Configure Firebox Network Link Monitoring
Applies To: Cloud-managed Fireboxes
To monitor the status of network connectivity from a cloud-managed Firebox, we highly recommend that you enable link monitoring. In the Link Monitoring settings for a network, you configure link monitoring targets, which are remote hosts beyond your network perimeter. Link monitoring is not enabled by default.
When link monitoring is enabled, the Firebox sends traffic to a link monitor target to test network connectivity. The Firebox attempts to probe the target every 5 seconds and uses the results of these probe attempts to determine whether the interface is active or inactive. After three consecutive probe failures, the Firebox considers the interface inactive, and traffic fails over to a different interface. The Firebox continues to probe the target, and if the target responds again, after three consecutive successful probes, the Firebox considers the interface active.
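The state logic described above, modeled as an added example (not WatchGuard code). The class and function names and the probe sequence are constructed for illustration, and the model assumes the interface starts in the active state.

```python
from dataclasses import dataclass

PROBE_INTERVAL_S = 5   # from the page: one probe every 5 seconds
THRESHOLD = 3          # from the page: three consecutive results flip the state


@dataclass
class LinkMonitor:
    """Hypothetical model of the interface state logic described above."""
    active: bool = True  # assumption: the interface starts out active
    streak: int = 0      # consecutive results that contradict the current state

    def observe(self, probe_ok: bool) -> bool:
        """Feed one probe result; return True if the interface state changed."""
        if probe_ok == self.active:
            self.streak = 0  # result agrees with the current state: reset
            return False
        self.streak += 1
        if self.streak < THRESHOLD:
            return False
        self.active = probe_ok
        self.streak = 0
        return True


def replay(results):
    """Replay probe results (True = target answered); return state transitions.

    Each transition is (seconds_since_first_probe, new_state).
    """
    monitor = LinkMonitor()
    transitions = []
    for i, ok in enumerate(results):
        if monitor.observe(ok):
            state = "active" if monitor.active else "inactive"
            transitions.append((i * PROBE_INTERVAL_S, state))
    return transitions


# Constructed probe sequence: an isolated loss, two losses then a reply,
# a sustained outage, and a recovery interrupted by one more loss.
SAMPLE = [True, False, True, False, False, True,
          False, False, False, False,
          True, True, False, True, True, True]

if __name__ == "__main__":
    for t, state in replay(SAMPLE):
        print(f"t={t:>3}s interface -> {state}")
```

In this sequence the one- and two-probe losses never change the state; the sustained outage starts with the failed probe at t=30s and the interface is marked inactive at t=40s, and the single loss during recovery restarts the count toward active.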
Link monitoring is required for these SD-WAN features:
- SD-WAN for internal or guest networks
- SD-WAN measurement-based failover
Supported Targets
Link Monitor supports these types of targets:
- Ping — Pings an IP address or domain name
- TCP — Sends TCP probes to an IP address or domain name, and a port number
- DNS — Queries the IP address of a DNS server for the specified domain name
Recommendations for External Link Monitoring
Link monitoring settings for external networks are different than for internal and guest networks. When you enable Link Monitoring for an external network, the default settings send a ping to the network gateway. To make sure traffic fails over to a different interface when network issues occur, we recommend that you:
- Configure link monitoring to send traffic to an IP address beyond the default gateway.
- Select a target that has a record of high uptime, such as a server hosted by your ISP.
- Configure different link monitoring settings for each external network.
Some DNS servers and ISP equipment block pings that continue for an extended duration. To avoid this issue, configure a DNS target instead of a ping target.
To make sure that the Firebox does not block traffic from the link monitor target, we also recommend that you add a Blocked Sites Exception with the IP address of the link monitor target. For information about how to add exceptions, go to Add Exceptions in WatchGuard Cloud.
Configure Link Monitoring Settings
To configure link monitoring for a network, you must enable link monitoring and then configure the link monitoring settings. The configuration options for link monitoring depend on the network type (external, internal, or guest).
To enable link monitoring for a network, from WatchGuard Cloud:
- Select Configure > Devices.
- Select the cloud-managed Firebox.
- Click Device Configuration.
- Click the Networks tile.
  The Networks configuration page opens.
- Click the tile for the external network you want to edit.
- In the network settings, select the Link Monitoring tab.
- Click the Enable Link Monitoring toggle.
- Configure the link monitoring settings for your external, internal, or guest network.
- To save configuration changes to the cloud, click Save.

For an external network, you can use the default settings, or configure custom settings.
If you use the default link monitoring settings, the Firebox sends ping traffic to the network gateway. To monitor connectivity to any network beyond the gateway, you must configure custom link monitoring settings.
To use default link monitoring settings for an external network:
- Enable link monitoring.
- Select Use Default Link Monitoring Settings.
- Click Save.
To configure custom link monitoring settings for an external network:
- Enable link monitoring.
- Select Use Custom Link Monitoring Settings.
- From the Type drop-down list, select Ping, TCP, or DNS.
- In the IP Address text box, type the IP address of the link monitoring target. For example, if you selected DNS, type the IP address of the DNS server.
- If you selected TCP, in the Port text box, type a port number.
- If you selected DNS, in the Query Domain text box, type a domain name for the DNS server to resolve.
- To save configuration changes to the cloud, click Save.

When you enable link monitoring for an internal or guest network, you can optionally specify the next hop. An SD-WAN action that includes this network uses the next hop address to route link monitor traffic. If next hop is not specified, the SD-WAN action uses standard routing for link monitor traffic.
To configure link monitoring for an internal or guest network:
- Enable link monitoring.
- (Optional) In the Next Hop text box, type the IP address of the next hop.
- From the Type drop-down list, select Ping, TCP, or DNS.
- In the IP Address text box, type the IP address of the link monitoring target. For example, if you selected DNS, type the IP address of the DNS server.
- If you selected TCP, in the Port text box, type a port number.
- If you selected DNS, in the Query Domain text box, type a domain name for the DNS server to resolve.
- To save configuration changes to the cloud, click Save.