Configure a Link Monitor Host

You can choose the method and frequency you want the Firebox to use to find the status of each WAN interface. If you do not configure a link monitor host, the Firebox pings the interface default gateway, usually the ISP (Internet Service Provider) modem or router, to find the interface status.

A ping to the default gateway is not a reliable test of Internet connectivity. If the ISP equipment beyond the modem cannot reach the Internet, but the default gateway still responds to a ping, the Firebox does not detect the interface as failed, because the gateway is the only test of connectivity. In some multi-WAN modes this can cause significant traffic loss, because the Firebox continues to send packets through a dead interface that appears available only because the connected modem or router answers pings.

Recommendations

WatchGuard recommends that you configure at least one link monitor host for each external interface. Select targets that have a record of high uptime, such as servers hosted by your ISP. If there is a remote site that is critical to your business operations, such as a credit card processing site or business partner, it might be worthwhile to ask the administrator at that site if there is a device that you can use as a monitoring target to verify connectivity to their site.

Identify a good ping link monitor target

  • To find a good link monitor target, run traceroute (tracert on Windows) to an external IP address to locate a ping target beyond the modem or router, on the ISP network, preferably two to three hops out. The DNS servers provided by your ISP might work well for this.
  • Ping an IP address, not a domain name. A ping to a domain name requires DNS, so a problem with the DNS server can cause a false indication of interface failure.
  • Specify a different link monitor host for each external interface. If you specify the same IP address or domain name for all external interfaces, a failure of that single remote host causes the Firebox to mark all of your external interfaces as failed at the same time.
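The selection rules above can be checked mechanically before the targets are entered on the Firebox. The following is an added example, not WatchGuard code: it parses traceroute output, lists the hops beyond the default gateway (hop 1) in the two-to-four hop range as candidates, and then validates a proposed per-interface assignment against the three rules (IP literal rather than a name, not the interface's own gateway, not shared with another interface). The traceroute output and the interface names, gateways and targets are constructed sample data, not real infrastructure.

```python
"""Pick link monitor candidates from traceroute output and sanity-check a
per-interface assignment against the recommendations on this page."""
import ipaddress
import re
from typing import Dict, List

# Constructed sample traceroute output (documentation addresses, not real hops).
SAMPLE_TRACEROUTE = """\
traceroute to 8.8.8.8 (8.8.8.8), 30 hops max, 60 byte packets
 1  192.168.1.1 (192.168.1.1)  1.021 ms  0.915 ms  0.889 ms
 2  10.20.0.1 (10.20.0.1)  9.412 ms  9.305 ms  9.287 ms
 3  203.0.113.17 (203.0.113.17)  11.022 ms  10.981 ms  10.944 ms
 4  198.51.100.9 (198.51.100.9)  14.201 ms  14.118 ms  14.056 ms
 5  * * *
 6  8.8.8.8 (8.8.8.8)  18.330 ms  18.271 ms  18.244 ms
"""

# Matches "<hop>  <name-or-ip> (<ip>)"; lines of "* * *" do not match and are skipped.
HOP_RE = re.compile(r"^\s*(\d+)\s+(\S+)\s+\((\d+\.\d+\.\d+\.\d+)\)")


def parse_hops(text: str) -> Dict[int, str]:
    """Return {hop_number: ip} for every hop that answered."""
    hops: Dict[int, str] = {}
    for line in text.splitlines():
        m = HOP_RE.match(line)
        if m:
            hops[int(m.group(1))] = m.group(3)
    return hops


def candidate_targets(text: str, min_hop: int = 2, max_hop: int = 4) -> List[str]:
    """Hops beyond the default gateway (hop 1) that answered, in the
    two-to-four hop window the page suggests, in hop order."""
    hops = parse_hops(text)
    return [hops[n] for n in range(min_hop, max_hop + 1) if n in hops]


def check_assignment(assignment: Dict[str, Dict[str, str]]) -> List[str]:
    """assignment maps interface -> {"gateway": ip, "target": ip-or-name}.
    Returns human-readable problems; an empty list means the assignment
    follows the rules above."""
    problems: List[str] = []
    seen: Dict[str, str] = {}  # target -> first interface that used it
    for iface, cfg in assignment.items():
        target = cfg["target"]
        try:
            ipaddress.ip_address(target)
        except ValueError:
            problems.append(
                f"{iface}: target {target!r} is a name, not an IP; "
                "a DNS outage would look like a link failure")
            continue
        if target == cfg["gateway"]:
            problems.append(
                f"{iface}: target is the default gateway, which only proves "
                "the modem or router answers, not that the Internet is reachable")
        if target in seen:
            problems.append(
                f"{iface}: target {target} is also used on {seen[target]}; "
                "one remote outage would fail both interfaces")
        else:
            seen[target] = iface
    return problems


if __name__ == "__main__":
    print("candidates beyond the gateway:", candidate_targets(SAMPLE_TRACEROUTE))
    # Constructed assignment that violates each rule once.
    proposed = {
        "eth0": {"gateway": "192.168.1.1", "target": "203.0.113.17"},
        "eth1": {"gateway": "192.168.2.1", "target": "dns.example.net"},
        "eth2": {"gateway": "172.16.0.1", "target": "203.0.113.17"},
        "eth3": {"gateway": "10.0.0.1", "target": "10.0.0.1"},
    }
    for problem in check_assignment(proposed):
        print("problem:", problem)
```

Run the script once per external interface (each traceroute must leave through the interface being configured, for example by temporarily forcing its route or running it from a host behind that link) and feed the chosen targets to check_assignment before committing them to the Firebox configuration.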

Select a TCP link monitor target carefully

  • Do not specify a TCP link monitor target unless the company that hosts the target agrees. If you specify TCP to monitor a link to a remote host, the company that manages the remote host might block traffic from the Firebox because it considers the idle TCP connections a possible scan or attack.

If you specify a domain name for a ping or TCP link monitor target, and the external interface is configured with a static IP address, you must configure a DNS server. The DNS server resolves the domain name of your link monitor target. You do not have to configure a DNS server if the external interfaces are configured for DHCP or PPPoE. For more information, see Add WINS and DNS Server Addresses.

About the Route Table Update Interval

If a link monitor host stops responding, it can take 40 to 60 seconds for the Firebox to update the route table. When the same link monitor host starts to respond again, it can take 1 to 60 seconds for the Firebox to update the route table.

The update process is much faster when your Firebox detects a physical disconnect of the Ethernet port. When this happens, the Firebox updates the route table immediately. When your Firebox detects the Ethernet connection is established again, it updates the route table within 20 seconds.

Define a Link Monitor Host

See Also

Read the Firebox Route Tables
