
Configure the Auto-Rollover Mode and Failure Detection Method for IPv4 Interfaces

To use a redundant ISP link for backup purposes, ensure that the backup WAN interface has already been configured. Then select the WAN interface that should function as the primary link for this mode, and configure the WAN failure detection method on the WAN Mode screen to support auto-rollover.

When the VPN firewall is configured in auto-rollover mode, it uses the selected WAN failure detection method to detect the status of the primary link connection at regular intervals. For IPv4 interfaces, the VPN firewall detects link failure in one of the following ways:

- By sending DNS queries to a DNS server
- By sending a ping request to an IP address

From the primary WAN interface, DNS queries or ping requests are sent to the specified IP address. If replies are not received, after a specified number of retries, the primary WAN interface is considered down and a rollover to the backup WAN interface occurs. When the primary WAN interface comes back up, another rollover occurs from the backup WAN interface back to the primary WAN interface. The WAN failure detection method that you select applies only to the primary WAN interface, that is, it monitors the primary link only.
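The detection loop described above can be replayed offline to see how the retry interval and failure count turn into a rollover delay. This is an added example, not part of the manual; the class and function names are hypothetical, the defaults and minimums are the ones given in the failure detection settings on this page, and it assumes that missed replies are counted consecutively and that the same number of consecutive replies is needed before traffic returns to the primary link.

```python
from dataclasses import dataclass

MIN_INTERVAL_S = 30   # minimum test period stated on the page
MIN_TESTS = 2         # minimum number of tests stated on the page


@dataclass(frozen=True)
class FailureDetection:
    retry_interval_s: int = 30   # page default
    failover_after: int = 4      # page default

    def __post_init__(self):
        if self.retry_interval_s < MIN_INTERVAL_S:
            raise ValueError("retry interval below the 30-second minimum")
        if self.failover_after < MIN_TESTS:
            raise ValueError("fewer than the minimum of 2 tests")

    def rollover_delay_s(self) -> int:
        """Seconds from link loss until the backup link takes over."""
        return self.retry_interval_s * self.failover_after


def simulate(cfg, replies):
    """Replay probe results (True = reply received) as rollover events.

    One probe per retry interval is sent through the primary WAN interface.
    Assumed: consecutive counting, same threshold for switching back.
    """
    active, streak, events = "primary", 0, []
    for n, replied in enumerate(replies, start=1):
        healthy_now = active == "primary"
        # A result that contradicts the current state extends the streak.
        streak = streak + 1 if replied != healthy_now else 0
        if streak == cfg.failover_after:
            active = "backup" if healthy_now else "primary"
            events.append((n * cfg.retry_interval_s, active))
            streak = 0
    return events


# Constructed probe trace: one lost reply (ignored), an outage, then recovery.
SAMPLE = [True, False, True] + [False] * 5 + [True] * 4

if __name__ == "__main__":
    cfg = FailureDetection()
    print("rollover delay:", cfg.rollover_delay_s(), "s")
    for t, link in simulate(cfg, SAMPLE):
        print(f"t={t:>4}s  active link -> {link}")
```

With the defaults, the computed delay matches the 2-minute rollover time stated in the note on this page, and the single lost reply early in the trace does not trigger a rollover.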

Configure Auto-Rollover Mode for IPv4 Interfaces

To configure auto-rollover mode:

1. Select Network Configuration > WAN Settings > WAN Mode. The WAN Mode screen displays:

2. In the Load Balancing Settings section of the screen, configure the following settings:

   a. Select the Primary WAN Mode radio button.

   b. From the corresponding drop-down list on the right, select a WAN interface to function as the primary WAN interface. The other WAN interfaces become disabled.

   c. Select the Auto Rollover check box.

   d. From the corresponding drop-down list on the right, select a WAN interface to function as the backup WAN interface.

Note: Ensure that the backup WAN interface is configured before enabling auto-rollover mode.

3. Click Apply to save your settings.

Configure the Failure Detection Method for IPv4 Interfaces

To configure the failure detection method:

1. Select Network Configuration > WAN Settings > WAN Setup. In the upper right of the screen, the IPv4 radio button is selected by default. The WAN Setup screen displays the IPv4 settings (see Figure 11 on page 31).

2. Click the Edit table button in the Action column of the WAN interface that you selected as the primary WAN interface. The WAN IPv4 ISP Settings screen displays (see Figure 12 on page 32, which shows the WAN2 IPv4 ISP Settings screen as an example).

3. Click the Advanced option arrow in the upper right of the screen. The WAN Advanced Options screen displays for the WAN interface that you selected. (For an image of the entire screen, see Figure 46 on page 73.)

4. Locate the Failure Detection Method section on the screen. Enter the settings as described in the following table.

Table 7. Failure detection method settings

| Setting | Description |
|---|---|
| Failure Detection Method | Select a failure detection method from the drop-down list: WAN DNS. DNS queries are sent to the DNS server that is configured in the Domain Name Server (DNS) Servers section of the WAN ISP screen (see Manually Configure an IPv4 Internet Connection on page 34). Custom DNS. DNS queries are sent to a DNS server that you need to specify in the DNS Server fields. Ping. Pings are sent to a public IP address that you need to specify in the IP Address field. Note: DNS queries or pings are sent through the WAN interface that is being monitored. The retry interval and number of failover attempts determine how quickly the VPN firewall switches from the primary link to the backup link if the primary link fails, or when the primary link comes back up, switches back from the backup link to the primary link. |
| DNS Server | The IP address of the DNS server. |
| IP Address | The IP address of the interface that should receive the ping request. The interface should not reject the ping request and should not consider ping traffic to be abusive. |
| Retry Interval is | The retry interval in seconds. The DNS query or ping is sent after every retry interval. The default retry interval is 30 seconds. |
| Failover after | The number of failover attempts. The primary WAN interface is considered down after the specified number of queries have failed to elicit a reply. The backup interface is brought up after this situation has occurred. The failover default is 4 failures. |

Note: The default time to roll over after the primary WAN interface has failed is 2 minutes. The minimum test period is 30 seconds, and the minimum number of tests is 2.

5. Click Apply to save your settings.

You can configure the VPN firewall to generate a WAN status log and email this log to a specified address (see Configure Logging, Alerts, and Event Notifications on page 362).

Configure Secondary WAN Addresses

You can set up a single WAN Ethernet port to be accessed through multiple IPv4 addresses by adding aliases to the port. An alias is a secondary WAN address. One advantage is, for example, that you can assign different virtual IP addresses to a web server and an FTP server, even though both servers use the same physical IP address. You can add several secondary IP addresses to a single WAN port.

After you have configured secondary WAN addresses, these addresses are displayed on the following firewall rule screens:

- In the WAN Destination IP Address drop-down lists of the following inbound firewall rule screens:
  - Add LAN WAN Inbound Service screen
  - Add DMZ WAN Inbound Service screen
- In the NAT IP drop-down lists of the following outbound firewall rule screens:
  - Add LAN WAN Outbound Service screen
  - Add DMZ WAN Outbound Service screen

For more information about firewall rules, see Overview of Rules to Block or Allow Specific Kinds of Traffic on page 136.

Note: It is important that you ensure that any secondary WAN addresses are different from the primary WAN, LAN, and DMZ IP addresses that are already configured on the VPN firewall. However, primary and secondary WAN addresses can be in the same subnet. The following is an example of correctly configured IP addresses:

- Primary WAN1 IP address: 10.0.0.1 with subnet 255.0.0.0
- Secondary WAN1 IP: 30.0.0.1 with subnet 255.0.0.0
- Primary WAN2 IP address: 20.0.0.1 with subnet 255.0.0.0
- Secondary WAN2 IP: 40.0.0.1 with subnet 255.0.0.0
- DMZ IP address: 192.168.10.1 with subnet 255.255.255.0
- Primary LAN IP address: 192.168.1.1 with subnet 255.255.255.0
- Secondary LAN IP: 192.168.20.1 with subnet 255.255.255.0

To add a secondary WAN address to a WAN port:

1. Select Network Configuration > WAN Settings > WAN Setup. In the upper right of the screen, the IPv4 radio button is selected by default. The WAN Setup screen displays the IPv4 settings (see Figure 11 on page 31).

2. Click the Edit table button in the Action column of the WAN interface for which you want to add a secondary WAN address. The WAN IPv4 ISP Settings screen displays (see Figure 12 on page 32, which shows the WAN2 IPv4 ISP Settings screen as an example).

3. Click the Secondary Addresses option arrow in the upper right of the screen. The WAN Secondary Addresses screen displays for the WAN interface that you selected. (The following figure shows the WAN1 Secondary Addresses screen as an example and includes one entry in the List of Secondary WAN addresses table.)

Figure 25.

The List of Secondary WAN addresses table displays the secondary LAN IP addresses added for the selected WAN interface.

4. In the Add WAN Secondary Addresses section of the screen, enter the following settings:

   - IP Address. Enter the secondary address that you want to assign to the WAN port.
   - Subnet Mask. Enter the subnet mask for the secondary IP address.

5. Click the Add table button in the rightmost column to add the secondary IP address to the List of Secondary WAN addresses table.

6. (Optional) Repeat Step 4 and Step 5 for each secondary IP address that you want to add to the List of Secondary WAN addresses table.

To delete one or more secondary addresses:

1. In the List of Secondary WAN addresses table, select the check box to the left of the address that you want to delete, or click the Select All table button to select all addresses.

2. Click the Delete table button.