
Firebox or XTM device and on the switch from the previous exercise. You can use any link aggregation
mode for this exercise.


Configure the Device


1. From Policy Manager, select Network > Configuration.
The Network Configuration dialog box appears.

2. Select the VLAN tab.


The VLAN settings list is empty because you have not defined any VLANs.

3. Click Add and create a new VLAN.


The New VLAN Configuration dialog box appears.

4. In the Name (Alias) text box, type a name for the VLAN. The name cannot contain spaces.
For this example, type VLAN10.
5. (Optional) In the Description text box, type a description.
For this example, type Accounting.
6. In the VLAN ID text box, type or select a number for the VLAN.
For this example, select 10.
7. From the Security Zone drop-down list, select the security zone for the VLAN.
For this example, select Trusted.
8. In the IP Address text box, type the IP address of the VLAN gateway.
For this example, type 192.168.10.1/24.
Any computer in this new VLAN must use this IP address as its default gateway.

9. (Optional) Configure DHCP for the new VLAN.


a. Select Use DHCP Server.
b. In the Address Pool section, click Add.
c. Type or select the Starting Address and the Ending Address.
For this example, type 192.168.10.10 for the Starting Address and 192.168.10.20 for
the Ending Address.
d. Click OK.
The new address pool appears in the Address Pool list.

10. Click OK.


The new VLAN appears.

Figure 21: The VLAN tab with VLAN10 added

11. Select the Link Aggregation tab.


The link aggregation interface you configured in the previous exercise appears in the list.

12. Select the link aggregation interface and click Edit.


13. Change the Interface Type from Trusted to VLAN.


The list of VLANs appears in the IPV4 tab. The new VLAN appears in the list.

Figure 22: The LA-Trusted interface configured as type VLAN

14. Select Send and receive tagged traffic for selected VLANs.
15. In the Member column, select the check box for VLAN10. Click OK.
16. Check your work.
The Link Aggregation tab should look like this.

Figure 23: The Link Aggregation tab shows one interface of type VLAN with two interface members

The VLAN tab should look like this.

Figure 24: The VLAN tab shows the link aggregation interface as a member of VLAN10

17. Save this configuration to the device.


Configure the Switch


This exercise assumes you have already configured the link aggregation group on the switch in the
previous exercise. Use these steps to
Refer to the instructions from your switch manufacturer to configure VLANs on your switch.

1. Add a VLAN to the 802.1Q switch configuration.


Set the VLAN ID number for this VLAN to 10.
2. Configure the LAG for the switch interfaces that connect to device interfaces 2 and 3.
a. Disable Spanning Tree Protocol on any switch interface that connects to the device.
b. Configure the LAG on the switch to be a member of VLAN 10.
c. Configure this interface to tag for VLAN 10.
d. If necessary for your switch operating system, configure the switch mode to trunk.
e. If necessary for your switch operating system, set encapsulation mode to 802.1Q.
3. Configure the switch interfaces that connect computers in VLAN10 to the switch.
a. Configure each switch interface that will connect a computer in VLAN10 to be a member of
VLAN10.
b. Configure these interfaces to untag for VLAN10.

Physically Connect all Devices


1. Connect interface 2 on the Firebox or XTM device to one of the LAG member interfaces on the
switch.
2. Connect interface 3 on the Firebox or XTM device to the other LAG member interface on the
switch.
3. Connect a computer to the interface on the switch that you configured to untag for VLAN10.
4. If you configured VLAN10 to use the DHCP server, configure the computer's network card to use
DHCP to get an IP address automatically.
For more information, see Step 9 on page 84.
5. If you did not configure the VLAN to use the DHCP server, configure the computer's network card
with an IP address in the VLAN subnet 192.168.10.x. Use subnet mask 255.255.255.0 and set the
computer's default gateway to the Firebox or XTM device VLAN IP address, 192.168.10.1.
6. On the management computer, ping the Firebox or XTM device at 192.168.10.1.
A ping response verifies that you are connected to VLAN10.

7. In WatchGuard System Manager, connect to the Firebox or XTM device at 192.168.10.1.


8. Expand the Firebox Status tree to see the interface status.


The link aggregation interface is a physical interface member of vlan10.

Figure 25: The link aggregation interface is listed as a member of vlan10

What You Have Learned


In this module, you learned:
- What link aggregation is
- Some benefits of using link aggregation in your network
- How link aggregation works on the Firebox or XTM device
- How to configure a Firebox or XTM device to use link aggregation in three modes
- How to configure a link aggregation interface as a VLAN member


Multi-WAN Methods
Exploring Multi-WAN Through Hands-On Training
Introduction
What You Will Learn
Many organizations have more than one Internet connection, or plan to have additional ones in the
future. This part of the course shows you how Fireware XTM manages outgoing traffic with each of the
four different multi-WAN modes of operation:
- Round-robin: The Firebox or XTM device distributes a balanced traffic load among the external
interfaces. If you have a Fireware XTM with a Pro upgrade, you can assign a weight to each
interface.
- Failover: You select one external interface to be your primary external interface and define an
order for backup interfaces. If the primary interface goes down, the Firebox or XTM device sends all
traffic to the next interface.
- Interface Overflow: You define the order you want the Firebox or XTM device to send traffic
through external interfaces and configure each interface with a bandwidth threshold value. When
traffic sent through the first interface reaches its bandwidth threshold, the Firebox or XTM device
uses the next interface.
- Routing Table: If the Firebox or XTM device does not find a specified route from its internal
route table or from dynamic routing processes, it uses the ECMP (equal-cost multi-path) algorithm
to select the route.
You also learn how to monitor the status of your external connections, how sticky connections
influence routing decisions, and how to use policy-based routing.

Exercises

You must have a Fireware XTM license with a Pro upgrade to use the Interface Overflow method. See
the Frequently Asked Questions section near the end of this document for information on which
multi-WAN features require Fireware XTM with a Pro upgrade.

The step-by-step exercises in this course show how to configure two of the multi-WAN methods and
demonstrate how outgoing connections behave when certain events occur. The first exercise shows
the Interface Overflow multi-WAN method and sticky connections. The second one shows the Failover
multi-WAN method and policy-based routing.

What Multi-WAN Can Do For You


Multiple external connections provide several benefits:
- Redundancy: If the main Internet connection goes down, you can use a backup connection for
your outgoing connections.
- More bandwidth available for outgoing connections: An additional connection to the Internet
can reduce wait times for new connections and large downloads initiated from behind the Firebox
or XTM device.
- Dedicated access through a preferred connection: You can make mission-critical applications or
those that require a lot of bandwidth use a specified external interface.


Terms and Concepts You Should Know


Outgoing Traffic and Multi-WAN
In Fireware XTM, you can configure multiple Firebox or XTM device interfaces as type External. Because
each external interface must have a default gateway, each external interface provides a path that
Fireware XTM can use to send traffic to external destinations.
For every connection that starts in a network behind the Firebox or XTM device and goes to an external
destination, the Firebox or XTM device must decide which external interface to use to send the traffic.
Several factors determine whether the Firebox or XTM device allows an outgoing connection, and
which external interface the Firebox or XTM device uses for allowed traffic:

- Policies in Policy Manager that allow and deny traffic
- Multi-WAN method you use
- Static and dynamic routes in the Firebox or XTM device routing table
- Which external interfaces are currently able to send traffic
- Per-policy settings that can override the multi-WAN method you use (policy-based routing and
sticky connections)

The Appendix section includes a flow chart diagram that illustrates how the Firebox or XTM device
makes these decisions.

Incoming Traffic
For incoming connections, the decision process is much more simple. An incoming connection is
allowed only if a policy in Policy Manager allows it. Any external interface can receive traffic, as long as
Fireware's link monitors sense that the interface is active. The multi-WAN method you use does not
affect the path that incoming traffic takes to get to your Firebox or XTM device.
Because the Firebox or XTM device cannot control which external interface an incoming connection
attempts to come through, this training course does not discuss incoming connections. Instead the
focus is on understanding how Fireware XTM handles outgoing connections using the different
multi-WAN methods and options.

IPSec VPN Traffic


The concepts in this training apply only to non-IPSec traffic. The methods that Fireware XTM uses to
route normal (non-IPSec) traffic to external networks are distinct and separate from the way traffic is
sent to the remote side of an IPSec VPN. When the Firebox or XTM device sends traffic to the other side
of a VPN tunnel, it selects from the interfaces specified in the gateway settings for that tunnel. Multiple
external interfaces for IPSec VPNs are covered in a separate training module.

Equal-Cost Multi-Path Routing (ECMP)


ECMP is an algorithm for routing packets to destinations when there are multiple next-hop paths of
equal cost. The Routing Table multi-WAN method uses ECMP to evenly distribute outgoing traffic
across multiple external interfaces based on source and destination IP addresses, and based on the
number of connections that go through each external interface.
A routing table is a collection of data about destinations in a network and how to reach them. Fireware
XTM always consults the Firebox or XTM device routing table regardless of multi-WAN method.
Because of this, ECMP does not interfere with static routes you enter into Policy Manager, or with
dynamic routing protocols such as RIP, OSPF, and BGP.


An ECMP group is the group of external interfaces used for ECMP calculations. When the Firebox or XTM
device determines that an external interface in the ECMP group is no longer able to forward traffic to
external networks, it removes that interface from the ECMP group. Fireware XTM puts the external
interface back into the ECMP group when it determines that the interface is available again. For more
information, see The Routing Table Multi-WAN Method on page 100.

Sticky Connections
Dynamic NAT changes the source IP address of an outgoing connection to match the IP address on the
external interface the Firebox or XTM device uses to send the connection. Some applications drop a
client's connection if the client's source IP address changes. The most common situation is when a user
is on a web site that uses HTTPS. Some HTTPS sites use a session cookie that includes the user's source
IP address. If the user is on the site and the browser attempts a new connection (for example, a new
GET or POST request to the site causes a new TCP session), the site might deny the new connection if
the source IP address does not match what is in the session cookie.
You use sticky connections to make sure that when an outgoing traffic flow is established, all
connections between the inside user's IP address and the external site's IP address use the same
external interface for a certain amount of time.
Fireware XTM keeps a dynamic table of sticky connections that includes the source/destination pair for
each outgoing connection, the external interface used for the connection, and the connection's age. If
a new connection between the pair happens before the sticky connection timeout, the age is reset to
zero. When the age of an entry reaches the sticky connection limit, the entry is deleted from the hash
table. New connections between the two IP addresses can use a different external interface.
You cannot use sticky connection options when:
- You use the Failover multi-WAN method.
- You enable policy-based routing for a policy.
For any policy, you can override the global sticky connection setting. Policy-based sticky connection
settings specify that outgoing traffic that uses the policy has a shorter or longer sticky connection
setting than the global sticky connection setting. You can also disable sticky connections for a policy.
We recommend you use the default settings for sticky connections. The three-minute timeout prevents
most problems that arise when the source IP address of new traffic from behind the Firebox or XTM
device changes. If your users find that they need to re-authenticate more often to sites that use HTTPS,
you might want to raise the per-policy sticky timeout for the policy that allows outbound HTTPS traffic.
If you do not use a specific HTTPS policy in your Firebox or XTM device configuration (for example, you
have a policy that allows outbound connections over any TCP port), you might want to add a policy
that allows only port 443 traffic. You can adjust the sticky connection timeout in this policy without
affecting other connections.
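As an added example (not WatchGuard's code) of the sticky connection table described above, this Python model keeps the source/destination pair, the chosen external interface and the entry's age, resets the age when the pair is reused, expires the entry at the timeout, and lets a per-policy timeout override the global one. Time is passed in as explicit seconds; the 180-second default is the three-minute timeout from the text, and the IP addresses and the multiwan_pick callback are constructed stand-ins.

```python
from typing import Callable, Dict, Optional, Tuple

# Added model of the sticky connection table; not WatchGuard's implementation.
Pair = Tuple[str, str]   # (inside source IP, external destination IP)


class StickyTable:
    def __init__(self, global_timeout: int = 180) -> None:
        self.global_timeout = global_timeout   # three-minute default from the text
        # pair -> (external interface, last-seen time in seconds, timeout that applies)
        self.entries: Dict[Pair, Tuple[str, int, int]] = {}

    def lookup(self, src: str, dst: str, now: int) -> Optional[str]:
        """Return the pinned external interface for a live entry and reset its age
        to zero; if the entry has reached its timeout, drop it and return None."""
        entry = self.entries.get((src, dst))
        if entry is None:
            return None
        iface, last_seen, timeout = entry
        if now - last_seen >= timeout:
            del self.entries[(src, dst)]   # aged out: a new interface may be used
            return None
        self.entries[(src, dst)] = (iface, now, timeout)   # age reset to zero
        return iface

    def pin(self, src: str, dst: str, iface: str, now: int,
            policy_timeout: Optional[int] = None) -> None:
        """Record the interface chosen for this pair. A per-policy timeout
        overrides the global setting, as the text allows."""
        timeout = self.global_timeout if policy_timeout is None else policy_timeout
        self.entries[(src, dst)] = (iface, now, timeout)

    def purge(self) -> None:
        """Immediate Failback purges the whole table."""
        self.entries.clear()


def choose_interface(table: StickyTable, src: str, dst: str, now: int,
                     multiwan_pick: Callable[[], str],
                     sticky_enabled: bool = True,
                     policy_timeout: Optional[int] = None) -> str:
    """Decision order from the text: a live sticky entry wins; otherwise the
    multi-WAN method picks and the result is pinned. sticky_enabled=False models
    a policy where sticky connections do not apply (Failover method, or
    policy-based routing enabled for the policy)."""
    if sticky_enabled:
        pinned = table.lookup(src, dst, now)
        if pinned is not None:
            return pinned
    iface = multiwan_pick()
    if sticky_enabled:
        table.pin(src, dst, iface, now, policy_timeout)
    return iface


if __name__ == "__main__":
    # Constructed addresses; the picker alternates between two external interfaces.
    table = StickyTable()
    picks = iter(["eth0", "eth1", "eth1"])
    print(choose_interface(table, "10.0.1.6", "203.0.113.9", 0, lambda: next(picks)))
    print(choose_interface(table, "10.0.1.6", "203.0.113.9", 10, lambda: next(picks)))
```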

Load Balancing Interface Group (LBIG)


The Load Balancing Interface Group is the group of interfaces you include when you click Configure at
the top of the Multi-WAN tab in the Policy Manager network configuration. You can include or exclude
any external interface from the multi-WAN method that you use, but you must include at least two
external interfaces in the group.
Load Balancing Interface Groups apply only to the Round-robin, Failover, and Interface Overflow
methods. The Routing Table method does not use the LBIG because the ECMP (equal-cost multi-path)
routing algorithm manages all routing decisions.


Policy-Based Routing
Policy-based routing is the ability to specify, at a firewall policy level, that an outgoing traffic flow must
use a specific external interface if the source and destination IP addresses of the traffic match the From
and To lists of the policy. Policy-based routing lets you overrule the routing decision that Fireware XTM
would otherwise apply based on the multi-WAN method.
You can also use policy-based routing to route traffic for a policy through a BOVPN virtual interface.
BOVPN virtual interface configuration is covered in another course.

Link Monitor Settings


The Firebox or XTM device has two ways to tell if an external interface is available to send or receive
traffic:
- Monitor the physical link state of the interface's Ethernet peer.
  The Firebox or XTM device monitors the physical link by default. If the kernel-level drivers sense
  that the physical Ethernet link is down, the Firebox or XTM device immediately declares the
  interface down. New connections begin to flow through the other external interfaces, depending
  on various multi-WAN and per-policy configuration options you set.
- Monitor the ability to make connections to external locations.
  You can specify how the Firebox or XTM device determines if an external interface is available.
  From Policy Manager, select Network > Configuration and select the Multi-WAN tab. Highlight
  the interface to monitor in the External Interface column and view the settings on the Link
  Monitor tab within the Multi-WAN tab.

Figure 1: Link Monitor tab


Use these settings:


- Select the Ping check box to add an IP address or domain name for the Firebox or XTM device to
ping to check for interface status.
- Select the TCP check box to add the IP address or domain name where the Firebox or XTM device
sends a TCP SYN packet. Use the Port box to set the port the Firebox or XTM device uses when it
sends the SYN packet. If the target sends an ACK in reply, the Firebox or XTM device knows it can
reach the external target. The Firebox or XTM device closes the connection with a RST packet when
it gets an ACK.
- Select the Both ping and TCP must be successful to define the interface as active check box if
you want the interface to be considered down when either a ping probe or a TCP packet probe
fails. If you do not select this box, then both the ping probe and the TCP packet probe must fail for
the Firebox or XTM device to consider the interface down.

Multi-WAN does not require that you use either the Ping or TCP check boxes, but we recommend that
you use one or both of them to determine whether the external interface can send traffic out of your
network. Select targets that have a record of high uptime, such as servers hosted by your ISP. If there is
a site you must be able to contact at all times, such as a credit card processing site or business partner,
it may be worthwhile to ask the administrator at that site if they have a device that you can use as a
monitoring target to verify connectivity to their site.

- Use the Probe Interval setting to configure the frequency you want the Firebox or XTM device to
do the ping and TCP probes. By default, the Firebox or XTM device probes every 15 seconds.
- Use the Deactivate after setting to change the number of consecutive probe failures that must
occur before failover. By default, after three probe failures, the Firebox or XTM device removes the
interface from the list of active external interfaces. Outgoing traffic continues based on the
multi-WAN method you use. See the next section, Failover/Failback.
- Use the Reactivate after setting to change the number of consecutive successful probes through
an interface before an interface that was inactive becomes active again.

If you do not select either of these check boxes (Ping or TCP), Fireware XTM monitors each interface
by sending an ICMP echo to the interface's default gateway IP address. Because this does not test
whether the interface can send traffic beyond the edge of your network, we recommend you indicate
probe targets.

Configure these settings for each external interface.

Failover/Failback
Failover occurs when an interface that was previously active becomes unable to send traffic to external
networks. Failback occurs when an interface that was previously not able to reach external locations
becomes active again.

Failover On an External Interface


If an external interface goes down, the Firebox or XTM device removes that external interface from all
routing decisions. The action the Firebox or XTM device takes depends on the multi-WAN method
currently in use:
- Round-robin: The failed interface is removed from the Round-robin group. If your Round-robin
group has only two external interfaces, all outgoing connections now use the remaining active
interface. If your Round-robin group has more than two external interfaces, Fireware XTM reduces
the size of the group so that it includes only the remaining active interfaces. It continues to use the
relative weights of the remaining interfaces to make routing decisions.
- Failover: The failed interface is removed from the failover group. Traffic goes out through the
next available interface in the failover list.
- Interface Overflow: The failed interface is removed from the Interface Overflow group. The
Firebox or XTM device uses the Interface Overflow threshold assigned to each interface to
determine which to use for outgoing traffic. If your Interface Overflow interface group has only two
external interfaces, all outgoing connections now use the remaining active interface.


- Routing table: The failed interface is removed from the ECMP group. ECMP continues to make
routing decisions based on the external interfaces that remain active.

Failback On an External Interface


When the Link Monitor probes determine that an interface is active again, the interface is made
available for outgoing traffic.
The Probe Interval and the Reactivate After settings on the Link Monitor tab determine how long
this takes. The defaults are to send a probe every 15 seconds and to reactivate the interface after three
successful probes. Failback can take up to a full minute if you use the default setting on the Link
Monitor tab.
New outgoing connections, unless they match an entry in the sticky connections table, start to use the
now-active external interface based on the multi-WAN method you select.
Existing connections (including traffic that matches an entry in the sticky connections table) behave
according to the option you select in the Failback for Active Connections drop-down list:
Immediate Failback
- The Firebox or XTM device drops all currently active connections.
- TCP RST packets are sent to close all open TCP connections.
- NAT ports that are open for return UDP packets are closed.
- The sticky connections table is purged.
Gradual Failback
- All currently active connections are allowed to finish before Fireware XTM begins to use the
multi-WAN method to send them through another external interface.
- The sticky connections table stays the same.
Select Immediate Failback if your backup line is expensive, you want to use the backup line only in
emergency, and your organization can tolerate dropped connections when the failback happens.
Select Gradual Failback if your organization cannot tolerate dropped connections when the failback
happens.
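The probe counting in the Link Monitor settings and the failover/failback behaviour above, as an added Python model that is not WatchGuard's code: it counts consecutive failed and successful probe rounds against the Deactivate after and Reactivate after values, applies the Both ping and TCP must be successful option, and shows how the Failover method moves to the next active interface in the configured order. The class and field names, the interface names and the probe results are assumptions made for the example.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Sequence, Tuple


@dataclass
class LinkMonitor:
    """Added per-interface link monitor model (defaults from the text)."""
    probe_interval: int = 15      # seconds between probe rounds
    deactivate_after: int = 3     # consecutive failed rounds before failover
    reactivate_after: int = 3     # consecutive successful rounds before failback
    require_both: bool = False    # "Both ping and TCP must be successful" check box
    active: bool = True
    failures: int = 0             # consecutive failed rounds while active
    successes: int = 0            # consecutive successful rounds while inactive

    def round_succeeded(self, ping_ok: bool, tcp_ok: bool) -> bool:
        """With the check box set, one failed probe fails the round; otherwise
        both the ping probe and the TCP probe must fail."""
        return (ping_ok and tcp_ok) if self.require_both else (ping_ok or tcp_ok)

    def record(self, ping_ok: bool, tcp_ok: bool) -> bool:
        """Apply one probe round and return the interface's active state."""
        if self.round_succeeded(ping_ok, tcp_ok):
            self.failures = 0                 # a success breaks the failure streak
            if not self.active:
                self.successes += 1
                if self.successes >= self.reactivate_after:
                    self.active, self.successes = True, 0     # failback
        else:
            self.successes = 0                # a failure breaks the success streak
            if self.active:
                self.failures += 1
                if self.failures >= self.deactivate_after:
                    self.active, self.failures = False, 0     # failover
        return self.active


def run_probes(monitor: LinkMonitor,
               results: Sequence[Tuple[bool, bool]]) -> List[Tuple[int, bool]]:
    """Feed (ping_ok, tcp_ok) rounds; return (seconds elapsed, active) per round."""
    timeline, elapsed = [], 0
    for ping_ok, tcp_ok in results:
        elapsed += monitor.probe_interval
        timeline.append((elapsed, monitor.record(ping_ok, tcp_ok)))
    return timeline


def active_interfaces(monitors: Dict[str, LinkMonitor]) -> List[str]:
    """External interfaces still eligible for outgoing traffic."""
    return [name for name, m in monitors.items() if m.active]


def failover_pick(order: Sequence[str], monitors: Dict[str, LinkMonitor]) -> Optional[str]:
    """Failover method: the first interface in the configured order that is active."""
    for name in order:
        if monitors[name].active:
            return name
    return None


if __name__ == "__main__":
    # Constructed scenario: eth0 loses both probes three times, then recovers.
    mon = {"eth0": LinkMonitor(), "eth1": LinkMonitor()}
    print(run_probes(mon["eth0"], [(False, False)] * 3))   # failover at 45 s
    print(failover_pick(["eth0", "eth1"], mon))            # eth1 carries traffic
    print(run_probes(mon["eth0"], [(True, True)] * 3))     # failback after 3 successes
```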

The Round-Robin Multi-WAN Method


When to Use It
Use the Round-robin method when:
- You have a license for Fireware XTM with a Pro upgrade and you want to specify a weighted
distribution of outgoing traffic across your external interfaces.
- You have a standard Fireware XTM license and you want to distribute bandwidth evenly among
your external interfaces. (If you have the standard Fireware XTM license, you cannot assign weights
to the interfaces.)

How It Works
The Round-robin method distributes traffic to each external interface based on bandwidth, not
connections. This gives you more control over how many bytes of data are sent through each ISP.
For light traffic loads, weighted Round-robin behaves like a connection-based Round-robin because
the weights you use tend to determine the number of connections through each external interface.
When the traffic load increases, weighted Round-robin behaves more like a load-based Round-robin
because the weights you assign tend to determine the load through each external interface.


The Round-robin method uses the run-time average of Tx (transmit) and Rx (receive) bytes through
each interface to balance outgoing traffic according to the relative weights you assign to the interfaces.
Fireware XTM takes a measurement four times a second to determine run-time traffic load on the
external interfaces. The Round-robin algorithm is applied only after routes, sticky connections, and
policy-based routing fail to give a routing decision.
The weights you assign are relative weights. For example, suppose interface 0 (eth0) is an external
interface and you give it a weight of 3. Interface 1 (eth1) is also an external interface and you give it a
weight of 2. For every three bytes of traffic that go through eth0, two bytes will go through eth1. The
byte count sent through eth0 will be one and one-half times as much as eth1.
To determine which interface to use for a new outgoing connection, weighted Round-robin calculates
the load:weight ratio (current traffic load as a proportion of the assigned weight) for each external
interface and chooses the interface with least value for the new connection.
For example, configure Interfaces 0, 1, and 2 as external interfaces, and use Round-robin weights of 8, 2,
and 1 for those interfaces respectively. Assume that new connections happen in sequence, and each
new connection increases the load on an interface equally. The algorithm assigns the new connections
as shown in the table in Figure 1:

Current ratio of {traffic load : weight}                  New connection uses
Interface 0      Interface 1      Interface 2              this interface
0:8              0:2              0:1                      Interface 0
1:8              0:2              0:1                      Interface 1
1:8              1:2              0:1                      Interface 2
1:8              1:2              1:1                      Interface 0
2:8              1:2              1:1                      Interface 0
3:8              1:2              1:1                      Interface 0
4:8              1:2              1:1                      Interface 0
5:8              1:2              1:1                      Interface 1
5:8              2:2              1:1                      Interface 0
6:8              2:2              1:1                      Interface 0
7:8              2:2              1:1                      Interface 0
8:8              2:2              1:1                      Use ECMP when all interfaces have full traffic load

Figure 2: This table shows which external interface is used for a new outgoing connection based on {traffic
load : weight} ratio

This example is simplified. The actual situation is more complex. Each new connection does not cause
equal traffic load. Many connections close very quickly, causing load to drop quickly. The load on each
interface is constantly changing.

Calculate Weights for Round-robin


You can only use whole numbers for the interface weights; no fractions or decimals are allowed. To
ensure optimal load-balancing, you might need to perform a calculation to know which whole-number
weight to assign for each interface. Use a common multiplier so that the ratios of bandwidth at each
external connection are resolved to whole numbers.

Multi-WAN Methods

95

Example
You have three Internet connections. One ISP gives you 6 Mbps, another ISP gives you 1.5 Mbps, and a
third ISP gives you 768 Kbps. Convert the proportion to whole numbers:
First convert the 768 Kbps to Mbps so that you use the same unit of measurement for all three lines.
This is approximately .75 Mbps. Your three lines are rated at 6, 1.5, and .75 Mbps.
Multiply each value by 100 to remove the decimals. Proportionally, these are equivalent: {6 : 1.5 :
.75} is the same ratio as {600 : 150 : 75}.
Find the greatest common divisor of the three numbers. In this case, 75 is the largest number that
evenly divides all three numbers 600, 150, and 75.
Divide each of the numbers by the greatest common divisor.
The results are 8, 2, and 1. This gives the whole-number weights used for the example.
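The weight calculation above and the load:weight selection rule behind the table in Figure 2, as an added Python example (this is not code from the WatchGuard guide or from Fireware). It uses the guide's own numbers and assumes the two simplifications the table implies: ties go to the lowest-numbered interface, and each new connection adds one unit of load.

```python
# Added example (not from the WatchGuard guide): whole-number Round-robin
# weights from ISP bandwidths, and the load:weight rule that produces the
# table in Figure 2. Bandwidths must already be in one unit (the guide
# converts 768 Kbps to approximately 0.75 Mbps before it starts).
from fractions import Fraction
from functools import reduce
from math import gcd
from typing import List, Union


def round_robin_weights(bandwidths: List[float]) -> List[int]:
    """Reduce bandwidth figures to the smallest whole-number ratio."""
    # Exact fractions avoid floating-point surprises in the arithmetic.
    fracs = [Fraction(str(b)) for b in bandwidths]
    # Common multiplier: the least common multiple of the denominators
    # (the guide multiplies by 100; any common multiplier gives the same result).
    lcm = reduce(lambda a, b: a * b // gcd(a, b), (f.denominator for f in fracs), 1)
    ints = [int(f * lcm) for f in fracs]
    # Divide by the greatest common divisor of the whole numbers.
    g = reduce(gcd, ints)
    return [i // g for i in ints]


def pick_interface(load: List[int], weight: List[int]) -> Union[int, str]:
    """Index of the interface with the lowest load:weight ratio, or "ECMP"
    when every interface has reached its full weight (load == weight)."""
    if all(l >= w for l, w in zip(load, weight)):
        return "ECMP"
    ratios = [Fraction(l, w) for l, w in zip(load, weight)]
    # min() keeps the first interface on a tie, matching the table
    # (4:8 versus 1:2 goes to Interface 0).
    return min(range(len(ratios)), key=lambda i: ratios[i])


def simulate(weight: List[int], connections: int) -> List[Union[int, str]]:
    """Assign new connections in sequence; each adds one unit of load to the
    interface it lands on (the guide's simplification)."""
    load = [0] * len(weight)
    choices: List[Union[int, str]] = []
    for _ in range(connections):
        choice = pick_interface(load, weight)
        choices.append(choice)
        if choice != "ECMP":
            load[choice] += 1
    return choices


if __name__ == "__main__":
    w = round_robin_weights([6, 1.5, 0.75])   # -> [8, 2, 1]
    print("weights:", w)
    for n, c in enumerate(simulate(w, 12), 1):
        print(f"connection {n:2d} -> {c}")
```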

How to Configure It
1. From Policy Manager, select Network > Configuration.
The Network Configuration dialog box appears.

2. Select the Multi-WAN tab.


3. From the Multi-WAN Configuration drop-down list, select Round-robin.

Figure 3: Select the Round-robin method for multi-WAN

4. Click Configure, as shown in Figure 3, to set the relative weights for the external interfaces.
The Multi-WAN Round-robin Configuration dialog box appears.

Figure 4: Multi-WAN Round-robin Configuration dialog box

5. In the Include column, select the check boxes next to the interfaces you want to include in the
Round-robin configuration. By default, all external interfaces are included. If you have more than
two external interfaces you might reserve one external interface for a special purpose.

For example, you might want to use an external interface only for routing traffic to an application
service provider, for only VPN traffic. To exclude an external interface from the round-robin, clear
the check box next to that interface in Figure 4. You must include at least two interfaces.

6. To change the weight of one of the interfaces, select the interface and click Configure in Figure 4.
The Round-robin Weight dialog box appears.

Figure 5: Set the weight for the interface you selected

7. In the Round-robin Weight text box shown in Figure 5, type or select a number to use for this
interface's weight.
8. Click OK.
Figure 6 shows two external interfaces with Round-robin weights set to 3 and 2:

Figure 6: Two interfaces set to relative weights 3 and 2.

When an External Interface Fails


The failed external interface is removed from the Round-robin group. Fireware XTM continues to use
the relative weights of the remaining interfaces to make routing decisions.


The Failover Multi-WAN Method


When to Use It
Use the Failover method:
When you want to use one external interface for all traffic, and you have another ISP that you can
use if the primary line goes down.
If you want to reserve a WAN2 interface for special traffic, and use WAN1 for all other traffic. If the
primary WAN1 connection goes down, all traffic can use WAN2 for the emergency outage.
Sticky connection settings cannot be used with the Failover method.

How It Works
The Firebox or XTM device sends all traffic through the external interface at the top of the list in the
Multi-WAN Failover Configuration dialog box. If that interface is not active, the Firebox or XTM device
checks the next external interface in the list. The first active interface in the list is the gateway for all
outgoing traffic.
If the Firebox or XTM device senses an Ethernet link failure, failover happens immediately. When you
use the default link probe settings, an external interface can take from 45 seconds to one minute to
change state from active to not active, or from not active to active. The default probe options are:
Send a probe every 15 seconds
Deactivate the interface after three probes in a row fail
Reactivate the interface after three successful probes in a row
If an external interface that was previously down becomes active again, and it is higher in your list than
the currently active external interface, the Firebox or XTM device immediately starts to send all new
connections out the active external interface that is now highest in the list.
You control how the Firebox or XTM device handles any existing connections that currently use the
interface that is now lower in your list. Such a connection can immediately be disconnected and routed
over the new active interface, or it can use the current interface until the connection is finished.

How to Configure It
Select the Multi-WAN tab on the Network Configuration dialog box to configure this method. You
then use additional dialog boxes to select the interfaces you want to participate in the failover and
establish a failover sequence for them. For more details on configuring this method, see Exercise 2.

When an External Interface Fails


The failed interface is removed from the failover group. The next available interface in the Failover list
assumes the highest precedence. Client connections time out and are reestablished with the new
route.

The Interface Overflow Multi-WAN Method


When to Use It
Use the Interface Overflow method when you want to restrict the maximum bandwidth that each
external interface uses. When the bandwidth threshold is reached for an external interface, new
connections use the next external interface in your list. You must have a Fireware XTM license with a
Pro upgrade to use this multi-WAN method.

How It Works
When you use the Interface Overflow method, you select the order you want the Firebox or XTM device
to send traffic through external interfaces and configure each interface with a bandwidth threshold
value. The Firebox or XTM device starts to send traffic through the first external interface in the
Interface Overflow Configuration list. When the traffic through that interface reaches the bandwidth
threshold you set for that interface, the Firebox or XTM device starts to send new connections through
the next interface in the list.
This multi-WAN method allows the amount of traffic sent over each external interface to be restricted
to a specified bandwidth limit.
To determine traffic volume through an interface, the Firebox or XTM device examines the amount of
sent (TX) and received (RX) packets and uses the higher number. When you configure the interface
bandwidth threshold for each interface, you must consider the needs of your network for this interface
and set the threshold value based on these needs. For example, if your ISP is asymmetric and you set
your bandwidth threshold based on a large TX rate, interface overflow will not be triggered by a high
RX rate.
When all external interfaces reach their threshold, the Firebox or XTM device uses the ECMP algorithms
to find the best path.
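The Interface Overflow decision described above, written out as an added Python example (not the guide's or Fireware's code), together with the sticky-connection behaviour that Exercise 1 demonstrates. Interface names, thresholds, traffic rates and the sticky-table model are constructed for illustration; the three-minute sticky timeout is the period Exercise 1 relies on.

```python
# Added example (not from the WatchGuard guide or Fireware): the Interface
# Overflow decision as the guide describes it, with the sticky-connection
# behaviour shown in Exercise 1. Names, thresholds and rates are constructed.
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass
class ExternalInterface:
    name: str
    threshold_kbps: int        # overflow threshold set in Policy Manager
    tx_kbps: int = 0           # current sent rate
    rx_kbps: int = 0           # current received rate
    active: bool = True        # False once link monitor deactivates it

    def over_threshold(self) -> bool:
        # Fireware compares both TX and RX and uses the higher number, so an
        # asymmetric line is triggered by whichever direction is busier.
        return max(self.tx_kbps, self.rx_kbps) >= self.threshold_kbps


# Sticky table: (source IP, destination IP) -> (interface name, expiry time)
StickyTable = Dict[Tuple[str, str], Tuple[str, float]]
STICKY_TIMEOUT = 180.0     # three minutes, the period Exercise 1 relies on


def choose_overflow_interface(ordered: List[ExternalInterface],
                              sticky: StickyTable,
                              src: str, dst: str, now: float) -> str:
    """Name of the interface a new src->dst connection uses, or "ECMP"."""
    active_names = {i.name for i in ordered if i.active}
    # 1. An unexpired sticky entry for this pair wins, even when that
    #    interface is currently over its overflow threshold.
    entry = sticky.get((src, dst))
    if entry is not None and entry[1] > now and entry[0] in active_names:
        return entry[0]
    # 2. Otherwise walk the Interface Overflow list in configured order and
    #    take the first active interface still under its threshold.
    chosen: Optional[str] = None
    for iface in ordered:
        if iface.active and not iface.over_threshold():
            chosen = iface.name
            break
    # 3. Every active interface has reached its threshold: fall back to ECMP.
    if chosen is None:
        return "ECMP"
    sticky[(src, dst)] = (chosen, now + STICKY_TIMEOUT)
    return chosen


def exercise_1_walkthrough() -> Tuple[str, str, str, str]:
    """Replays the sequence Exercise 1 demonstrates with constructed rates."""
    main = ExternalInterface("Main-Internet", threshold_kbps=200)
    backup = ExternalInterface("Secondary-Internet", threshold_kbps=200)
    order = [main, backup]
    sticky: StickyTable = {}
    client, site_a, site_b = "10.0.10.2", "74.125.20.105", "173.194.33.172"
    # Idle link: the first site goes out Main-Internet and becomes sticky.
    first = choose_overflow_interface(order, sticky, client, site_a, now=0.0)
    # The FTP download pushes Main-Internet RX far past 200 Kbps.
    main.rx_kbps, main.tx_kbps = 1500, 40
    # Revisiting site_a within three minutes stays on Main-Internet ...
    repeat = choose_overflow_interface(order, sticky, client, site_a, now=60.0)
    # ... while a site not seen before overflows to Secondary-Internet.
    fresh = choose_overflow_interface(order, sticky, client, site_b, now=61.0)
    # After the sticky entry expires, site_a overflows as well.
    later = choose_overflow_interface(order, sticky, client, site_a, now=300.0)
    return first, repeat, fresh, later


if __name__ == "__main__":
    print(exercise_1_walkthrough())
    # ('Main-Internet', 'Main-Internet', 'Secondary-Internet', 'Secondary-Internet')
```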

How to Configure It
Select the Multi-WAN tab on the Network Configuration dialog box to configure this method. You
then use an additional dialog box to configure the bandwidth threshold for each interface. For more
details on configuring this method, see Exercise 1.

When an External Interface Fails


The failed interface is removed from the interface overflow group. Traffic goes out through the other
external interfaces in the group, according to the interface overflow threshold assigned to each.


The Routing Table Multi-WAN Method


When to Use It
Use the Routing Table method when you want a quick and easy way to evenly distribute outgoing
traffic among multiple external interfaces.
This method is the quickest way to take advantage of load balancing more than one route to the
Internet. Because the ECMP algorithm manages all connection decisions, no additional configuration is
necessary after it is enabled. This multi-WAN method is based on connections, not bandwidth or load.
Routes configured statically or learned from dynamic routing are used before the ECMP algorithm.

How It Works
If you have multiple active external interfaces, multiple default routes to the external network are
available with the same cost (one hop). With the Routing Table method, Fireware XTM puts all the
active external interfaces into one ECMP group. It uses the ECMP algorithm to decide which next-hop
(path) to use to send each packet. This algorithm does not consider current byte count through the
external interfaces.
When you select the Routing Table method for your multi-WAN configuration, the Firebox or XTM
device first looks at policy-based routing actions in your policies, the routes in its internal route table,
and the sticky connection table to see if it should send a packet through a specific external interface. If
the Firebox or XTM device does not find a specified route, it selects a route based on the ECMP
(equal-cost multi-path) algorithm specified in http://www.ietf.org/rfc/rfc2992.txt.

How to Configure It
There is only one setting:

1. From Policy Manager, select Network > Configuration.


The Network Configuration dialog box appears.

2. Select the Multi-WAN tab.


3. From the Multi-WAN Configuration drop-down list, select Routing Table.

Figure 7: Select the Routing Table method for multi-WAN

When an External Interface Fails


The failed interface is removed from the ECMP group. ECMP continues to make routing decisions based
on the external interfaces that remain active.

Before You Begin


Necessary Equipment and Services
Before you start the exercises, make sure you have these items:
Management computer
(See the subsequent section for configuration details.)
Ethernet cables
- One crossover Ethernet cable to connect your computer to the trusted interface on your
student Firebox or XTM device.
- Two Ethernet cables to connect two external interfaces from your Firebox or XTM device to
the central classroom Firebox or XTM device (or to a hub that connects all student Firebox or
XTM devices to the central Firebox or XTM device).
WSM version 11.9 software and Fireware XTM v11.9 software
Your instructor provides this software, or you can download it from the WatchGuard web site when
you log in with a valid WatchGuard account.
Firebox or XTM device
Feature key
Your instructor will provide a feature key to enable the features the Firebox or XTM device must
have for these exercises. The feature key must include Fireware XTM Pro. You use the feature key
near the end of the Quick Setup Wizard when you configure the device.
FTP Server
Your instructor will provide you access to an FTP server for use in these exercises.

For some 5 Series models (505, 510, 520, 530), you can purchase the Fireware XTM Pro upgrade for
your device.

Management Computer Configuration


Before you begin these exercises, make sure your management computer is configured correctly.
Install WSM management software and the Fireware XTM operating system. You do not have to
install the server components, just the WSM client software.
Connect the management computer directly to the trusted interface 1 on the Firebox or XTM
device.
Make sure your management computer has an IP address in the same subnet as the trusted
interface with the correct subnet mask. Use the Firebox or XTM device trusted interface IP address
as the default gateway of the computer.


Firewall Configuration
If your Firebox or XTM device is not yet configured, run the Quick Setup Wizard and select mixed
routing mode. Mixed routing mode has these defaults:
The external Interface 0 is configured and enabled with a static IP address.
Your instructor will tell you what IP address to assign to the external interface.
The trusted Interface 1 is configured and enabled with IP address 10.0.1.1/24.
Your instructor will give you an IP address to use for the trusted interface and for your management
computer. Your trusted interface IP address should be 10.0.X.1/24.
None of the other interfaces are configured (they are all set to Disabled).
The configuration file you open in Policy Manager includes five policies: FTP, Ping, DNS,
WatchGuard, and Outgoing.

In the exercises, your external interface and trusted interface IP addresses are determined by your
student number. Replace the X in the exercises with your student number.

Bandwidth Available at Each External Interface


In general, this training module does not discuss traffic management. However, you should know the
available upstream and downstream caps that your ISP puts on your Internet connection for each
external interface. You must know these values to:
Make accurate threshold limits for the Interface Overflow method.
If you set threshold limits too low, you might not use the full available bandwidth before traffic
flows over to another external interface.
If you set threshold limits too high, the other external interfaces might never be used (traffic from
an external interface might never flow over to another interface because the threshold is never
reached).
Correctly set the relative weights for the Round-robin method.
You can more effectively balance the outgoing traffic between external interfaces when you know
how much bandwidth each ISP allocates.

Physically Connecting your Devices


Because these exercises are designed for a classroom environment, the external interfaces of all
student Firebox or XTM devices should be connected to two network segments. All the student Firebox
or XTM devices should be connected to the instructor Firebox or XTM device.


Exercise 1: Demonstrate the Interface Overflow Multi-WAN Method and Sticky Connections

When to Use the Interface Overflow Method


The Interface Overflow method lets you use one WAN for outgoing connections until the bandwidth
for that interface goes above a threshold that you set. Then outgoing connections use another external
interface. When the bandwidth use through the first interface falls below the threshold, new
connections use that interface again.

Network Topology
This exercise shows how to configure the Firebox or XTM device to use two Internet connections using
the Interface Overflow method.
Figure 8 shows how your equipment is connected.

Figure 8: Network topology for Exercise 1. Each student Firebox or XTM device has two external interfaces.


Configure the Device


Configure the Main External Interface
1. From Policy Manager, select Network > Configuration.
The Network Configuration dialog box appears.
2. Double-click Interface 0 to configure it. Configure the IPv4 tab as shown.

Figure 9: Interface 0 configuration

3. Type a name for the interface in the Interface Name (Alias) text box.
For this example we type Main-Internet for Interface 0.

4. (Optional) Type an interface description if desired.


We use Primary WAN.

5. From the Interface Type drop-down list, select External.


6. Select Use Static IP.
7. In the IP Address text box, type 203.0.113.X/24.
Replace the X in the IP address with the student number your instructor gives you.
In Figure 9, we show the configuration for Student 10. For example, if you are Student 30, the IP
address you type is 203.0.113.30/24.

8. In the Default Gateway text box, type 203.0.113.1


9. Click OK to return to the main Network Configuration dialog box.


Configure the Second WAN Interface


1. Double-click Interface 3 to configure it. Configure the IPv4 tab as shown.

Figure 10: Interface 3 configuration

2. From the Interface Type drop-down list, select External.


3. (Optional) Type a name for the interface in the Interface Name (Alias) text box.
For this example we call Interface 3 Secondary-Internet.

4. (Optional) Type an interface description.


For this example, type Backup WAN.

5. Select Use Static IP.


6. In the IP Address text box, type 192.51.100.X/24.
Replace the X in the IP address with the student number your instructor gives you.
In Figure 10 we show the configuration for Student 10. For example, if you are Student 40, the IP
address you type is 192.51.100.40/24.
7. In the Default Gateway text box, type 192.51.100.1.
8. Click OK to return to the main Network Configuration dialog box.
9. Check your work. The Interfaces tab should look like this:

Figure 11: The Interfaces tab with two external interfaces configured


Configure the Multi-WAN Method


1. Select the Multi-WAN tab.
2. From the Multi-WAN Configuration drop-down list, select Interface Overflow.
3. Click Configure.
The Multi-WAN Interface Overflow Configuration dialog box appears.

Figure 12: Interface Overflow Configuration dialog box

4. Select interface 0 (Main-Internet) and click Configure to configure its threshold.
The Interface Overflow Threshold dialog box appears.

5. From the right drop-down list, select Kbps.
In the text box, set the threshold for this interface to 200 Kbps.

Note that the window in Figure 13 keeps values only in increments of 100 Kbps. For example, if you
type 256 Kbps here, Policy Manager changes it to 200 Kbps.

Figure 13: Configure the interface overflow threshold for the primary WAN


6. Click OK.

Figure 14: The Interface Overflow Configuration dialog box should look like this

7. Make sure that interface 0 is at the top of the list. If it is not, select the Main-Internet (0) interface
and click Move Up to move it to the top of the list.
You do not need to configure anything on the Link Monitor tab or the Advanced tab for this exercise.

Enable Logging of Allowed Packets For the FTP and Outgoing Policies
By default, the Firebox or XTM device sends log messages only for denied packets. To see what
interface the Firebox or XTM device uses to send outgoing connections, enable the logging of allowed
packets for the FTP and Outgoing policies.

1. Edit the FTP policy.


2. Select the Properties tab and click Logging.

Figure 15: Click Logging on the Properties tab of the policy

This example is not meant to show a real-world Internet connection. We set this to a low value to
demonstrate the Interface Overflow method. Remember also that Fireware XTM does not use the
overflow threshold value as a cap to throttle available bandwidth. The threshold is only a trigger to
start sending new connections out a different external interface. Throughput can exceed the overflow
threshold you set for an external interface, but Fireware XTM does not send new outgoing
connections through the interface until current throughput for the interface goes below the overflow
threshold.


3. Select the Send Log Message check box to enable logging of allowed packets that the Firebox or
XTM device sends through this policy, and then click OK.

Figure 16: Enable logging of allowed packets for this policy

4. Click OK.
5. Repeat Steps 1-4 to enable logging of allowed packets for the Outgoing policy.
6. Note that the Action column shows an icon for policies that have logging enabled. Position the
mouse over the action column to see a description of what each icon represents.

Figure 17: The Action column shows which policies have logging enabled

7. Save this configuration to the Firebox or XTM device.

Demonstrate It
How the Demonstration Works
First you browse several web sites and see the connections go out the Main-Internet interface.
You start an FTP download of a large file to use up the allotted 200 Kbps on the Main-Internet
interface, Interface 0.
When the throughput for the Main-Internet interface reaches the Interface Overflow threshold,
you observe that new outgoing connections use the Secondary-Internet interface, Interface 3.
You see some connections continue to use the Main-Internet interface even though the Interface
Overflow threshold is reached for that interface, because the connections are sticky.


Note
Important! When the FTP download starts, you must visit a new web site quickly to see the Firebox
or XTM device change the interface it uses for outgoing connections. If you wait too long and the
FTP transfer finishes, the rate of traffic through the main external interface falls below the threshold
and the interface becomes available for new connections again.
Before you begin, think of some sites you can use that you have not been to before, so you can
quickly demonstrate the Interface Overflow behavior when the FTP transfer starts.

Verify that Outgoing HTTP Connections Use the Correct Interface


To make sure that your outgoing HTTP connections use the correct interface, you connect to Firebox
System Manager and then browse the Internet.

1. Connect to Firebox System Manager and select the Traffic Monitor tab.

Figure 18: The Traffic Monitor tab of Firebox System Manager

2. Use your web browser to visit several web sites and see if your connections use the correct
interface.
3. Watch Traffic Monitor to see log messages that show outgoing connections that use the
Main-Internet interface. You see messages like this in Traffic Monitor:
2014-06-05 14:20:18 Allow 10.0.10.2 74.125.20.106 https/tcp 60352 443
1-Trusted 0-Main-Internet Allowed 52 127 (Outgoing-00) proc_id="firewall"
rc="100" msg_id="3000-0148" src_ip_nat="203.0.113.10" tcp_info="offset 8 S
299279867 win 32" Traffic

Do not start any file downloads in Step 2. A large file download can trigger the Interface Overflow
threshold before you are ready to observe it. The FTP transfer in the next section will trigger the
interface overflow.

Start the FTP Transfer to Trigger the Interface Overflow


Use Internet Explorer or an FTP client to connect to the FTP server. The subsequent steps show how to
use Internet Explorer 9.0 as an FTP client.

1. If the instructor has configured a local FTP server, in the Internet Explorer address bar, type
ftp://192.51.100.2.
If a local FTP server is not available, the instructor will provide instructions to connect to an FTP server on the
Internet.

The FTP server should allow anonymous access (it is not necessary to give a user name and
password). If this is the case, you see a large file listed.
If anonymous FTP access is not allowed, your instructor will give you credentials to log in.

Figure 19: Internet Explorer as an FTP client

2. Press Alt, then select View > Open FTP site in File Explorer.
The FTP site opens in Windows Explorer.

3. Drag the file to the Desktop icon at the left to copy the file to your desktop.

Figure 20: Drag the file to the Desktop icon on the left.

The download starts.

New connections that match an entry in the sticky connections table use the same external interface
for the sticky timeout period. This is true even if current throughput for the interface is over the
Interface Overflow threshold.

Browse to Sites and See Which Interface is Used

When the throughput for the Main-Internet connection exceeds the Interface Overflow threshold, new
connections use the Secondary-Internet interface.

1. Browse to a web site you visited less than three minutes ago.
2. Select the Traffic Monitor tab of Firebox System Manager.
3. Find the log message for the connection to this site. Look for a log message with the interface
0-Main-Internet in the message:
2014-06-05 15:24:58 Allow 10.0.10.2 74.125.20.105 https/tcp 51821 443
1-Trusted 0-Main-Internet Allowed 52 127 (Outgoing-00) proc_id="firewall"
rc="100" msg_id="3000-0148" src_ip_nat="203.0.113.10" tcp_info="offset 8 S
2805116118 win 32" Traffic

This connection uses the primary external interface Main-Internet, even though bandwidth on
this interface reached the threshold. This is because it matches an entry in the Sticky Connections
table.

4. Go to a web site you have not visited before.
5. On the Traffic Monitor tab, find the log message for this new connection. The log message will use
the interface 3-Secondary-Internet.
2014-06-05 16:02:17 Allow 10.0.10.2 173.194.33.172 https/tcp 52386 443
1-Trusted 3-Secondary-Internet Allowed 52 127 (Outgoing-00)
proc_id="firewall" rc="100" msg_id="3000-0148" src_ip_nat="192.51.100.10"
tcp_info="offset 8 S 1892614575 win 32" Traffic

This connection switched to the Secondary-Internet interface, because the Main-Internet interface
reached the Interface Overflow threshold.


6. After the FTP transfer finishes, go back to the web site you visited in Step 3 (if it was less than three
minutes ago) and press Ctrl-F5 on your keyboard to force all content on the page to reload.
This is the site you visited that went through the Secondary-Internet connection, shown in the log message in
Step 5.

7. On the Traffic Monitor tab, find the log messages for this connection.
Verify that it still uses the Secondary-Internet interface.
It still uses the Secondary-Internet interface because it matches an entry in the sticky connections table.

8. Go to a web site you have not visited in the last three minutes.
9. On the Traffic Monitor tab, find the log messages for this connection.
Verify that new connections now use the Main-Internet interface.
New connections start to use the Main-Internet interface because the throughput for that interface is below
the Interface Overflow threshold.
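An added Python example (not part of the guide) that parses the Traffic Monitor messages shown in this exercise, so you can confirm from the log alone which external interface each connection used and that the NAT source address matches that interface. The interface-to-address map is an assumption built from the Student 10 addresses used in this exercise.

```python
# Added example (not part of the WatchGuard guide): parse Firebox System
# Manager Traffic Monitor "Allow ... Traffic" messages and report which
# external interface each outgoing connection used. SAMPLE_LOG holds the
# messages shown in this exercise, each joined onto one line.
import re
from collections import Counter, defaultdict
from typing import Dict, List, Optional

TRAFFIC_RE = re.compile(
    r"^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d) Allow "
    r"(?P<src>\S+) (?P<dst>\S+) (?P<proto>\S+)"
    r"(?: (?P<sport>\d+) (?P<dport>\d+))?"       # ports are absent for icmp
    r" (?P<in_if>\S+) (?P<out_if>\S+) Allowed \d+ \d+ "
    r"\((?P<policy>[^)]+)\)(?P<kv>.*) Traffic$"
)
KV_RE = re.compile(r'(\w+)="([^"]*)"')   # proc_id="firewall" rc="100" ...

SAMPLE_LOG = [
    '2014-06-05 14:20:18 Allow 10.0.10.2 74.125.20.106 https/tcp 60352 443 '
    '1-Trusted 0-Main-Internet Allowed 52 127 (Outgoing-00) proc_id="firewall" '
    'rc="100" msg_id="3000-0148" src_ip_nat="203.0.113.10" tcp_info="offset 8 S '
    '299279867 win 32" Traffic',
    '2014-06-05 15:24:58 Allow 10.0.10.2 74.125.20.105 https/tcp 51821 443 '
    '1-Trusted 0-Main-Internet Allowed 52 127 (Outgoing-00) proc_id="firewall" '
    'rc="100" msg_id="3000-0148" src_ip_nat="203.0.113.10" tcp_info="offset 8 S '
    '2805116118 win 32" Traffic',
    '2014-06-05 16:02:17 Allow 10.0.10.2 173.194.33.172 https/tcp 52386 443 '
    '1-Trusted 3-Secondary-Internet Allowed 52 127 (Outgoing-00) '
    'proc_id="firewall" rc="100" msg_id="3000-0148" src_ip_nat="192.51.100.10" '
    'tcp_info="offset 8 S 1892614575 win 32" Traffic',
]

# Assumed mapping, taken from the Student 10 addresses used in this exercise.
NAT_BY_INTERFACE = {
    "0-Main-Internet": "203.0.113.10",
    "3-Secondary-Internet": "192.51.100.10",
}


def parse_allow(line: str) -> Optional[Dict[str, Optional[str]]]:
    """Return the fields of one Allow message, or None for any other line."""
    m = TRAFFIC_RE.match(line.strip())
    if m is None:
        return None
    rec = m.groupdict()
    # Fold the key="value" pairs (src_ip_nat, msg_id, ...) into the record.
    rec.update(dict(KV_RE.findall(rec.pop("kv"))))
    return rec


def egress_counts(lines: List[str]) -> Dict[str, Counter]:
    """Per policy, how many allowed connections left through each interface."""
    counts: Dict[str, Counter] = defaultdict(Counter)
    for line in lines:
        rec = parse_allow(line)
        if rec is not None:
            counts[rec["policy"]][rec["out_if"]] += 1
    return counts


def nat_mismatches(lines: List[str], nat_by_if: Dict[str, str]) -> List[str]:
    """Connections whose src_ip_nat is not the address of the egress interface.
    A non-empty result means the log disagrees with the multi-WAN design."""
    bad = []
    for line in lines:
        rec = parse_allow(line)
        if rec is None:
            continue
        expected = nat_by_if.get(rec["out_if"])
        if expected is not None and rec.get("src_ip_nat") != expected:
            bad.append(f'{rec["src"]}->{rec["dst"]} via {rec["out_if"]}')
    return bad


if __name__ == "__main__":
    for policy, per_if in egress_counts(SAMPLE_LOG).items():
        print(policy, dict(per_if))
    print("NAT mismatches:", nat_mismatches(SAMPLE_LOG, NAT_BY_INTERFACE))
```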


Exercise 2: Demonstrate the Failover Multi-WAN Method and Policy-Based Routing

This exercise demonstrates what happens when an external interface that uses the Failover Multi-WAN
method fails.

When to Use the Failover Method


Failover gives stability to your organization's outgoing connections. Use the Failover method when you
have more than one Internet connection that you can use. If the primary line goes down, connections
flow through the backup line.

Network Topology
The physical setup is the same as for Exercise 1. Figure 21 shows how your equipment is connected.

Figure 21: The network topology for Exercise 2 is the same as for Exercise 1.


Configure the Device


Configure the External Interfaces
The configuration of the main and secondary external interfaces is the same as for Exercise 1. If you
have completed Exercise 1, proceed to the next section.
If you have not completed Exercise 1, you must do so before you can proceed. In the section Configure
the Device, on page 104, complete Steps 1-17 of Exercise 1.

Configure the Multi-WAN Method


1. In the Network Configuration dialog box, select the Multi-WAN tab.
2. From the Multi-WAN Configuration drop-down list, select Failover.

Figure 22: Select the Failover Multi-WAN method

3. Click Configure.
The Multi-WAN Failover Configuration dialog box appears.

Figure 23: The Multi-WAN Failover Configuration dialog box

4. Make sure that interface 0 is at the top of the Interface list.


If it is not, select Main-Internet (0) and click Move Up to move it to the top of the list.
5. Click OK.


Configure Link Monitor Target For the Main-Internet Interface

It is not necessary to configure a link monitor target for the Secondary-Internet connection. When
you do not configure link monitor targets for an external interface, the Firebox or XTM device
monitors the health of the interface by sending ICMP requests to the interface's default gateway.
In a real-world installation, you would normally select sites for the link monitor targets, based on a
record of superior uptime.

1. On the Link Monitor tab, in the External Interfaces list, select Main-Internet and configure
monitor targets for this external interface.
2. Set the ping target:
a. Select the Ping check box.
b. From the Ping drop-down list, select IP Address.
c. In the Ping text box, type the IP address of the instructor's FTP server: 192.51.100.2.

Figure 24: Ping target for monitoring the Main-Internet interface

3. Click OK.

Enable Logging of Allowed Packets For Policies


If you previously completed Exercise 1, you enabled logging of allowed packets for the Outgoing and
FTP policies. Now we will use the same procedure to enable logging of allowed packets for the Ping
and Outgoing policies.

1. Right-click or double-click the Ping policy and select Modify Policy to edit it.
The Edit Policy Properties dialog box appears.

2. Select the Properties tab and click Logging.


The Logging and Notification dialog box appears.

3. Select the Send log message check box to enable logging of allowed packets that the Firebox or
XTM device sends through this policy.
4. Click OK.
The Logging and Notification dialog box closes and the Edit Policy Properties dialog box appears.

5. Click OK.
The Edit Policy Properties dialog box closes and Policy Manager appears.

6. Repeat these steps to enable logging of allowed packets in the Outgoing policy.
7. Click OK.


Enable Policy-based Routing For the Ping Policy


1. Edit the Ping policy.
2. On the Policy tab, select the Use policy-based routing check box.
3. From the Use policy-based routing drop-down list, select Main-Internet.
4. Do not select the Failover check box.

Do not enable failover in Step 4. This lets you see what happens when the policy-routing interface is
not available.

Figure 25: Enable policy-based routing for the Ping policy

5. Click OK.


Enable Policy-Based Routing For the Outgoing Policy


1. Double-click the Outgoing policy to edit it.
2. On the Policy tab, select the Use policy-based routing check box.
3. From the Use policy-based routing drop-down list, select Main-Internet.
4. Select the Failover check box.

Figure 26: Enable policy-based routing for the Outgoing policy

5. Click OK.
6. Save this configuration to the Firebox or XTM device.


Demonstrate It
How the Demonstration Works
First, you browse to several web sites using HTTP and HTTPS, and see the connections that go out
the Main-Internet interface.
Ping some external IP addresses to see the Firebox or XTM device send the echo requests through
the Main-Internet interface with the policy-based routing you enabled for the Ping policy.
Your instructor will cause your Firebox or XTM device Main-Internet interface to fail by causing
pings to the link monitor target to fail.
After the failover event, browse some web sites again to see the connections go out the
Secondary-Internet interface.
Your pings to external locations will fail, because you did not enable failover for the Ping policy's
policy-based routing.

Verify Outgoing Connections Use the Correct Interface


To make sure that your outgoing connections use the correct interface, connect to Firebox System
Manager and then browse the Internet.

1. Open WSM and connect to your Firebox or XTM device.


2. Select the Firebox or XTM device and click

Firebox System Manager appears.

3. Select the Traffic Monitor tab to begin monitoring traffic.


4. Use your browser to connect to some web sites. Visit several sites with HTTP and HTTPS addresses.
5. Watch Traffic Monitor to see log messages that show the outgoing connections using the
Main-Internet interface. Log messages like this appear in Traffic Monitor:
2014-06-05 16:43:14 Allow 10.0.10.2 74.125.20.95 https/tcp 62129 443 1-Trusted 0-Main-Internet Allowed 52 127 (Outgoing-00) proc_id="firewall" rc="100" msg_id="3000-0148" src_ip_nat="203.0.113.10" tcp_info="offset 8 S 4279110375 win 32" Traffic

6. Ping some sites external to the Firebox or XTM device. Log messages show that the echo requests
go out the Main-Internet interface. Log messages like this appear:
2014-06-06 11:33:23 Allow 10.0.10.2 8.8.8.8 icmp 1-Trusted 0-Main-Internet Allowed 60 127 (Ping-00) proc_id="firewall" rc="100" msg_id="3000-0148" src_ip_nat="203.0.113.10" Traffic

The instructor causes ICMP requests to your link monitor target to fail.
A log message like this appears in Traffic Monitor:
2014-06-06 11:26:59 link-mon [Link Monitor] No response received on Main-Internet from Ping host 203.0.113.2 id="4900-0002" Event

After three probes fail, the Firebox or XTM device sees that the Main-Internet interface is not
available to send traffic. Log messages like this appear:
2014-06-06 11:27:14 link-mon [Link Monitor] Main-Internet has failed due to probing to the target host failed id="4900-0003" Event
2014-06-06 11:27:14 networkd [eth0 (Main-Internet)] Interface is deactivated due to link-monitor failure. id="3100-000D" Event
Note
Remember that the number of failed probes is configurable. Three is the default.

7. Browse to more web sites. Outgoing connections now use the Secondary-Internet interface.
Log messages like this appear in Traffic Monitor:
2014-06-06 11:28:15 Allow 10.0.10.2 54.186.205.46 http/tcp 59310 80 1-Trusted 3-Secondary-Internet Allowed 52 127 (Outgoing-00) proc_id="firewall" rc="100" msg_id="3000-0148" src_ip_nat="192.51.100.10" tcp_info="offset 8 S 4135728258 win 32" Traffic


8. Send pings again to the external network. The Firebox or XTM device drops the packets. Log
messages like this appear in Traffic Monitor:
2014-06-06 11:37:22 Deny 10.0.10.2 5.5.5.5 icmp 1-Trusted Firebox all gateways in policy routing are down, drop this packet 60 128 (Ping-00) proc_id="firewall" rc="101" msg_id="3000-0148" Traffic

This message appears when failover is not enabled for the Ping policy's policy-based routing. If you
enable failover for policy-based routing in Figure 25, the ping is allowed through the other
interface.
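The log messages in this exercise can be checked mechanically rather than by eye. The Python script below is an added example written for this page, not part of the training guide or of WatchGuard's software. It parses the Traffic Monitor lines shown above (joined back onto single lines), counts allowed outbound connections per external interface, records the NAT address seen on each, and flags the link monitor probe miss, the interface failure, the interface deactivation and the policy-based routing drop. The line layout it assumes is the one visible in these excerpts; the field name src_ip_nat and the message ids 4900-0002, 4900-0003 and 3100-000D are taken from the page.

```python
import re
from collections import Counter

# Log lines copied from the Traffic Monitor excerpts in this exercise,
# each joined back onto a single line (the guide wraps them for print).
SAMPLE_LOG = """\
2014-06-05 16:43:14 Allow 10.0.10.2 74.125.20.95 https/tcp 62129 443 1-Trusted 0-Main-Internet Allowed 52 127 (Outgoing-00) proc_id="firewall" rc="100" msg_id="3000-0148" src_ip_nat="203.0.113.10" tcp_info="offset 8 S 4279110375 win 32" Traffic
2014-06-06 11:33:23 Allow 10.0.10.2 8.8.8.8 icmp 1-Trusted 0-Main-Internet Allowed 60 127 (Ping-00) proc_id="firewall" rc="100" msg_id="3000-0148" src_ip_nat="203.0.113.10" Traffic
2014-06-06 11:26:59 link-mon [Link Monitor] No response received on Main-Internet from Ping host 203.0.113.2 id="4900-0002" Event
2014-06-06 11:27:14 link-mon [Link Monitor] Main-Internet has failed due to probing to the target host failed id="4900-0003" Event
2014-06-06 11:27:14 networkd [eth0 (Main-Internet)] Interface is deactivated due to link-monitor failure. id="3100-000D" Event
2014-06-06 11:28:15 Allow 10.0.10.2 54.186.205.46 http/tcp 59310 80 1-Trusted 3-Secondary-Internet Allowed 52 127 (Outgoing-00) proc_id="firewall" rc="100" msg_id="3000-0148" src_ip_nat="192.51.100.10" tcp_info="offset 8 S 4135728258 win 32" Traffic
2014-06-06 11:37:22 Deny 10.0.10.2 5.5.5.5 icmp 1-Trusted Firebox all gateways in policy routing are down, drop this packet 60 128 (Ping-00) proc_id="firewall" rc="101" msg_id="3000-0148" Traffic
"""

TS = r"(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d)"
# Traffic line: action, src, dst, proto[/transport], optional ports, in/out
# interface, free-text detail, (policy), key="value" fields, "Traffic".
TRAFFIC_RE = re.compile(
    TS + r" (?P<action>Allow|Deny) (?P<src>\S+) (?P<dst>\S+) (?P<proto>\S+)"
    r"(?: (?P<sport>\d+) (?P<dport>\d+))? (?P<in_if>\S+) (?P<out_if>\S+) "
    r"(?P<detail>.*?) \((?P<policy>[^)]+)\) (?P<kv>.*) Traffic$"
)
# Event line: process name, message text, id="...", "Event".
EVENT_RE = re.compile(TS + r' (?P<proc>\S+) (?P<msg>.*) id="(?P<msg_id>[^"]+)" Event$')
KV_RE = re.compile(r'(\w+)="([^"]*)"')
PROBE_MISS_RE = re.compile(r"No response received on (\S+)")


def parse_line(line):
    """Return a dict describing one Traffic Monitor line, or None if it is not recognised."""
    m = TRAFFIC_RE.match(line)
    if m:
        rec = m.groupdict()
        rec["kind"] = "traffic"
        rec.update(KV_RE.findall(rec.pop("kv")))   # proc_id, rc, msg_id, src_ip_nat, ...
        return rec
    m = EVENT_RE.match(line)
    if m:
        rec = m.groupdict()
        rec["kind"] = "event"
        return rec
    return None


def summarize(log_text):
    """Count outbound connections per external interface, record the NAT address
    used on each, and flag multi-WAN failover events and policy-based routing drops."""
    by_iface, probe_misses = Counter(), Counter()
    nat_by_iface, failed, deactivated, pbr_drops = {}, [], [], []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        if rec["kind"] == "traffic":
            if rec["action"] == "Allow":
                by_iface[rec["out_if"]] += 1
                if rec.get("src_ip_nat"):
                    nat_by_iface[rec["out_if"]] = rec["src_ip_nat"]
            elif rec.get("rc") == "101" and "gateways in policy routing are down" in rec["detail"]:
                # Policy-based routing without failover, and its interface is down
                pbr_drops.append((rec["ts"], rec["policy"], rec["dst"]))
        elif rec["msg_id"] == "4900-0002":        # link monitor probe unanswered
            probe_misses[PROBE_MISS_RE.search(rec["msg"]).group(1)] += 1
        elif rec["msg_id"] == "4900-0003":        # "<interface> has failed due to ..."
            failed.append(rec["msg"].split(" has failed")[0].split("] ")[-1])
        elif rec["msg_id"] == "3100-000D":        # "[eth0 (<interface>)] Interface is deactivated ..."
            deactivated.append(rec["msg"].split("(")[1].split(")")[0])
    return {
        "connections_by_interface": dict(by_iface),
        "nat_address_by_interface": nat_by_iface,
        "probe_misses": dict(probe_misses),
        "failed_interfaces": failed,
        "deactivated_interfaces": deactivated,
        "pbr_drops": pbr_drops,
    }


if __name__ == "__main__":
    for key, value in summarize(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

Run against the excerpts, the summary shows two connections out 0-Main-Internet before the failover and one out 3-Secondary-Internet after it, a different NAT address on each interface, one probe miss followed by failure and deactivation of Main-Internet, and a single drop for the Ping-00 policy. In a real deployment the same logic can run over a log export to confirm that a failover happened when the link monitor said it did, and to catch policies that were left without failover by mistake.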

Exercise 3: Demonstrate Load Balancing with the Round Robin Multi-WAN Method

This exercise shows how to configure the Round Robin multi-WAN method for load balancing of
traffic through two external interfaces, and see the results in FSM and the Fireware XTM Web UI.

Configure the Device


Configure the External Interfaces
The configuration of the main and secondary external interfaces is the same as for Exercise 1. If you
have completed Exercise 1, proceed to the next section.
If you have not completed Exercise 1, you must do so before you can proceed. In the section Configure
the Device, on page 104, complete Steps 1-17 of Exercise 1.

Configure the Multi-WAN Method


1. In the Network Configuration dialog box, select the Multi-WAN tab.
2. From the Multi-WAN Configuration drop-down list, select Round Robin.

3. Save the configuration to the Firebox or XTM device.


Demonstrate It
To generate traffic for multiple connections, browse to several web sites and start some videos.
In Firebox System Manager, look at the log messages in the Traffic Monitor tab to see which
interfaces the outgoing traffic uses.
Connect to the Fireware XTM Web UI, and use the FireWatch dashboard to see information about
outbound connections for each interface.


Frequently Asked Questions


Which Multi-WAN features require a Fireware XTM license with a Pro upgrade?
There are two licensing options for the OS on the Firebox or XTM device: Fireware XTM and
Fireware XTM with a Pro upgrade. A standard Fireware XTM license does not include some
multi-WAN functions. A Fireware XTM license with a Pro upgrade gives all the multi-WAN functions
that the OS offers. Fireware Pro is included with most device models. For some 5 Series models
(505, 510, 520, 530), you can purchase the Fireware XTM Pro upgrade for your device.
XTM 2 Series devices must have Fireware XTM with a Pro upgrade to use any of the multi-WAN
methods except modem failover.
For all other XTM models, certain multi-WAN functions are available only if you have a Pro upgrade
to the Fireware XTM license:
- Policy-based routing
- The Interface Overflow multi-WAN method
- Weighted Round-robin
Note
You can use the Round-robin multi-WAN method, but you cannot assign weights to the interfaces if
you do not have a Fireware XTM license with a Pro upgrade. If you have a Fireware XTM license, all
external interfaces that participate in the Round-robin have equal weight of 1.

If all external interfaces have a Round-robin weight of 1, what is the difference between the
Round-robin method and the Routing Table method?
Round-robin distributes outgoing connections based on bandwidth. Thus, if you set the weight for
each external interface to 1 in Round-robin mode, the algorithm attempts to equalize the amount
of bits per second sent through each interface.
Compare this to the Routing Table method. The Routing Table uses ECMP to distribute outgoing
connections based on the number of connections. The Routing Table method attempts to equalize
the number of connections going out each interface. It does not consider the amount of
bandwidth sent through each interface.


Appendix
How Fireware XTM Makes Multi-WAN Routing Decisions For Outbound Traffic
When a computer behind the Firebox or XTM device on a trusted or optional network attempts to send
traffic to the external network, the Firebox or XTM device must make three main decisions:
- Whether the traffic is allowed out
- Whether an external interface is available to send the traffic
- Through which external interface to send the traffic
To make these decisions, the Firebox or XTM device considers these questions:

1. Does the packet match the From and To lists in a policy?
- If No, drop the packet and send a log message with the reason Unhandled Internal Packet.
- If Yes, continue.
2. What is the disposition of the policy?
- If Deny, drop the packet and send a log message (if logging is enabled for the policy) with
the policy name as the reason.
- If Block, same as Deny, and put the source on the Firebox or XTM device Auto-blocked Sites
list.
- If Allow, continue.
3. Does the policy use policy-based routing?
- If Yes, send the traffic through the indicated external interface.
If Failover is enabled for policy-based routing, the first interface in the list that is active is
selected. If none of the policy-based routing interfaces for this policy are available, the packet
is dropped and a log message is sent with a reason like all gateways are down, this packet
(internal policy) is dropped.
- If No, continue.
4. Check the Firebox or XTM device kernel routing table. Is there a specific route (a route that is not a
default route) that matches the traffic's source and destination?
- If Yes, use the gateway for that route.
- If No, continue.
5. How many default routes are in the kernel routing table?
- If Zero (the kernel routing table has no default route), drop the packet; all external
interfaces are down.
- If Exactly One default route is in the routing table, use the gateway interface for this default
route to send the packet out.
- If there is more than one default route in the routing table, continue.
6. Does the traffic match an entry in the sticky connections hash table?
- If Yes, send the traffic using the sticky interface.
- If No, continue.


7. Do the interface aliases in the policy's To list contain all the members of a load balancing interface
group?
- If Yes, use the specified multi-WAN routing method: weighted Round-robin, Failover, or
Interface Overflow.
- If No, use the Equal Cost Multi-Path (ECMP) routing method to send the packet.
Note
Load-balancing interface groups pertain only to the Round-robin, Failover, and Interface Overflow
multi-WAN methods. A load-balancing interface group includes all the interfaces you specify to
participate in the Round-robin, Failover, or Interface Overflow configuration.
The following flow chart diagram is split on two pages. It shows how the Firebox or XTM device decides
which interface to use to send an outgoing connection.
The notes that follow the diagram correspond to the numbered Earth icons in the diagram.

Multi-WAN Routing Decision Flow Chart

Diagram Notes
1. A specific route is a route that is not a default route. A default route has destination 0.0.0.0.
2. You can see the Firebox or XTM device Kernel IP routing table on the Status Report tab of Firebox
System Manager.
3. You can see which external interfaces are up with Firebox System Manager. View the
Status Report tab of Firebox System Manager for current interface status.
4. The [source IP address / destination IP address] pair of each outgoing connection is combined to
make a unique hash value. The hash value for an outgoing connection is put in the sticky
connections hash table, and the table entry is associated with the external interface used to send
the outgoing traffic.


If the [source IP / destination IP] hash of an outgoing connection matches an entry in the hash
table, the external interface associated with that entry in the table is used for that connection.
A timer counts down for each entry in the table. The time for a table entry starts with the value
specified in your configuration for sticky connections. When a new outgoing connection matches
an entry in the hash table, the time for that table entry is reset to the full time for sticky connections
and the timer starts again. When the timer for an entry in the hash table reaches zero, the entry is
purged from the table.

5. A load balancing interface group is the group of interfaces you include when you click
Configure at the top of the Multi-WAN tab in Policy Manager. You can exclude any external
interface from participating in the multi-WAN method that you use.
Load balancing interface groups apply only to the Round-robin, Failover, and Interface Overflow
methods. The Routing Table method does not use the load balancing interface group because the
ECMP (equal-cost multi-path) routing algorithm manages all routing decisions.
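To make the seven decisions and the sticky connections notes concrete, here is a small Python model of them. It is an added example written for this appendix, not Fireware code. The device, the policies, the interface aliases (0-Main-Internet, 3-Secondary-Internet), the routes, the Round-robin weights and the 60-second sticky timeout are all constructed; the model leaves out Interface Overflow (which needs bandwidth measurements) and represents ECMP as a hash spread over the default routes, and it assumes that routes through an interface that is down disappear from the kernel routing table. It does show the order of the checks: a policy-based routing policy without failover drops traffic when its interface is down, a single remaining default route is used before the sticky table is consulted, a sticky entry short-circuits load balancing until its timer expires, and weighted Round-robin applies only when the policy's To list covers the whole load-balancing group.

```python
import ipaddress
import zlib
from dataclasses import dataclass

@dataclass
class Policy:
    name: str
    proto: str            # "icmp", "tcp" or "any" (stands in for the policy's port/protocol)
    src: str              # From list, reduced to one IPv4 network
    dst: str              # To list, reduced to one IPv4 network
    disposition: str      # "Allow", "Deny" or "Block"
    to_ifaces: frozenset  # external interface aliases the To list covers
    pbr: tuple = ()       # policy-based routing interfaces, in order
    pbr_failover: bool = False
    def matches(self, proto, src, dst):
        return (self.proto in ("any", proto)
                and ipaddress.ip_address(src) in ipaddress.ip_network(self.src)
                and ipaddress.ip_address(dst) in ipaddress.ip_network(self.dst))

class MultiWanDevice:   # hypothetical model of the seven decisions above, not Fireware code
    def __init__(self, interfaces, routes, lb_group, weights, method, sticky_timeout):
        self.up, self.routes = dict(interfaces), [(ipaddress.ip_network(p), i) for p, i in routes]
        self.lb_group, self.weights = tuple(lb_group), weights   # ordered group, Round-robin weights
        self.method, self.sticky_timeout = method, sticky_timeout  # "round-robin" or "failover"
        self.sticky, self.auto_blocked, self._rr_index = {}, set(), 0   # sticky: key -> [iface, expiry]

    def _lb_choice(self, up_defaults):
        members = [i for i in self.lb_group if i in up_defaults] or up_defaults
        if self.method == "failover":
            return members[0]                      # first active member of the group
        # Weighted Round-robin: an interface with weight w owns w slots of the rotation
        rotation = [i for i in members for _ in range(self.weights.get(i, 1))]
        self._rr_index += 1
        return rotation[(self._rr_index - 1) % len(rotation)]

    def decide(self, policies, proto, src, dst, now):
        """Return ("send", interface) or ("drop", reason) for one new outbound connection."""
        policy = next((p for p in policies if p.matches(proto, src, dst)), None)
        if policy is None:                         # 1. no From/To match
            return ("drop", "Unhandled Internal Packet")
        if policy.disposition == "Block":          # 2. disposition
            self.auto_blocked.add(src)
        if policy.disposition in ("Deny", "Block"):
            return ("drop", policy.name)
        if policy.pbr:                             # 3. policy-based routing
            candidates = policy.pbr if policy.pbr_failover else policy.pbr[:1]
            alive = [i for i in candidates if self.up[i]]
            return ("send", alive[0]) if alive else ("drop", "all gateways in policy routing are down")
        active = [(n, i) for n, i in self.routes if self.up[i]]   # assumption: down links lose routes
        specific = next((i for n, i in active if n.prefixlen and ipaddress.ip_address(dst) in n), None)
        if specific:                               # 4. specific (non-default) route
            return ("send", specific)
        defaults = [i for n, i in active if n.prefixlen == 0]     # 5. default routes
        if not defaults:
            return ("drop", "all external interfaces are down")
        if len(defaults) == 1:
            return ("send", defaults[0])
        key = zlib.crc32(f"{src}>{dst}".encode())  # 6. sticky connections hash table
        self.sticky = {k: v for k, v in self.sticky.items() if v[1] > now}   # timers at zero purge
        if key in self.sticky and self.up[self.sticky[key][0]]:
            self.sticky[key][1] = now + self.sticky_timeout    # a match resets the entry's timer
            return ("send", self.sticky[key][0])
        if set(self.lb_group) <= policy.to_ifaces:  # 7. does the To list hold the whole group?
            iface = self._lb_choice(defaults)
        else:
            iface = sorted(defaults)[key % len(defaults)]      # ECMP, modelled as a hash spread
        self.sticky[key] = [iface, now + self.sticky_timeout]
        return ("send", iface)

EXT = frozenset({"0-Main-Internet", "3-Secondary-Internet"})
POLICIES = [   # constructed policies, not a real configuration
    Policy("Ping", "icmp", "10.0.10.0/24", "0.0.0.0/0", "Allow", EXT, pbr=("0-Main-Internet",)),
    Policy("Outgoing", "tcp", "10.0.10.0/24", "0.0.0.0/0", "Allow", EXT),
    Policy("Block-Guests", "any", "10.0.30.0/24", "0.0.0.0/0", "Block", EXT),
]

def run_demo():
    """Drive a constructed device through the decisions; returns results and blocked hosts."""
    dev = MultiWanDevice(
        interfaces={"0-Main-Internet": True, "3-Secondary-Internet": True},
        routes=[("0.0.0.0/0", "0-Main-Internet"), ("0.0.0.0/0", "3-Secondary-Internet"),
                ("192.0.2.0/24", "3-Secondary-Internet")],     # one specific route
        lb_group=("0-Main-Internet", "3-Secondary-Internet"),
        weights={"0-Main-Internet": 2, "3-Secondary-Internet": 1},
        method="round-robin", sticky_timeout=60)
    results = [
        dev.decide(POLICIES, "icmp", "10.0.10.2", "8.8.8.8", 0),       # PBR -> Main
        dev.decide(POLICIES, "tcp", "10.0.10.2", "74.125.20.95", 0),   # Round-robin slot 1
        dev.decide(POLICIES, "tcp", "10.0.10.3", "74.125.20.95", 1),   # slot 2
        dev.decide(POLICIES, "tcp", "10.0.10.4", "74.125.20.95", 2),   # slot 3 -> Secondary
        dev.decide(POLICIES, "tcp", "10.0.10.2", "74.125.20.95", 3),   # sticky entry hit
        dev.decide(POLICIES, "tcp", "10.0.10.2", "192.0.2.7", 5),      # specific route
        dev.decide(POLICIES, "tcp", "10.0.99.9", "8.8.8.8", 5),        # no policy matches
        dev.decide(POLICIES, "tcp", "10.0.30.5", "8.8.8.8", 5),        # Block disposition
    ]
    dev.up["0-Main-Internet"] = False                                  # link monitor failure
    results.append(dev.decide(POLICIES, "icmp", "10.0.10.2", "8.8.8.8", 10))      # PBR, no failover
    results.append(dev.decide(POLICIES, "tcp", "10.0.10.5", "74.125.20.95", 10))  # one default left
    dev.up["0-Main-Internet"] = True
    results.append(dev.decide(POLICIES, "tcp", "10.0.10.3", "74.125.20.95", 70))  # sticky expired
    return results, sorted(dev.auto_blocked)
```

With weights 2:1 the first three new connections go Main, Main, Secondary; the repeated connection from 10.0.10.2 follows its sticky entry back to Main; the Ping policy, which has policy-based routing without failover, is dropped once Main-Internet goes down while HTTP traffic moves to the single remaining default route; and at 70 seconds the idle sticky entries have timed out, so the next connection is distributed again.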

What You Have Learned


In this module, you learned:
- How Fireware XTM manages outgoing traffic with each of these multi-WAN modes of operation:
  - Round-robin
  - Failover
  - Interface Overflow
  - Routing Table
- How to monitor the status of your external connections
- How sticky connections influence routing decisions
- How to use policy-based routing

Routing
Configure Static and Dynamic Routing
Introduction
You can use static and dynamic routing to ensure connectivity between networks that connect to your
Firebox or XTM device. Static routing is the use of manually configured non-changing routes in a
Firebox or XTM device or router's routing table. Dynamic routing allows your device and connected
network routers to share information about network accessibility and to dynamically update their local
routing tables based on changes to the network topology.

What You Will Learn

This course explains the concepts related to static and dynamic routing, and describes when and how
to use each routing method. In this course, you will learn how to:
- Select the best routing protocol to use
- Configure static routing over a point-to-point link and a multi-hop link
- Configure OSPF for dynamic routing over a point-to-point link
- Configure BGP for dynamic routing over a multi-hop link
- Use the Status Report and Diagnostic Log Levels to monitor and troubleshoot routing

The step-by-step exercises in this course show you how to configure IPv4 static and dynamic routing
between Fireware XTM devices.


Terms and Concepts You Should Know


To understand static and dynamic routing, you should be familiar with these terms and concepts:

Route
A route is the sequence of devices that network traffic must go through to get from its source to its
destination. A packet can go through many network points with routers before it reaches its
destination. Routes can be static or dynamic.
- Static route: A manually configured route to a specific network or host.
- Dynamic route: A route automatically learned and updated by a router, based on
communication with adjacent network routers.

Router
The device on a network that uses a routing table to find the next network point through which to send
the network traffic toward its destination.

Routing Table
A router, or a network device such as a Fireware XTM device, stores information about static and
dynamic routes in a routing table. The device looks in the routing table to find a route to send each
received packet toward its destination.
With a Firebox or XTM device, you can see the device routing table in Firebox System Manager, on the
Status Report tab. Routes in the routing table on the device include:

- Routes to networks for all enabled device interfaces
- Routes to networks for all enabled BOVPN virtual interfaces
- Static network routes or host routes you add to your device configuration
- Routes the device learns from dynamic routing processes that are enabled on the device

Route Metric
Each route in the routing table has an associated metric, which is a number that indicates the cost
associated with the route. A lower metric for a route indicates a lower cost, and higher priority for the
route. If the routing table includes more than one route to the same destination, the Firebox or XTM
device uses the route that has the lower metric. For a static route, to control the priority of each route,
you manually set the metric. If you use dynamic routing, the dynamic routing protocol automatically
sets the metric for each route based on characteristics such as the link speed, hop count, or time delay.
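As an added illustration of how the metric is applied (a small Python model written for this page, not Fireware code), the routing table below holds a connected network, a default route, an OSPF-learned route to a remote site, and a static BOVPN virtual interface route to the same remote network with a deliberately high metric of 200, the failover arrangement described later in this module under Metric-based VPN Failover and Failback. The interface aliases (1-Trusted, 0-External, 2-MPLS, bovpn.1), prefixes and metrics are constructed. It goes slightly beyond the paragraph by also showing that the metric only breaks ties between routes with the same prefix length: a more specific route is chosen even when its metric is higher.

```python
import ipaddress


class RoutingTable:
    """Lookup rule of a kernel routing table: the longest matching prefix wins,
    and among routes with the same prefix length the lowest metric wins.
    Hypothetical model written for this explanation, not Fireware code."""

    def __init__(self):
        self.routes = []   # (network, interface, metric, origin)

    def add(self, prefix, iface, metric, origin="static"):
        self.routes.append((ipaddress.ip_network(prefix), iface, metric, origin))

    def remove(self, prefix, iface):
        """Withdraw one route, as a dynamic routing process does when a link fails."""
        net = ipaddress.ip_network(prefix)
        self.routes = [r for r in self.routes if (r[0], r[1]) != (net, iface)]

    def lookup(self, dst):
        """Return (interface, metric, origin) of the route used for dst, or None."""
        d = ipaddress.ip_address(dst)
        matches = [r for r in self.routes if d in r[0]]
        if not matches:
            return None
        best = max(matches, key=lambda r: (r[0].prefixlen, -r[2]))
        return best[1], best[2], best[3]


def build_site_table():
    """Constructed table for one site: a connected network, the default route,
    an OSPF-learned route to the remote site over an MPLS interface, and a
    static BOVPN virtual interface route to the same network with metric 200."""
    rt = RoutingTable()
    rt.add("10.0.1.0/24", "1-Trusted", 0, "connected")
    rt.add("0.0.0.0/0", "0-External", 0, "connected")
    rt.add("10.0.2.0/24", "2-MPLS", 10, "ospf")
    rt.add("10.0.2.0/24", "bovpn.1", 200, "static")
    return rt


def demo_failover():
    """Show which route carries traffic to 10.0.2.0/24 before and after the
    dynamic route is withdrawn, and that a longer prefix beats a lower metric."""
    rt = build_site_table()
    before = rt.lookup("10.0.2.15")                    # OSPF route, metric 10
    rt.remove("10.0.2.0/24", "2-MPLS")                 # link down: OSPF withdraws the route
    after = rt.lookup("10.0.2.15")                     # falls back to the metric-200 VPN route
    rt.add("10.0.2.0/24", "2-MPLS", 10, "ospf")        # link restored: failback to the lower metric
    restored = rt.lookup("10.0.2.15")
    rt.add("10.0.2.50/32", "bovpn.1", 200, "static")   # host route with the higher metric
    host = rt.lookup("10.0.2.50")                      # longest prefix wins regardless of metric
    return before, after, restored, host
```

The failover and failback need no configuration change on the device: the high-metric static route is always present, and it simply stops being the best match while the dynamic route exists.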

Routing Protocol
Dynamic routing protocols enable routers to communicate with each other and share information
about the status of network accessibility. All dynamic routing protocols perform these tasks:
- Send information about network accessibility to other routers
- Receive information about network accessibility from other routers
- Determine the best routes based on the known accessibility information and save the best routes
in the local routing table
- React to and advertise network topology changes


Exterior Vs. Interior Routing Protocols


One way to classify routing protocols is based on whether they are best used to communicate routing
information between devices within a single organization or whether they are best used to
communicate routing information between two separate organizations.
- Interior: An interior protocol is most often used to communicate routing information between
networks managed by the same or closely related organizations. Interior protocols include RIP and
OSPF. Interior protocols cannot scale to very large networks, but they are easy to manage and have
low overhead. OSPF is most often used for routing between interior networks because it is more
scalable and has a shorter convergence time than RIP.
- Exterior: An exterior protocol is most often used to communicate routing information between
networks at different sites or sites managed by independent organizations. Independent
organizations can use an exterior protocol, such as BGP, to communicate routing information to
other externally managed sites. Exterior protocols are most often used only for multi-hop links
between networks.

Distance-Vector Vs. Link State Protocols


Another way to categorize routing protocols is based on the type of information they exchange about
routes, and how routers use this information to update their routing tables.
- Distance-vector: In a distance-vector protocol, each router sends information about all network
destinations it knows how to reach. For each destination, it sends a metric that indicates how far
away the destination is (the distance), and the next hop (the vector) toward that destination. The
distance metric can be the number of hops, or it can be based on other information about the
route toward a destination. BGP and RIP are both distance-vector protocols.
- Link state: In a link state protocol, each router sends a list of all the network links it directly
connects to, and the functional status of each link (the link state). Changes to link state are
immediately communicated to other routers on the network. Each router can then construct its
own view of the network topology based on the status of the links, and uses that to populate the
routing table with the best path to any destination. OSPF is a link state protocol.

Convergence Time
Convergence time refers to the time it takes for connected routers to establish consistent and
correct routing tables after a network topology change. Convergence time is shorter for the BGP
and OSPF protocols than it is for the RIP dynamic routing protocol.


Decide Which Type of Routing to Use


Static vs. Dynamic Routing
When you configure a network, the simplest solution is usually best. It is good practice to use dynamic
routing only if static routing is not a practical solution. For a small network, or for a network that does
not change much, static routing is often a simpler and better solution. That said, for large or growing
networks, dynamic routing can provide these advantages:
- Simplify the management of network routes as your network topology changes. When your
network changes, you only need to update the configuration on one device instead of several.
- Increase the redundancy and fault-tolerance of your network. Dynamic routing can allow your
Firebox or XTM device to automatically fail over to a secondary VPN network connection if the
primary route between two sites is unavailable.

Supported Dynamic Routing Protocols


Firebox or XTM devices support three IPv4 dynamic routing protocols. Which protocol to use depends
on the size of your network and the type of network link you need to send data through.
Routing Information Protocol (RIP v1 and RIP v2)
RIP is a distance-vector routing protocol that uses hop count as the only metric to decide the best
route. It can be used for point-to-point network links, but is usually recommended only if OSPF is
not an option. RIP is the only supported dynamic routing protocol if your Firebox or XTM device
does not have Fireware XTM with a Pro upgrade.
Open Shortest Path First (OSPF)
OSPF is a link state routing protocol and is commonly used for point-to-point links between interior
networks. OSPF is more scalable and has a faster convergence time than RIP, so OSPF is usually the
recommended interior protocol.
Border Gateway Protocol (BGP v4)
BGP is an exterior distance-vector protocol that uses many decision factors (not just hop count) to
decide the best route. BGP is commonly used for exterior multi-hop links. This is because we do not
want to base routing on the link state since we cannot monitor the state of multiple links. BGP is
used for any inter-domain dynamic routing between TCP/IP networks, and is the protocol used by
ISPs for routing across the Internet.
Fireware XTM v11.9 added support for these IPv6 dynamic routing protocols:
- RIPng (next generation): An extension of the RIP protocol for IPv6 dynamic routing
- OSPFv3: An extension of the OSPF protocol for IPv6 dynamic routing
- BGP: In Fireware XTM v11.9 and higher, BGP also supports IPv6 dynamic routing
Note
The exercises in this course focus on IPv4 dynamic routing, but the concepts are the same for IPv6.


eBGP and iBGP


Connections between two BGP peers can be external (eBGP) or internal (iBGP). Which type of
connection it is depends on the autonomous system (AS) number assigned to each of the peers. The AS
number indicates whether the peers are part of networks managed by the same or different
organizations. If two BGP peers are part of the same autonomous system, they both use the same AS
number, and the BGP connection between them is an iBGP session. If two BGP peers have different AS
numbers, the BGP connection between them is an eBGP session.
When you connect your network to two different ISPs, it is called multihoming. Multihoming provides
redundancy and network optimization. You can use eBGP to make sure that the Firebox or XTM device
routes outbound traffic to the ISP that can provide the best path to the destination.
When you use eBGP to exchange BGP routes with an upstream ISP peer, the eBGP peer might send you
these different types of routes:
- Default route: the 0.0.0.0/0 route. The ISP can send you a default route if they use the BGP
command default-information originate. The default route your ISP sends you does not
affect the Firebox or XTM device, because when you configure an external interface, you must
specify a gateway IP address, which is the default route for that interface.
- Customer routes: the collection of all static and dynamic routes to other customers who are
subscribed to the same ISP.
- Default and customer routes: the combined list of default route and customer routes.
- Full routes: the list of all customer routes and all other dynamic routes learned from the ISP's
upstream (higher tier) ISP and peer ISPs that are part of a local Internet exchange point network.
You can use the access-list and route-map BGP commands to filter BGP route updates that come from
an eBGP peer.
For the exercises in this training, we only configure iBGP, but it is important to know that eBGP can
result in a very large routing table that you must manage.

Note
An Internet exchange point (IX or IXP) is a neutral location between some Tier 2 and below ISPs that
allows the ISPs to directly exchange Internet traffic between their networks without the need to route
through a Tier 1 ISP.


Dynamic Routing Policies


When you enable a dynamic routing protocol, Policy Manager automatically creates the necessary
policy to allow the traffic, if an existing policy to allow the traffic does not exist. The automatically
added policies for each protocol are:
DR-RIP-Allow
This is the automatically created dynamic routing policy for RIP. The DR-RIP-Allow policy is configured
to allow RIP multicasts to the reserved multicast address for RIP v2.
If you use RIP v1, you must configure the RIP policy to allow RIP broadcasts from the network
broadcast IP address to the Firebox or XTM device. For example, if your external interface IP address
is 203.0.113.2/24, you must configure the RIP policy to allow traffic from the broadcast address
203.0.113.255 to the Firebox or XTM device.
DR-RIPng-Allow
This is the automatically created dynamic routing policy for RIPng. The DR-RIPng-Allow policy is
configured to allow RIPng multicasts to the reserved multicast address for RIPng, FF02::9.
DR-OSPF-Allow
This is the automatically created dynamic routing policy for OSPF. The DR-OSPF-Allow policy is
configured to allow OSPF multicasts to the reserved multicast addresses for OSPF.
DR-OSPFv3-Allow
This is the automatically created dynamic routing policy for OSPFv3. The DR-OSPFv3-Allow policy is
configured to allow OSPF multicasts to the reserved multicast addresses for OSPFv3, FF02::5 and
FF02::6.
DR-BGP-Allow
This is the automatically created dynamic routing policy for BGP.
You can edit these policies to add authentication or restrict the policy to listen on only the correct
interfaces.
If you remove or disable these dynamic routing policies, or if you remove the necessary multicast IP
addresses from the To section of the RIP or OSPF policies, dynamic routing cannot function.
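A quick way to confirm that a DR-* policy can actually carry its protocol is to compare its To and From lists against the addresses above. The Python check below is an added example written for this page, not a Fireware feature. The policy names and the IPv6 multicast addresses are the ones listed above; the IPv4 RIP v2 (224.0.0.9) and OSPF (224.0.0.5 and 224.0.0.6) multicast addresses are the IANA-assigned values; passing a policy's From and To lists in as plain lists of aliases and addresses is an assumption made for the example. It also flags a From list of Any, since the text recommends restricting these policies to the correct interfaces.

```python
import ipaddress

# Addresses each automatically created dynamic routing policy must allow in
# its To list. The IPv6 values are the ones given above; the IPv4 values are
# the IANA-assigned RIP v2 and OSPF multicast addresses.
REQUIRED_TO = {
    "DR-RIP-Allow": {"224.0.0.9"},
    "DR-RIPng-Allow": {"ff02::9"},
    "DR-OSPF-Allow": {"224.0.0.5", "224.0.0.6"},
    "DR-OSPFv3-Allow": {"ff02::5", "ff02::6"},
    "DR-BGP-Allow": set(),   # BGP runs over unicast TCP to the peer; no multicast address needed
}


def _as_ip(text):
    """Normalize an address string (FF02::5 -> ff02::5); None for aliases such as Firebox."""
    try:
        return str(ipaddress.ip_address(text))
    except ValueError:
        return None


def ripv1_broadcast_source(interface_cidr):
    """RIP v1 peers send to the directed broadcast address of the interface network, so the
    policy must allow that address as a source (203.0.113.2/24 -> 203.0.113.255)."""
    return str(ipaddress.ip_interface(interface_cidr).network.broadcast_address)


def check_dr_policy(name, enabled, to_list, from_list=("Any",), rip_v1_interface=None):
    """Return findings for one DR-* policy; an empty list means the policy can carry the
    protocol. Hypothetical helper written for this page, not a Fireware feature."""
    findings = []
    if not enabled:
        findings.append(f"{name} is disabled: dynamic routing cannot function")
    present = {ip for ip in map(_as_ip, to_list) if ip}
    missing = REQUIRED_TO.get(name, set()) - present
    if missing:
        findings.append(f"{name} To list is missing {sorted(missing)}")
    if rip_v1_interface and name == "DR-RIP-Allow":
        bcast = ripv1_broadcast_source(rip_v1_interface)
        if bcast not in {ip for ip in map(_as_ip, from_list) if ip}:
            findings.append(f"{name} From list must allow RIP v1 broadcasts from {bcast}")
    if "Any" in from_list:
        # Least privilege: listen only on the interfaces that face routing peers
        findings.append(f"{name} From list is Any; restrict it to the peer interfaces")
    return findings


if __name__ == "__main__":
    # Constructed policy contents for a quick run
    print(check_dr_policy("DR-OSPF-Allow", True, ["Firebox", "224.0.0.5"], from_list=["1-Trusted"]))
    print(check_dr_policy("DR-RIP-Allow", True, ["Firebox", "224.0.0.9"],
                          from_list=["0-External"], rip_v1_interface="203.0.113.2/24"))
```

The check is deliberately conservative: it reports a missing multicast address, a disabled policy and an overly broad From list separately, so a policy that has been edited to add authentication or to narrow its interfaces still passes as long as the reserved addresses remain in its To list.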


Network Link Types


When you enable dynamic routing on the Firebox or XTM device, it is important that the Firebox or
XTM device is the single ingress and egress point for traffic from the local networks. You can use
dynamic routing to route traffic between sites, or between different devices at the same site.
When you implement dynamic routing, it is important to consider the type of link you have between
the devices. Before you can enable dynamic routing between two devices, you must make sure the
peer interfaces on the two Firebox or XTM devices can communicate with each other.

Point-to-Point Link
In a point-to-point link connection, interfaces on the XTM devices connect directly to each other. The
peer interfaces are on the same subnet and can communicate directly. Typical examples of a
point-to-point link between two sites are fiber-to-Ethernet converters, layer 2 VLAN connections, a
fiber optic connection, or a leased line with serial-to-Ethernet converters at each end.

Figure 1: Point-to-point link between two devices at different locations

A point-to-point link could also be a direct link between devices at the same location, such as devices
that connect to networks for different departments.

Figure 2: Point-to-point link between two devices at the same location

Note
This diagram is intended to represent a section of a larger network topology that would include the
connections to other departments and to the Internet.

Multi-Hop Link
In a multi-hop link connection, the XTM devices do not connect to the same network. The device at
each site connects to a local router or other networking device. Those routers between the Firebox or
XTM devices connect to each other. A typical example of this type of connection is a leased line
terminated on routers at each site. Or, the connection between the routers could be over an MPLS
network.

Figure 3: Example of a Multi-hop link between two Firebox or XTM devices

If the two Firebox or XTM devices are connected with a multi-hop link, the peer interfaces route
through one or more intermediate routers. If the connection is a multi-hop link, you must configure
static routes to enable the peer interfaces to communicate before you can enable dynamic routing
between the two devices.


A Common Cause of Routing Inconsistency


One common cause of network routing inconsistency is a network topology that does not provide a
single path for traffic between networks. A topology with more than one ingress or egress point can
create asymmetric routes between the two sites. This can occur, for example, if a peer router that
connects to another site does not connect to the Firebox or XTM device, but instead connects to a
switch on an internal network.

Figure 4: A common cause of routing inconsistency

In this topology, there is not a single ingress and egress point at each site. This could create asymmetric
routes between the two sites. Connections between the two sites can fail regardless of whether TCP
SYN checking is enabled, because the firewall at each site might see only one side of the TCP
handshake.
Asymmetric routing can occur in this topology because:

1. Packets sent from a computer at Site A to a computer at Site B are routed through the default
gateway at Site A (the Site A XTM device). The packets are then routed over the peer link to the
computer at Site B. These packets do not go through the Site B XTM device.
2. The returned packets from the computer at Site B are routed through the default gateway at Site B
(the Site B XTM device). The packets are then routed over the peer link to the computer at Site A.
These packets do not go through the Site A XTM device.
With this network topology, the XTM device cannot control network failover to a branch office VPN, as
described in the next section. Even if you do not use dynamic routing or configure failover to a VPN,
this network configuration can cause routing problems and should be avoided.


Routing and Branch Office VPNs


You can use a branch office VPN (BOVPN) to make a secure connection between networks at different
locations. There are two methods you can use to configure a BOVPN tunnel. The method you use
determines how the Firebox or XTM device decides whether to route traffic through the BOVPN
tunnel.
Note
Branch office VPN configuration is covered in detail in another course.

BOVPN Gateway and BOVPN Tunnels


You can configure a BOVPN gateway and add one or more BOVPN tunnels that use that gateway.
When you use this configuration method, the Firebox or XTM device always routes a packet through
the BOVPN tunnel if the source and destination of the packet match a configured BOVPN tunnel.
BOVPN Virtual Interface
You can configure a branch office VPN as a BOVPN virtual interface. BOVPN virtual interface routes
appear in the routing table, and the decision about whether to send traffic through the VPN tunnel
or through another interface is affected by static and dynamic routes, and by policy-based routing.
This provides more flexibility in how you can configure routing through the tunnel.
When you have configured a BOVPN virtual interface, you can add an IPv4 or IPv6 BOVPN virtual
interface route, which is a static route through the BOVPN virtual interface.

Figure 5: The Add Route dialog box for a BOVPN virtual interface route

Route metrics are the same for a BOVPN virtual interface route as for routes through any other
interface. You can set the metric for a static BOVPN virtual interface route to make it a higher or
lower metric than other routes, to control which is the preferred route.
The global VPN setting controls whether VPN routes are removed if a BOVPN virtual interface is
down.
Note
If you enable the global VPN setting to remove VPN routes, you must either enable policy-based
routing for the BOVPN virtual interface or, in the BOVPN virtual interface settings, select the Start
Phase1 tunnel when it is inactive option.

Figure 6: The VPN setting to remove VPN routes when the tunnel is down


BOVPN Virtual Interface Routing Scenarios


Because you can specify a BOVPN virtual interface as the interface you use for the static, dynamic, and
policy-based routing definitions, a BOVPN virtual interface provides a lot of flexible configuration
options. Some examples of the routing scenarios you can configure with a BOVPN virtual interface
include:
Metric-based VPN Failover and Failback
For two sites that are connected with an MPLS link, you can configure the Firebox or XTM device to
automatically failover and failback to a secondary BOVPN virtual interface connection over an IP
network. To do this, you configure the external interface for the primary connection between the
two sites over the MPLS network. Then, configure a BOVPN virtual interface for the secondary link
between the two sites. Add a BOVPN virtual interface static route, and set a high metric (such as
200) for the route, so it is only used if the primary connection is not available. You could also
configure metric-based VPN failover between a primary and secondary BOVPN virtual interface.
BOVPN Virtual Interface with Policy-Based Routing
If two sites are connected by two VPN tunnels, and you want to send certain types of traffic through
a specific tunnel, you can enable policy-based routing to redirect traffic handled by the policy to a
specific tunnel. This encrypts the packets and sends them through the tunnel. This can be useful if
you have tunnels with different cost or latency, and you want to send only latency-sensitive traffic,
such as VoIP traffic, through the tunnel with the lowest latency.

Note
You cannot configure policy-based routing to enable failover from a BOVPN virtual interface to
another interface.

BOVPN Virtual Interface with Dynamic Routing


You can configure dynamic routing over a BOVPN virtual interface so that the two sites can
dynamically exchange route information about multiple local networks through a secure VPN
tunnel. This avoids the need to manually add and maintain configured routes between all the private
networks at each site. To do this, you configure a BOVPN virtual interface, and configure virtual IP
addresses for the VPN endpoints. Enable and configure dynamic routing between the two sites, and
use the virtual IP addresses as the peer network IP addresses.
- For OSPF, use the network command, and the peer virtual IP address with a /32 netmask.
For example: network <peer_virtual_ip>/32 area 0.0.0.0
- For BGP, use the neighbor command, and the peer virtual IP address
For example: neighbor <peer_virtual_ip> remote-as 65535
You can use dynamic routing commands to configure which local networks each device propagates
routes for. To specify route priority for OSPF dynamic routes you can use the Interface Cost. The lower
the Interface Cost, the more preferred the route is. To specify route priority for BGP dynamic routes, you
can use the Local Preference. The higher the Local Preference, the more preferred the route is.

Routing

135

Failover from a Dynamic Route to a VPN that is not a BOVPN Virtual Interface
When you use dynamic routing to establish the routes between networks behind two Firebox or XTM
devices, you can optionally configure automatic failover to a VPN connection if a route between the
networks is not present in the routing table. When you use dynamic routing, the failover happens
automatically, when the route between two devices is removed from the routing table.
To configure network failover to a branch office VPN you must:

1. Configure dynamic routing between the two sites over the primary connection.
2. Configure a branch office VPN tunnel between the two sites over another Firebox or XTM device
interface.
3. Enable the global VPN setting Enable the use of non-default (static or dynamic) routes to
determine if IPSec is used.
This setting enables the automatic failover to the VPN based on changes to the routing table.

Figure 7: Select the check box to enable the use of non-default routes

When you use dynamic routing, if the primary network link fails, the route is automatically removed
from the routing table. When the route is removed, if this global VPN setting is enabled, the Firebox or
XTM device automatically uses the VPN tunnel to route packets between the two networks. When the
primary routing problem is resolved, the dynamic routing protocol adds the route back to the table,
and the Firebox or XTM device automatically begins to use that route instead of the VPN tunnel for
traffic between the two networks.

Figure 8: Branch Office VPN as a failover for a connection between two devices

WatchGuard Fireware Training

Note
For a complete description of this VPN failover configuration, with sample configuration files, see the
Branch Office VPN Failover from a Private Network Link example on the WatchGuard Configuration
Examples page at http://www.watchguard.com/help/configuration-examples/index.asp.

If you do not use dynamic routing, you can still use this VPN failover setting, but the failover to the VPN
is not automatic. You must manually remove the static routes on both devices if the static route has a
problem.
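The selection behaviour behind both the metric-based failover described for BOVPN virtual interfaces and the dynamic-route failover above can be checked with a small model. The Python below is an added example for this guide, not WatchGuard code: it models a routing table that prefers the longest matching prefix and, among equal prefixes, the lowest metric, then shows failover to a BOVPN virtual interface route when the primary route is withdrawn and failback when it returns. The same withdraw() step stands in for a dynamic routing daemon removing a route its peer stopped advertising. The interface names (eth0, bovpn.1), metrics, route sources and addresses are constructed for illustration; the real Fireware route table format is not modelled.

```python
"""Model of metric-based failover and failback in a routing table.
Added example for this guide, not Fireware code. Selection rule modelled:
longest matching prefix first, then lowest metric among equal prefixes.
Interface names, metrics and route sources are constructed for illustration."""
from ipaddress import ip_address, ip_network


class RouteTable:
    def __init__(self):
        # each entry: (network, gateway, interface, metric, source)
        self._routes = []

    def add(self, dest, gateway, interface, metric, source):
        self._routes.append((ip_network(dest), gateway, interface, int(metric), source))

    def withdraw(self, dest, source):
        """Remove routes to dest from one source. Models an interface route going away when
        the link drops, or a dynamic routing daemon removing a route its peer stopped advertising."""
        net = ip_network(dest)
        self._routes = [r for r in self._routes if not (r[0] == net and r[4] == source)]

    def lookup(self, address):
        """Return the selected route for an address, or None if nothing matches."""
        addr = ip_address(address)
        candidates = [r for r in self._routes if addr in r[0]]
        if not candidates:
            return None
        # longest prefix wins; metric only breaks ties between equal-length prefixes
        net, gateway, interface, metric, source = max(
            candidates, key=lambda r: (r[0].prefixlen, -r[3]))
        return {"network": str(net), "gateway": gateway, "interface": interface,
                "metric": metric, "source": source}


def metric_failover_demo():
    """Primary MPLS route (metric 1) against a BOVPN virtual interface route (metric 200).
    Returns the egress interface chosen before the outage, during it, and after recovery."""
    rt = RouteTable()
    rt.add("10.0.20.0/24", "203.0.113.1", "eth0", 1, source="static-mpls")
    rt.add("10.0.20.0/24", None, "bovpn.1", 200, source="static-bovpn")
    chosen = [rt.lookup("10.0.20.5")["interface"]]
    rt.withdraw("10.0.20.0/24", "static-mpls")          # primary link down
    chosen.append(rt.lookup("10.0.20.5")["interface"])  # falls over to the VPN
    rt.add("10.0.20.0/24", "203.0.113.1", "eth0", 1, source="static-mpls")  # link restored
    chosen.append(rt.lookup("10.0.20.5")["interface"])  # fails back
    return chosen


def prefix_beats_metric():
    """A high-metric /24 via the VPN still wins over a low-metric /16, because prefix length
    is compared before metric. A metric is not a global priority."""
    rt = RouteTable()
    rt.add("10.0.0.0/16", "203.0.113.1", "eth0", 1, source="static")
    rt.add("10.0.20.0/24", None, "bovpn.1", 200, source="static-bovpn")
    return rt.lookup("10.0.20.5")["interface"], rt.lookup("10.0.30.5")["interface"]


if __name__ == "__main__":
    print(metric_failover_demo())   # ['eth0', 'bovpn.1', 'eth0']
    print(prefix_beats_metric())    # ('bovpn.1', 'eth0')
```

The second function is the check worth remembering when you set a high metric on a backup route: the metric only decides between routes of the same prefix length, so a more specific backup route is used in preference to a less specific primary route no matter what metric you give it.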

Monitoring Tools
The Status Report
The Status Report in Firebox System Manager is an important tool you can use to understand the
current state of routes and routing protocols on your Firebox or XTM device. To see the Status Report,
connect to the device and open Firebox System Manager. Then select the Status Report tab.
Look for these sections to find routing status information:
Routes
The Routes section of the status report shows a list of all destination hosts and networks that your
Firebox or XTM device can send traffic to. The Routes section can include these route tables:
- Route table: main shows all IPv4 and IPv6 static routes
- Route table: default shows information about the default route
- Route table: ethx.out shows active routes for an external interface, ethx, where x is the
interface number
- Route table: any.out shows active routes for all external interfaces with multi-path default
routes, when multi-WAN is configured
- Route table: zebra shows dynamic routes received from a peer, if dynamic routing is
enabled

The format of the routing tables is different for Fireware XTM versions prior to v11.5.3.

Dynamic Routing
The Dynamic Routing section has additional information about the status of the dynamic routing
process that runs on the Firebox or XTM device. This section shows these types of status
information:
- ENABLED: the dynamic routing protocol is enabled in the configuration
- RUNNING: the dynamic routing process is running
- STOP: the dynamic routing process is stopped
- LICENSED: the dynamic routing protocol is licensed
- CFGSYNC: reserved for future use
Under the Dynamic Routing section are these sections with information about the status of each
dynamic routing protocol:
- RIP: RIP routes and status
- OSPF: OSPF routes and status
- BGP: BGP routes and status
- RIPng: RIPng routes and status
- OSPFv3: OSPFv3 routes and status

Diagnostic Logging
If you need to troubleshoot issues with dynamic routing, it can be useful to change the diagnostic log
level for dynamic routing. By default, the dynamic routing diagnostic log level is set to Error. You can
increase the level to see more detailed dynamic routing information in the log files.

1. In Policy Manager, select Setup > Logging.


2. Click Diagnostic Log Level.
3. From the Networking category, select Dynamic Routing.

Figure 9: Dynamic Routing diagnostic log level.

4. Move the slider to set the diagnostic log level.

Debug Logging

Fireware XTM supports the dynamic routing commands for the Quagga routing suite. For a list of
commands for the supported dynamic routing protocols, see the Quagga documentation at
http://www.quagga.net/docs/.

The RIP, OSPF, and BGP protocols all include commands to enable debug logging. If you enable debug
logging in your dynamic routing configuration, that debug information is available in the /tmp/debug/
quagga.log file, which is included in the support snapshot file, support.tgz. The support snapshot file
contains a snapshot of your device configuration and other information that can help you or
WatchGuard technical support troubleshoot issues with your device.
To save the support snapshot:

1. In the Firebox System Manager Status Report tab, click Support.


2. Choose a location to save the support.tgz file.
3. Click Retrieve.
4. Extract the contents of support.tgz to a folder on your computer.
The dynamic routing debug log file is in /tmp/debug/quagga.log.
If you have enabled debug logging in the dynamic routing configuration and you also want the debug
log messages to appear in the Firebox or XTM device log file, you must also set the diagnostic logging
level for Dynamic routing to the highest level, Debug.

Exercise 1:

Configure Static Routing Over a Point-to-Point Link

You can use static routing to route traffic between any two networks, as long as the networks are
connected by one or more Firebox or XTM devices or routers. To configure static routing, you must add
static routes to all Firebox or XTM devices and routers that route traffic between the two networks.
This exercise shows how to configure static routing between two devices that are connected by a
point-to-point link. In a point-to-point link connection, the XTM devices connect directly to the same
network.
For this exercise, we assume the point-to-point link in the training environment looks like this:

Figure 10: Point-to-point link between two Firebox or XTM devices

These exercises require that you configure two Firebox or XTM devices with different IP addresses. For
the instructions in these exercises, we assume each device is configured by a different student. The
student numbers in the IP addresses are represented as A and B. The diagrams and configuration
settings shown in these exercises assume that:
Site A is configured by student A, who is assigned student number 10
Site B is configured by Student B, who is assigned student number 20
When you configure the network settings, use the student numbers your instructor gives you.
In the training environment, the external interface of all devices connect to the 203.0.113.0/24
network. So there is already a point-to-point link between the devices, over the external interfaces. To
route traffic between the private networks at each site, all you need to do is add a static route on each
Firebox or XTM device.

For example, for student 10 and student 20, the network interface configuration for the two sites looks
like this:

Figure 11: Network interface configuration for student 10

Figure 12: Network interface configuration for student 20

Add a Static Route to the Site A Device


1. Open the configuration for the Site A XTM device in Policy Manager.
2. Select Network > Routes.
The Setup Routes dialog box appears.

3. Click Add.
The Add Route dialog box appears.

Figure 13: The Add Route dialog box

4. From the Destination Type drop-down list, select Network IPv4.


5. In the Route To text box, type the IP address of the Site B trusted network.
The Site B trusted network is 10.0.B.0/24
6. In the Gateway text box, type the IP address of the Site B external interface.

The Gateway (next hop) is 203.0.113.B.
Replace the B in the IP address with the student number your instructor gives to the student who
manages the Site B device.
Fireware XTM also supports IPv6 static routes.

7. Save the configuration to the Site A device.

Add a Static Route to the Site B Device


1. Open the configuration for the Site B XTM device in Policy Manager.
2. Select Network > Routes.
The Setup Routes dialog box appears.

3. Click Add.
The Add Route dialog box appears.

Figure 14: The Add Route dialog box configured for a route to the student 10 XTM device

4. From the Destination Type drop-down list, select Network IPv4.


5. In the Route To text box, type the IP address of the Site A trusted network.
The Site A trusted network is 10.0.A.0/24.
6. In the Gateway text box, type the IP address of the Site A external interface.
The Gateway (next hop) is 203.0.113.A.
Replace the A in the IP address with the student number your instructor gives to the student who
manages the Site A device.
7. Save the configuration to the Site B device.

Review the Routing Tables


1. Connect to the Site A XTM device with Firebox System Manager.
2. Select the Status Report tab.
3. Scroll down to the Routes section. Or press Ctrl+F and type Routes to find this section.
The route you added appears in the Routes list.

Figure 15: The Routes section of the Status Report

The static route you add appears in the routing table only if the routing table contains a route to
the specified gateway. For the static route we added in this exercise, the gateway specified in the
static route can be reached through the 203.0.113.0/24 network on the eth0 interface. So the
interface for the static route is also eth0.

4. Use the same steps to verify that the static route appears in the routing table for the Site B XTM
device.
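The rule above, that a static route is installed only when its gateway is reachable through a connected network, is easy to check before you save a configuration. The Python below is an added example for this guide, not Fireware code: it resolves the egress interface for a static route from the device's interface addresses and rejects a gateway that no interface can reach. The interface table is constructed from the student 10 address plan used in this exercise and in the later multi-hop exercise (eth2 at 172.16.10.2/30), so it also shows the same check picking eth2 for a gateway of 172.16.10.1 and rejecting the Site B side of the instructor device, 172.16.20.1, which is not on any Site A network.

```python
"""Resolve the egress interface of a static route from the connected networks.
Added example for this guide, not Fireware code. A static route is only usable
when its gateway sits on a network that one of the device's interfaces is on.
The interface table is constructed from the student 10 address plan."""
from ipaddress import ip_address, ip_interface, ip_network

# Constructed: Site A (student 10) interfaces from Exercises 1 and 3
SITE_A_INTERFACES = {
    "eth0": ip_interface("203.0.113.10/24"),  # External, point-to-point link to Site B
    "eth1": ip_interface("10.0.10.1/24"),     # Trusted network
    "eth2": ip_interface("172.16.10.2/30"),   # Optional, link to the instructor device
}


def egress_interface(interfaces, gateway):
    """Return the name of the interface whose connected network contains the gateway, or None."""
    gw = ip_address(gateway)
    for name, iface in interfaces.items():
        if gw == iface.ip:
            return None  # the device's own address is not a next hop
        if gw in iface.network:
            return name
    return None


def resolve_static_route(interfaces, destination, gateway):
    """Return (destination, gateway, interface) for a route that can be installed.
    Raises ValueError when the destination is already connected or the gateway is unreachable."""
    dest = ip_network(destination)
    for name, iface in interfaces.items():
        if dest == iface.network:
            raise ValueError(f"{dest} is directly connected on {name}; no static route is needed")
    name = egress_interface(interfaces, gateway)
    if name is None:
        raise ValueError(
            f"gateway {gateway} is not on any connected network; the route would not be installed")
    return (str(dest), gateway, name)


if __name__ == "__main__":
    # Exercise 1: point-to-point over the external interfaces
    print(resolve_static_route(SITE_A_INTERFACES, "10.0.20.0/24", "203.0.113.20"))
    # Exercise 3: multi-hop via the instructor device on the /30 link
    print(resolve_static_route(SITE_A_INTERFACES, "10.0.20.0/24", "172.16.10.1"))
    # Wrong gateway (the Site B side of the instructor device): rejected
    try:
        resolve_static_route(SITE_A_INTERFACES, "10.0.20.0/24", "172.16.20.1")
    except ValueError as err:
        print("rejected:", err)
```

Run the same check against the Site B interface table with A and B swapped to confirm that each side points at the next hop it can actually reach, which is exactly the mistake a swapped student number produces.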

Test the Static Route


To test the static route, you can ping a device or interface on the remote network.
Because this exercise uses the external interface as the point-to-point link, you must update the ping
policy to allow the ping between networks for testing. The default Ping policy does not allow ping
traffic in through the external interface.
To enable ping traffic for testing:

1. In Policy Manager, double-click the Ping policy to edit it.


2. Add Any-External to the From section of the policy.
3. Save the configuration to the device.
4. Repeat these steps to enable ping traffic on the other device.
Now that ping traffic is allowed from the external network, you can use the ping command to test the
static routes between these two sites. To do this, open the Windows command prompt on the
management computer connected to the Site A network and issue a ping command to the IP address
of a device on the private network on the Site B device. Or, you can use Firebox System Manager to
issue a ping.
To issue a ping from Firebox System Manager for the Site A device:

1. Select the Traffic Monitor tab.


2. Right-click anywhere on the tab.
A context menu appears.

3. From the context menu, select Diagnostic Tasks.


The Diagnostic Tasks dialog box appears.

Figure 16: Diagnostic tasks ping example

4. In the Address text box, type the IP address of a device on the Site B private network.
The address can be the address of the Site B XTM device trusted interface, or it can be a connected computer.

5. Click Run Task.


The results of the ping appear in the Results text box.

6. Repeat these steps to test the static route from Site B to the Site A private network.

The Disadvantage of Using Only Static Routes


You can use static routes to set up routing between all of your networks. But if you use only static
routes, you must manually update the static routes on all devices each time a network is added or
changed. As the network complexity and the number of subnets at each site grows, the level of effort
to update and maintain the static routes increases.
As you see in the next exercise, dynamic routing provides a way to reduce the administrative effort
required to update network routes when there are additions or changes to the network topology.
It is important to understand static routing before you implement dynamic routing. When you
implement dynamic routing between sites, you often must first define static routes to enable the
communication between the peer interfaces of the two devices.

Exercise 2:

Configure Dynamic Routing over a Point-to-Point Link

You can use dynamic routing to simplify the management of configuration updates to your network as
the topology at each site changes. In this exercise you configure dynamic routing between two XTM
devices connected over a point-to-point link. This exercise also demonstrates how dynamic routing
automatically adds new routes to one device after you change the network configuration on the other
device.

Network Topology
For this exercise, we will configure dynamic routing over the point-to-point network we configured in
Exercise 1.

Figure 17: Point-to-point link between two sites

To establish dynamic routing between two Firebox or XTM devices, each device must be able to reach
the interface on the other Firebox or XTM device you want to peer it with. For a point-to-point link, the
external interfaces on both devices are on the same subnet so there is nothing we need to do to allow
the two devices to communicate.

Remove the Static Routes


First, remove the static routes you added in Exercise 1.
From Policy Manager for the Site A XTM device:

1. Select Network > Routes.


2. Select the existing static route.
3. Click Remove.
4. Repeat these steps to remove the static route from the Site B XTM device.

Configure Dynamic Routing with OSPF


1. Open Policy Manager for the Site A XTM device.
2. Select Network > Dynamic Routing.
The Dynamic Routing Setup dialog box appears.

3. Select the Enable Dynamic Routing check box.


4. Select the OSPF tab.
5. Select the Enable OSPF check box.
If you do not specify the OSPF router-id, OSPF sets the router-id based on the IP addresses of the
device interfaces. We recommend that you always specify the router-id to avoid the possibility of
duplicate router-ids for devices that have similar interface IP addresses.
On both devices, all interfaces except eth0 are passive. Even though OSPF announces the network on
interface 1, the device does not need to send OSPF multicasts on eth1, so eth1 is a passive interface.

6. Type the Site A dynamic routing configuration in the text box.


The OSPF commands used in this exercise are:
- router ospf: Enables the OSPF protocol
- ospf router-id: Sets the router ID; in this exercise, the IP address of the Site A interface that
routes to Site B
- network: Defines each network that OSPF sends information about
- passive-interface default: Configures interfaces to not participate in OSPF by default
- no passive-interface: Defines interfaces that participate in OSPF

If the Site A device is managed by student 10, the OSPF configuration for Site A looks like this:
router ospf
ospf router-id 203.0.113.10
network 203.0.113.0/24 area 0.0.0.0
network 10.0.10.0/24 area 0.0.0.0
passive-interface default
no passive-interface eth0

7. Click Yes to automatically add the required dynamic routing policy.


Policy Manager adds the DR-OSPF-Allow policy to allow the OSPF multicasts to the reserved multicast IP
addresses for OSPF.

Note
If you remove or disable the DR-OSPF-Allow policy, or if you remove the multicast IP addresses from
the To section of the policy, dynamic routing cannot function.

8. Save the configuration to the Site A device.


Policy Manager automatically verifies the syntax in your dynamic routing configuration before it saves the
configuration to the device. If an error is found, Policy Manager displays information about the error, and does
not save the configuration.

9. Repeat the same steps to enable OSPF on the Site B XTM device.
If the Site B device is managed by student 20, the OSPF configuration for Site B look like this:
router ospf
ospf router-id 203.0.113.20
network 203.0.113.0/24 area 0.0.0.0
network 10.0.20.0/24 area 0.0.0.0
passive-interface default
no passive-interface eth0

10. Save the configuration to the Site B device.

If Student 10 manages the Site A device, and Student 20 manages the Site B device, the finished
dynamic routing configuration for these two sites looks like this:

Figure 18: OSPF dynamic routing configurations for Site A (left) and Site B (right)
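Because the two configurations are typed by hand on two devices, the mistakes that bite in practice are a duplicated router-id (see the note above), a peer link that is missing from the network statements on one side, and a passive-interface default with no interface taken out of passive mode, which silently stops hellos. The Python below is an added example for this guide, not WatchGuard or Quagga code: it builds the Exercise 2 configuration text for a student number, parses it back, and checks a pair of site configurations for those problems. It also accepts extra networks, as for the additional trusted network added later in this exercise. The check rules are this example's own assumptions about what prevents an adjacency.

```python
"""Build and sanity-check the Exercise 2 OSPF configurations for two sites.
Added example for this guide, not WatchGuard or Quagga code. The address plan
follows the exercise; the checks are this example's own rules for problems that
prevent two devices from forming an OSPF adjacency."""
import re
from ipaddress import ip_network


def build_ospf_config(student, extra_networks=()):
    """Return the OSPF text for one site, given the student number (A or B)."""
    lines = [
        "router ospf",
        f"ospf router-id 203.0.113.{student}",
        "network 203.0.113.0/24 area 0.0.0.0",        # shared point-to-point link
        f"network 10.0.{student}.0/24 area 0.0.0.0",  # trusted network
    ]
    lines += [f"network {net} area 0.0.0.0" for net in extra_networks]
    lines += ["passive-interface default", "no passive-interface eth0"]
    return "\n".join(lines)


def parse_ospf_config(text):
    """Pick out the statements the checks need from a configuration block."""
    cfg = {"router_id": None, "networks": {}, "passive_default": False, "active": set()}
    for raw in text.splitlines():
        line = raw.strip()
        m_id = re.fullmatch(r"ospf router-id (\S+)", line)
        m_net = re.fullmatch(r"network (\S+) area (\S+)", line)
        m_act = re.fullmatch(r"no passive-interface (\S+)", line)
        if m_id:
            cfg["router_id"] = m_id.group(1)
        elif m_net:
            cfg["networks"][ip_network(m_net.group(1))] = m_net.group(2)
        elif line == "passive-interface default":
            cfg["passive_default"] = True
        elif m_act:
            cfg["active"].add(m_act.group(1))
    return cfg


def check_ospf_pair(text_a, text_b):
    """Return a list of problems; an empty list means the pair passes the checks."""
    a, b = parse_ospf_config(text_a), parse_ospf_config(text_b)
    problems = []
    if a["router_id"] is None or b["router_id"] is None:
        problems.append("router-id not set explicitly on both devices")
    elif a["router_id"] == b["router_id"]:
        problems.append(f"duplicate router-id {a['router_id']}")
    shared = set(a["networks"]) & set(b["networks"])
    if not shared:
        problems.append("no network statement in common, so no link on which to exchange hellos")
    elif any(a["networks"][n] != b["networks"][n] for n in shared):
        problems.append("shared network is placed in different areas on the two devices")
    for site, cfg in (("A", a), ("B", b)):
        if cfg["passive_default"] and not cfg["active"]:
            problems.append(f"site {site}: every interface is passive, so no hellos are sent")
    return problems


if __name__ == "__main__":
    site_a, site_b = build_ospf_config(10), build_ospf_config(20)
    print(site_a, site_b, sep="\n\n")
    print(check_ospf_pair(site_a, site_b))                 # []
    print(check_ospf_pair(site_a, build_ospf_config(10)))  # both devices use 203.0.113.10
    print(check_ospf_pair(site_a, site_b.replace("\nno passive-interface eth0", "")))
```

Paste the text that build_ospf_config() returns into the Dynamic Routing text box; Policy Manager still runs its own syntax check on save, so this script only catches the logical problems that a syntactically valid configuration can hide.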

Review the Routing Table


Now, you can review the routing table for each device to see the routing table entries added by the
dynamic routing process.

1. Connect to the Site A XTM device with Firebox System Manager.


2. Select the Status Report tab.
3. Scroll down to the OSPF section. Or press Ctrl+F and type OSPF to find this section.
The OSPF network routing table shows the dynamic routes added by OSPF:

Figure 19: The OSPF network routing table at Site A includes a route to the trusted network at Site B

4. Scroll to the Routes section. Or press Ctrl+F and type Routes to find this section.
The dynamic routes appear in the zebra route table in the Routes section of the status report.

Figure 20: The zebra route table shows the dynamic route added

Add a New Network at Site B


Now we can add another trusted network at Site B and see how OSPF propagates the changes to Site A.
First, configure a new network interface at Site B:

1. Open Policy Manager for the Site B XTM device.


2. Select Network > Configuration.
3. Select interface 4. Click Configure.
4. From the Interface Type drop-down list, select Trusted.
5. In the IP Address text box, type 192.168.B.1/24. Click OK.
Replace the B in the IP address with the student number your instructor gives to the student who
manages the Site B device. For example, if your student number is 20, type 192.168.20.1/24.
Next, update the OSPF dynamic routing configuration at Site B:

1. Select Network > Dynamic Routing.


2. Click the OSPF tab.
3. Add a network statement for the new network:
network 192.168.B.0/24 area 0.0.0.0
Replace the B in the IP address with the student number your instructor gives to the student who
manages the Site B device. For example, if your student number is 20, type:
network 192.168.20.0/24 area 0.0.0.0

4. Save the configuration to the device at Site B.

5. In the FSM status report for Site A, review the OSPF network routing table.

Figure 21: The OSPF network routing table

The OSPF network routing table at Site A automatically includes a route to the new trusted network at
Site B.
This exercise demonstrates how dynamic routing can make it easier to accommodate changes to your
network topology. When you add to or change a local network connected to one device, you do not
need to manually add routes to the new networks at all the other devices. Dynamic routing takes care
of that automatically.

Exercise 3:

Configure Static Routing Over a Multi-Hop Link

Next, let's look at how to configure static routes between these two sites if they are connected with a
multi-hop link. In a multi-hop link connection, the XTM devices do not connect to the same network,
but instead each connects to a router or other device that routes traffic between the two devices. For
this exercise, an interface on the instructor Firebox or XTM device is configured with secondary
addresses to emulate a multi-hop link.

Network Topology
To configure the Firebox or XTM device for this exercise, you must connect interface 2 to a switch that
connects to the instructor Firebox or XTM device.

Figure 22: Multi-hop link training network topology, with IP addresses for student 10 and student 20

Before You Begin


Before you begin this exercise:
Remove any static routes added in a prior exercise.
Disable any dynamic routing protocols enabled in a prior exercise.
Make sure the device is configured with these interface settings:
Site A XTM device configuration
- Eth0 (External) is 203.0.113.A/24
- Eth1 is a trusted interface, with the IP address 10.0.A.1/24.
- Eth3 and Eth4 are disabled.
Replace the A in the IP addresses with the student number for the Site A device.
Site B XTM device configuration
- Eth0 (External) is 203.0.113.B/24.
- Eth1 is a trusted interface, with the IP address 10.0.B.1/24.
- Eth3 and Eth4 are disabled.
Replace the B in the IP addresses with the student number for the Site B device.

Configure the Peer Interfaces


Configure interface 2 on each device as the peer interface to use for dynamic routing over the
multi-hop link.

Configure the Peer Interface at Site A


1. Open the configuration for the Site A XTM device in Policy Manager.
2. Select Network > Configuration.
3. Select interface 2. Click Configure.
4. From the Interface Type drop-down list, select Optional.
5. In the IP Address text box, type 172.16.A.2/30. Click OK.
Replace the A in the IP addresses with the student number for the Site A device.

You can use either a trusted or optional interface as the peer interface.

Configure the Peer Interface at Site B


1. Open the configuration for the Site B XTM device in Policy Manager.
2. Select Network > Configuration.
3. Select interface 2. Click Configure.
4. From the Interface Type drop-down list, select Optional.
5. In the IP Address text box, type 172.16.B.2/30. Click OK.
Replace the B in the IP addresses with the student number for the Site B device.

Configure Static Routes Between the Trusted Networks at Each Site


When you configure routing over a multi-hop link, you must look at your network topology to
determine all the devices that route traffic between these two networks. You can then determine the
static routes you must add to allow the two Firebox or XTM devices to communicate. For this network,
we must add a static route to each of the devices. And the instructor must add static routes to the
device in the middle, that connects to both networks.

Add a Static Route to the Site A Device


1. Open the configuration for the Site A XTM device in Policy Manager.
2. Select Network > Routes.
The Setup Routes dialog box appears.

3. Click Add.
The Add Route dialog box appears.

Figure 23: The Add Route dialog box with the route to the XTM device of student 20

4. From the Destination Type drop-down list, select Network IPv4.


5. In the Route To text box, type 10.0.B.0/24, the IP address of the Site B trusted network.
For example, if the Site B device is managed by Student 20, use 10.0.20.0/24.

6. In the Gateway text box, type 172.16.A.1, the IP address of the instructor Firebox or XTM device
that connects to the optional network on this device.
For example, if your student number is 10, type 172.16.10.1

7. Save the configuration to the device.

Add a Static Route to the Site B Device


1. Open the configuration for the Site B XTM device in Policy Manager.
2. Select Network > Routes.
The Setup Routes dialog box appears.

3. Click Add.
The Add Route dialog box appears.

Figure 24: The Add Route dialog box with the route to the Firebox or XTM device of student 10

4. From the Destination Type drop-down list, select Network IPv4.


5. In the Route To text box, type 10.0.A.0/24, the IP address of the Site A trusted network.
For example, if the Site A device is managed by Student 10, use 10.0.10.0/24.

6. In the Gateway text box, type 172.16.B.1, the IP address of the instructor device interface that
connects to the optional network on this device.
For example, if your student number is 20, type 172.16.20.1

7. Save the configuration to the device.

Add Static Routes to Routers Between the Two Sites


If the Firebox or XTM devices at each site were connected to routers, you would need to add a static
route to the routers at each site. In the training network configuration, the instructor device has
multiple IP addresses assigned to one interface, so it acts as a router for both sites. To complete the
static route configuration, the instructor must add static routes to the instructor device. The
configuration for the static routes on the instructor device looks like this:

Figure 25: Static routes on the instructor device for all student trusted networks. The routes to the networks
for student 10 and student 20 are circled.

Test the Static Route


You can look in the routing table in Firebox System Manager Status Report tab to verify that the static
routes were added for each device.

Figure 26: Route table on the Student 10 device shows the static route to the Student 20 trusted network.

You can use the Ping command in the Windows command line to test the static route between the two
sites. For example, you can ping the address of the trusted interface of the device at Site B from the
management computer connected to Site A.

Exercise 4:

Dynamic Routing Over a Multi-Hop Link

In this exercise, we configure dynamic routing over a multi-hop link with the BGP routing protocol.

Network Topology
To configure the Firebox or XTM device for this exercise, you must connect interface 2 to a switch that
connects to the instructor device. The network topology for this exercise is exactly the same as for
Exercise 3.

Figure 27: Multi-hop link training network topology

Before You Begin


Make sure the two Firebox or XTM devices are configured with these interface settings. These are the
same settings that were required for the previous exercise.
Remove any static routes added in a prior exercise.
Disable any dynamic routing protocols enabled in a prior exercise
Make sure the device is configured with these interface settings:
Site A XTM device configuration
- Eth0 (External) is 203.0.113.A/24
- Eth1 is a trusted interface, with the IP address 10.0.A.1/24.
- Eth2 is an optional interface, with the IP address 172.16.A.2/30.
- Eth3 is disabled.
Replace the A in the IP addresses with the student number for the Site A device.
Site B XTM device configuration
- Eth0 (External) is 203.0.113.B/24.
- Eth1 is a trusted interface, with the IP address 10.0.B.1/24.
- Eth2 is an optional interface, with the IP address 172.16.B.2/30.
- Eth3 is disabled or disconnected.
Replace the B in the IP addresses with the student number for the Site B device.

Configure Static Routes Between the Peer Interfaces


To route traffic over a multi-hop link, you must add static routes on each Firebox or XTM device and
on any network routing devices between them. The peer interfaces are the device interfaces that
connect to the router between the sites: 172.16.A.2 at Site A, and 172.16.B.2 at Site B. The static
routes must correctly direct traffic between these two peer interfaces.
The first thing you must do is look at your network topology to determine all the devices that route
traffic between these two interfaces. You can then determine what static routes must be added to
allow the two Firebox or XTM devices to communicate. For this network, we must add a static route to
each of the devices.
There is no need for the instructor to add static host routes to the device in the middle, since that
device already connects directly to the networks for the optional interfaces of both Firebox or XTM
devices.

Add a Static Route to the Site A XTM Device

The difference between this and the static routes added in the prior exercise is that these are host
routes to the IP address of the peer interface, rather than network routes to the private network on
the peer device.

1. Open the configuration for the Site A XTM device in Policy Manager.
2. Select Network > Routes.
The Setup Routes dialog box appears.

3. Click Add.
The Add Route dialog box appears.

Figure 28: The Add Route dialog box with the route to the XTM device of student 20

4. From the Destination Type drop-down list, select Host IPv4.


5. In the Route To text box, type 172.16.B.2, the IP address of the Site B peer interface.
6. In the Gateway text box, type 172.16.A.1, the IP address of the instructor Firebox or XTM device
interface that connects to the peer interface on the Site A XTM device.
7. Save the configuration to the device.

Add a Static Route to the Site B XTM Device


1. Open the configuration for the Site B XTM device in Policy Manager.
2. Select Network > Routes.
The Setup Routes dialog box appears.

3. Click Add.
The Add Route dialog box appears.

Figure 29: The Add Route dialog box with the route to the XTM device of student 10

4. From the Destination Type drop-down list, select Host IPv4.


5. In the Route To text box, type 172.16.A.2, the IP address of the Site A peer interface.
6. In the Gateway text box, type 172.16.B.1, the IP address of the instructor Firebox or XTM device
interface that connects to the peer interface on the Site B XTM device.
7. Save the configuration to the device.

Add Static Routes to Routers Between the Two Sites


In the training network configuration, the instructor Firebox or XTM device acts as a router between the two
networks. There is no need for the instructor to add static routes to the Firebox or XTM device in the
middle, since that device can already route traffic to the peer interfaces of both Firebox or XTM devices.
If the Firebox or XTM devices at each site connected to routers, you would need to add static routes on
those routers so that traffic can be routed between the peer interfaces of the Firebox or XTM devices at
each site.

Test the Static Route Between the Peer Interfaces


After you configure the static routes on the Firebox or XTM devices and routers, you can use the
Diagnostic Tasks in Firebox System Manager to test the static route between the peer interfaces,
172.16.A.2 at Site A and 172.16.B.2 at Site B.

1. In Firebox System Manager for the Site A device, click the Traffic Monitor tab.
2. Right-click anywhere on the tab to open the context menu.
3. Select Diagnostic Tasks from the context menu.

You cannot use the ping command from the Windows command line to test this static route, since the
static route is only between the peer interfaces.

4. Select the Advanced Options check box.

Figure 30: Diagnostics ping command, advanced options

5. In the Arguments text box, type:


-I<source interface IP address> <destination IP address to ping>

This starts an extended ping from the Firebox or XTM device. The -I option allows you to specify the
IP address of the interface to ping from. For this exercise, we use these addresses:
- Source address: 172.16.A.2
- Destination address: 172.16.B.2

When you enable Advanced Options, you can move the mouse pointer over the Arguments text box to see
a list of the available arguments.

For example, to ping from the Student 10 peer interface to the Student 20 peer interface, type:
-I172.16.10.2 172.16.20.2

6. Click Run Task.


It can take more than a minute for the results to appear in the Results text box.

Repeat the above steps from the Firebox or XTM device at Site B to test routing to the peer interface at
Site A. At Site B, the arguments for the extended ping are reversed:
- Source address: 172.16.B.2
- Destination address: 172.16.A.2

After you verify that the peering interfaces can communicate, you are ready to set up dynamic routing
between the two networks.

Configure Dynamic Routing with BGP


1. Open Policy Manager for the Site A XTM device.
2. Select Network > Dynamic Routing.
The Dynamic Routing Setup dialog box appears.

3. Select the Enable Dynamic Routing check box.


4. Select the OSPF tab.
Clear the Enable OSPF check box to disable the OSPF dynamic routing you enabled in Exercise 2.

5. Select the BGP tab.


Autonomous System (AS) numbers identify the network for BGP routing. Use a private AS number, in the
range 64512 to 65535, for internal BGP between private networks. This avoids the need to register for a
public AS number.

6. Select the Enable BGP check box.


7. Type the Site A dynamic routing configuration in the text box. Basic BGP statements are:
- router: Enables the BGP protocol and specifies the BGP AS number to use
- network: Defines each local network that BGP sends information about
- neighbor: Defines the IP address and AS number of the remote peer
If Student 10 manages the Site A XTM device and Student 20 manages the Site B XTM device, the
BGP configuration for Site A looks like this:
router bgp 65535
network 10.0.10.0/24
neighbor 172.16.20.2 remote-as 65535

8. Click Yes to automatically add the required dynamic routing policy.


Policy Manager adds the DR-BGP-Allow policy.

9. Save the configuration to the device.


Policy Manager automatically verifies the syntax in your dynamic routing configuration before it saves the
configuration to the device. If an error is found, Policy Manager displays information about the error, and does
not save the configuration.

10. Repeat the same steps to disable OSPF and enable BGP on the Site B XTM device.
If Student 10 manages the Site A XTM device and Student 20 manages the Site B XTM device, the
BGP configuration for Site B looks like this:
router bgp 65535
network 10.0.20.0/24
neighbor 172.16.10.2 remote-as 65535

11. Save the configuration to the device at Site B.
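The two configurations only work together if they agree: the neighbor statement at Site A must name the Site B peer interface and the AS number Site B runs, and vice versa, and each device needs the static route to its neighbor's peer interface that you added earlier. The Python script below is an added example written for this guide; it is not WatchGuard code and not a Fireware feature. It parses the three statements used in this exercise and cross-checks the two sites. The site names, peer addresses and static routes are constructed from the Student 10 and Student 20 values above.

```python
import ipaddress
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Private AS range quoted in the module text: use it for iBGP between private networks.
PRIVATE_AS = range(64512, 65536)


@dataclass
class BgpConfig:
    local_as: Optional[int] = None
    networks: List[ipaddress.IPv4Network] = field(default_factory=list)
    neighbors: Dict[ipaddress.IPv4Address, int] = field(default_factory=dict)  # peer IP -> remote AS


def parse_bgp_config(text: str) -> BgpConfig:
    """Parse the three basic statements used in the exercise: router bgp, network, neighbor."""
    cfg = BgpConfig()
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("!"):
            continue  # blank line or comment
        tokens = line.split()
        if tokens[:2] == ["router", "bgp"] and len(tokens) == 3:
            cfg.local_as = int(tokens[2])
        elif tokens[0] == "network" and len(tokens) == 2:
            # strict=True rejects host bits in a network statement (e.g. 10.0.10.5/24), a common typo
            cfg.networks.append(ipaddress.IPv4Network(tokens[1], strict=True))
        elif tokens[0] == "neighbor" and len(tokens) == 4 and tokens[2] == "remote-as":
            cfg.neighbors[ipaddress.IPv4Address(tokens[1])] = int(tokens[3])
        else:
            raise ValueError(f"unsupported or malformed statement: {line!r}")
    if cfg.local_as is None:
        raise ValueError("missing 'router bgp <AS>' statement")
    return cfg


@dataclass
class Site:
    name: str
    peer_ip: ipaddress.IPv4Address              # address of the interface this site peers over
    static_routes: List[ipaddress.IPv4Network]  # destinations reachable through static routes
    bgp: BgpConfig


def cross_check(a: Site, b: Site) -> List[str]:
    """Return the mismatches between two sites' BGP configurations (an empty list means consistent)."""
    problems: List[str] = []
    for local, remote in ((a, b), (b, a)):
        if local.bgp.local_as not in PRIVATE_AS:
            problems.append(f"{local.name}: AS {local.bgp.local_as} is not in the private range 64512-65535")
        if remote.peer_ip not in local.bgp.neighbors:
            problems.append(f"{local.name}: no neighbor statement for {remote.name} peer {remote.peer_ip}")
            continue
        remote_as = local.bgp.neighbors[remote.peer_ip]
        if remote_as != remote.bgp.local_as:
            problems.append(f"{local.name}: remote-as {remote_as} for {remote.peer_ip}, "
                            f"but {remote.name} runs AS {remote.bgp.local_as}")
        # Multi-hop peering only works if the neighbor address is reachable through a static route.
        if not any(remote.peer_ip in net for net in local.static_routes):
            problems.append(f"{local.name}: no static route covering neighbor {remote.peer_ip}")
    for na in a.bgp.networks:
        for nb in b.bgp.networks:
            if na.overlaps(nb):
                problems.append(f"network {na} at {a.name} overlaps {nb} at {b.name}")
    return problems


def build_example_sites(site_b_as: int = 65535, site_b_static_route: bool = True) -> Tuple[Site, Site]:
    """Constructed sample: Student 10 runs Site A, Student 20 runs Site B, as in the exercise text."""
    site_a = Site(
        name="Site A",
        peer_ip=ipaddress.IPv4Address("172.16.10.2"),
        static_routes=[ipaddress.IPv4Network("172.16.20.2/32")],  # host route to the Site B peer
        bgp=parse_bgp_config("router bgp 65535\nnetwork 10.0.10.0/24\nneighbor 172.16.20.2 remote-as 65535"),
    )
    site_b = Site(
        name="Site B",
        peer_ip=ipaddress.IPv4Address("172.16.20.2"),
        static_routes=[ipaddress.IPv4Network("172.16.10.2/32")] if site_b_static_route else [],
        bgp=parse_bgp_config(f"router bgp {site_b_as}\nnetwork 10.0.20.0/24\nneighbor 172.16.10.2 remote-as 65535"),
    )
    return site_a, site_b


if __name__ == "__main__":
    # A deliberately mismatched AS number at Site B shows the kind of error the check reports.
    for problem in cross_check(*build_example_sites(site_b_as=65534)) or ["configurations are consistent"]:
        print(problem)
```

Run it against the text you are about to paste into the two Dynamic Routing dialog boxes; a mismatched remote-as or a missing host route is exactly the kind of error that Policy Manager's syntax check cannot catch, because each configuration is valid on its own.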


Review the Routing Table


Now, review the routing table to verify that the expected routing table entries were added.

1. Connect to the Site A XTM device with Firebox System Manager.


2. Select the Status Report tab.
3. Scroll down to the BGP section.
The BGP network routing table shows the dynamic routes added by BGP:

Figure 31: Dynamic routes in the BGP network routing table

4. Scroll to the Routes section.


- The static route to the peer interface at Site B appears in the main route table.
- The dynamic routes added by BGP appear in the zebra route table.
5. Repeat these steps to examine the routing table in the status report for the Site B XTM device.

Test the Static Route


You can use the Ping command in the Windows command line to test the static route between the two
sites. For example, you can ping the address of the management computer connected to the trusted
network at Site B from the management computer connected to the trusted network at Site A.

The zebra route table shows the first 20 routes added by a dynamic routing protocol. The complete list
of dynamic routes appears in the Status Report section for the routing protocol that added each route
(BGP, OSPF, or RIP).

What You Have Learned


In this module you learned the concepts related to static and dynamic routing, and when and how to
use each routing method. This includes how to:
- Select the best routing protocol to use
- Configure static routing over a point-to-point link and a multi-hop link
- Configure OSPF for dynamic routing over a point-to-point link
- Configure BGP for dynamic routing over a multi-hop link
- Use the Status Report and Diagnostic Log Levels to monitor and troubleshoot routing

Fireware Training

FireCluster
Redundancy and Load Sharing for Your Network
Introduction
What You Will Learn
With the Fireware XTM FireCluster feature, you can configure two Firebox or XTM devices as a cluster to
increase network performance and scalability. In this module, you learn how to:
- Understand the clustering requirements for your Firebox or XTM device
- Set up a FireCluster
- See status for a FireCluster
- Understand what happens when a FireCluster failover occurs

About FireCluster
A FireCluster is a pair of Firebox or XTM devices configured to provide network redundancy and
improved scalability. Both devices connect to routers or switches connected to each network. The
Firebox or XTM devices also connect directly to each other to exchange information necessary for the
operation of the cluster.


Figure 1: A FireCluster with a trusted and an optional network

To set up a FireCluster, you first configure one device with the network and policy configuration you
want to use for the cluster. You reset the second device to factory default settings. When you connect
the two devices to each other and enable FireCluster, the connected devices synchronize their
configuration and operate as a cluster.
When you configure Firebox or XTM devices as a FireCluster, there are some management limitations:
- You cannot use Fireware XTM Web UI to configure a cluster or change the FireCluster settings.
- You cannot use WSM with a Management Server to schedule an OS update for a FireCluster
member.

Terms and Concepts You Should Know


Cluster Member
A device that is part of a FireCluster. A cluster member can take on one of two roles in the cluster.
- Cluster master: The device that updates and maintains all the connection and session
information for the cluster, and synchronizes that information with the backup master. In an active/
active cluster, the cluster master assigns connections and sessions to itself or to the backup master.
- Backup master: The device that monitors the cluster master, and automatically takes over the
role of cluster master in the event of a failover.

Active/Active Cluster
In an active/active cluster, both cluster members share the load of traffic that passes through the
cluster. An active/active cluster improves scalability because both devices share the load. If either
member of an active/active cluster fails, the other member takes on the entire load for the cluster. To
add both redundancy and load sharing to your network, select an active/active cluster.

Active/Passive Cluster
In an active/passive, also known as an active/standby cluster, only the cluster master handles network
traffic. The backup master actively monitors and synchronizes status with the cluster master. If the
cluster master fails, the backup master becomes cluster master, and takes over all the traffic for the
cluster. An active/passive cluster provides redundancy, but not increased scalability, because the traffic
load is handled by only one device at a time. To add redundancy, choose an active/passive cluster.

Load Balance Methods


An active/active FireCluster supports two load balance methods:
- Least connection: The cluster master assigns each new traffic flow to the cluster member that
has the lowest number of open connections.
- Round-robin: The cluster master assigns each new traffic flow alternately to the cluster master
and the backup master.

Cluster ID
The cluster ID uniquely identifies your FireCluster. The default cluster ID is 1. If you enable more than
one FireCluster on the same network, it is important to assign each cluster a different cluster ID.
An active/passive FireCluster uses a virtual MAC address, calculated based on the Cluster ID and the
interface numbers. If you configure more than one active/passive FireCluster on the same subnet, it is
important to know how to set the Cluster ID to avoid a possible virtual MAC address conflict.
The virtual MAC addresses for interfaces on an active/passive FireCluster start with 00:00:5E:00:01. The
sixth octet of the MAC address is set to a value that is equal to the interface number plus the Cluster ID.

You can see the virtual MAC address in Firebox System Manager, in the details for each interface.

For example, if you set the Cluster ID to 1, the virtual MAC addresses for the first three interfaces are:
Interface 0: 00:00:5E:00:01:01
Interface 1: 00:00:5E:00:01:02
Interface 2: 00:00:5E:00:01:03
If you add a second active/passive FireCluster to the same subnet, you must set the Cluster ID to a
number that is different enough from the Cluster ID of the first FireCluster to avoid a virtual MAC
address conflict between interfaces on the two FireClusters.
It is also possible that the FireCluster virtual MAC addresses can conflict with HSRP and VRRP devices on
your network. Keep this in mind when you decide which Cluster ID to use.
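To see how the Cluster ID choice plays out before you build a second cluster, the following Python example applies the rule given above, sixth octet = interface number + Cluster ID, to every interface of every cluster on a subnet and reports any virtual MAC that would be claimed twice. It is added here for this guide and is not WatchGuard code; it does not query a device. It also checks against VRRP, because the VRRP virtual MAC for IPv4 uses the same 00:00:5E:00:01 prefix with the VRID as the sixth octet (RFC 5798), which is one way the conflict the text mentions can arise. The range of Cluster IDs the search tries is an assumption; the page does not state the permitted range.

```python
from typing import Dict, Iterable, List, Sequence

# Prefix stated on the page for active/passive FireCluster interface virtual MACs.
VMAC_PREFIX = "00:00:5E:00:01"


def firecluster_vmac(cluster_id: int, interface: int) -> str:
    """Virtual MAC of one interface: sixth octet = interface number + Cluster ID (the page's rule)."""
    sixth = interface + cluster_id
    if not 0 <= sixth <= 0xFF:
        raise ValueError(f"interface {interface} + Cluster ID {cluster_id} does not fit in one octet")
    return f"{VMAC_PREFIX}:{sixth:02X}"


def vrrp_vmac(vrid: int) -> str:
    """VRRP virtual MAC for IPv4 (RFC 5798): 00:00:5E:00:01:<VRID>, the same prefix FireCluster uses."""
    if not 1 <= vrid <= 255:
        raise ValueError("VRID must be 1-255")
    return f"{VMAC_PREFIX}:{vrid:02X}"


def find_vmac_conflicts(clusters: Dict[int, Sequence[int]], vrrp_vrids: Iterable[int] = ()) -> List[str]:
    """List every virtual MAC claimed by more than one owner on a shared subnet.

    clusters maps a Cluster ID to the active interface numbers of that active/passive FireCluster;
    vrrp_vrids lists VRRP router IDs present on the same subnet.
    """
    owners: Dict[str, List[str]] = {}
    for cid, interfaces in clusters.items():
        for iface in interfaces:
            owners.setdefault(firecluster_vmac(cid, iface), []).append(f"cluster {cid} interface {iface}")
    for vrid in vrrp_vrids:
        owners.setdefault(vrrp_vmac(vrid), []).append(f"VRRP VRID {vrid}")
    return [f"{mac} claimed by {' and '.join(who)}" for mac, who in sorted(owners.items()) if len(who) > 1]


def smallest_safe_cluster_id(existing: Dict[int, Sequence[int]], new_interfaces: Sequence[int],
                             vrrp_vrids: Sequence[int] = ()) -> int:
    """Lowest unused Cluster ID for a new cluster that produces no virtual MAC conflict.

    Assumption (not stated on the page): Cluster IDs are tried from 1 upward, bounded only by the
    one-octet limit on interface number + Cluster ID.
    """
    for candidate in range(1, 256):
        if candidate in existing:
            continue
        trial = dict(existing)
        trial[candidate] = new_interfaces
        try:
            if not find_vmac_conflicts(trial, vrrp_vrids):
                return candidate
        except ValueError:
            break  # the sixth octet overflowed; larger IDs will not help
    raise ValueError("no conflict-free Cluster ID available")


if __name__ == "__main__":
    # Constructed scenario: an existing cluster with ID 1 on interfaces 0-2, plus a VRRP group with VRID 5.
    existing = {1: [0, 1, 2]}
    print(find_vmac_conflicts({**existing, 2: [0, 1, 2]}))  # the naive choice of ID 2 collides
    print(smallest_safe_cluster_id(existing, [0, 1, 2], vrrp_vrids=[5]))
```

The point the example makes concrete: two clusters with consecutive Cluster IDs overlap on every interface but the first and last, so the second ID must exceed the first by at least the number of active interfaces, and any VRRP group on the subnet removes one more value from the usable range.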

Cluster Interface
The cluster interface is an interface on each cluster member that is dedicated to communication
between the cluster members. The cluster interfaces of the cluster members must connect to each
other. You must define at least one cluster interface. You can optionally configure a second cluster
interface that is only used if communication over the primary cluster interface is interrupted.

Cluster Interface IP Address


Each pair of cluster interfaces must be assigned an IP address on the same subnet. To avoid conflict
with routeable IP addresses, we recommend you allocate a dedicated private subnet to each cluster
interface, or use link-local IP addresses for the cluster interfaces. Link-local IP addresses begin with
169.254. You might find it useful to define your cluster interface IP addresses like this:
169.254.<interface number>.<member number>/24

For example if interface 4 is a cluster interface, you could set the interface IP addresses to:
Member 1 169.254.4.1/24
Member 2 169.254.4.2/24
This link-local IP address convention is used in the exercises included in this module.
RFC 3927 specifies that a link-local address must be in the 169.254.0.0/16 subnet. Because the cluster
interface connection is an isolated network, it is not a problem to use the /24 IP address.

Note
Do not set the Primary or Backup cluster IP address to the default IP address of any interface on the
device. The default interface IP addresses are in the range 10.0.0.1 - 10.0.17.1.

Management Interface
You must select one of the active traffic interfaces as the interface for management IP address. Set this to
the interface your management computer is connected to. This is usually the trusted network. You
must also configure a management IP address for each cluster member. The address must be an unused
IP address on the network for the selected interface. You can also use a VLAN as the cluster
management interface.
If the interface you select as the interface for management IP address has IPv6 enabled, you can assign
an IPv6 management IP address for each cluster member.
Management software uses the Management IP address to connect to cluster members for upgrade,
failover, reboot, shutdown and other operations. You can also use the IPv4 or IPv6 management IP
address to connect to a specific cluster member with the management software.

About Failover
Failover occurs when one of the cluster members experiences a failure and the other cluster member
takes over the traffic that was assigned to the failed device. The cluster master is constantly monitored
by the backup master.

Causes of FireCluster Failover


Failover of a cluster member can be triggered by one of these events:
Lost heartbeat from the cluster master
The cluster master sends a heartbeat packet through the primary and backup cluster interfaces
once per second. If the backup master does not receive three consecutive heartbeats from the
cluster master, this triggers failover of the cluster master. The default threshold for lost heartbeats is
three. You can increase the lost heartbeat threshold that triggers a failover in the FireCluster
Advanced settings.
Software or hardware malfunction
If a software or hardware error is detected on a cluster member, that can trigger failover of that
device. This is based on comparing the cluster health indexes of each cluster member.
Monitored interface link down
The FireCluster monitors the link status of all active interfaces (all interfaces that are not set to status
Disabled). This is why it is important that you disable any interfaces that are not connected to a
switch or router.
Failover Master command
In Firebox System Manager, you can select Tools > Cluster > Failover Master to force the cluster
master to fail over.


The cluster health factors that can trigger a failover are collectively referred to as the Weighted Average
Index (WAI). The WAI takes into account the link status of monitored interfaces, and other factors that
indicate a software or hardware malfunction. If the WAI of the backup master is greater than the WAI of
the master, failover of the cluster master is triggered.
You can see the WAI in the Cluster Health section of the status report in Firebox System Manager.
Cluster Health
-------------
Member Id = 80B0030CA6EE9
Member cluster Role = 3
System Health Index (SHI) = 100
Hardware Health Index (HHI) = 100 (disabled)
Monitored Ports Health Index (MPHI) = 100
Weighted Avg Index (WAI) = 100
Member Id = 80B0030EBCFAA
Member cluster Role = 2
System Health Index (SHI) = 100
Hardware Health Index (HHI) = 100 (disabled)
Monitored Ports Health Index (MPHI) = 100
Weighted Avg Index (WAI) = 100

For each cluster member, the Status Report shows these health index values:
System Health Index (SHI)
This number indicates the status of monitored processes on the device. If all monitored processes
are active, the SHI value is 100.
Hardware Health Index (HHI)
This number indicates the status of critical hardware components. If no hardware failures are
detected, the HHI value is 100. If a critical monitored hardware component fails, the HHI value is
zero. The HHI is based on the status of hardware components such as the CPU, fans, and power
supply.
If (disabled) appears adjacent to the HHI number in the Status Report, the HHI is not used in the
calculation of the WAI, and so is not a criterion for failover. This is the default setting.
Monitored Ports Health Index (MPHI)
This number indicates the link status of monitored ports. If all monitored ports are up, the MPHI value
is 100. The status of wireless connections is not monitored as part of this index.
Weighted Average Index (WAI)
This number is used to compare the overall health of two cluster members, as a criterion for failover.
By default, the WAI for a cluster member is a weighted average of the SHI and MPHI for that device,
but does not include the HHI.
If you enable the HHI to be used in the calculation of the WAI, the WAI is a weighted average of the
HHI, SHI, and MPHI. The one exception is that if the HHI of a device is zero, the WAI for that device is
also zero.
To enable the HHI to be used in the calculation of the WAI, select the Monitor hardware status as a
criteria for FireCluster failover check box in FireCluster Advanced settings.
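The Cluster Health section is plain text, so it is easy to collect from saved status reports and evaluate without clicking through Firebox System Manager. The Python example below is added here for this guide and is not WatchGuard code. It parses the section into one record per member, noting whether the HHI is marked (disabled), and applies the comparison rule stated above: the cluster master fails over when the backup master's WAI is greater than the master's. Which member is currently the master is passed in by the caller, because the numeric Role values in the report are not explained on this page. SAMPLE_REPORT repeats the healthy report shown above; the values in DEGRADED_REPORT are constructed for the example.

```python
import re
from dataclasses import dataclass
from typing import List

# The Cluster Health section as shown on the page (both members healthy).
SAMPLE_REPORT = """\
Cluster Health
-------------
Member Id = 80B0030CA6EE9
Member cluster Role = 3
System Health Index (SHI) = 100
Hardware Health Index (HHI) = 100 (disabled)
Monitored Ports Health Index (MPHI) = 100
Weighted Avg Index (WAI) = 100
Member Id = 80B0030EBCFAA
Member cluster Role = 2
System Health Index (SHI) = 100
Hardware Health Index (HHI) = 100 (disabled)
Monitored Ports Health Index (MPHI) = 100
Weighted Avg Index (WAI) = 100
"""

# Constructed variant (invented numbers): the second member has lost link on a monitored port,
# so its MPHI and WAI are lower than the first member's.
DEGRADED_REPORT = SAMPLE_REPORT[: SAMPLE_REPORT.rfind("Monitored Ports")] + (
    "Monitored Ports Health Index (MPHI) = 0\n"
    "Weighted Avg Index (WAI) = 50\n"
)


@dataclass
class MemberHealth:
    member_id: str
    role: int
    shi: int
    hhi: int
    hhi_enabled: bool  # False when "(disabled)" follows the HHI value
    mphi: int
    wai: int


# "Key = value" with an optional trailing "(flag)", e.g. "(disabled)" after the HHI value.
_FIELD = re.compile(r"^\s*(?P<key>[^=]+?)\s*=\s*(?P<value>\S+)(?:\s*\((?P<flag>\w+)\))?\s*$")


def parse_cluster_health(text: str) -> List[MemberHealth]:
    """Split the Cluster Health section into one record per 'Member Id' block."""
    records: List[dict] = []
    for line in text.splitlines():
        m = _FIELD.match(line)
        if not m:
            continue  # the section title and dashed rule carry no fields
        key, value, flag = m.group("key"), m.group("value"), m.group("flag")
        if key == "Member Id":
            records.append({"member_id": value})
            continue
        if not records:
            raise ValueError(f"field before the first 'Member Id': {line!r}")
        current = records[-1]
        if key == "Member cluster Role":
            current["role"] = int(value)
        elif key.endswith("(SHI)"):
            current["shi"] = int(value)
        elif key.endswith("(HHI)"):
            current["hhi"] = int(value)
            current["hhi_enabled"] = flag != "disabled"
        elif key.endswith("(MPHI)"):
            current["mphi"] = int(value)
        elif key.endswith("(WAI)"):
            current["wai"] = int(value)
    return [MemberHealth(**r) for r in records]


def master_failover_triggered(master: MemberHealth, backup: MemberHealth) -> bool:
    """The page's rule: the cluster master fails over when the backup master's WAI exceeds the master's."""
    return backup.wai > master.wai


def wai_consistency_issues(member: MemberHealth) -> List[str]:
    """Flag a WAI that contradicts the rules stated on the page for a single member."""
    issues: List[str] = []
    if member.hhi_enabled and member.hhi == 0 and member.wai != 0:
        issues.append(f"{member.member_id}: HHI is 0 with hardware monitoring enabled, so WAI should be 0")
    all_good = member.shi == 100 and member.mphi == 100 and (not member.hhi_enabled or member.hhi == 100)
    if all_good and member.wai != 100:
        issues.append(f"{member.member_id}: every index is 100 but WAI is {member.wai}")
    return issues


if __name__ == "__main__":
    members = parse_cluster_health(DEGRADED_REPORT)
    # In practice, read which member is master from Firebox System Manager before comparing.
    print(master_failover_triggered(master=members[1], backup=members[0]))  # degraded master: True
    print(master_failover_triggered(master=members[0], backup=members[1]))  # healthy master: False
```

Run over a series of saved status reports, the same parser lets you alert when the two WAI values start to diverge, which is earlier than waiting for the failover log message.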


What Happens During a Failover


When a failover of the cluster master occurs, the backup master becomes the cluster master. Then, the
original cluster master rejoins the cluster as the backup master. When a failover occurs, the cluster
maintains all packet filter connections, branch office VPN tunnels, and user sessions. This behavior is
the same for an active/active or an active/passive FireCluster.
In an active/active cluster, if the backup master fails, the cluster master maintains all packet filter
connections, branch office VPN tunnels, and user sessions. Proxy connections and Mobile VPN
connections can be interrupted, as described in the subsequent table. In an active/passive cluster, if the
backup master fails, there is no interruption of connections or sessions because no traffic is assigned to
the backup master.
Connection/Session Type      Impact of a Failover Event
---------------------------  -------------------------------------------------------------------
Packet filter connections    Connections fail over to the other cluster member.
Branch office VPN tunnels    Tunnels fail over to the other cluster member.
User sessions                Sessions fail over to the other cluster member.
Proxy connections            Connections assigned to the failed device (master or backup master)
                             must be restarted. Connections assigned to the other device are not
                             interrupted.
Mobile VPN with IPSec        If the cluster master fails over, all sessions must be restarted.
                             If the backup master fails, only the sessions assigned to the backup
                             master must be restarted. Sessions assigned to the cluster master are
                             not interrupted.
Mobile VPN with SSL          If either device fails over, all sessions must be restarted.
Mobile VPN with L2TP         All L2TP sessions are assigned to the cluster master, even for an
                             active/active cluster. If the cluster master fails over, all sessions
                             must be restarted. If the backup master fails, L2TP sessions are not
                             interrupted.
Mobile VPN with PPTP         All PPTP sessions are assigned to the cluster master, even for an
                             active/active cluster. If the cluster master fails over, all sessions
                             must be restarted. If the backup master fails, PPTP sessions are not
                             interrupted.
Monitoring Tools
Firebox System Manager and the Fireware XTM log files are useful tools to monitor the status and
operation of your FireCluster.

Firebox System Manager


On the Front Panel tab in Firebox System Manager, you can monitor the real-time status of your
FireCluster. If you connect to the cluster, you can see the status of the cluster as a whole. If you connect
to an individual cluster member, you can see more details about that specific device.
To connect to a cluster member:

1. Connect to a cluster member and open Firebox System Manager.


2. Select Tools > Cluster > Connect to Member.
The Status Report tab in Firebox System Manager is an important tool you can use to understand
more details about the current state of your XTM FireCluster.
To see the Status Report:

1. Connect to the cluster and open Firebox System Manager.


2. Select the Status Report tab.
When Firebox System Manager is in cluster view, the Status Report has a report section for each
member. When you connect to a specific cluster member, the status report shows information about
just that member.


Diagnostic Logging
If you need to troubleshoot issues with FireCluster, it can be useful to change the diagnostic log level
for FireCluster. By default, the FireCluster diagnostic log level is set to Error. You can increase the level
to see more detailed information in the log files.
To configure the diagnostic log level for FireCluster:

1. In Policy Manager, select Setup > Logging.


2. Click Diagnostic Log Level.
From the category list, expand FireCluster.

Figure 2: The FireCluster diagnostic log level

3. Select the FireCluster category to set the diagnostic log level for all the FireCluster components, or
select a sub-category to change the log level for the category of FireCluster operations that you
want to monitor more closely.
- Cluster Management: Log messages for FireCluster configuration and management tasks
- Cluster Operation: Log messages for all current FireCluster member roles and operations
- Cluster Event Monitoring: Log messages for the process that monitors FireCluster
resources and takes the appropriate action for each event that occurs in the FireCluster
- Cluster Transport: Log messages for FireCluster member communications channels
After you increase the diagnostic log level, you can see more detailed log messages in Traffic Monitor
and in your log files, if you have configured a Log Server.

FireCluster Requirements
To use FireCluster, your Firebox or XTM devices and network configuration must meet these
requirements:

Hardware Requirements
Both Firebox or XTM devices in a FireCluster must be the same model. FireCluster is supported on most
Firebox or XTM device models.
FireCluster restrictions on XTM wireless devices (XTM 25-W, 26-W, and 33-W):
- When you enable the external interface as a wireless interface, FireCluster is not supported.
- When you enable wireless access points on an XTM wireless device, you can configure FireCluster
only as active/passive.
FireCluster is not supported on:
- XTMv virtual devices on Hyper-V
- XTM 21/22/23 or XTM 21-W/22-W/23-W models

License Requirements
- Both devices in a FireCluster must use the same version of Fireware XTM with a Pro upgrade.
- Both devices must have an active LiveSecurity Service subscription.
For an active/active cluster, we recommend both devices have active licenses for the same set of
security services such as Gateway AV, Intrusion Prevention Service, and Application Control. For an
active/passive cluster, you need an active license for any security services on only one of the cluster
members, and that license is used by whichever device is active.

Network Configuration Requirements
- You cannot configure the network in bridge mode for an active/active or active/passive cluster.
- You cannot configure the network in drop-in mode for an active/active cluster.
- You cannot configure an active/active FireCluster for a device that uses link aggregation.
- For an active/active cluster, you must configure the external interface with a static IP address.
- For an active/passive cluster, the external interface can have a static IP address, or use PPPoE.
- You can configure a wireless device in active/passive mode only.
- We recommend that you do not use the default IP address 10.0.1.1 for interface 1.

For an XTM 330, you must have Fireware XTM v11.5.2 or higher to use FireCluster. For an XTM 33, 25, or
26, you must have Fireware XTM v11.6.1 or higher. For XTMv you must have Fireware XTM v11.8.1 or
higher.

Switch and Router Requirements


Switch and router requirements depend on the type of FireCluster.
Active/Active or Active/Passive FireCluster
In any FireCluster, all active traffic interfaces must be connected to a separate switch or VLAN.
Active/Active FireCluster
For an active/active FireCluster, your configuration must also meet these requirements:
- All switches and routers in the broadcast domain must not block ARP requests if the response
contains a multicast MAC address.
  - This is the default behavior for most layer 2 switches.
  - For routers and layer 3 switches, the default behavior is to follow RFC 1812. If possible, disable
this behavior. If you are unable to block RFC 1812 support, you might need to configure static
MAC and static ARP entries on your routing device.
- All switches in the broadcast domain must be configured to forward traffic to all ports connected
to FireCluster members when the destination MAC address is the multicast MAC address of the
FireCluster.
  - For unmanaged layer 2 switches, this should be the default behavior.
  - For managed switches, you might need to add static MAC and static ARP entries for the
FireCluster.
- You might need to add the IP address and MAC address of each router or layer 3 switch in the
broadcast domain as a static ARP entry in the FireCluster configuration.

The default ARP behavior is described in RFC 1812, section 3.3.2.
To find the multicast MAC addresses for the FireCluster, select FireCluster > Configure.

To add static ARP entries:

1. Find the IP address and MAC address of your layer 3 switch.


2. In Policy Manager, select Network > ARP Entries.

Figure 3: Static ARP Entries dialog box

3. Add one static ARP entry for each switch that connects directly to your FireCluster.


FireCluster Pre-Configuration Checklist


When you're ready to set up a FireCluster, it can be helpful to run through this checklist to make sure
prerequisites have been met and you are ready to enable FireCluster:

_______ You have two identical Firebox or XTM devices with matching model numbers. These
        cannot be XTM 21, 22, 23, 21-W, 22-W, or 23-W.
_______ Both devices have the same version of Fireware XTM OS installed.
_______ Both Firebox or XTM devices have a Fireware XTM Pro upgrade license.
_______ You have a crossover cable (red) to connect the cluster interfaces.
_______ You know the serial numbers for each Firebox or XTM device:
        Member 1: __________________________________
        Member 2: __________________________________
_______ You have saved the feature keys for both devices to a local file.
_______ You have one switch or router for each active traffic interface.
_______ You have decided which interfaces and IP addresses to use for this FireCluster. Record
        these in the table below.

FireCluster interfaces and IP addresses:

                            Interface number    Member 1 IP Address    Member 2 IP Address
Primary Cluster Interface   ________________    ___________________    ___________________
Backup Cluster Interface    ________________    ___________________    ___________________
Management Interface        ________________    ___________________    ___________________

Note
Do not assign IP addresses in the range 10.0.0.1 - 10.0.13.254 to the primary or backup cluster
interfaces. This address range includes Firebox or XTM device default interface IP addresses and
cannot be used for the cluster interfaces.

For the FireCluster Management IP address, select an unused IP address on the same subnet as the
address assigned to the management interface. For example, if you select the trusted interface as the
management interface, choose two unused IP addresses from your trusted subnet to use as the
FireCluster management IP addresses. If you choose the External interface as the Interface for
management IP address, choose two unused external IP addresses on the same subnet as the External
interface IP address that you can dedicate to FireCluster management functions.
Note
If you set the Management IP addresses of a FireCluster member to an IP address that is not on the
same subnet as the IP address of the FireCluster management interface, make sure your network
configuration includes routes to allow the management software to communicate with FireCluster
members, and to allow the FireCluster members to communicate with each other.

Now you are ready to set up the FireCluster as described in Exercise 1.


Exercise 1: Set Up an Active/Passive Cluster

In this exercise you learn how to configure two Firebox or XTM devices as an active/passive FireCluster.
To complete this exercise, you must have:
- Two supported Firebox or XTM devices of the same model number.
- Fireware XTM v11.9 or higher installed on both devices.
- Fireware XTM Pro enabled in the feature key for both devices.
- Feature key for both devices saved locally in a file.
- A switch or router for each enabled network interface.

In this exercise, we refer to the members of the FireCluster as Member 1 and Member 2, because that is
how the FireCluster Setup wizard refers to them. Member 1 is the first device you configure. Member 2
is the second device that you add when you enable FireCluster. For the first part of this exercise,
Member 2 must be powered off.

Configure the External Interface to Use a Static IP Address


1. Make sure that Member 2 is powered off.
2. In WatchGuard System Manager, connect to Member 1.
3. Open Policy Manager.
4. Select Network > Configuration.
The Network Configuration dialog box appears.

5. In the Interfaces tab, select External (Interface 0). Click Configure.


The Interface Settings dialog box appears.

Figure 4: Configure interface 0 as an external interface with a static IP address

6. Make sure that the Interface Type is set to External.


7. Select Use Static IP.
8. In the IP Address text box, type 203.0.113.X/24.
Replace the X in the IP address with the student number your instructor gives you.
For example, if you are Student 10, the IP address you type is 203.0.113.10/24

9. In the Default Gateway text box, type the IP address of the default gateway. Click OK.


Configure the Trusted Interface


1. In the Interfaces tab, select Trusted (Interface 1). Click Configure.
The Interface Settings dialog box appears.

2. Make sure the Interface Type is set to Trusted.


3. In the IP Address text box, type 10.0.X.1/24.
Replace the X in the IP address with the student number your instructor gives you.
Note
It is important that you do not use the default IP address, 10.0.1.1, for interface 1, because that
would create a temporary IP address conflict with the second device before the cluster is formed.

4. In the DHCP Address Pool list, configure the address range 10.0.X.2 - 10.0.X.100.

We set the IP address range here, so that we can identify an address outside of this range to use for
the Management IP address.

Figure 5: DHCP Server address pool configuration for student 10

5. Click OK.


Disable Unused Network Interfaces


In this exercise, we assume there is only one trusted network, connected to Interface 1. Before we can
enable FireCluster, we need to disable all the other unused interfaces. This is an important step,
because FireCluster monitors the link status of all enabled interfaces to determine whether to start
failover.

1. Select Network > Configuration.


The Network Configuration dialog box appears.

Figure 6: Interfaces configuration for student 10, with unused interfaces enabled

Because the external and trusted networks connect to interfaces 0 and 1, and there are no other
networks, all the other interfaces must be disabled.

2. If there are any unused interfaces enabled, select an unused interface and click Configure.


3. From the Interface Type drop-down list, select Disabled. Click OK.
Repeat this for all the other unused interfaces.

Figure 7: Interfaces configuration for student 10, with unused interfaces disabled

4. Save the configuration to the Firebox or XTM device.


Because you have changed the trusted IP address, you must use the new address, 10.0.X.1 to reconnect
to the device in WatchGuard System Manager.

Decide Which Interfaces and Interface Addresses to Use

Next, you must decide which interfaces and IP addresses to use for FireCluster. For this exercise, use
these interfaces and addresses:

                            Interface number    Member 1 IP Address    Member 2 IP Address
Primary Cluster Interface   6                   169.254.6.1/24         169.254.6.2/24
Backup Cluster Interface    5                   169.254.5.1/24         169.254.5.2/24
Management Interface        1                   10.0.X.101/24          10.0.X.102/24

Replace the X in the IP address with the student number your instructor gives you.


Connect the Cables


You are now ready to connect the cables.

Figure 8: Network configuration diagram for a FireCluster with two cluster interfaces

1. Make sure that Member 2 is powered off before you connect the cables.
2. Use a red cross-over cable to connect interface 6 on Member 1 to interface 6 on Member 2.
3. Use a red cross-over cable to connect interface 5 on Member 1 to interface 5 on Member 2.
4. Connect interface 0, the external interface of both devices, to a switch or router.
5. Connect interface 1, the trusted interface of both devices, to another switch or router.
6. Connect the management computer to the switch or router on the trusted network.


Run the FireCluster Setup Wizard


1. Connect to Member 1 with WatchGuard System Manager at 10.0.X.1.
2. Start Policy Manager.
3. Select FireCluster > Setup.
4. If Member 1 does not already have a feature key installed, the wizard prompts you to install it.
Click Yes to add the feature key.
The Firebox Feature Key dialog box appears.

5. In the Firebox Feature Key dialog box, click Import to import the feature key.
The Import Firebox Feature Key dialog box appears.

Figure 9: The Import Firebox Feature Key dialog box, after the feature key is imported

6. Copy the feature key for Member 1 from your local feature key file to the Import Firebox Feature
Key dialog box. Verify that the serial number in the feature key matches the serial number of the
Member 1 device.
7. Click OK.
The Firebox Feature Key dialog box appears, with the feature key added.

8. Click OK.
The FireCluster Setup Wizard welcome page appears.

9. Click Next to continue.


The first page of FireCluster global properties appears.


10. Select the cluster type.
For this exercise, select Active/Passive cluster.
If you select Active/Active cluster, you must also select the load balance method on this page.

Figure 10: Active/Passive cluster configuration for student 10

11. Set the Cluster ID to your student number.


If multiple FireClusters connect to the same network, each cluster must have a unique ID.

12. Click Next.


The FireCluster global properties page appears.

Figure 11: These global properties apply to both devices in the cluster


13. Find the Member 1 Primary and Backup cluster interface and Management IP address interface
from the table at the start of this exercise.
- From the Primary drop-down list, select interface 6.
- From the Backup drop-down list, select interface 5.
- From the Interface for management IP address drop-down list, select interface 1.
Up to this point, the wizard has asked for global cluster configuration settings that apply to the
cluster as a whole. In the next set of steps you configure properties that are unique to each cluster
member.
14. Click Next.
The Feature key page appears.

Figure 12: The feature key for the first FireCluster member


15. For the first member, you have already imported the feature key. Verify that the serial number in
this feature key matches the serial number for the device you are connected to. Click Next.
The Name and serial number page appears.

Figure 13: The FireCluster serial number is copied from the feature key

The wizard automatically gets the serial number from the feature key. The default member name
for the first device is Member1. For this exercise, do not edit the Member Name.

16. Click Next.


The Cluster interface IP addresses configuration page appears.

Figure 14: The cluster interface and management IP address configuration for the Member1 device


17. Type the cluster interface and management interface IP addresses for member 1 from the table at
the start of this exercise.
- For the Primary cluster interface IP address, type 169.254.6.1/24.
- For the Backup cluster interface IP address, type 169.254.5.1/24.
- For the IPv4 Management IP address, type 10.0.X.101/24.
Replace the X in the Management IP address with your student number.
18. Click Next.
The Add another cluster member page appears.

Figure 15: The wizard automatically asks if you want to configure another device

19. Select Yes to add another device. Click Next.


The Feature key page appears for the second device.

Figure 16: You must import the feature key for the second cluster member before you can continue


20. Click Import to add the feature key for the second cluster member.
The Import Firebox Feature Key dialog box appears.

21. Paste the feature key for the second device. Make sure the serial number matches. Click OK.
The feature key is added to the wizard.

22. Click Next.


The Name and serial number page appears.

Figure 17: The FireCluster serial number is pulled from the feature key

The wizard automatically gets the serial number from the feature key. The default member name
for the second device is Member2. For this exercise, do not edit the Member Name.


23. Click Next.


The cluster IP addresses page appears for Member 2.

Figure 18: The cluster interface and management IP address configuration for the Member2 device

24. Type the cluster interface and management interface IP addresses for Member 2 from the table at
the start of this exercise.
- For the Primary cluster interface IP address, type 169.254.6.2/24.
- For the Backup cluster interface IP address, type 169.254.5.2/24.
- For the IPv4 Management IP address, type 10.0.X.102/24.
Replace the X in the management IP address with your student number.


25. Click Next.


The Summary page appears.

Figure 19: The wizard summarizes all of the settings you configured

26. Review your FireCluster settings carefully.


In the Global Properties, make sure the interfaces match the interfaces you have connected and
that you have set a unique FireCluster ID.
In the Member Properties, check these things:
- The primary cluster IP addresses for both members are on the same subnet.
- The backup cluster IP addresses for both members are on the same subnet.
- The cluster IP addresses do not use addresses in the range 10.0.0.1 - 10.0.13.254.
- The management IP addresses for both devices are on the trusted network.

27. Click Next.


The wizard completion page appears.


28. Click Finish.


The FireCluster Configuration dialog box appears.

Figure 20: The FireCluster Configuration dialog box shows the settings you configured in the wizard

You can return to this dialog box at any time from Policy Manager. Select FireCluster > Configure.
From the FireCluster Configuration dialog box, you can enable or disable the FireCluster, or you
can review and change the configuration. There are three tabs:
- In the General tab you can see and configure the FireCluster global properties.
- In the Members tab you can see and configure the FireCluster member properties.
- In the Advanced tab you can see and configure FireCluster logging, notification, and
hardware monitoring settings.

29. Click OK to close the FireCluster configuration dialog box.


30. Select File > Save > To Firebox to save the configuration to the Firebox or XTM device.
The first device is now the cluster master. Now we can add the second device to the cluster.
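The review in step 26 can be scripted before you click Finish. This added example (not part of the training guide or WatchGuard's software) checks constructed member settings for student number 10 against the same four conditions, plus the unique cluster ID requirement; the trusted network and the reserved range are assumptions taken from the exercise values.

```python
import ipaddress

# Constructed sample values for student number X = 10 (not exported from a device).
TRUSTED_NETWORK = ipaddress.ip_network("10.0.10.0/24")
# Addresses the exercise says cluster interfaces must not use.
RESERVED_CLUSTER_RANGE = (ipaddress.ip_address("10.0.0.1"),
                          ipaddress.ip_address("10.0.13.254"))

MEMBERS = {
    "Member1": {"primary": "169.254.6.1/24", "backup": "169.254.5.1/24",
                "management": "10.0.10.101/24"},
    "Member2": {"primary": "169.254.6.2/24", "backup": "169.254.5.2/24",
                "management": "10.0.10.102/24"},
}


def in_reserved_range(addr):
    """True when addr falls inside the range the exercise reserves for the classroom."""
    lo, hi = RESERVED_CLUSTER_RANGE
    return lo <= addr <= hi


def check_cluster_addresses(members, trusted_network, cluster_id, used_cluster_ids=()):
    """Return a list of problems; an empty list means the settings pass the step 26 review."""
    problems = []
    if cluster_id in used_cluster_ids:
        problems.append(f"cluster ID {cluster_id} is already used on this network")
    ifaces = {name: {role: ipaddress.ip_interface(addr) for role, addr in cfg.items()}
              for name, cfg in members.items()}
    names = list(ifaces)
    if len(names) != 2:
        problems.append("a FireCluster needs exactly two members")
        return problems
    first, second = ifaces[names[0]], ifaces[names[1]]
    for role in ("primary", "backup"):
        # Both members' cluster interface addresses must share one subnet and differ.
        if first[role].network != second[role].network:
            problems.append(f"{role} cluster interface addresses are not on the same subnet")
        if first[role].ip == second[role].ip:
            problems.append(f"{role} cluster interface addresses are identical")
        for name in names:
            if in_reserved_range(ifaces[name][role].ip):
                problems.append(f"{name} {role} cluster IP {ifaces[name][role].ip} "
                                "is inside 10.0.0.1 - 10.0.13.254")
    for name in names:
        mgmt_ip = ifaces[name]["management"].ip
        if mgmt_ip not in trusted_network:
            problems.append(f"{name} management IP {mgmt_ip} is not on {trusted_network}")
    return problems
```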


Discover the Second Cluster Member


1. To start the device in safe mode, press and hold the down arrow button on the device front panel
while you power on the device. Release the button when you see the words Safe mode
starting on the LCD display.
In safe mode, the device starts with a default configuration.
2. In WatchGuard System Manager, connect to the cluster at 10.0.X.1, if you are not already
connected.
3. Click the Firebox System Manager icon to launch Firebox System Manager.

The cluster shows that one cluster member is the master, and the other member is inactive.

4. Select Tools > Cluster > Discover member.


5. Type the configuration passphrase.
6. Monitor the status of Member2 in Firebox System Manager.
The status appears in parentheses after the member name. It will change from (inactive) to (idle) to (backup
master).

Figure 21: An Active/Passive cluster is shown in Firebox System Manager as Active/Standby

You can see that this is an Active/Standby cluster, and that Member1 is the master.


Exercise 2:

Monitor Cluster Status

In this exercise, you learn how to use Firebox System Manager to monitor the cluster and cluster
member status.

Monitor the Cluster


1. In WatchGuard System Manager, connect to the cluster, if you are not already connected.
2. Click the Firebox System Manager icon to launch Firebox System Manager (FSM).

Figure 22: Firebox System Manager Cluster View

Notice that the Firebox System Manager title bar says (Cluster View). This means that you are
monitoring the cluster, rather than a specific cluster member. When you are in cluster view, the
detail section of the Front Panel tab does not show system uptime, because it is not the same for
both cluster members. Instead, you can see the uptime in the tree under each member.

3. Expand the Cluster section of the tree below the device.


You can see the status and configuration information for each cluster member.

4. Select the Status Report tab to see more detailed cluster status.
When FSM is in cluster view, the Status Report has a report section for each member.


Monitor a Cluster Member


Sometimes you want to connect to a specific cluster member to see more information about its status.
This can be useful if you need to troubleshoot a FireCluster issue.

1. In Firebox System Manager, select Tools > Cluster > Connect to Member.

Figure 23: The Connect to member dialog box

2. Select a cluster member to connect to. Click OK.


Another Firebox System Manager window opens, to monitor the cluster member.

Figure 24: Firebox System Manager view of a single cluster member

3. Expand the sections of the tree in the Front Panel to see status information for this device.


Exercise 3:

Test FireCluster Failover

In this exercise you trigger a failover, and learn what to expect to see while you monitor the cluster
during a failover.

Force a Failover from Firebox System Manager


One easy way to watch what happens during failover is to trigger a failover of the master from Firebox
System Manager.

1. Open Firebox System Manager to monitor the cluster.


2. Expand the cluster section of the tree in the Front Panel tab.
3. Select Tools > Cluster > Failover Master.

Figure 25: The Failover Master dialog box

4. Type the Configuration Passphrase.


5. Watch the status of the devices in Firebox System Manager.

Figure 26: Firebox System Manager cluster member status

The original cluster master fails over. The backup master becomes the master. The old cluster
master rejoins the cluster as the backup master.

Trigger a Failover Due to Link Status


Another way to trigger failover is to disconnect a network cable from the cluster master.

1. Disconnect the cable from interface 0 of the cluster master.


2. Monitor the cluster status in Firebox System Manager.
Failover initiates and the other member becomes the cluster master.

Notice that the interface status for Eth0 does not show a problem in cluster view. But if you connect to
the backup master, you can see the interface is disconnected.

Use the Backup Cluster Interface


1. Disconnect the primary cluster interface cable from interface 6.
2. Monitor the cluster status in Firebox System Manager.
The cluster continues to operate, because the cluster members can communicate over the backup cluster
interface, interface 5.


Trigger a Failover Due to Power Failure


We recommend that you connect your clustered devices to different power circuits. If the power is lost
to one device, the cluster can fail over to the other device.

1. Power off the cluster master.


The backup master becomes the cluster master. The other member has the status (inactive).

2. Power on the cluster master.


The second device status changes to (backup master).

Test Failover with Network Traffic


If your classroom environment enables you to connect to a server or the Internet over the external
network, you can repeat any of the above failover exercises while you browse the web or download a
file from a server, and see how the traffic is not interrupted when a failover occurs.

Use Leave/Join in Firebox System Manager


In Firebox System Manager, you can also use the Leave and Join commands to remove a configured
device from the cluster or re-add it. When a member leaves the cluster, it is still part of the cluster
configuration, but does not participate in the cluster. The other cluster member handles all traffic in the
cluster after the second member has left.
The Leave and Join commands are in the Tools > Cluster menu in Firebox System Manager. You use these
commands as part of the procedure to restore a FireCluster backup image. See the WatchGuard System
Manager Help for more information.

What You Have Learned


In this module, you learned how to:
- Understand the clustering requirements for your Firebox or XTM device
- Set up a FireCluster
- See status for a FireCluster
- Understand what happens when a FireCluster failover occurs
