Sample Routing Configurations for Cloud-Managed Fireboxes
Applies To: Cloud-managed Fireboxes
This document applies to Fireboxes you manage in WatchGuard Cloud. For information that applies to Fireboxes managed in Fireware Web UI or WatchGuard System Manager, go to Sample BGP Routing Configuration File (FRR).
Overview
To use the dynamic routing protocol with a cloud-managed Firebox, you must type configuration commands into the Routes > Dynamic Routing tab. This topic includes sample configurations. To use these configurations as a starting point for your configuration, copy the text into a text editor application and edit the parameters to meet your business requirements.
Configure BGP for ECMP and Multi-Path Routing
This section explains how to configure the Border Gateway Protocol (BGP) to support Equal-Cost Multi-Path (ECMP) routing. With ECMP enabled, traffic is distributed across multiple paths that share the same routing cost. Because routers can use multiple BGP routes to the same destination simultaneously, this approach improves network performance, redundancy, and load balancing.
To participate in BGP with an ISP, you must have a public Autonomous System (AS) number. For internal BGP between private networks, use a private AS number. For more information, go to About Border Gateway Protocol (BGP). You can configure dynamic routing with BGP for both IPv4 and IPv6 networks.
To configure BGP for ECMP and multi-path routing, from WatchGuard Cloud:
- Select Configure > Devices.
- Select the cloud-managed Firebox.
- Click Device Configuration.
- In the Networking section, click the Routes widget.
The Routes page opens.
- Select the Dynamic Routing tab.
- Enable the BGP dynamic routing protocol.
The Routing Commands text box opens.
- In the Routing Commands text box, paste the text from your routing daemon configuration file. To get started, your BGP configuration file only needs three commands. These commands initiate the BGP process, establish a peer relationship with your ISP, and define a route that directs network traffic to the Internet.
Use the commands in this order:
router bgp
    BGP autonomous system number supplied by your ISP.
no bgp ebgp-requires-policy
    Advertisement of routes not present in the Interior Gateway Protocol (IGP).
no bgp network import-check
    Advertisement of routes not present in the IGP.
maximum-paths
    Number of paths BGP can install in the routing table.
neighbor
    <IP address of neighboring BGP router> remote-as <BGP autonomous number>.
neighbor
    <IP address of neighboring BGP router> activate.
network
    Network IP address that you want to advertise a route to from the Internet.
    The network and redistribute commands are under the address-family section.
To enable ECMP (Equal-Cost Multi-Path) across BGP routes that differ in AS-path but are otherwise equally preferred, use the command bgp bestpath as-path multipath-relax. This relaxes the default AS-path verification, allowing BGP to install multiple paths for the same prefix even when AS-paths are different, improving load balancing across multiple upstream peers.
For example:
! Start BGP.
router bgp 10001
! Disable eBGP policy requirement and permit advertisement of routes.
no bgp ebgp-requires-policy
no bgp network import-check
! Set the maximum path value.
maximum-paths 2
! Configure the first neighbor.
neighbor 198.51.100.253 remote-as 7224
neighbor 198.51.100.253 activate
neighbor 198.51.100.253 timers 10 30
! Configure the second neighbor.
neighbor 198.51.100.161 remote-as 7224
neighbor 198.51.100.161 activate
! Advertise the local network.
network 10.0.1.0/24
! Exit BGP mode.
exit
- (Optional) To validate the configuration of a dynamic routing protocol, click Validate. For more information, go to Validate a Dynamic Routing Configuration.
- Click Save.
For configuration changes to take effect on a cloud-managed Firebox, you must deploy the configuration update to the Firebox. For more information, go to Manage Device Configuration Deployment for Fireboxes.
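A check you can run on the routing commands before you paste them, as an added example that is not WatchGuard code. It flags commands fused onto one line, route-maps that are referenced but never defined, and neighbors left without an inbound or outbound filter once no bgp ebgp-requires-policy is set. The function name, finding codes and sample input are constructed for illustration, and the filter check assumes FRR semantics for that command.

```python
import re

# Constructed input: commands in the style of this page, with two neighbor
# statements fused onto one line and a route-map that is never defined.
SAMPLE = """\
router bgp 10001
no bgp ebgp-requires-policy
neighbor 198.51.100.253 remote-as 7224neighbor 198.51.100.253 activate
neighbor 198.51.100.161 remote-as 7224
neighbor 198.51.100.161 activate
neighbor 198.51.100.161 route-map PREPEND out
network 10.0.1.0/24
"""
FILTERS = {"route-map", "prefix-list", "filter-list", "distribute-list"}

def lint_bgp(text):
    """Return (code, detail) findings for a block of BGP routing commands."""
    findings, peers, used, defined = [], {}, set(), set()
    policy_off = False
    for num, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("!"):
            continue
        # A keyword glued to the previous token means two commands on one line.
        if re.search(r"\S(?:neighbor|network|router|maximum-paths) ", line):
            findings.append(("fused-line", f"line {num}"))
            continue
        if line == "no bgp ebgp-requires-policy":
            policy_off = True
        m = re.match(r"route-map (\S+) (?:permit|deny) \d+$", line)
        if m:
            defined.add(m.group(1))
        m = re.match(r"neighbor (\S+) (\S+)(.*)$", line)
        if m:
            peer, keyword, args = m.group(1), m.group(2), m.group(3).split()
            opts = peers.setdefault(peer, set())
            opts.add(keyword)
            if keyword in FILTERS and len(args) == 2 and args[1] in ("in", "out"):
                opts.add(args[1])  # record which direction is filtered
                if keyword == "route-map":
                    used.add(args[0])
    for peer, opts in sorted(peers.items()):
        if "remote-as" not in opts:
            findings.append(("no-remote-as", peer))
        # Policy requirement off: an unfiltered direction exchanges every route.
        for direction in ("in", "out"):
            if policy_off and direction not in opts:
                findings.append((f"unfiltered-{direction}", peer))
    return findings + [("undefined-route-map", n) for n in sorted(used - defined)]
```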
Configure BGP Failover that Uses Weight and AS Path Prepending
This section describes how to set up a BGP failover strategy that uses a combination of local preference (weight) and AS path prepending to influence route selection both within your network and across remote networks.
To participate in BGP with an ISP, you must have a public Autonomous System (AS) number. For internal BGP between private networks, use a private AS number. For more information, go to About Border Gateway Protocol (BGP). You can configure dynamic routing with BGP for both IPv4 and IPv6 networks.
To configure BGP for failover with weight and AS path prepending, from WatchGuard Cloud:
- Select Configure > Devices.
- Select the cloud-managed Firebox.
- Click Device Configuration.
- In the Networking section, click the Routes widget.
The Routes page opens.
- Select the Dynamic Routing tab.
- Enable the BGP dynamic routing protocol.
The Routing Commands text box opens.
- In the Routing Commands text box, paste the text from your routing daemon configuration file. To get started, your BGP configuration file only needs three commands. These commands initiate the BGP process, establish a peer relationship with your ISP, and define a route that directs network traffic to the Internet.
Use the commands in this order:
router bgp
    BGP autonomous system number supplied by your ISP.
no bgp ebgp-requires-policy
    Advertisement of routes not present in the IGP.
no bgp network import-check
    Advertisement of routes not present in the IGP.
neighbor
    <IP address of neighboring BGP router> remote-as <BGP autonomous number>.
neighbor
    <IP address of neighboring BGP router> activate.
network
    Network IP address that you want to advertise a route to from the Internet.
    The network and redistribute commands are under the address-family section.
route-map
    <IP address of neighboring BGP router> activate.
set as-path prepend
    Control route selection and advertisement.
For example:
! Start BGP.
router bgp 10001
! Disable eBGP policy requirement and permit advertisement of routes.
no bgp ebgp-requires-policy
no bgp network import-check
! Configure the first neighbor as the primary route path with the highest weight.
neighbor 198.51.100.253 remote-as 7224
neighbor 198.51.100.253 activate
neighbor 198.51.100.253 timers 10 30
neighbor 198.51.100.253 weight 2000
! Configure the second neighbor as the backup route path with a lower weight.
neighbor 198.51.99.161 remote-as 7224
neighbor 198.51.99.161 activate
neighbor 198.51.99.161 timers 10 30
neighbor 198.51.99.161 weight 1000
! Apply a route-map to increase the length of the AS path from prepending.
neighbor 198.51.99.161 route-map PREPEND out
! Advertise the local network.
network 10.0.1.0/24
! Prepend the AS path three additional times to the existing AS path.
route-map PREPEND permit 10
set as-path prepend 10001 10001 10001
! Exit BGP mode.
exit
- (Optional) To validate the configuration of a dynamic routing protocol, click Validate. For more information, go to Validate a Dynamic Routing Configuration.
- Click Save.
For configuration changes to take effect on a cloud-managed Firebox, you must deploy the configuration update to the Firebox. For more information, go to Manage Device Configuration Deployment for Fireboxes.
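A simplified model of how the two samples on this page steer traffic, as an added example that is not WatchGuard code. Weight decides which neighbor the Firebox itself prefers, the prepended AS path decides which link AS 7224 prefers for 10.0.1.0/24, and maximum-paths installs several paths only when they tie. The decision process is reduced to weight and AS-path length, the function names are constructed, and AS 64500 and 64501 in the usage are documentation-range values.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Path:
    via: str          # neighbor address that identifies the link
    as_path: tuple    # AS numbers as received, nearest AS first
    weight: int = 0   # local to the receiving router, never advertised

def best(paths):
    """Simplified best path: highest weight, then shortest AS path."""
    return min(paths, key=lambda p: (-p.weight, len(p.as_path)))

def installed(paths, maximum_paths=1, relax=False):
    """Paths installed together under maximum-paths (ECMP)."""
    top = best(paths)
    # Candidates must tie with the best path; without multipath-relax the
    # AS path must also be identical, not just the same length.
    tied = [p for p in paths
            if p.weight == top.weight and len(p.as_path) == len(top.as_path)
            and (relax or p.as_path == top.as_path)]
    return tied[:maximum_paths]

PRIMARY, BACKUP, LOCAL_AS = "198.51.100.253", "198.51.99.161", 10001

def firebox_view(primary_up=True):
    """Outbound: routes the Firebox learns from AS 7224, with the page's weights."""
    paths = [Path(BACKUP, (7224,), weight=1000)]
    if primary_up:
        paths.append(Path(PRIMARY, (7224,), weight=2000))
    return best(paths).via

def upstream_view(primary_up=True):
    """Inbound: 10.0.1.0/24 as AS 7224 receives it on each link."""
    prepend = (LOCAL_AS,) * 3                      # route-map PREPEND out
    paths = [Path(BACKUP, prepend + (LOCAL_AS,))]  # own AS is added on send
    if primary_up:
        paths.append(Path(PRIMARY, (LOCAL_AS,)))
    return best(paths).via
```

Calling installed() with two Path objects of equal weight and the same AS path and maximum_paths=2 returns both; give them different AS paths of the same length and both are returned only with relax=True.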