You can configure your XTM device to use the IPSec branch office VPN (BOVPN) tunnel as a failover path if another route to the remote site (such as a private leased line) becomes unavailable.
For VPN failover to operate correctly, the configuration must meet these requirements:
To use this feature for automatic failover from a leased line, you must use dynamic routing.
With this configuration, only traffic to the remote site is affected. Internet traffic is still handled by the XTM device according to the regular firewall policies, and the configuration places no limitations on the use of multi-WAN in your device configuration.
The general steps to configure failover from a leased line to a branch office VPN are:
For two examples with detailed configuration steps, see:
For an example configuration file, see:
When you enable dynamic routing, the XTM device automatically updates the routing table based on the status of the connection. If the connection to the leased line router fails, the routing protocol declares that neighbor unreachable and the XTM device dynamically removes the routes learned from it from the routing table. Failover is therefore only as fast as the routing protocol's neighbor detection: until the protocol times out the lost neighbor, the leased line route stays in the table and traffic is still sent to it. You can see the current routing table on the Status Report tab in Firebox System Manager.
The XTM device at each office site sends traffic to the other office over the trusted interface connected to the private leased line if a dynamic route to that site is present in the routing table. On that path the XTM device does not encrypt the traffic; the private leased line itself is the protection. If a dynamic route is not present in the routing table, the traffic falls through to the external interface, where it matches the tunnel route, and the XTM device at each site sends it over the encrypted IPSec BOVPN tunnel. When the dynamic route over the leased line is restored, the devices automatically send traffic over the private leased line again.
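The following is an added example, not WatchGuard code or configuration, that models the forwarding decision described above so you can see the failover and recovery sequence end to end. The site names, subnets (10.1.0.0/24 and 10.2.0.0/24), the leased-line router address 10.1.0.254 and the Internet next hop 203.0.113.1 are constructed for the example; the routing protocol itself is abstracted to two events, a route being learned from the leased-line router and that neighbor being declared lost.

```python
"""Model of XTM leased-line-to-BOVPN failover: dynamic route wins while present,
the IPSec tunnel route on the external interface catches the traffic once it is gone.
Added example; addresses and site names are constructed, not from any real deployment."""
import ipaddress
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Route:
    prefix: ipaddress.IPv4Network
    interface: str          # "trusted" = private leased line, "external" = Internet
    next_hop: str
    dynamic: bool = False   # True if learned from the leased-line router by dynamic routing


@dataclass
class XtmSite:
    name: str
    static_routes: list = field(default_factory=list)
    dynamic_routes: set = field(default_factory=set)
    tunnel_routes: list = field(default_factory=list)  # remote subnets configured on the BOVPN tunnel

    # What the dynamic routing protocol does when a neighbor advertises a prefix.
    def learn(self, prefix, next_hop):
        self.dynamic_routes.add(
            Route(ipaddress.ip_network(prefix), "trusted", next_hop, dynamic=True))

    # Neighbor dead/hold timer expired: every route learned from it leaves the table.
    def neighbor_lost(self, next_hop):
        self.dynamic_routes = {r for r in self.dynamic_routes if r.next_hop != next_hop}

    # Routing table as the Status Report would show it, longest prefix first.
    def routing_table(self):
        return sorted(self.static_routes + list(self.dynamic_routes),
                      key=lambda r: -r.prefix.prefixlen)

    def lookup(self, dst):
        dst = ipaddress.ip_address(dst)
        for r in self.routing_table():
            if dst in r.prefix:
                return r
        return None

    def forward(self, dst):
        """Return (path, protection) for a packet to dst."""
        r = self.lookup(dst)
        if r is None:
            return ("drop", None)
        if r.interface == "trusted":
            return ("leased-line", "none")    # private line; the XTM device does not encrypt
        if any(ipaddress.ip_address(dst) in n for n in self.tunnel_routes):
            return ("bovpn", "ipsec")         # tunnel route on external: IPSec encrypts
        return ("internet", "none")           # ordinary Internet traffic, firewall policies apply


def build_site_a():
    """Site A: trusted 10.1.0.0/24, leased-line router 10.1.0.254, remote site B 10.2.0.0/24."""
    a = XtmSite("A")
    a.static_routes = [Route(ipaddress.ip_network("0.0.0.0/0"), "external", "203.0.113.1")]
    a.tunnel_routes = [ipaddress.ip_network("10.2.0.0/24")]
    a.learn("10.2.0.0/24", "10.1.0.254")      # advertised by the leased-line router
    return a


def failover_sequence():
    """Walk through leased line up -> down -> restored and record the path chosen each time."""
    a = build_site_a()
    steps = [("leased line up", a.forward("10.2.0.10"))]
    a.neighbor_lost("10.1.0.254")             # routing protocol times out the leased-line router
    steps.append(("leased line down", a.forward("10.2.0.10")))
    steps.append(("internet while down", a.forward("198.51.100.7")))
    a.learn("10.2.0.0/24", "10.1.0.254")      # route is re-advertised when the line comes back
    steps.append(("leased line restored", a.forward("10.2.0.10")))
    return steps


if __name__ == "__main__":
    for label, (path, protection) in failover_sequence():
        print(f"{label:22} -> {path} (protection: {protection})")
```

The important property the model makes visible is the order of precedence: the more specific dynamic route on the trusted interface always wins while it exists, so the tunnel only carries traffic during the outage, and Internet destinations never match the tunnel route in either state.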