About Multi-WAN Methods
When you configure multiple external interfaces, you have several options to control which interface an outgoing packet uses.
XTM 2 Series devices without the Pro upgrade, and all Firebox T10 devices cannot use any of the multi-WAN methods except modem failover. All other Fireboxes without the Pro upgrade cannot use the weighted round robin or interface overflow multi-WAN methods.
If you use Dynamic Routing, you can use either the Routing Table or Round-Robin multi-WAN method. For information about how to select which method to use, see Multi-WAN Methods and Dynamic Routing.
When you configure multi-WAN with the Routing Table option, the Firebox looks at its internal route table to check for specific static or dynamic routing information for each connection. The route table includes static routes that you configure on the device. If you use dynamic routing, the route table includes dynamic routes.
To see whether a specific route exists for a packet’s destination, the Firebox examines its route table from the top to the bottom of the list of routes. The list is sorted by metric, from lowest to highest cost. You can see the list of routes in the route table on the Status tab of Firebox System Manager. The Routing Table option is selected by default.
If no specified route is found, the Firebox selects the route to use based on source and destination IP hash values of the packet, using the ECMP (Equal Cost Multipath Protocol) algorithm specified in RFC2992.
ECMP is an algorithm for routing packets to destinations when there are multiple next-hop paths of equal cost. The Routing Table multi-WAN method uses ECMP to evenly distribute outgoing traffic across multiple external interfaces based on source and destination IP addresses, and based on the number of connections that go through each external interface. The ECMP algorithm does not consider current traffic load.
For more information, see Configure the Routing Table Multi-WAN Method.
When you configure multi-WAN with the Round-Robin option, the Firebox looks at its internal route table to check for specific static or dynamic routing information for each connection. The route table includes static routes that you configure on the device. If you use dynamic routing, the route table includes dynamic routes.
To see whether a specific route exists for a packet’s destination, the Firebox examines its route table from the top to the bottom of the list of routes. The list is sorted by metric, from lowest to highest cost. You can see the list of routes in the route table on the Status tab of Firebox System Manager.
If no specified route is found, the Firebox distributes the traffic load among its external interfaces. The Firebox uses the average of sent (TX) and received (RX) traffic to balance the traffic load across all external interfaces you specify in your round-robin configuration.
If you have Fireware with a Pro upgrade, you can assign a weight to each interface used in your round-robin configuration. By default and for all Firebox users, each interface has a weight of 1. The weight refers to the proportion of load that the Firebox sends through an interface. If you have Fireware Pro and you assign a weight of 2 to an interface, you double the portion of traffic that will go through that interface compared to an interface with a weight of 1.
As an example, if you have three external interfaces with 6M, 1.5M, and .075M bandwidth and want to balance traffic across all three interfaces, you would use 8, 2, and 1 as the weights for the three interfaces. Your Firebox will try to distribute connections so that 8/11, 2/11, and 1/11 of the total traffic flows through each of the three interfaces.
For more information, see Configure the Round-Robin Multi-WAN Method.
When you use the Interface Overflow multi-WAN configuration method, you select the order you want the Firebox to send traffic through external interfaces and configure each interface with a bandwidth threshold value. The Firebox starts to send traffic through the first external interface in its Interface Overflow configuration list. When the traffic through that interface reaches the bandwidth threshold you have set for that interface, the Firebox starts to send traffic to the next external interface you have configured in your Interface Overflow configuration list.
This multi-WAN configuration method allows the amount of traffic sent over each WAN interface to be restricted to a specified bandwidth limit. To determine bandwidth, the Firebox examines the amount of sent (TX) and received (RX) packets and uses the higher number. When you configure the interface bandwidth threshold for each interface, you must consider the needs of your network for this interface and set the threshold value based on these needs. For example, if your ISP is asymmetrical and you set your bandwidth threshold based on a large TX rate, interface overflow will not be triggered by a high RX rate.
If all WAN interfaces have reached their bandwidth limit, the Firebox uses the ECMP (Equal Cost Multi-Path Protocol) routing algorithm to find the best path.
For more information, see Configure the Interface Overflow Multi-WAN Method.
When you use the failover method to route traffic through the Firebox external interfaces, you select one external interface to be the primary external interface. Other external interfaces are backup interfaces, and you set the order for the Firebox to use the backup interfaces. The Firebox monitors the primary external interface. If it goes down, the Firebox sends all traffic to the next external interface in its configuration. While the Firebox sends all traffic to the backup interface, it continues to monitor the primary external interface. When the primary interface is active again, the Firebox immediately starts to send all new connections through the primary external interface again.
You control the action for the Firebox to take for existing connections; these connections can failback immediately, or continue to use the backup interface until the connection is complete. Multi-WAN failover and FireCluster are configured separately. Multi-WAN failover caused by a failed connection to a link monitor host does not trigger FireCluster failover. FireCluster failover occurs only when the physical interface is down or does not respond. FireCluster failover takes precedence over multi-WAN failover.
For more information, see Configure the Failover Multi-WAN Method.
On a Firebox T10, T30, T50, M200, M300, M400, M500, XTM 2 Series, 3 Series, or 5 Series device, you can connect an external modem to the USB port and use that connection for failover when all other external interfaces are inactive. For more information, see Configure Modem Failover.