You can configure your Firebox to create redundant connections to the external network. This option is helpful if you must have a constant Internet connection. With the multi-WAN feature, you can configure multiple external interfaces, each on a different subnet. This allows you to connect your Firebox to more than one Internet Service Provider (ISP). When you configure two or more external interfaces, the multi-WAN feature is automatically enabled.
By default, multi-WAN is not enabled for modems. Multi-WAN does not impact BOVPNs or inbound traffic.
Multi-WAN Requirements and Conditions
You must have a second Internet connection and more than one external interface to use most multi-WAN configuration options.
Conditions and requirements for multi-WAN use include:
- If you have a policy configured with an individual external interface alias in its configuration, you must change the configuration to use the alias Any-External, or another alias you configure for external interfaces. If you do not do this, some connections could be denied by your firewall policies.
- Multi-WAN settings do not apply to incoming connections. When you configure a policy for inbound connections, you can ignore all multi-WAN settings.
- Map the Fully Qualified Domain Name used by your company to the external interface IP address of the lowest order. If you add a multi-WAN Firebox to your Management Server configuration, you must use the lowest-ordered external interface to identify it when you add the device.
- To use multi-WAN, you must use mixed routing mode for your network configuration. This feature does not operate in drop-in or bridge mode network configurations.
- To use the Interface Overflow method, you must have Fireware XTM with a Pro upgrade. You must also have a Fireware XTM Pro license if you use the Round-Robin method and configure different weights for the Firebox external interfaces.
- XTM 2 Series devices without the Pro upgrade and Firebox T10 devices cannot use any multi-WAN methods.
- All other Firebox T-series devices with Fireware v12.3 or higher can use multi-WAN.
- All other Fireboxes without the Pro upgrade cannot use the weighted Round-Robin or Interface Overflow multi-WAN methods.
You can use one of four multi-WAN configuration options to manage your network connections. For more information on each option, see About Multi-WAN Methods.
When you enable multi-WAN, the Firebox monitors the status of each external interface. Make sure that you define a link monitor host for each interface. We recommend that you configure two link targets for each interface.
For more information, see About Link Monitor.
Multi-WAN is not supported on the Firebox T10 or on XTM 2 Series devices without the Pro upgrade. Multi-WAN is supported on all other T-series devices with Fireware v12.3 or higher. Although multi-WAN is not supported in certain cases, modem failover is supported for the Firebox T10 and T15. This is true even after an upgrade to Fireware v12.1 or higher, which converts modems to external interfaces. For more information, see Configure Modem Failover.
Multi-WAN and Participating Interfaces
In the multi-WAN configuration you can select which external interfaces participate in multi-WAN. You must select at least two interfaces to participate in multi-WAN. If all interfaces selected in the multi-WAN configuration are down, the Firebox routes outbound connections through the non-participating external interface that has the lowest routing metric.
Multi-WAN and SD-WAN
After you configure multiple external interfaces, you can create policies that send outgoing connections to a specific external interface. The SD-WAN routing settings in a policy override the settings in the multi-WAN configuration for connections that the policy applies to.
For information about SD-WAN, see About SD-WAN.
In Fireware v12.3 or higher, SD-WAN replaces policy-based routing. In Fireware v12.2.1 or earlier, to route traffic to a different external interface, you must use policy-based routing. When you upgrade to Fireware v12.3 or higher, policy-based routing without failover is converted to an SD-WAN action with a single interface. Policy-based routing with failover is converted to an SD-WAN action with multiple interfaces. In Policy Manager, the policy-based routing setting is still available for backwards compatibility with older Fireware OS versions. For more information about policy-based routing, see Configure Policy-Based Routing in Fireware v12.2.1 or lower in the WatchGuard Knowledge Base.
Multi-WAN and DNS
Make sure that your DNS server can be reached through every WAN. Otherwise, you must modify your DNS policies such that:
- The From list includes Firebox.
- An SD-WAN action is selected that includes a WAN interface that can reach the DNS server.
If only one WAN can reach the DNS server
Select an SD-WAN action that includes that WAN interface.
In the Web UI, select the SD-WAN tab, and then select an SD-WAN action. In Policy Manager, select Route Outbound Traffic Using > SD-WAN Based Routing.
If more than one WAN can reach the DNS server
You can select an SD-WAN action that includes all WAN interfaces that can reach the DNS server.
In the SD-WAN action, the first interface in the list is the primary interface. The primary interface is preferred if it is up and has metrics that do not exceed the values you specified in the SD-WAN action. You can move interfaces up or down in the list to change the primary interface.
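The following is an added example, not WatchGuard code or Firebox behaviour taken from the product, that models the selection rules stated in this section: an SD-WAN action prefers its first listed interface while that interface is up and within the action's metric limits, a policy's SD-WAN action overrides the multi-WAN configuration, multi-WAN falls back to the non-participating external interface with the lowest routing metric when every participating interface is down, and a DNS policy needs Firebox in its From list plus an SD-WAN action with an interface that reaches the DNS server. Interface names, link monitor targets, metric values and the "first participating interface that is up" failover order are constructed assumptions for the model.

```python
"""Added example (not WatchGuard's code): a model of the outbound interface
selection rules described on this page. All names and values are constructed."""
from dataclasses import dataclass, replace
from typing import Dict, List, Optional


@dataclass
class ExternalInterface:
    name: str
    participating: bool            # selected in the multi-WAN configuration
    routing_metric: int            # lower value preferred for the all-down fallback
    link_targets: Dict[str, bool]  # link monitor target -> reachable (constructed)
    loss_pct: float = 0.0
    latency_ms: float = 0.0
    jitter_ms: float = 0.0

    def is_up(self) -> bool:
        # Assumption for this model: the interface counts as up while at least
        # one of its link monitor targets still responds.
        return any(self.link_targets.values())


@dataclass
class SDWANAction:
    interfaces: List[str]          # ordered; the first entry is the primary interface
    max_loss_pct: float = 100.0
    max_latency_ms: float = float("inf")
    max_jitter_ms: float = float("inf")


def within_thresholds(iface: ExternalInterface, action: SDWANAction) -> bool:
    """True when none of the measured metrics exceed the action's limits."""
    return (iface.loss_pct <= action.max_loss_pct
            and iface.latency_ms <= action.max_latency_ms
            and iface.jitter_ms <= action.max_jitter_ms)


def select_sdwan_interface(action: SDWANAction,
                           ifaces: Dict[str, ExternalInterface]) -> Optional[str]:
    """Walk the action's list in order: the primary is preferred while it is up
    and within thresholds; otherwise the next usable interface is chosen."""
    for name in action.interfaces:
        iface = ifaces[name]
        if iface.is_up() and within_thresholds(iface, action):
            return name
    return None


def select_multiwan_interface(ifaces: Dict[str, ExternalInterface]) -> Optional[str]:
    """Multi-WAN: first participating interface that is up (assumed order);
    if every participating interface is down, use the non-participating
    external interface with the lowest routing metric."""
    for iface in ifaces.values():
        if iface.participating and iface.is_up():
            return iface.name
    others = [i for i in ifaces.values() if not i.participating]
    if not others:
        return None
    return min(others, key=lambda i: i.routing_metric).name


def route_outbound(action: Optional[SDWANAction],
                   ifaces: Dict[str, ExternalInterface]) -> Optional[str]:
    """A policy's SD-WAN action overrides the multi-WAN configuration for the
    connections it matches; a policy without one uses multi-WAN."""
    if action is not None:
        return select_sdwan_interface(action, ifaces)
    return select_multiwan_interface(ifaces)


def dns_policy_problems(from_list: List[str], action: Optional[SDWANAction],
                        wans_reaching_dns: List[str]) -> List[str]:
    """Checks for a DNS policy when not every WAN can reach the DNS server."""
    problems = []
    if "Firebox" not in from_list:
        problems.append("From list does not include Firebox")
    if action is None:
        problems.append("no SD-WAN action selected")
    elif not any(n in wans_reaching_dns for n in action.interfaces):
        problems.append("SD-WAN action has no interface that reaches the DNS server")
    return problems


def mark_down(ifaces: Dict[str, ExternalInterface], *names: str) -> Dict[str, ExternalInterface]:
    """Return a copy of the state with all link targets of the named interfaces failed."""
    out = dict(ifaces)
    for n in names:
        out[n] = replace(ifaces[n], link_targets={t: False for t in ifaces[n].link_targets})
    return out


# Constructed sample state: two participating WANs (eth1 has lost both link
# targets) and two non-participating external interfaces.
SAMPLE = {
    "eth0": ExternalInterface("eth0", True, 10, {"198.51.100.1": True, "203.0.113.1": True},
                              loss_pct=1.0, latency_ms=20.0),
    "eth1": ExternalInterface("eth1", True, 20, {"198.51.100.2": False, "203.0.113.2": False}),
    "eth2": ExternalInterface("eth2", False, 30, {"198.51.100.3": True}),
    "eth3": ExternalInterface("eth3", False, 25, {"198.51.100.3": True}),
}

if __name__ == "__main__":
    print(route_outbound(SDWANAction(["eth1", "eth0"], max_loss_pct=5.0), SAMPLE))
    print(select_multiwan_interface(mark_down(SAMPLE, "eth0", "eth1")))
    print(dns_policy_problems(["Any-Trusted"], None, ["eth0"]))
```

Running the module shows the primary interface eth1 being skipped because its link targets no longer respond, the all-down fallback choosing eth3 over eth2 because of its lower routing metric, and the two DNS policy problems that the checklist above describes.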
For more information about SD-WAN configuration, see Configure SD-WAN.
You must have Fireware with a Pro upgrade to use SD-WAN in Fireware v12.3 or higher or to use policy-based routing in Fireware v12.2.1 or lower.
Multi-WAN and FireCluster
You can use multi-WAN failover with the FireCluster feature, but they are configured separately. Multi-WAN failover caused by a failed connection to a link monitor host does not trigger FireCluster failover. FireCluster failover occurs only when the physical interface is down or does not respond. FireCluster failover takes precedence over multi-WAN failover.