Configure a Branch Office VPN for Failover from a Leased Line

You can configure your XTM device to use the IPSec branch office VPN tunnel for failover if another route (such as a private leased line) becomes unavailable.


For VPN failover to operate correctly, the configuration must meet these requirements:

To use this feature for automatic failover from a leased line, you must use dynamic routing.

With this configuration, Internet traffic is handled by the XTM device based on the regular firewall policies. This configuration does not create any limitations on the use of multi-WAN in your device configuration.

Configuration Overview

The general steps to configure failover from a leased line to a branch office VPN are:

  1. Configure dynamic routing and add the associated RIP, OSPF, or BGP policy at each site to create the route over the leased line.
    For more information, see About Dynamic Routing.
  2. Configure the branch office VPN to connect the two sites.
  3. Configure Global VPN settings to enable the failover feature at each site.
    On the VPN Settings page, select the Enable the use of non-default (static or dynamic) routes to determine if IPSec is used check box.

For two examples with detailed configuration steps, see:

For an example configuration file, see:

How Failover to the Branch Office VPN Operates

When you enable dynamic routing, the XTM device automatically updates the routing table based on the status of the connection. If the connection to the leased line router fails, the XTM device dynamically removes that route from the routing table. You can see the routing table on the Status Report tab in Firebox System Manager.

The XTM device at each office site sends traffic to the other office over the trusted interface connected to the private leased line, if a dynamic route to that site is present. If a dynamic route is not present in the routing table, the XTM device at each site sends traffic over the encrypted IPSec BOVPN tunnel on the external interface. When the dynamic route over the leased line is restored, the devices automatically send traffic over the private leased line again.

Give Us Feedback  •   Get Support  •   All Product Documentation  •   Knowledge Base