You can configure your Firebox to create redundant connections to the external network. This is a helpful option if you must have a constant Internet connection. With the multi-WAN feature, you can configure multiple external interfaces, each on a different subnet. This allows you to connect your Firebox to more than one Internet Service Provider (ISP). When you configure a second interface, the multi-WAN feature is automatically enabled.
Multi-WAN Requirements and Conditions
You must have a second Internet connection and more than one external interface to use most multi-WAN configuration options.
Conditions and requirements for multi-WAN use include:
- If you have a policy configured with an individual external interface alias in its configuration, you must change the configuration to use the alias Any-External, or another alias you configure for external interfaces. If you do not do this, some connections could be denied by your firewall policies.
- Multi-WAN settings do not apply to incoming connections. When you configure a policy for inbound connections, you can ignore all multi-WAN settings.
- Map your company’s Fully Qualified Domain Name to the IP address of the lowest-ordered external interface. If you add a multi-WAN Firebox to your Management Server configuration, you must use the lowest-ordered external interface to identify it when you add the device.
- To use multi-WAN, you must use mixed routing mode for your network configuration. This feature does not operate in drop-in or bridge mode network configurations.
- To use the Interface Overflow method, you must have Fireware XTM with a Pro upgrade. You must also have a Fireware XTM Pro license if you use the Round-robin method and configure different weights for the Firebox external interfaces.
- To use multi-WAN options other than modem failover on an XTM 2 Series device, you must have Fireware XTM with a Pro upgrade.
- Multi-WAN options other than modem failover are not supported on Firebox T10 devices.
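The first condition above can be checked offline before you enable a second external interface. The following is an added example, not WatchGuard code and not the Firebox configuration format: the interface names, custom aliases and policy list are constructed sample data, and it goes slightly beyond the text by also resolving user-defined aliases that contain only one external interface.

```python
# Constructed sample data: this is NOT the Firebox configuration format.
EXTERNAL_INTERFACES = {"External-1", "External-2"}   # hypothetical interface aliases
CUSTOM_ALIASES = {                                    # hypothetical user-defined aliases
    "All-WANs": {"External-1", "External-2"},
    "Primary-WAN": {"External-1"},
    "Branch-Nets": {"10.0.50.0/24"},
}
POLICIES = [                                          # hypothetical policies
    {"name": "HTTPS-out", "from": ["Any-Trusted"], "to": ["Any-External"]},
    {"name": "SMTP-out", "from": ["Any-Trusted"], "to": ["External-1"]},
    {"name": "FTP-out", "from": ["Any-Trusted"], "to": ["Primary-WAN"]},
    {"name": "NTP-out", "from": ["Any-Trusted"], "to": ["All-WANs"]},
    {"name": "Branch", "from": ["Any-Trusted"], "to": ["Branch-Nets"]},
]


def externals_behind(alias, custom_aliases, externals):
    """Return the set of external interfaces that an alias resolves to."""
    if alias == "Any-External":
        return set(externals)
    if alias in externals:
        return {alias}
    # Custom aliases may mix interfaces and networks; keep only the interfaces.
    return custom_aliases.get(alias, set()) & externals


def audit_policies(policies, custom_aliases, externals):
    """Return (policy, field, alias) for each entry tied to one external interface."""
    findings = []
    if len(externals) < 2:
        return findings  # with a single external interface there is nothing to flag
    for policy in policies:
        for field in ("from", "to"):
            for alias in policy[field]:
                covered = externals_behind(alias, custom_aliases, externals)
                # An entry that resolves to exactly one external interface can
                # stop matching when connections use the other interface.
                if len(covered) == 1:
                    findings.append((policy["name"], field, alias))
    return findings


if __name__ == "__main__":
    for name, field, alias in audit_policies(POLICIES, CUSTOM_ALIASES, EXTERNAL_INTERFACES):
        print(f"{name}: '{field}' uses '{alias}'; use Any-External or a multi-interface alias")
```
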
You can use one of four multi-WAN configuration options to manage your network connections.
For more information on each option, see About Multi-WAN Methods.
When you enable multi-WAN, the Firebox monitors the status of each external interface. Make sure that you define a link monitor host for each interface. We recommend that you configure two link targets for each interface.
For more information, see Configure a Link Monitor Host.
Multi-WAN and Participating Interfaces
In the multi-WAN configuration you can select which external interfaces participate in multi-WAN. You must select at least two interfaces to participate in multi-WAN. If all interfaces selected in the multi-WAN configuration are down, the Firebox routes outbound connections through the non-participating external interface that has the lowest routing metric.
Multi-WAN and Policy-Based Routing
After you configure multiple external interfaces, you can create policies that send outgoing connections to a specific external interface. The policy-based routing settings in a policy override the settings in the multi-WAN configuration for connections that the policy applies to.
Multi-WAN and DNS
Make sure that your DNS server can be reached through every WAN. Otherwise, you must modify your DNS policies such that:
- The From list includes Firebox.
- The Use policy-based routing check box is selected.
If only one WAN can reach the DNS server, select that interface in the adjacent drop-down list.
If more than one WAN can reach the DNS server, select any one of them, select Failover, select Configure, and select all the interfaces that can reach the DNS server. The order does not matter.
You must have Fireware XTM with a Pro upgrade to use policy-based routing.
Multi-WAN and FireCluster
You can use multi-WAN failover with the FireCluster feature, but they are configured separately. Multi-WAN failover caused by a failed connection to a link monitor host does not trigger FireCluster failover. FireCluster failover occurs only when the physical interface is down or does not respond. FireCluster failover takes precedence over multi-WAN failover.