About Link Monitor

To monitor the status of interfaces on your Firebox, you can enable Link Monitor. When you configure Link Monitor for an interface, you specify one or more Link Monitor targets, which are remote hosts beyond your network perimeter. The Firebox sends traffic through the interface to a Link Monitor target to verify connectivity. If a Link Monitor target does not respond, the Firebox considers the interface to be inactive.

The interface status is used by multi-WAN and SD-WAN on the Firebox:

  • For multi-WAN in failover mode, if the primary interface is inactive, traffic fails over to a different interface.
  • For all other multi-WAN modes, if the primary interface is inactive, that interface is no longer available as a multi-WAN interface.
  • In an SD-WAN configuration with more than one interface, if the preferred interface is inactive, traffic fails over to a different interface.

In Fireware v12.2.1 or lower, Link Monitor settings appear in the multi-WAN configuration, and you must enable multi-WAN to configure Link Monitor targets. You can configure up to two Link Monitor targets for an interface. To configure Link Monitor targets in Fireware v12.2.1 or lower, see Configure Link Monitor in Fireware v12.1 to v12.2.1 and Configure Modem Failover and Link Monitor in Fireware v12.0.2 or lower in the WatchGuard Knowledge Base.

Supported Interfaces

You can add these types of interfaces to Link Monitor:

External interfaces

In Fireware v12.4 or higher, to monitor an external interface, you must manually add it to Link Monitor. When you add an external interface to Link Monitor, the target is the default gateway, which is the next hop after the Firebox. For meaningful operational data, we recommend that you replace the default gateway target with a different Link Monitor target that is farther upstream. For information about how to choose a Link Monitor target, see Recommendations for Targets.

To configure metric-based SD-WAN routing for external interfaces, you must configure Link Monitor targets for those interfaces.

If your Firebox has only one external interface, you can add the interface to Link Monitor in Fireware v12.3 or higher (Web UI) or Fireware v12.4 or higher (Policy Manager and Web UI). In Fireware v12.2.1 or lower, you cannot enable Link Monitor for only one interface.

If an external interface is a member of a FireCluster configuration, a multi-WAN failover caused by a failed connection to a Link Monitor host does not trigger FireCluster failover. FireCluster failover occurs only when the physical interface is down or does not respond.

External interfaces include modems.

Internal interfaces (Fireware v12.4 or higher)

An internal interface is a Trusted, Optional, or Custom interface. To monitor an internal interface, you must manually add it to Link Monitor.

When you add an internal interface to Link Monitor, you must add either a next hop IP address or a custom target before you can use the interface in an SD-WAN action. We recommend that you specify a next hop IP address. The next hop IP address tells the Firebox how to route Link Monitor traffic and SD-WAN traffic for the interface. If you do not specify a next hop IP address, the Firebox routing table is used to route traffic.

If you add a next hop IP address, a ping target to the next hop IP address is automatically added. You can keep this target or add a custom ping, TCP, or DNS target to a different host.

If you add an internal interface to Link Monitor, but you do not specify a next hop IP address or custom target, you cannot add the interface to an SD-WAN action.

BOVPN virtual interfaces (Fireware v12.4 or higher)

To add a BOVPN virtual interface to Link Monitor, you must first configure a virtual peer IP address in the BOVPN virtual interface settings. You must specify a peer IP address, not a netmask. Next, you must manually add the interface to Link Monitor.

When you add a BOVPN virtual interface to Link Monitor, the Firebox automatically adds a ping target to the IP address of the peer. You cannot edit or remove this target.

Supported Targets

Link Monitor supports these types of targets:

  • Ping — Pings an IP address or domain name
  • TCP — Sends TCP probes to an IP address or domain name, and a port number
  • DNS — Queries the IP address of a DNS server for the specified domain name (Fireware v12.3 or higher)

In Fireware v12.3 or higher, you can configure up to three Link Monitor targets for an interface. Targets can be the same type or a combination of types. For example, you can configure three ping targets for an interface. Or, you can configure a ping target, a TCP target, and a DNS target for an interface.

Recommendations for Targets

To make sure traffic fails over to a different interface when network issues occur, we recommend that you:

  • Configure at least two Link Monitor targets for each external interface.
  • Select an effective Link Monitor target. In most cases, we recommend that you select a Link Monitor target other than the default gateway.
  • Select targets that have a record of high uptime, such as servers hosted by your ISP.
  • Specify a different Link Monitor host for each external interface.

If you enable Link Monitor for an interface but do not configure a custom Link Monitor target, the Firebox pings the interface default gateway to find the interface status. The default gateway is usually the Internet Service Provider (ISP) modem or router. The default gateway is not a reliable target for these reasons:

  • If ISP equipment just beyond the modem cannot connect to the Internet, but the default gateway still responds to a ping, the Firebox does not detect the interface as inactive. This occurs because the gateway is the only test of connectivity. In some multi-WAN modes, this can cause traffic loss because the Firebox continues to send packets through an inactive interface that appears active because the connected modem or router responds to a ping.
  • Some ISP equipment might be configured to not respond to a ping.

Recommendations for ping targets

  • To find a good Link Monitor target, you can run the traceroute command (tracert in Windows) to an external IP address. We recommend a ping target on the ISP network that is two or three hops beyond the modem or router. The DNS servers provided by your ISP might work well.
  • If a remote site is critical to your business operations, such as a credit card processing site or business partner, ask the site administrator if you can monitor a device at the site to verify connectivity.
  • Ping an IP address, not a domain name. A ping to a domain name requires DNS. A DNS server issue can cause a false indication of interface failure.
  • Specify a different Link Monitor host for each external interface. If you specify the same IP address or domain name for all external interfaces, a failure of that remote host causes all of your external interfaces to fail.
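The following script is an added example, not WatchGuard code, that applies the ping-target recommendations above: it parses the output of traceroute (or Windows tracert), keeps only the hops that answered, proposes the hops two and three beyond the default gateway as ping targets (as IP addresses, not names), and checks that no target is shared between external interfaces. The traceroute output, interface names, and function names are constructed for this example and use documentation address ranges.

```python
"""Pick candidate Link Monitor ping targets from traceroute output.

Added example, not WatchGuard code. The sample output below is
constructed; the function names are assumptions made for this example.
"""
import re
from typing import Dict, List, Optional, Tuple

IPV4 = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")
HOP_LINE = re.compile(r"^\s*(\d+)\s+(.*)$")

# Constructed Linux traceroute output as seen from the first external interface.
TRACEROUTE_ETH0 = """\
traceroute to 198.51.100.10 (198.51.100.10), 30 hops max, 60 byte packets
 1  192.0.2.1 (192.0.2.1)  1.012 ms  0.987 ms  0.970 ms
 2  203.0.113.1 (203.0.113.1)  9.123 ms  9.001 ms  8.876 ms
 3  203.0.113.17 (203.0.113.17)  12.345 ms  12.100 ms  12.011 ms
 4  * * *
 5  198.51.100.10 (198.51.100.10)  20.001 ms  19.876 ms  19.900 ms
"""

# Constructed Windows tracert output as seen from the second external interface.
TRACERT_ETH1 = """\
Tracing route to 192.0.2.200 over a maximum of 30 hops

  1     1 ms     1 ms     1 ms  198.51.100.1
  2    10 ms     9 ms     9 ms  198.51.100.33
  3    14 ms    13 ms    13 ms  198.51.100.65
  4    18 ms    18 ms    17 ms  198.51.100.129
  5    25 ms    24 ms    24 ms  192.0.2.200

Trace complete.
"""


def parse_traceroute(output: str) -> List[Tuple[int, Optional[str]]]:
    """Return (hop number, responding IP address or None) for each hop line.

    Works for both the Linux and the Windows layout: header, blank and
    trailer lines do not start with a hop number and are skipped; a hop
    that shows "* * *" or "Request timed out." carries no address.
    """
    hops: List[Tuple[int, Optional[str]]] = []
    for line in output.splitlines():
        m = HOP_LINE.match(line)
        if not m:
            continue
        ips = IPV4.findall(m.group(2))
        hops.append((int(m.group(1)), ips[-1] if ips else None))
    return hops


def candidate_targets(hops: List[Tuple[int, Optional[str]]],
                      gateway_hop: int = 1, beyond=(2, 3)) -> List[str]:
    """Hops two and three past the default gateway that answered the probe."""
    wanted = {gateway_hop + n for n in beyond}
    return [ip for hop, ip in hops if hop in wanted and ip is not None]


def shared_targets(per_interface: Dict[str, List[str]]) -> List[str]:
    """Targets used by more than one interface.

    A failure of such a host would mark every interface that uses it
    inactive at the same time, so each interface should get its own host.
    """
    seen: Dict[str, int] = {}
    for targets in per_interface.values():
        for ip in set(targets):
            seen[ip] = seen.get(ip, 0) + 1
    return sorted(ip for ip, n in seen.items() if n > 1)


if __name__ == "__main__":
    plan = {
        "eth0": candidate_targets(parse_traceroute(TRACEROUTE_ETH0)),
        "eth1": candidate_targets(parse_traceroute(TRACERT_ETH1)),
    }
    for iface, targets in plan.items():
        print(iface, "->", targets)
    print("shared:", shared_targets(plan))
```

On the constructed output, eth0 yields one candidate (hop 4 did not answer, so it is dropped), eth1 yields two, and no host is shared. Candidates still need to be checked for consistent ping responses over time before you commit them as targets.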

Recommendations for TCP targets

  • Do not specify a TCP Link Monitor target unless the company that hosts the target agrees. If you specify TCP to monitor a link to a remote host, the company that manages the remote host might block traffic from the Firebox. This can occur if the company considers the idle TCP connections as a possible scan or attack.

If you specify a domain name for a ping or TCP Link Monitor target, and the external interface is configured with a static IP address, you must configure a DNS server. The DNS server resolves the domain name of your Link Monitor target. You do not have to configure a DNS server if the external interfaces are configured for DHCP or PPPoE. For more information, see Configure Network DNS and WINS Servers.

Recommendations for DNS Targets

  • Some DNS servers and ISP equipment block pings that continue for extended durations. To avoid this issue, you can configure a DNS target instead of a ping target.

Probe Interval Settings

When you add Link Monitor targets, you must specify how often the Firebox attempts to probe the targets. The Firebox uses the result of these probe attempts to determine whether the interface is active or inactive. If you select to measure loss, latency, and jitter, the Firebox uses the probe results to calculate those metrics.

In Link Monitor, you configure these settings for each interface:

  • Probe Interval — Number of seconds between each ping, TCP, or DNS probe attempt. The default value is 5.
  • Deactivate After — Number of consecutive unsuccessful probes required to consider an interface inactive. The default value is 3.
  • Reactivate After — Number of consecutive successful probes required to consider an interface active. The default value is 3.

These settings apply to all Link Monitor targets you configure for an interface. For example, if you configure a ping target and a TCP target and specify a probe interval of 5 seconds, both targets use a probe interval of 5 seconds.

In certain cases, the Firebox disregards the Probe Interval, Deactivate After, and Reactivate After settings:

  • Physical link disconnection or reconnection — If the interface cable is unplugged, for example, the Firebox immediately considers the interface inactive. If the cable is plugged in again, the Firebox considers the interface active after one successful probe.
  • Link Monitor configuration change — If you change the IP address of a Link Monitor target, for example, the Firebox immediately probes the target and updates the interface status as active or inactive.

In Fireware v12.2 or lower, for a physical link disconnection or reconnection, or for a Link Monitor configuration change, the Firebox updates the interface status only after the specified number of successful or unsuccessful probes have occurred.

Route Table Updates for External Interfaces

For external interfaces, the Firebox updates its route table if the interface availability changes. Only route metrics for external interfaces are updated. Route metrics for internal interfaces (Trusted, Optional, and Custom) and BOVPN virtual interfaces are not updated.

For example, for a logical link failure, if the Link Monitor target does not respond after the specified number of consecutive unsuccessful probes, the Firebox:

  • Considers the interface inactive.
  • Updates the route metric in the route table to 100 for that interface.
  • Continues to send Link Monitor probes to the target.

If the same target begins to respond again, the Firebox:

  • Considers the interface active after the specified number of consecutive successful probes.
  • Updates route metrics in the route table to the original metric.

If the Firebox detects a physical interface disconnection, the update process is much faster:

  • The Firebox immediately considers the interface as inactive.
  • The Firebox updates route metrics in the route table immediately.
  • If the Firebox detects the Ethernet connection is established again, the Firebox immediately considers the interface active and updates the route table.

For an external interface that does not participate in multi-WAN, the original metric is 20. For an external interface that participates in multi-WAN, the original metric depends on the multi-WAN configuration.

Multi-WAN Method                          Original Metric
Routing Table                             5
Round Robin                               5
Interface Overflow                        5
Failover                                  10
Failover (secondary external interface)   11

For each additional secondary external interface, increase the metric value by 1. For example, if you have three secondary external interfaces, the metrics are 11, 12, and 13.
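The simulation below is an added example, not WatchGuard code, that ties together the Probe Interval Settings and Route Table Updates sections: it counts consecutive probe results against Deactivate After and Reactivate After, applies the immediate status change for a cable pull, a cable reconnection (one successful probe) and a target change, and reports the route metric (the original metric from the table above while active, 100 while inactive). The class, method names and multi-WAN method labels are assumptions made for this example.

```python
"""Interface status and route metric simulation for Link Monitor.

Added example, not WatchGuard code. Class, method and multi-WAN method
labels are assumptions made for this example; the metric values come
from the documentation table.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Original route metrics for an active external interface (assumed labels).
ORIGINAL_METRICS = {
    "none": 20,                # external interface not in multi-WAN
    "routing_table": 5,
    "round_robin": 5,
    "interface_overflow": 5,
    "failover": 10,            # primary interface in failover mode
}
INACTIVE_METRIC = 100


def original_metric(method: str, secondary_index: int = 0) -> int:
    """Metric used while the interface is active.

    secondary_index is 0 for the primary interface. In failover mode the
    Nth secondary external interface gets 10 + N (11, 12, 13, ...).
    """
    if method == "failover" and secondary_index > 0:
        return 10 + secondary_index
    return ORIGINAL_METRICS[method]


@dataclass
class LinkMonitor:
    method: str = "none"
    secondary_index: int = 0
    deactivate_after: int = 3     # consecutive failed probes to go inactive
    reactivate_after: int = 3     # consecutive successful probes to go active
    active: bool = True
    link_up: bool = True
    pending_reconnect: bool = False
    failures: int = 0
    successes: int = 0

    def probe(self, ok: bool) -> bool:
        """Record one probe result (one per Probe Interval) and return the status."""
        if not self.link_up:
            return False          # probes do not count while the cable is out
        if ok:
            self.successes += 1
            self.failures = 0
            # After a cable reconnection a single successful probe is enough.
            needed = 1 if self.pending_reconnect else self.reactivate_after
            if not self.active and self.successes >= needed:
                self.active = True
                self.pending_reconnect = False
        else:
            self.failures += 1
            self.successes = 0
            if self.active and self.failures >= self.deactivate_after:
                self.active = False
        return self.active

    def cable_unplugged(self) -> None:
        """Physical disconnection: inactive immediately, counters disregarded."""
        self.link_up = False
        self.active = False
        self.failures = self.successes = 0

    def cable_plugged_in(self) -> None:
        """Physical reconnection: active after the next single successful probe."""
        self.link_up = True
        self.pending_reconnect = True

    def target_changed(self, first_probe_ok: bool) -> bool:
        """Configuration change: the target is probed at once and the status follows."""
        self.failures = self.successes = 0
        self.pending_reconnect = False
        self.active = first_probe_ok
        return self.active

    def route_metric(self) -> int:
        """Metric the route table shows for this external interface."""
        return original_metric(self.method, self.secondary_index) if self.active else INACTIVE_METRIC


def run_scenario() -> List[Tuple[str, bool, int]]:
    """Primary failover-mode interface: logical failure, recovery, cable pull.

    Returns (event, active, metric) after each step.
    """
    lm = LinkMonitor(method="failover")
    log: List[Tuple[str, bool, int]] = []

    def step(event: str, ok: Optional[bool] = None) -> None:
        if ok is not None:
            lm.probe(ok)
        log.append((event, lm.active, lm.route_metric()))

    step("probe fail", False)      # 1 failure: still active, metric 10
    step("probe fail", False)      # 2 failures: still active
    step("probe fail", False)      # 3 failures: inactive, metric 100
    step("probe ok", True)         # 1 success: still inactive
    step("probe ok", True)         # 2 successes: still inactive
    step("probe ok", True)         # 3 successes: active, metric 10
    lm.cable_unplugged(); step("cable unplugged")    # inactive at once
    lm.cable_plugged_in(); step("cable plugged in")  # waits for one probe
    step("probe ok", True)         # single success: active again
    return log


if __name__ == "__main__":
    for event, active, metric in run_scenario():
        print(f"{event:16} active={active!s:5} metric={metric}")
```

The scenario shows why two targets and a sensible Deactivate After matter: a single unresponsive probe changes nothing, and the route metric only moves to 100 at the third consecutive failure, then back to 10 at the third consecutive success. A physical event bypasses the counters entirely, as the documentation describes for Fireware v12.2.1 and higher.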

For more information about the route table, see Read the Firebox Route Tables.

Multi-WAN and SD-WAN Interfaces Without Link Monitor

If you do not add multi-WAN and SD-WAN interfaces to Link Monitor, the Firebox cannot detect logical link failures for those interfaces. Without Link Monitor targets, failover occurs only after a physical disconnection, or if a valid IP address is not assigned to the interface (if the interface is dynamic). This can lead to a network outage in certain cases.

For example, if you disconnect the cable for the preferred external interface, connections fail over to another external interface. This occurs because the Firebox detected a physical disconnection.

However, if the preferred interface becomes unavailable because of issues outside of your network, failover does not occur because the Firebox has not detected a logical link failure. The Firebox requires Link Monitor targets to detect logical link failures. In this case, a network outage can occur because the Firebox continues to send traffic to an interface for which there is no WAN availability.

FireCluster

If you have an Active/Active FireCluster, both cluster members send Link Monitor probes.

If you have an Active/Passive FireCluster, only the master cluster member sends Link Monitor probes. If failover occurs, the former cluster master no longer sends Link Monitor probes. The new cluster master sends Link Monitor probes instead.

If an external interface is a member of a FireCluster configuration, a multi-WAN failover caused by a failed connection to a Link Monitor host does not trigger FireCluster failover. FireCluster failover occurs only when the physical interface is down or does not respond.

See Also

Configure Link Monitor

About SD-WAN

About Multi-WAN