Demonstrate the Failover Multi-WAN Method and Policy-Based Routing
3. Configure the XTM device
Configure the External Interfaces
The configuration of the main and secondary external interfaces is the same as for Exercise 1. If you have completed Exercise 1, proceed to the next section.
If you have not completed Exercise 1, you must do so before you can proceed.
In the section “3. Configure the XTM Device,” on page 18, complete Steps 1–17 of Exercise 1.
Configure the Multi-WAN Method
1. In the Network Configuration dialog box, select the Multi-WAN tab.
2. From the Multi-WAN Configuration drop-down list, select Failover.
Figure 26: Select the Failover Multi-WAN method
3. Click Configure.
The Multi-WAN Failover Configuration dialog box appears.
Figure 27: The Multi-WAN Failover Configuration dialog box
Configure Link Monitor Target For the Main-Internet Interface
It is not necessary to configure a link monitor target for the Secondary-Internet connection.
When you do not configure link monitor targets for an external interface, the XTM device monitors the health of the interface by sending ICMP requests to the interface’s default gateway.
In a real-world installation, you would normally select public sites for the link monitor targets, based on a record of superior uptime.
1. On the Link Monitor tab, in the External Interfaces list, select Main-Internet and configure monitor targets for this external interface.
2. Set the ping target:
- Select the Ping check box.
- From the Ping drop-down list, select IP Address.
- In the Ping text box, type the IP address of the instructor’s FTP server: 50.50.50.2.
Figure 28: Ping target for monitoring the Main-Internet interface
3. Click OK.
Enable Logging of Allowed Packets For Policies
If you previously completed Exercise 1, you enabled logging of allowed packets for the Outgoing and FTP policies. Now we will use the same procedure to enable logging of allowed packets for the Ping and Outgoing policies.
1. Right-click or double-click the Ping policy and select Modify Policy to edit it.
The Edit Policy Properties dialog box appears.
2. Select the Properties tab and click Logging.
The Logging and Notification dialog box appears.
3. Select the Send log message check box to enable logging of allowed packets that the XTM device sends through this policy.
4. Click OK.
The Logging and Notification dialog box closes and the Edit Policy Properties dialog box appears.
5. Click OK.
The Edit Policy Properties dialog box closes and Policy Manager appears.
6. Right-click or double-click the Outgoing policy and select Modify Policy to edit it.
The Edit Policy Properties dialog box appears.
7. Select the Properties tab and click Logging.
The Logging and Notification dialog box appears.
8. Select the Send log message check box to enable logging of allowed packets that the XTM device sends through this policy.
9. Click OK.
The Logging and Notification dialog box closes and the Edit Policy Properties dialog box appears.
Exercises
10. Click OK.
11. Make sure Policy Manager uses the Details view.
If Policy Manager has large icons, right-click anywhere in the main Policy Manager window and select Details View.
You can also switch views using the View menu. Select View and then select Large Icons or Details.
Figure 29: Switch to Details View
12. Note that the Action column shows a Log icon for each policy that has logging enabled.
Figure 30: The Action column shows which policies have logging enabled
13. Click and save this configuration to the XTM device.
Or, select File > Save > To Firebox.
Enable Policy-based Routing For the Ping Policy
1. Double-click the Ping policy to edit it.
2. On the Policy tab, select the Use policy-based routing check box and configure as shown.
Figure 31: Enable policy-based routing for the Ping policy
3. From the Use policy-based routing drop-down list, select Main-Internet.
Do not enable failover in Step 4. This lets you see what happens when the policy-routing interface is not available.
4. Do not select the Failover check box.
5. Click OK.
6. Click and save this configuration to the XTM device.
Or, select File > Save > To Firebox.
Exercises
Enable Policy-based Routing For the Outgoing Policy
1. Double-click the Outgoing policy to edit it.
2. On the Policy tab, select the Use policy-based routing check box and configure as shown.
Figure 32: Enable policy-based routing for the Outgoing policy
3. From the Use policy-based routing drop-down list, select Main-Internet.
4. Select the Failover check box.
5. Click OK.
6. Click and save this configuration to the XTM device.
Or, select File > Save > To Firebox.
4. Demonstrate It
How the Demonstration Works
• First, you browse to several web sites using HTTP and HTTPS, and see the connections that go out the Main-Internet interface.
• Ping some external IP addresses to see the XTM device send the echo requests through the Main-Internet interface with the policy-based routing you enabled for the Ping policy.
• Your instructor will cause your XTM device Main-Internet interface to fail by causing pings to the link monitor target to fail.
• After the failover event, browse some web sites again to see the connections go out the Secondary-Internet interface.
• Your pings to external locations will fail, because you did not enable failover for the Ping policy’s policy-based routing.
Verify Outgoing Connections Use the Correct Interface
To make sure that your outgoing connections use the correct interface, connect to Firebox System Manager and then browse the Internet.
1. Open WSM and connect to your XTM device.
2. Select the XTM device and click the Firebox System Manager icon. Firebox System Manager appears.
3. Select the Traffic Monitor tab to begin monitoring traffic.
4. Use your browser to connect to some web sites. Visit several sites with HTTP and HTTPS addresses.
5. Watch Traffic Monitor to see log messages that show the outgoing connections using the Main-Internet interface.
Log messages like this appear in Traffic Monitor:
Allow 10.0.10.2 206.253.208.100 http/tcp 2892 443 1-Trusted 0-Main-Internet allowed, mss not exceeding 1460, idle timeout=43205 sec 48 128 (Outgoing-00) rt="MWAN" src_ip_nat="100.100.100.10" src_port_nat="10119"
The rt="MWAN" field indicates that Fireware XTM decided which external interface to use based only on the Multi-WAN method in use.
6. Ping some sites external to the XTM device. Log messages show that the echo requests go out the Main-Internet interface.
Log messages like this appear:
Allow 10.0.10.2 64.233.167.99 icmp-Echo 1-Trusted 0-Main-Internet allowed 60 128 (Ping-00) rt="PRO" src_ip_nat="100.100.100.10"
The "PRO" in this log message stands for Policy Routing Object. It signifies that the connection matched a policy that uses policy-based routing.
The instructor causes ICMP requests to your link monitor target to fail.
A log message like this appears in Traffic Monitor:
monitord No response from WAN Ping Target 100.0.254.2 on eth0
Remember that the number of failed probes is configurable. Three is the default.
After three probes fail, the XTM device sees that the Main-Internet interface is not available to send traffic.
A log message like this appears:
Target Probing on gateway 100.100.100.1 (gateway on eth0) failed
7. Browse to more web sites. Outgoing connections now use the Secondary-Internet interface.
Log messages like this appear in Traffic Monitor:
Allow 10.0.10.2 206.253.208.100 http/tcp 2892 443 1-Trusted 3-Secondary-Internet allowed, mss not exceeding 1460, idle timeout=43205 sec 48 128 (Outgoing-00) rt="MWAN"
src_ip_nat="50.50.50.10" src_port_nat="10119"
8. Send pings again to the external network. The XTM device drops the packets.
Log messages like this appear in Traffic Monitor:
Deny 10.0.10.2 64.233.167.99 icmp-Echo 1-Trusted 0-Secondary-Internet all gateways in policy routing are down, drop this packet 60 128 (internal policy)
This message appears because failover is not enabled for the Ping policy’s policy-based routing. If you enable failover for policy-based routing in Figure 31, the ping is allowed through the other interface.
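The following is an added example, not part of the WatchGuard course material: it parses constructed Traffic Monitor lines modeled on the messages shown in this exercise and flags the link monitor reaching its failed-probe threshold (three by default), the gateway failover, the change of outgoing interface for a policy, and the policy-routing drop. The sample lines and field layout follow the log messages above; the regular expressions are this example's own assumption about the format.

```python
import re
# Constructed sample Traffic Monitor output, modeled on the log messages in this exercise
SAMPLE_LOG = [
    'Allow 10.0.10.2 206.253.208.100 http/tcp 2892 443 1-Trusted 0-Main-Internet allowed, '
    'mss not exceeding 1460, idle timeout=43205 sec 48 128 (Outgoing-00) rt="MWAN"',
    'Allow 10.0.10.2 64.233.167.99 icmp-Echo 1-Trusted 0-Main-Internet allowed 60 128 (Ping-00) rt="PRO"',
    'monitord No response from WAN Ping Target 100.0.254.2 on eth0',
    'monitord No response from WAN Ping Target 100.0.254.2 on eth0',
    'monitord No response from WAN Ping Target 100.0.254.2 on eth0',
    'Target Probing on gateway 100.100.100.1 (gateway on eth0) failed',
    'Allow 10.0.10.2 206.253.208.100 http/tcp 2892 443 1-Trusted 3-Secondary-Internet allowed, '
    'mss not exceeding 1460, idle timeout=43205 sec 48 128 (Outgoing-00) rt="MWAN"',
    'Deny 10.0.10.2 64.233.167.99 icmp-Echo 1-Trusted 0-Secondary-Internet '
    'all gateways in policy routing are down, drop this packet 60 128 (internal policy)',
]
PROBE_RE = re.compile(r"No response from WAN Ping Target (\S+) on (\S+)")
FAILED_RE = re.compile(r"Target Probing on gateway (\S+) \(gateway on (\S+)\) failed")

def parse_traffic(line):
    """Pull the fields this exercise looks at out of an Allow/Deny line (None otherwise)."""
    parts = line.split()
    if parts[0] not in ("Allow", "Deny"):
        return None
    ifaces = re.findall(r"\b(\d+-[A-Za-z][\w-]*)", line)   # e.g. 1-Trusted, 0-Main-Internet
    rt = re.search(r'rt="(\w+)"', line)                    # MWAN = Multi-WAN method, PRO = policy routing
    policy = re.search(r"\(([^)]+)\)", line)
    return {"action": parts[0], "src": parts[1], "dst": parts[2], "proto": parts[3],
            "in_if": ifaces[0], "out_if": ifaces[1] if len(ifaces) > 1 else None,
            "policy": policy.group(1) if policy else None, "rt": rt.group(1) if rt else None,
            "pbr_down": "all gateways in policy routing are down" in line}

def analyze(lines, probe_threshold=3):
    """Return (event, detail) tuples: probe threshold reached, failover, interface changes, PBR drops."""
    events, misses, last_out = [], {}, {}
    for line in lines:
        if m := PROBE_RE.search(line):
            eth = m.group(2)
            misses[eth] = misses.get(eth, 0) + 1
            if misses[eth] == probe_threshold:       # three failed probes is the default
                events.append(("probe_threshold", f"{eth} target {m.group(1)}"))
        elif m := FAILED_RE.search(line):
            events.append(("failover", f"gateway {m.group(1)} on {m.group(2)}"))
        elif rec := parse_traffic(line):
            if rec["pbr_down"]:
                events.append(("pbr_drop", f"{rec['policy']}: {rec['proto']} {rec['src']} -> {rec['dst']}"))
            prev = last_out.get(rec["policy"])
            if prev and prev != rec["out_if"]:
                events.append(("out_if_changed", f"{rec['policy']}: {prev} -> {rec['out_if']}"))
            last_out[rec["policy"]] = rec["out_if"]
    return events
```

Running analyze(SAMPLE_LOG) reproduces the sequence of the demonstration: the monitor threshold, the gateway failover, the Outgoing policy moving to Secondary-Internet, and the Ping policy drop.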