
WatchGuard Certified Training

Fireware XTM Advanced Networking


Fireware XTM and WatchGuard System Manager v11.6

Revised: August 2012


Updated for: Fireware XTM v11.6.1

Disclaimer
Information in this guide is subject to change without notice. Companies, names, and data used in examples herein are fictitious unless otherwise noted. No part of this guide may be reproduced or transmitted in any form or by any means, electronic or mechanical, for any purpose, without the express written permission of WatchGuard Technologies, Inc.

Copyright and Patent Information


Copyright 2012 WatchGuard Technologies, Inc. All rights reserved. WatchGuard, Firebox, Fireware, LiveSecurity, and spamBlocker are either registered trademarks or trademarks of WatchGuard Technologies, Inc. in the United States and other countries. This product is covered by one or more pending patent applications. All other trademarks and tradenames are the property of their respective owners. Printed in the United States.

TRAINING www.watchguard.com/training training@watchguard.com

SUPPORT www.watchguard.com/support support@watchguard.com U.S. and Canada +877.232.3531 All Other Countries +1.206.613.0456


WatchGuard Fireware XTM Training

Table of Contents

Course Introduction 1
  Training Overview 1
  Necessary Equipment and Software 1
  Classroom Network Configuration 2
    Student XTM Device IP Addresses 2
    Instructor XTM Device Network Configuration 3
    Configuration Changes for the Instructor XTM Device 5
    (Optional) Set Up a Server to Host FTP and HTTP Downloads 6

Traffic Management 7
  What You Will Learn 7
  Control Bandwidth Use with Traffic Management Actions 7
    About Outgoing Interface Bandwidth 8
    About Traffic Management Actions 8
  Control Traffic Priority with QoS 8
    About Interface QoS Settings 8
    About Policy QoS Settings 8
    About Traffic Priority 9
  Exercise 1: Use a Traffic Management Action to Guarantee Bandwidth 10
    Enable Traffic Management and QoS 10
    Define Outgoing Interface Bandwidth 10
    Create a Traffic Management Action 11
    Modify Policy Configuration 12
    Set Up Service Watch 13
    See the Results of the Configuration 13
  Exercise 2: Use a Traffic Management Action to Limit Bandwidth 16
    Re-Define Outgoing Interface Bandwidth 16
    Create a Traffic Management Action 16
    Modify Policy Configuration 17
    See the Results of the Configuration 18
  Exercise 3: Use QoS to Mark and Prioritize Traffic 21
    Before You Begin 21
    Enable Prioritization by QoS Marking on Interfaces 21
    Prioritize Traffic by Policy 22
    See the Results of the Configuration 23
  What You Have Learned 24

Using VLANs in Fireware XTM 25
  Introduction 25
    What You Will Learn 25
    Course Outline 25
    What VLANs Can Do For You 25
  Terms and Concepts You Should Know 26
  VLAN Requirements and Recommendations 27
  Before You Begin 28
    Firewall Configuration 28
    Necessary Equipment and Services 28
    Configuring the VLAN Switch 29
  Exercise 1: Two VLANs on the Same XTM Device Interface 30
    When to Use this Configuration 30
    Network Topology 30
    Configure the XTM Device 31
    Configure the Switch 34
    Physically Connect all Devices 35
    Test the Configuration 35
  Exercise 2: One VLAN Bridged Across Two XTM Device Interfaces 36
    When to Use this Configuration 36
    Network Topology 37
    Configure the XTM Device 37
    Configure the Switch 40
    Physically Connect all Devices 41
    Test the Configuration 41
  Exercise 3: One VLAN Bridged Across Two XTM Device Interfaces (Alternate Configuration) 42
    When to Use This Configuration 42
    Network Topology 42
    Configure the XTM Device 43
    Configure the Switches 46
    Physically Connect All Devices 47
  Exercise 4: Two VLANs as External Interfaces on the Same XTM Device 48
    When to Use this Configuration 48
    Network Topology 48
    Configure the XTM Device 49
    Configure the Switch 52
    Physically Connect All Devices 52
    Test the Configuration 52
  Using VLANs in XTM Device Policies 53
    Apply Firewall Policies to Intra-VLAN Traffic 53
    Aliases 53
  Frequently Asked Questions 55
  What You Have Learned 55

Fireware XTM Multi-WAN Methods 57
  Introduction 57
    What You Will Learn 57
    Exercises 57
    What Multi-WAN Can Do For You 57
  Terms and Concepts You Should Know 58
    Outgoing Traffic and Multi-WAN 58
    Incoming Traffic 58
    IPSec VPN Traffic 58
    Equal-Cost Multi-Path Routing (ECMP) 58
    Sticky Connections 59
    Load Balancing Interface Group (LBIG) 59
    Policy-Based Routing 60
    Link Monitor Settings 60
    Failover/Failback 61
  The Round-Robin Multi-WAN Method 62
    When to Use It 62
    How It Works 62
    Calculate weights for Round-robin 63
    How to Configure It 64
    When an External Interface Fails 65
  The Failover Multi-WAN Method 66
    When to Use It 66
    How it Works 66
    How to Configure It 66
    When an External Interface Fails 66
  The Interface Overflow Multi-WAN Method 67
    When to Use It 67
    How it Works 67
    How to Configure It 67
    When an External Interface Fails 67
  The Routing Table Multi-WAN Method 68
    When to Use It 68
    How it Works 68
    How to Configure It 68
    When an External Interface Fails 68
  Before You Begin 69
    Necessary Equipment and Services 69
    Management Computer Configuration 69
    Firewall Configuration 70
    Bandwidth Available at Each External Interface 70
    Physically Connecting your Devices 70
  Exercise 1: Demonstrate the Interface Overflow Multi-WAN Method and Sticky Connections 71
    When to Use the Interface Overflow Method 71
    Network Topology 71
    Configure the XTM Device 72
    Demonstrate It 77
  Exercise 2: Demonstrate the Failover Multi-WAN Method and Policy-Based Routing 81
    When to Use the Failover Method 81
    Network Topology 81
    Configure the XTM Device 82
    Demonstrate It 86
  Frequently Asked Questions 88
  Appendix 89
    How Fireware XTM Makes Multi-WAN Routing Decisions For Outbound Traffic 89
    Multi-WAN Routing Decision Flow Chart 90
  What You Have Learned 92

Routing 93
  Introduction 93
    What You Will Learn 93
  Terms and Concepts You Should Know 94
    Route 94
    Router 94
    Routing Table 94
    Routing Protocol 94
    Convergence Time 95
  Decide Which Type of Routing to Use 96
    Static vs. Dynamic Routing 96
    Supported Dynamic Routing Protocols 96
  Dynamic Routing Policies 97
  Network Link Types 97
    A Common Cause of Routing Inconsistency 100
  Failover from a Dynamic Route to a Branch Office VPN 101
  Monitoring Tools 102
    The Status Report 102
    Diagnostic Logging 103
  Exercise 1: Configure Static Routing Over a Point-to-Point Link 104
    Add a Static Route to the Site A Device 105
    Add a Static Route to the Site B Device 106
    Review the Routing Tables 107
    Test the Static Route 107
    The Downside to Using Only Static Routes 108
  Exercise 2: Configure Dynamic Routing over a Point-to-Point Link 109
    Network Topology 109
    Remove the Static Routes 109
    Configure Dynamic Routing with OSPF 110
    Review the Routing Table 111
    Add a New Network at Site B 112
  Exercise 3: Configure Static Routing Over a Multi-Hop Link 114
    Network Topology 114
    Before You Begin 114
    Configure the Peer Interfaces 115
    Configure Static Routes Between the Trusted Networks at Each Site 115
    Test the Static Route 117
  Exercise 4: Dynamic Routing Over a Multi-Hop Link 118
    Before You Begin 118
    Configure Static Routes Between the Peer Interfaces 119
    Configure Dynamic Routing with BGP 122
    Review the Routing Table 123
    Test the Static Route 123
  What You Have Learned 124

FireCluster 125
  Introduction 125
    What You Will Learn 125
  About FireCluster 125
  Terms and Concepts You Should Know 126
    Cluster Member 126
    Active/Active Cluster 126
    Active/Passive Cluster 126
    Load Balance Methods 126
    Cluster ID 127
    Cluster Interface 127
    Cluster Interface IP Address 127
    Management Interface 128
  About Failover 128
    Causes of FireCluster Failover 128
    What Happens During a Failover 129
  Monitoring Tools 129
    Firebox System Manager 129
    Diagnostic Logging 130
  FireCluster Requirements 131
    Hardware Requirements 131
    License Requirements 131
    Network Configuration Requirements 131
    Switch and Router Requirements 131
    FireCluster Pre-Configuration Checklist 133
  Exercise 1: Set Up an Active/Passive Cluster 134
    Configure the External Interface to Use a Static IP Address 134
    Configure the Trusted Interface 135
    Disable Unused Network Interfaces 136
    Decide Which Interfaces and Interface Address to Use 137
    Connect the Cables 137
    Run the FireCluster Setup Wizard 138
    Discover the Second Cluster Member 145
  Exercise 2: Monitor Cluster Status 147
    Monitor the Cluster 147
    Monitor a Cluster Member 148
  Exercise 3: Test FireCluster Failover 149
    Force a Failover from Firebox System Manager 149
    Trigger a Failover Due to Link Status 149
    Use the Backup Cluster Interface 149
    Trigger a Failover Due to Power Failure 150
    Test Failover with Network Traffic 150
  What You Have Learned 150


Course Introduction
This training is for:

Devices: WatchGuard XTM 2 Series / XTM 3 Series / XTM 5 Series / XTM 8 Series / XTM 1050 / XTM 2050
Device OS versions: Fireware XTM v11.6.1, and Fireware XTM v11.6.1 with a Pro upgrade
Management software versions: WatchGuard System Manager v11.6.1

Training Overview
The WatchGuard Fireware XTM Advanced Networking Guide covers these topics:
- Traffic Management and QoS
- VLAN
- Multi-WAN
- Routing
- FireCluster

About Side Notes
Side notes are extra information that is not necessary to understand the training. They might be configuration or troubleshooting tips, or extra technical information.

This course assumes that you have completed the Fireware XTM Basics course and that you know how to set up and configure basic networking features. This Course Introduction describes the software, hardware, and network environment required to complete the exercises in this training courseware.

Necessary Equipment and Software


Because this course includes advanced networking exercises, the training environment must include the following network equipment. If you do not have all of this equipment, you will not be able to complete all of the exercises in this course.
- One WatchGuard XTM 5 Series or higher device for each student
- One WatchGuard XTM device configured by the instructor as the default gateway
- Fireware XTM v11.6.1 or higher with a Pro upgrade installed on each XTM device
- One Windows computer per student, with WatchGuard System Manager v11.6.1 or later installed
- Three network hubs or switches, each with enough interfaces for the instructor and all of the student XTM devices to connect:
  - One switch is the primary external network for the student devices
  - One switch is the secondary external network (WAN2) for the student devices in the Multi-WAN exercises
  - One switch is used for the multi-hop link in the Routing exercises
- Two VLAN switches per student, for VLAN exercises
- FTP Server (optional for some exercises)

Classroom Network Configuration


The exercises in this course are designed using RFC 5737 documentation IP addresses to represent public network IP addresses. The exercises in this training assume the following classroom network configuration:

Figure 1: Training network configuration

Student XTM Device IP Addresses


Students may be assigned a number (10, 20, 30, etc.) to identify the last IP address octet for their external addresses, or the third octet for internal addresses on their devices. This allows for similar configuration among devices and prevents IP address conflicts and subnet overlap. The student devices are configured with these addresses, where X is the student number:
- Eth0, External (WAN1): 203.0.113.X/24, default gateway 203.0.113.1
- Eth1, Trusted: 10.0.X.1/24
- Eth2, Optional: 172.16.X.1/24
- Eth3, External or VLAN: configuration varies by exercise


The student number is also used in the FireCluster exercises as the cluster ID. We recommend that you assign student numbers in increments of at least 10, so the cluster ID does not create a virtual MAC address conflict between multiple FireClusters. In the exercises, your external interface and trusted interface IP addresses are determined by your student number. Replace the X in the exercises with your student number.

Instructor XTM Device Network Configuration


Several interfaces on the instructor XTM device must be configured to support the exercises in this course. The instructor XTM device acts as the default gateway for the primary student external network, 203.0.113.0/24. For the Multi-WAN exercises that require a second external network, we use 198.51.100.1/24. The instructor device acts as the default gateway for both of these networks. The instructor XTM device is configured with these addresses:
- Eth0 (External): Use appropriate addressing for a training environment with an Internet connection.
- Eth1 (Trusted): 203.0.113.1/24. The default gateway for the primary external interface on student devices.
- Eth2 (VLAN): Sends and receives untagged traffic for VLAN10. Also used as the default gateway for the secondary external interface on student devices when a second WAN interface is configured.
- Eth3 (VLAN): Sends and receives tagged traffic for VLAN10 and VLAN20. Used when students configure a VLAN with an external interface.
- Eth4 (Trusted): 172.16.10.1/30 as the primary IP address, and 172.16.X.1/30 as secondary addresses for the optional networks on each student device. Used to simulate a multi-hop link for some dynamic routing exercises.
You must also configure a DNS server, in the Network > Configuration > WINS/DNS tab, to allow DNS to operate from the training environment.

Figure 2: Instructor XTM device network interfaces configuration


The instructor device must have 2 VLANs configured:
- VLAN10: Trusted, 198.51.100.1/24, ID 10, untagged on eth2, tagged on eth3
- VLAN20: Trusted, 192.0.2.1/24, ID 20, tagged on eth3

Figure 3: Instructor XTM device VLAN configuration

The instructor device must have addresses defined on eth4 for the optional networks for all student devices. These are used for the multi-hop dynamic routing exercises.
- Primary (for the Optional network of student 10): 172.16.10.1/30
- Secondary (for the Optional network of students 20 and higher): 172.16.X.1/30

Figure 4: Secondary IP addresses for Eth4 on the instructor device, for a total of 8 students


Configuration Changes for the Instructor XTM Device


To make the training network functional for these exercises, the instructor must make three more configuration changes to the instructor XTM device.

1. Create an Any policy to allow traffic between the trusted interfaces.

Figure 5: Any policy configuration for the instructor XTM device

2. To enable access to the Internet, update the settings in Network > NAT > Dynamic NAT to add a dynamic entry for Any-Trusted - Any-External. Or, you can add dynamic NAT rules from RFC 5737 addresses to Any-External (for example, add a dynamic NAT rule for 203.0.113.0/24 - Any-External).

Figure 6: NAT configuration for the instructor XTM device


3. To configure the instructor XTM device to simulate a multi-hop link for the routing exercises, you must add static routes to route traffic to the trusted network on each student device. The next hop for each is the IP address of the optional interface on each student device.
The gateway corresponds to the primary and secondary networks defined for Eth4 on the instructor device.

Figure 7: Static route configuration for the instructor XTM device for a class with 8 students.

(Optional) Set Up a Server to Host FTP and HTTP Downloads


Several of the exercises in this courseware require that the students download a file from an FTP server or browse to a web site to observe the results of a configuration change. If your training environment does not have Internet access, you can use the following steps to build an FTP server and a web server on an existing Windows 2003 Server on your network that students can use for the exercises.

1. Connect the server's network card to the same hub or switch that connects the device external interface to the Internet router. Usually, you would connect your device directly to the LAN interface of your Internet router. For this exercise, you must use a hub or switch to connect the Windows 2003 Server to the external network of the device.
2. Set up the FTP server. For more information, see this Microsoft article: http://support.microsoft.com/kb/323384.
3. Create a 350 MB text file named 350mbfile.txt and save it in the ftproot folder. The default location for this folder is c:\inetpub\ftproot. To create a file in Windows, at the Command Prompt, type the fsutil command:
    fsutil file createnew c:\inetpub\ftproot\350mbfile.txt 358400000

4. Set up the web server on your Windows 2003 Server. For more information, see this Microsoft article: http://support.microsoft.com/kb/324742.
5. Copy the 350mbfile.txt file from the C:\inetpub\ftproot directory to the C:\inetpub\wwwroot directory.


Traffic Management
Traffic Shaping and Prioritization
What You Will Learn
Many organizations have mission-critical, real-time network applications that must take priority over other traffic. You can use bandwidth restrictions and reservations, together with prioritization, to make sure critical applications have the bandwidth they need. In this module, you learn how to:
- Create Traffic Management actions to guarantee or restrict bandwidth
- Prioritize traffic by QoS marking or policy
- Use Service Watch to see your changes at work

All exercises in this course module were designed for a controlled environment using a LAN network. Real-world tests introduce volatility and latency associated with the Internet. Tests run in such an environment can produce unexpected results.

Control Bandwidth Use with Traffic Management Actions


Although the XTM device has no control over the rate at which packets arrive at a given interface, you can use traffic management settings to:

Guarantee bandwidth
A traffic management action with reserved bandwidth works with the Outgoing Interface Bandwidth to prevent other traffic from consuming the bandwidth allocated to policies using this action when needed, and to keep it available for other traffic when not needed.

Limit bandwidth
Some network traffic is not negatively affected by restricted bandwidth or short delays. A traffic management action that restricts bandwidth for these connections can prevent line saturation, and can keep bandwidth available for other applications. Maximum bandwidth limits can also help regulate total volume of data transfer over time to help your organization keep WAN usage within monthly quotas.

Traffic Management in Fireware XTM uses the configuration settings Outgoing Interface Bandwidth and Traffic Management actions. To use these features, you must understand how each setting works and how they can be used together.

About Outgoing Interface Bandwidth


Before you use traffic management features, you must give each interface a bandwidth limit, known as Outgoing Interface Bandwidth. This limit is applied to the traffic that is transmitted by that interface. For example, you could set the Outgoing Interface Bandwidth on the external interface when you upload files to a remote FTP server on the Internet. For downloads initiated from the trusted interface, you could set Outgoing Interface Bandwidth on the trusted interface. If you give an interface a bandwidth limit, Fireware XTM refuses packets that exceed the limit. Also, Policy Manager gives a warning if you go over these limits when you create or adjust Traffic Management actions. When you set Outgoing Interface Bandwidth on the external interface, you should set your LAN interface bandwidth based on the minimum link speed supported by your LAN infrastructure.
For the Outgoing Interface Bandwidth setting and other Traffic Management actions, make sure to set your speeds in kilobits or megabits per second (Kbps or Mbps) rather than kilobytes or megabytes per second (KBps or MBps).

About Traffic Management Actions


Fireware XTM uses a high-performance, class-based queueing method known as Hierarchical Token Bucket to regulate bandwidth. Traffic Management actions can enforce an absolute maximum bandwidth limit or guarantee a minimum bandwidth for traffic leaving each interface. All policies that use the same Traffic Management action share that action's bandwidth settings.

Control Traffic Priority with QoS


Although the XTM device has no control over the QoS marking of packets that arrive at a given interface, you can use QoS settings to:

Manage QoS Marking by interface or policy
Fireware XTM supports two types of QoS marking: IP Precedence (also known as Type of Service) and Differentiated Service Code Point (DSCP). You can use QoS Marking on a per-interface or per-policy basis. When you define QoS Marking for an interface, packets leaving that interface are marked. QoS Marking for a policy marks traffic that uses the policy and overrides any QoS Marking configured on an interface.

Prioritize traffic based on QoS Marking
Traffic prioritization using QoS Marking allows the firewall to operate as part of a network-wide QoS solution. Prioritization in Fireware XTM is equivalent to ToS levels 0 to 7, where 0 is routine priority (default) and 7 is the highest priority, using strict priority queuing.

Assign custom levels of priority to policies
Custom prioritization by policy allows you to override the priority that would be given by QoS marking, without modifying the marking itself. This enables Fireware XTM to raise or lower the priority of traffic within a policy without affecting how the packet is prioritized on the rest of the network.

About Interface QoS Settings


On each interface, you can configure a QoS marking type: IP Precedence (ToS) or DSCP. You can then choose to Preserve the existing marking, Clear the existing marking, or Assign a new one. Remember that the QoS Marking behavior occurs for packets leaving the interfaces and does not apply to packets entering the interface. Interfaces set to Prioritize traffic based on QoS Marking will use the marking configuration for prioritization.

About Policy QoS Settings


Within each policy, you can override the per-interface QoS settings. In addition to the QoS Marking options, you can also configure prioritization by a custom ToS value, which gives this policy a different priority than the QoS Marking would, without modifying the marking itself.


About Traffic Priority


The networking industry has many different algorithms to prioritize network traffic. Fireware XTM uses strict priority queuing to handle priority. Prioritization in Fireware XTM is equivalent to ToS levels 0 to 7, where 0 is routine priority (default) and 7 is the highest priority. When enabled, traffic prioritization always occurs, but there is nothing to prioritize until the XTM device interface has queued traffic. You can set traffic priority for each policy on the QoS tab of the policy's Advanced tab. Use this table as a guideline when you assign priorities:

While DSCP can be configured for QoS marking, the ToS equivalent Class Selector value is used for prioritization. This gives the IP Precedence, DSCP, and Custom Value options equivalent 0-7 priorities. For more information on QoS, see the Fireware XTM WatchGuard System Manager Help.
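To make the relationship between the marking and the 0-7 priority concrete, here is an added Python model (example code, not WatchGuard's implementation): it extracts IP Precedence and the DSCP Class Selector from a ToS byte, applies a preserve/clear/assign marking action, lets a policy Custom Value override the priority without touching the marking, and drains queued packets with strict priority queuing. The bit-level marking behaviour and the sample packets are assumptions constructed for the example.

```python
"""Added model (not WatchGuard code) of the QoS behaviour described above: derive the
0-7 priority from an IP Precedence or DSCP marking, apply a preserve/clear/assign
marking action, let a policy Custom Value override the priority without touching
the marking, and drain a congested interface with strict priority queuing."""
from collections import deque


def precedence_from_tos(tos_byte):
    """IP Precedence is the top 3 bits of the 8-bit ToS byte (RFC 791)."""
    if not 0 <= tos_byte <= 0xFF:
        raise ValueError("ToS byte out of range")
    return tos_byte >> 5


def dscp_from_tos(tos_byte):
    """DSCP is the top 6 bits of the ToS byte; the low 2 bits are ECN."""
    return (tos_byte & 0xFF) >> 2


def class_selector_from_dscp(dscp):
    """The Class Selector is the top 3 bits of the 6-bit DSCP (RFC 2474). They are
    the same bits as IP Precedence, so a DSCP marking lands on the same 0-7 scale."""
    if not 0 <= dscp <= 63:
        raise ValueError("DSCP out of range")
    return dscp >> 3


def mark_tos(tos_byte, action, precedence=None, dscp=None):
    """Marking action for a packet leaving an interface or matching a policy:
    'preserve' keeps the byte, 'clear' zeroes the DSCP bits (ECN kept), 'assign'
    writes a new IP Precedence or DSCP. Rewriting only those bits is an assumption."""
    if action == "preserve":
        return tos_byte
    if action == "clear":
        return tos_byte & 0x03
    if action == "assign":
        if precedence is not None:
            if not 0 <= precedence <= 7:
                raise ValueError("precedence out of range")
            return (precedence << 5) | (tos_byte & 0x1F)
        if dscp is not None:
            return (dscp << 2) | (tos_byte & 0x03)
    raise ValueError("unknown marking action")


def policy_priority(tos_byte, custom_value=None):
    """Queue priority for a packet: a policy Custom Value (0-7) overrides what the
    marking would give; the marking itself is left unchanged."""
    if custom_value is not None:
        if not 0 <= custom_value <= 7:
            raise ValueError("custom value out of range")
        return custom_value
    return precedence_from_tos(tos_byte)


class StrictPriorityQueue:
    """Eight FIFO queues; dequeue always serves the highest non-empty level first."""

    def __init__(self):
        self._levels = {p: deque() for p in range(8)}

    def enqueue(self, packet, priority):
        self._levels[priority].append(packet)

    def dequeue(self):
        for p in range(7, -1, -1):
            if self._levels[p]:
                return self._levels[p].popleft()
        return None


def drain_order(packets):
    """packets: (name, tos_byte, custom_value_or_None) tuples queued on one congested
    interface. Returns the names in the order strict priority queuing sends them."""
    queue = StrictPriorityQueue()
    for name, tos, custom in packets:
        queue.enqueue(name, policy_priority(tos, custom))
    order = []
    packet = queue.dequeue()
    while packet is not None:
        order.append(packet)
        packet = queue.dequeue()
    return order


# Constructed sample, not a capture: FTP left at Routine, HTTP and DNS assigned
# IP Precedence 2 (Immediate) as in Exercise 3, plus one DSCP EF (46) packet.
SAMPLE_PACKETS = [
    ("ftp", mark_tos(0x00, "preserve"), None),
    ("http", mark_tos(0x00, "assign", precedence=2), None),
    ("voip", mark_tos(0x00, "assign", dscp=46), None),
    ("dns", mark_tos(0x00, "assign", precedence=2), None),
]

if __name__ == "__main__":
    for name, tos, _ in SAMPLE_PACKETS:
        print(f"{name:5s} tos=0x{tos:02x} priority={precedence_from_tos(tos)}")
    print("strict priority send order:", drain_order(SAMPLE_PACKETS))
```

Packets at the same priority stay in arrival order, which is why HTTP and DNS keep their relative order while the EF-marked packet jumps ahead and the unmarked FTP packet is served last.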


Exercise 1:

Use a Traffic Management Action to Guarantee Bandwidth

Some applications require a minimum bandwidth to operate smoothly and effectively. Real-time connections can be disrupted if other applications begin to transmit data. For example, a large FTP download could degrade or disrupt an HTTP session during bandwidth saturation, which could result in choppy video in a YouTube download. This exercise shows how to guarantee minimum bandwidth that is shared between more than one policy. When configured this way, all policies compete for the same bandwidth.

Requirements for this exercise:
- One computer connected to the XTM device trusted interface.
- An HTTP and FTP server connected to the external interface with a switch, or Internet access.
- Each XTM device must be configured using the WAN1 and Trusted interface configuration described in the Course Introduction.

Enable Traffic Management and QoS


1. Select Setup > Global Settings.
The Global Settings dialog box appears.

2. Select the Enable all traffic management and QoS features check box. Click OK. You must complete this step before you can configure any Traffic Management settings.

Define Outgoing Interface Bandwidth


Because your computers on the trusted network download files from a server on the external network, you define Outgoing Interface Bandwidth on the device trusted interface. You do not need to define Outgoing Interface Bandwidth on the external interface for this exercise.

1. Select Network > Configuration


The Network Configuration dialog box appears.

2. In the Interfaces list, select Trusted (Interface 1). Click Configure.


The Interface Settings dialog box appears.

3. Select the Advanced tab.


4. Set the Outgoing Interface Bandwidth to 1500 Kbps. Click OK.

This setting will limit the Trusted interface to transmit at this rate.

5. Click OK to close the Network Configuration dialog box and return to Policy Manager.

Create a Traffic Management Action


1. Select Setup > Actions > Traffic Management.
The Traffic Management Actions dialog box appears.

2. To create a Traffic Management action, click Add.


The New Traffic Management Action Configuration dialog box appears.

3. In the Name text box, type Min500Kbps.


We will use this action to guarantee bandwidth for a group of policies.

4. Click Add.
An interface appears in the Bandwidth configuration for outgoing traffic list.

5. From the Interface drop-down list, select Trusted.


6. In the Minimum Guaranteed Bandwidth column, double-click the cell adjacent to Trusted and type 500.
7. Click OK.
8. Click Close to return to Policy Manager.

Modify Policy Configuration


1. Click the Add Policy icon. Or, select Edit > Add Policy.
The Add Policies dialog box appears.

2. Expand the Packet Filters folder and select HTTP. Click Add.
The New Policy Properties dialog box appears.

3. Select the Advanced tab.
4. From the Traffic Management drop-down list, select Min500Kbps.

5. Click OK to return to the Add Policies dialog box.


The Add Policies dialog box appears.

6. In the Packet Filters list, select DNS.


Make sure you do not select DNS-proxy in the Proxies list.

7. Click Add.
The New Policy Properties dialog box appears.

8. Select the Advanced tab.
9. From the Traffic Management drop-down list, select Min500Kbps.
10. Click OK to return to the Add Policies dialog box. Click Close.
11. Right-click the Outgoing policy and select Disable Policy.

The HTTP and DNS policies now use the same Traffic Management action. The Outgoing policy is disabled.

12. Save the configuration to the XTM device.



Set Up Service Watch


1. Open WatchGuard System Manager and connect to your device.
2. Start Firebox System Manager, and select the Service Watch tab.
3. Right-click anywhere in the window and select Settings.
The Settings dialog box appears.

4. From the Chart Type drop-down list, select Bandwidth.
5. From the Graph Scale drop-down list, keep the default setting, Auto-Scale.
6. In the Show list, select all policies not used in this exercise and click Remove. Keep only the DNS, FTP, and HTTP policies.
7. Click OK.
The Service Watch tab now shows data for only the DNS, FTP, and HTTP policies.

See the Results of the Configuration


Both the DNS and the HTTP policy use the same Traffic Management action, Min500Kbps. When necessary, the policies that use this action will have a minimum of 500Kbps between them, otherwise this bandwidth will be available for other policies.

1. Close all programs. Results can vary if other applications on your computer have access to the network.
2. With your computer connected to the trusted interface, start an FTP session to download a large file. If you are unable to identify a sufficient public FTP resource, follow the previous steps to set up a server on your external interface. You can use either the command line, Internet Explorer, or an FTP client of your choice to make the connection.


3. Select the Service Watch tab. The graph shows that the FTP transfer takes all of the available bandwidth. This should be approximately equal to the value you set for Outgoing Interface Bandwidth on the Trusted interface (1500 Kbps).

4. On the same computer you used for the FTP transfer, start watching a YouTube video or your favorite HTTP video site. If you use a local web server, to use the 350MB file in the root of C:\inetpub\wwwroot folder, use this URL:
http://<web server IP address>/350mbfile.txt

Make sure the FTP transfer is still active before you start the HTTP transfer.


5. In Service Watch, look at the amount of bandwidth that is used by both policies. After you start the HTTP transfer, the amount of bandwidth used by the FTP transfer is reduced, to allow at least 500Kbps for DNS and HTTP.


Exercise 2:

Use a Traffic Management Action to Limit Bandwidth

When you use multiple internal interfaces, it might not be appropriate to reduce the Outgoing Interface Bandwidth on a Trusted or Optional interface, because this would prevent transfers between internal interfaces from using their link speed. You can achieve similar results by restricting the bandwidth of policies that would consume bandwidth needed for more important business functions. This exercise is intended to be completed after Exercise 1 and follows the same requirements.

Re-Define Outgoing Interface Bandwidth


Because your computers on the trusted network download files from a server on the external network, you define Outgoing Interface Bandwidth on the device trusted interface. You do not need to define Outgoing Interface Bandwidth on the external interface for this exercise.

1. Select Network > Configuration


The Network Configuration dialog box appears.

2. In the Interfaces list, select Trusted (Interface 1). Click Configure.


The Interface Settings dialog box appears.

3. Select the Advanced tab.

4. Set the Outgoing Interface Bandwidth to 0 Kbps.
5. Click OK.


When you select 0 Kbps, Fireware XTM uses the physical link speed to determine the available bandwidth.

6. Click OK to close the Network Configuration dialog box and return to Policy Manager.

Create a Traffic Management Action


We will use this action to limit bandwidth for a group of policies.

1. Select Setup > Actions > Traffic Management.


The Traffic Management Actions dialog box appears.

2. In the Name text box, type Max1000Kbps.
3. Click Add.


An interface appears in the Bandwidth configuration for outgoing traffic list.


4. To create a Traffic Management action, click Add.

5. From the Interface drop-down list, select Trusted.
6. In the Maximum Bandwidth column, double-click the cell for the Trusted interface and type 1000.
7. Click OK.
8. Click Close to return to Policy Manager.

Modify Policy Configuration


1. Double-click the FTP policy. Or, select the FTP policy, and select Edit > Modify Policy.
The Edit Policy Properties dialog box appears.

2. Select the Advanced tab.

3. From the Traffic Management drop-down list, select Max1000Kbps.
4. Click OK to return to the Edit Policy dialog box. Click OK.
The FTP policy is now limited to a maximum of 1000Kbps.

5. Save the configuration to the XTM device.


See the Results of the Configuration


With the FTP policy restricted to 1000Kbps, other policies will have the remaining bandwidth available. If we assume that the downstream bandwidth of the external interface was 1500Kbps, this configuration leaves 500Kbps available for HTTP and DNS. While this configuration does not restrict the Trusted interface to 1500Kbps, the FTP policy cannot use additional bandwidth, even if it is available.

1. Close all programs. Results can vary if other applications on your computer have access to the network.
2. With your computer connected to the trusted interface, start an FTP session to download a large file. If you are unable to identify a sufficient public FTP resource, follow the steps in Exercise 1 to set up a server on your external interface. You can use either the command line, Internet Explorer, or an FTP client of your choice to make the connection.
3. Open Firebox System Manager and select the Service Watch tab. The graph shows that the FTP transfer takes only the allotted bandwidth (1000Kbps).

4. On the same computer you used for the FTP transfer, start watching a YouTube video or your favorite HTTP video site. If you use a local web server, to use the 350MB file in the root of C:\inetpub\wwwroot folder, use this URL: http://<web server IP address>/350mbfile.txt
Make sure the FTP transfer is still active before you start the HTTP transfer.


5. In Service Watch, look at the amount of bandwidth that is used by both policies. After you start the HTTP transfer, the amount of bandwidth used by the FTP transfer could be reduced, however 500Kbps is available for the HTTP and DNS connections.

6. Now, apply the Max1000Kbps Traffic Management action to the HTTP policy.
The traffic management action is applied to the combined bandwidth of all policies where it is assigned.


7. Start additional HTTP and FTP connections while you monitor Service Watch.

The traffic management action is applied to the combined bandwidth of the FTP and HTTP policies to which it is assigned.


Exercise 3:

Use QoS to Mark and Prioritize Traffic

Bandwidth reservation and restriction can be useful to ensure performance when the bandwidth requirements are known. When the bandwidth necessary for a critical application is variable or otherwise unknown, Quality of Service (QoS) allows you to prioritize traffic despite the uncertainty. The requirements for this exercise are the same as for Exercises 1 and 2. If you have completed a previous exercise, disable any traffic management action applied to your policies.

Before You Begin


Before you begin this exercise, you must:
- Enable Traffic Management and QoS features
- Disable previous Traffic Management actions
- Disable the Outgoing policy
- Configure HTTP, FTP, and DNS policies
- Configure Service Watch to monitor only the DNS, HTTP, and FTP packet filter policies

If you have not already completed these steps, see the previous procedures in Exercises 1 and 2.

Enable Prioritization by QoS Marking on Interfaces


1. Select Network > Configuration
The Network Configuration dialog box appears.

2. In the Interfaces list, select Trusted (Interface 1). Click Configure.


The Interface Settings dialog box appears.

3. Select the Advanced tab.
4. Select the Prioritize traffic based on QoS Marking check box.
This setting enables the prioritization of queued packets as they egress from the interface. From here, the markings can be cleared, preserved, or a new IP Precedence or DSCP marking can be applied.

5. Set the Outgoing Interface Bandwidth to 1500 Kbps. Click OK.


This restricts throughput to make sure that queuing occurs on the trusted interface to illustrate the use of prioritization.


6. In the Interfaces list, select External (Interface 0). Click Configure.


The Interface Settings dialog box appears.

7. Select the Advanced tab.

8. Select the Prioritize traffic based on QoS Marking check box.
9. Click OK.
10. Click OK to close the Network Configuration dialog box and return to Policy Manager.

Prioritize Traffic by Policy


1. Double-click the HTTP policy.
The Edit Policy Properties dialog box appears.

2. Select the Override per-interface settings check box.
3. Select the Advanced tab.
Note that the same QoS marking options seen within interface configuration are available by policy. Also, if you want to mark packets for your network at a value different from your prioritization, you can prioritize traffic by Custom Value and choose a higher or lower priority than the marking.

4. Select the QoS tab.
5. Configure the QoS settings to Assign an IP Precedence value of 2 (Immediate), and Prioritize Traffic Based On QoS Marking.
6. Click OK to return to Policy Manager.

7. Double-click the DNS policy.


The Edit Policy Properties dialog box appears.


8. Select the Advanced tab.
9. Select the QoS tab.
10. Select the Override per-interface settings check box.
11. Modify the settings to Assign an IP Precedence value of 2 (Immediate), and Prioritize Traffic Based On QoS Marking.
12. Click OK to return to Policy Manager.
13. Save the configuration to the XTM device.

See the Results of the Configuration


Both the DNS and HTTP policies are prioritized higher than other traffic. While this configuration does not dedicate specific bandwidth, the prioritization does improve the performance of these policies when there is network congestion.

1. Close all programs. Results can vary if other applications on your computer have access to the network.
2. With your computer connected to the trusted interface, start an FTP session to download a large file.
3. Select the Service Watch tab. The graph shows that the FTP transfer takes all of the available bandwidth. This should be approximately equal to the value you set for Outgoing Interface Bandwidth on the Trusted interface (1500 Kbps).

4. On the same computer you used for the FTP transfer, start watching a YouTube video or your favorite HTTP video site. If you use a local web server, to use the 350MB file in the root of C:\inetpub\wwwroot folder, use this URL: http://<web server IP address>/350mbfile.txt


Make sure the FTP transfer is still active before you start the HTTP transfer.

5. On the Service Watch tab, look at the amount of bandwidth that is used by both policies.

After you start the HTTP transfer, the amount of bandwidth used by the FTP transfer is reduced, to allow more bandwidth for the higher priority DNS and HTTP traffic.

What You Have Learned


You have learned that you can use bandwidth restrictions and reservations, together with prioritization, to make sure critical applications have the bandwidth they need. In this module, you learned how to:
- Create Traffic Management actions to guarantee or restrict bandwidth
- Prioritize traffic by QoS marking or policy
- Use Service Watch to see your changes at work


Using VLANs in Fireware XTM


Four Ways to Configure an XTM Device for VLANs

Introduction
A virtual local area network (VLAN) is a collection of computers on a LAN or LANs that are grouped together in a single broadcast domain independent of their physical location. A VLAN allows you to group devices according to function or traffic patterns instead of location or IP address. Members of a VLAN can share resources as if they were connected to the same LAN.

Note
You must have Fireware XTM v11.6.1 or higher with a Pro upgrade for the exercises in this module.

What You Will Learn


This course explains the concept of a VLAN and describes several different VLAN technologies that are in use today. You will learn everything necessary to successfully deploy VLANs with your XTM device. We will present four typical use cases with VLANs, and you will configure the XTM device for each of these situations.

Course Outline
The exercises consist of situations in which you would use different VLAN configurations, a simplified view of the network topology for each setup, and step-by-step procedures for how to configure each setup. The exercises include:
- Two VLANs on the same XTM device interface
- One VLAN bridged across two XTM device interfaces
- One VLAN bridged across two XTM device interfaces (alternate configuration)
- Two VLANs as External Interfaces on the same XTM device

The course concludes with frequently asked questions about how to configure firewall policies to restrict incoming and outgoing access on VLAN interfaces, or to allow or deny traffic between different VLANs.

What VLANs Can Do For You


VLANs provide four main benefits:
- Increased performance by confining broadcasts. Each computer you add to a LAN increases the amount of background (broadcast) traffic, which can reduce performance. With VLANs, you can restrict this traffic and reduce the amount of bandwidth used by your network.
- Increase the hard limit of four WAN interfaces on your WatchGuard XTM 2 Series, XTM 3 Series, XTM 5 Series, XTM 8 Series, XTM 1050 and XTM 2050. To do this, you use Policy Manager to create a VLAN on an external network. You can create up to ten external VLANs this way. External VLANs are treated as any other non-VLAN external interface. For example, they can be used as aliases when creating policies for static NAT, or configured as VPN endpoints for BOVPNs.
- Improved manageability and simplified network tuning. When you consolidate common resources into a VLAN, you reduce the number of routing hops needed for those devices to communicate. You can also manage traffic from each functional group more easily when each group uses a different VLAN.
- Increased security options. By default, members of one VLAN cannot see the traffic from another VLAN. You can apply separate security policies to VLANs. By contrast, a secondary network on an XTM device interface gives no additional security because there is no separation of traffic. The XTM device does not filter traffic between the primary network of an interface and a secondary network on that interface. It automatically routes traffic between primary and secondary networks on the same physical interface with no access restrictions.

Terms and Concepts You Should Know


VLAN trunk interface
The physical interface (switch interface or XTM device interface) that connects a VLAN device to another VLAN device. Some vendors use this term only for a switch interface that carries traffic for more than one VLAN. We use this as a general term to indicate an Ethernet interface on a VLAN-capable device that connects the device to another VLAN-capable device.

VLAN ID (VID)
A number from 1 to 4094 associated with the VLAN. Every VLAN you use has a unique number.

Tag
This term has two meanings: one for the verb usage, and one for the noun usage.
[noun] Information that is added to the header of an Ethernet frame. The format of the tag is defined by the IEEE 802.1Q standard.
[verb] To add a VLAN tag to a data frame's Ethernet header. The tag is added by an 802.1Q-compliant device such as an 802.1Q switch or router, or the XTM device. Because the physical segment between two 802.1Q devices normally carries only tagged data packets, we call it the tagged data segment.

Untag
To remove a VLAN tag from a frame's Ethernet header. When an 802.1Q device sends data to a network device that cannot understand 802.1Q VLAN tags, the device untags the data frames. Because the physical segment between a VLAN device and a device that cannot understand VLAN tags normally carries only untagged data packets, we call it the untagged data segment.

Tagging and untagging per interface
When you assign VLAN membership for an Ethernet interface on an 802.1Q device, you also tell the interface whether to send and accept tagged or untagged data frames. Some VLAN devices allow one Ethernet interface to accept both tagged and untagged frames. This depends on which VLANs the interface is a member of. When you configure an XTM device Ethernet interface for VLAN, the interface will accept both tagged and untagged data frames, but only for VLANs in the trusted and optional security zones. For an external VLAN, an XTM device VLAN interface will accept only tagged data frames.

Use these two rules to decide whether to configure a switch interface for Tag or Untag:
- If the interface connects to a device that can receive and understand 802.1Q VLAN tags, configure the switch interface for Tag. Devices you connect to this interface are usually VLAN switches (managed switches) or routers.
- If the interface connects to a device that cannot receive and understand 802.1Q VLAN tags, configure the switch interface for Untag. (Such devices will likely strip the VLAN tag from the Ethernet header, or drop the frame altogether.) Devices you connect to this interface are usually computers or printers.

Switches
When you configure an XTM device Ethernet interface for VLAN, the switches that you connect to the XTM device interface must be able to use VLAN tags as defined in IEEE 802.1Q. A switch of this type is commonly called a managed switch or an 802.1Q switch.

Types of VLANs
VLANs can use different parameters to assign membership:
- 802.1Q VLANs (used by the XTM device): The Institute of Electrical and Electronics Engineers (IEEE) publishes the 802.1Q standard to define the format of VLAN tags. This standard lets you use VLANs with any vendor's equipment that conforms to the 802.1Q standard.
- MAC address-based VLANs use the physical address on a computer's network interface card to put it in the correct logical group.
- VLANs based on multicast groups put computers into VLANs based on whether the computer has subscribed to a particular multicast group.
- Protocol-based VLANs put computers into VLANs based on the communication protocol each uses (such as IP, IPX, DECnet, or AppleTalk).

VLAN Requirements and Recommendations


To use a VLAN with a WatchGuard XTM device:
- If your XTM device is configured in drop-in mode, you cannot use VLANs.
- If your XTM device is configured in bridge mode, you cannot configure VLANs on the XTM device.
  - The XTM device in bridge mode can pass VLAN-tagged traffic between 802.1Q bridges or switches.
  - You can configure an XTM device in bridge mode to be managed from a VLAN that has a specified VLAN tag.
- A VLAN interface can send and receive untagged traffic for only one trusted or optional VLAN. For example, if a VLAN interface is configured to send and receive untagged traffic for VLAN-10, it cannot also send and receive untagged traffic for any other VLAN at the same time. Also, a VLAN interface cannot be configured to send and receive untagged traffic for an external VLAN.
- Multi-WAN configuration settings are applied to VLAN traffic. However, it can be easier to manage bandwidth when you use only physical interfaces in a multi-WAN configuration.
- Your device model and license control the number of VLANs you can create. To see the number of VLANs you can add to your XTM device, open Policy Manager and select Setup > Feature Keys. Find the row labeled Total number of VLAN interfaces.
- We recommend that you do not create more than 10 VLANs that operate on external interfaces. Too many VLANs on external interfaces affect performance.
- All network segments you want to add to a VLAN must have IP addresses on the VLAN network.
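The requirements above are easy to violate by hand. As an added example that is not part of the WatchGuard guide, this Python script checks a planned VLAN layout against those rules (device mode, VID range and uniqueness, VID 1, names without spaces, one untagged VLAN per interface, no untagged external VLAN, at most 10 external VLANs) before you enter it in Policy Manager. The VLAN names, IDs and interface numbers are constructed; the weak layout is shown beside a corrected one.

```python
# Added example, not WatchGuard code: checks a planned XTM VLAN layout against
# the requirements stated in the guide. All names, VIDs and interface numbers
# below are constructed sample data.
from dataclasses import dataclass, field
from typing import List, Set

ZONES = ("Trusted", "Optional", "External")
MAX_EXTERNAL_VLANS = 10      # the guide's recommended ceiling on external VLANs


@dataclass
class Vlan:
    name: str                # alias; must not contain spaces
    vid: int                 # 1..4094, unique on the device
    zone: str                # Trusted, Optional or External


@dataclass
class Iface:
    number: int
    tagged: Set[str] = field(default_factory=set)      # VLANs carried with tags
    untagged: List[str] = field(default_factory=list)  # VLANs carried untagged


def check_layout(mode: str, vlans: List[Vlan], ifaces: List[Iface]) -> List[str]:
    """Return one finding per violated requirement; an empty list means the
    layout is allowed by the rules stated in the guide."""
    findings = []
    if mode.lower() in ("drop-in", "bridge"):
        findings.append(f"{mode} mode: VLANs cannot be configured on the XTM device")
    by_name, by_vid = {}, {}
    for v in vlans:
        if " " in v.name:
            findings.append(f"VLAN '{v.name}': name cannot contain spaces")
        if v.name in by_name:
            findings.append(f"VLAN '{v.name}': duplicate name")
        by_name[v.name] = v
        if not 1 <= v.vid <= 4094:
            findings.append(f"VLAN '{v.name}': VID {v.vid} outside 1..4094")
        elif v.vid in by_vid:
            findings.append(f"VLAN '{v.name}': VID {v.vid} already used by '{by_vid[v.vid]}'")
        by_vid.setdefault(v.vid, v.name)
        if v.vid == 1:
            findings.append(f"VLAN '{v.name}': VID 1 is the switch default and may span the whole network")
        if v.zone not in ZONES:
            findings.append(f"VLAN '{v.name}': unknown zone '{v.zone}'")
    if sum(v.zone == "External" for v in vlans) > MAX_EXTERNAL_VLANS:
        findings.append(f"more than {MAX_EXTERNAL_VLANS} external VLANs affects performance")
    for i in ifaces:
        if len(i.untagged) > 1:
            findings.append(f"interface {i.number}: untagged traffic is allowed for only one VLAN")
        for name in i.untagged:
            v = by_name.get(name)
            if v is None:
                findings.append(f"interface {i.number}: unknown VLAN '{name}'")
            elif v.zone == "External":
                findings.append(f"interface {i.number}: external VLAN '{name}' accepts tagged traffic only")
        for name in i.tagged:
            if name not in by_name:
                findings.append(f"interface {i.number}: unknown VLAN '{name}'")
    return findings


# Weak layout: default VID 1, a name with a space, an external VLAN carried
# untagged, and two untagged VLANs on the same interface.
WEAK = dict(
    mode="Routed",
    vlans=[Vlan("VLAN1", 1, "Trusted"), Vlan("WAN VLAN", 100, "External"),
           Vlan("VLAN20", 20, "Optional")],
    ifaces=[Iface(3, tagged={"VLAN1", "VLAN20"}),
            Iface(4, untagged=["VLAN1", "VLAN20"]),
            Iface(0, untagged=["WAN VLAN"])],
)
# Corrected layout: the two-VLAN trunk from Exercise 1, one untagged port,
# and the external VLAN carried tagged only.
GOOD = dict(
    mode="Routed",
    vlans=[Vlan("VLAN10", 10, "Trusted"), Vlan("VLAN20", 20, "Optional"),
           Vlan("VLAN100", 100, "External")],
    ifaces=[Iface(3, tagged={"VLAN10", "VLAN20"}),
            Iface(4, untagged=["VLAN10"]),
            Iface(0, tagged={"VLAN100"})],
)

if __name__ == "__main__":
    for label, layout in (("weak", WEAK), ("corrected", GOOD)):
        print(label, "->", check_layout(**layout) or ["no findings"])
```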

Using VLANs in Fireware XTM

Before You Begin


Before you begin the exercises, you must:

1. Make sure the switches that connect to the XTM device do not use Spanning Tree Protocol. Disable this protocol for any switch interface that connects to an XTM device Ethernet interface.
2. Know how to configure your VLAN switch. Consult the documentation from the device manufacturer for help.

Firewall Configuration
If your XTM device is not yet configured, run the Quick Setup Wizard first to configure it. Use the Routed mode for the Quick Setup Wizard. (You cannot use VLANs with Drop-in mode or Bridge mode.) The Quick Setup Wizard with Routed mode has these defaults:
- The external Interface 0 is configured and enabled with static IP address 203.0.113.X/24. Replace X in the external IP address with the student number your instructor gives you.
- The trusted Interface 1 is configured and enabled with IP address 10.0.X.1/24. Replace X in the trusted IP address with the student number your instructor gives you.
- All of the other interfaces are set to Disabled.
- There are five policies in Policy Manager: FTP, Ping, WatchGuard WebUI, WatchGuard, and Outgoing.

The trusted interface (Interface 1) is not a member of any VLAN in any of the exercises. The management computer is connected directly to the trusted interface with a crossover Ethernet cable. Make sure your management computer has an IP address in the same subnet as the trusted interface, with the correct subnet mask. Make sure the default gateway for the computer is the trusted interface IP address.

Necessary Equipment and Services


Management computer
Use a computer with WSM version 11.5.1 software installed to configure the XTM device. This computer is connected to the XTM device trusted interface in all exercises.

Two additional computers
To test traffic flow with the VLANs, you send traffic between two computers. Each computer is connected to a VLAN switch or to the XTM device itself, depending on the exercise. You can also use the management computer as one of the two computers to test traffic flow between VLANs.

WatchGuard XTM device running Fireware XTM v11.6 with a Pro upgrade
In the exercises, we assume that you ran the Quick Setup Wizard to configure the XTM device and you selected Routed mode (not Drop-in or Bridge mode).

802.1Q VLAN switches
- One switch for Exercises 1 and 2
- Two switches for Exercises 3 and 4

Ethernet cables
At a minimum, to complete all the exercises you must have:
- Six Ethernet cables to interconnect all the devices.

Configuring the VLAN Switch


Each physical interface on a VLAN switch is generally classified as one of two types:

VLAN Access port
A switch interface of this type removes VLAN tags from data frames before it sends them to the device attached to it. The interface also adds a VLAN tag to untagged frames it gets from the connected device. You connect computers, printers, and other networked devices to this type of interface. Configure this type of switch interface for untag mode.

VLAN Trunk port
A switch interface of this type preserves any VLAN tags in the data frames it receives. It also preserves VLAN tags when it sends tagged data frames to the device attached to it. You connect other VLAN-capable devices such as VLAN switches and routers to this type of interface. You also connect this type of interface to an XTM device interface configured to accept tagged data frames. Configure this type of switch interface for tag mode.

Select the VLAN ID Numbers


By default, each interface on most new, unconfigured switches belongs to VLAN number 1. Because this VLAN exists on every interface of most switches by default, the possibility exists that this VLAN can accidentally span the entire network, or at least very large portions of it. We recommend you use a VLAN ID number that is not 1 for any VLAN that passes traffic to the XTM device.

About the PVID


Some switch manufacturers require you to assign a Port VLAN ID (PVID) to each interface. The PVID number determines the VLAN ID number that the switch adds to the untagged packets it gets from devices connected to the interface. If you do not configure a PVID for an interface, it is possible that the switch can tag the data packets it gets on that interface with the default VLAN ID of 1. This is the case even if you configure the interface to untag for a different VLAN ID number. When you change the PVID setting on a switch interface to a PVID number that matches a VLAN number, the switch adds a VLAN tag for that VLAN to untagged packets it receives on this interface. If your switch uses PVID numbers, be sure to configure each switch interface that connects a computer to use the correct PVID number.
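To make the tag and untag operations from the Terms section and the PVID behavior described here concrete, the following Python script is an added example (not code from the WatchGuard guide or from any switch vendor). It builds an 802.1Q tag in the standard format, strips it again, and models an access port that applies its PVID and a trunk port toward the XTM device that forwards only tagged frames for its member VLANs. The MAC addresses and payload are constructed sample values.

```python
# Added example, not code from the WatchGuard guide: builds and removes 802.1Q
# tags and models access-port (PVID) and trunk-port handling of a frame.
import struct

TPID_8021Q = 0x8100       # Tag Protocol Identifier that marks an 802.1Q-tagged frame
ETHERTYPE_IPV4 = 0x0800
DEFAULT_VLAN = 1          # the VLAN every port of an unconfigured switch belongs to


def build_frame(dst: bytes, src: bytes, ethertype: int, payload: bytes) -> bytes:
    """Untagged Ethernet II frame: dst MAC (6) | src MAC (6) | EtherType (2) | payload."""
    return dst + src + struct.pack("!H", ethertype) + payload


def tag(frame: bytes, vid: int, pcp: int = 0, dei: int = 0) -> bytes:
    """Insert the 4-byte 802.1Q tag after the source MAC.
    Tag = TPID (0x8100) + TCI; TCI = PCP (3 bits) | DEI (1 bit) | VID (12 bits)."""
    if not 1 <= vid <= 4094:
        raise ValueError("VLAN ID must be in the range 1..4094")
    tci = (pcp << 13) | (dei << 12) | vid
    return frame[:12] + struct.pack("!HH", TPID_8021Q, tci) + frame[12:]


def vlan_id(frame: bytes):
    """Return the VID carried by a tagged frame, or None for an untagged frame."""
    if struct.unpack("!H", frame[12:14])[0] != TPID_8021Q:
        return None
    return struct.unpack("!H", frame[14:16])[0] & 0x0FFF


def untag(frame: bytes) -> bytes:
    """Remove the 802.1Q tag; an untagged frame is returned unchanged."""
    if vlan_id(frame) is None:
        return frame
    return frame[:12] + frame[16:]


def access_port_ingress(frame: bytes, pvid=None) -> bytes:
    """An untagged frame enters an access (untag) port: the switch tags it with
    the port's PVID. With no PVID configured the frame lands in the default
    VLAN 1, even if the port was set to untag for some other VLAN."""
    if vlan_id(frame) is not None:
        return frame          # already tagged; leave it alone
    return tag(frame, pvid if pvid is not None else DEFAULT_VLAN)


def access_port_egress(frame: bytes) -> bytes:
    """A frame leaves an access port toward a computer: the tag is stripped."""
    return untag(frame)


def trunk_port_forward(frame: bytes, member_vids):
    """A trunk (tag) port toward the XTM device forwards only tagged frames whose
    VID the port is a member of; returns None for a frame it would drop."""
    vid = vlan_id(frame)
    if vid is None or vid not in member_vids:
        return None
    return frame


if __name__ == "__main__":
    # Constructed sample frame: two locally administered MACs and a short payload.
    host_a = bytes.fromhex("02000000000a")
    host_b = bytes.fromhex("02000000000b")
    raw = build_frame(host_b, host_a, ETHERTYPE_IPV4, b"\x45" + b"\x00" * 19)
    # Access port with PVID 10: the trunk (member of VLANs 10 and 20) carries it.
    good = access_port_ingress(raw, pvid=10)
    print("PVID 10 -> VID", vlan_id(good),
          "forwarded:", trunk_port_forward(good, {10, 20}) is not None)
    # Forgotten PVID: the frame is tagged with VLAN 1 and the trunk drops it.
    bad = access_port_ingress(raw)
    print("no PVID -> VID", vlan_id(bad),
          "forwarded:", trunk_port_forward(bad, {10, 20}) is not None)
```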

Exercise 1:

Two VLANs on the Same XTM Device Interface

When to Use this Configuration


An XTM device interface is a member of more than one VLAN when the switch that connects to that interface carries traffic from more than one VLAN. You use multiple VLANs on one XTM device interface when you want to split an XTM device interface into multiple broadcast domains or multiple security zones. When you separate the traffic from different functional groups before it enters the XTM device interface, you get two major benefits:
- Broadcast traffic is confined within each VLAN, which reduces congestion.
- You can make access policies to allow limited traffic or no traffic between the VLANs. You also control access from each VLAN to other parts of your network and to the Internet.

Compare the second benefit to the situation when you configure an XTM device interface as a physical interface (instead of as a VLAN) with a secondary network also configured on the interface: The XTM device does not filter traffic between the primary network of an interface and a secondary network on that interface. The primary network is not protected from a secondary network on that interface.

Network Topology
This exercise shows how to connect one switch that carries traffic from two different VLANs to one XTM device interface. In the subsequent diagram, the computers are connected to the 802.1Q switch, and the switch is connected to XTM device interface 3. The switch carries traffic from two different VLANs.

Figure 1: Network topology for Exercise 1

Configure the XTM Device


1. From Policy Manager, select Network > Configuration.
The Network Configuration dialog box appears.

Figure 2: Interfaces tab of Network Configuration dialog box

2. Select the VLAN tab.


The VLAN settings list is empty because you have not defined any VLANs.

Figure 3: VLAN tab of Network Configuration dialog box

3. Click Add and create a new VLAN.


The New VLAN Configuration dialog box appears.

4. In the Name (Alias) text box, type a name for the VLAN. The name cannot contain spaces. For this example, type VLAN10.
5. (Optional) In the Description text box, type a description. For this example, type Accounting.
6. In the VLAN ID text box, type or select a number for the VLAN. For this example, select 10.
7. From the Security Zone drop-down list, select the security zone for the VLAN. For this example, select Trusted.
8. In the IP Address text box, type the IP address of the VLAN gateway. For this example, type 192.168.10.1/24.
Any computer in this new VLAN must use this IP address as its default gateway.

9. (Optional) Configure DHCP for the new VLAN.
   a. Select Use DHCP Server.
   b. In the Address Pool section, click Add.
   c. Type or select the Starting Address and the Ending Address. For this example, type 192.168.10.10 for the Starting Address and 192.168.10.20 for the Ending Address.
   d. Click OK.
The new address pool appears in the Address Pool list.

Security zones correspond to aliases for interface security zones. For example, VLANs of type Trusted are handled by policies that use the alias Any-Trusted as a source or destination. VLANs can be defined as Trusted or Optional.

10. Click OK.


The new VLAN appears.

Figure 4: VLAN tab with new VLAN10

11. Click Add and create another new VLAN.


The New VLAN Configuration dialog box appears.

12. In the Name (Alias) text box, type a name for the VLAN. The name cannot contain spaces. For this example, type VLAN20.
13. (Optional) In the Description text box, type a description. For this example, type Sales.
14. In the VLAN ID text box, type or select a number for the VLAN. For this example, select 20.
15. From the Security Zone drop-down list, select the security zone for the VLAN. For this example, select Optional.
16. In the IP Address text box, type the IP address of the VLAN gateway. For this example, type 192.168.20.1/24.
Any computer in this new VLAN must use this IP address as its default gateway.

17. (Optional) Configure DHCP for the new VLAN.
    a. Select Use DHCP Server.
    b. In the Address Pool section, click Add.
    c. Type or select the Starting Address and the Ending Address. For this example, type 192.168.20.10 for the Starting Address and 192.168.20.20 for the Ending Address.
    d. Click OK.
The new address pool appears in the Address Pool box.

18. Click OK.


Both VLANs now appear.

Figure 5: Two new VLANs: VLAN10 and VLAN20

19. Select the Interfaces tab.
20. Select Interface 3 and click Configure.

21. From the Interface Type drop-down list, select VLAN.

Figure 6: Select Interface Type VLAN

The Interface Type Configuration section appears on the IPv4 tab. Both new VLANs appear in the list.
Because you cannot add a secondary network to a VLAN, the Secondary tab remains unavailable.

Figure 7: Interface 3

22. Select Send and receive tagged traffic for selected VLANs.
23. In the Member column, select the check boxes for VLAN10 and VLAN20.

Figure 8: The Member column shows which VLANs are on this interface

24. Click OK.


This interface now appears as type VLAN in the list of interfaces.

25. Check your work. The Interfaces tab should look like this.

Figure 9: XTM device Interface 3 is now type VLAN

The VLAN tab should look like this.

Figure 10: VLAN tab after the VLANs are defined

26. Click and save this configuration to the XTM device. Or, select File > Save > To Firebox.

Configure the Switch


Refer to the instructions from your switch manufacturer to configure your switch.
As a general rule, remember that the physical segment between this switch interface and the XTM device is a tagged data segment. Traffic that flows over this segment must use 802.1Q VLAN tagging. Some switch manufacturers refer to a switch interface that is configured as in Step 2 as a trunk port or trunk interface.

1. Add two VLANs to the 802.1Q switch configuration. Set the VLAN ID numbers for these VLANs to 10 and 20.
2. Configure the switch interface that connects the switch to the XTM device interface 3.
   a. Disable Spanning Tree Protocol on any switch interface that connects to the XTM device.
   b. Configure this interface on the switch to be a member of both VLANs 10 and 20.
   c. Configure this interface to tag for both VLANs.
   d. If necessary for your switch operating system, configure the switch mode to trunk.
   e. If necessary for your switch operating system, set the encapsulation mode to 802.1Q.
3. Configure the switch interfaces that connect computers in VLAN10 to the switch.
   a. Configure each switch interface that will connect a computer in VLAN10 to be a member of VLAN10.
   b. Configure these interfaces to untag for VLAN10.
4. Configure the switch interfaces that connect computers in VLAN20 to the switch.
   a. Any switch interface that will connect a computer in VLAN20 must be a member of VLAN20.
   b. Configure these interfaces to untag for VLAN20.

Physically Connect all Devices


1. Connect one end of an Ethernet cable to the XTM device interface 3.
2. Connect the other end of the Ethernet cable to the interface on the switch that you configured to tag for VLANs 10 and 20 (to the VLAN trunk interface of the switch).
3. Connect a computer to one of the interfaces on the switch that you configured to untag for VLAN10.
4. If you configured VLAN10 to use the DHCP server, configure the computer's network card to use DHCP to get an IP address automatically. For more information, see Step 9 on page 31.
5. If you did not configure the VLAN to use the DHCP server, configure the computer's network card with an IP address in the VLAN subnet 192.168.10.x. Use subnet mask 255.255.255.0 and set the computer's default gateway to the XTM device VLAN IP address, 192.168.10.1.
6. Repeat Steps 1 to 3 to connect a computer to a switch interface that you configured to untag for VLAN20.

Test the Configuration


From the computer in VLAN10, you should be able to ping the computer in VLAN20, as well as ping the VLAN10 computer from the VLAN20 computer. The two computers can ping each other because the default settings of the Ping policy allow Any-Trusted and Any-Optional to send ICMP echo requests to Any. No other traffic is allowed between the two VLANs unless there is a policy that specifically allows it. The basic configuration loaded by the Quick Setup Wizard does not allow any other traffic between the VLANs.

As a general rule, remember that the physical segment between a switch interface and a computer (or other networked device) that connects to it is an untagged data segment. Traffic that flows over this segment does not have VLAN tags. Most switches sold today have interfaces that can auto-sense MDI/MDI-X for the Ethernet connection. When the interface senses a physical link, it automatically configures itself to be a normal or uplink interface. If you do not get link lights on the Ethernet interfaces with one type of Ethernet cable (straight-through or crossover), try the other type of Ethernet cable.

Exercise 2:

One VLAN Bridged Across Two XTM Device Interfaces

When to Use this Configuration


The primary benefit of this configuration is the ability to bridge a VLAN between computers connected to a VLAN switch and computers directly connected to the XTM device. A typical network topology is this:
- You have a relatively large number of computers connected by way of a VLAN switch to one XTM device interface.
- You have a single computer (or a small group of computers) that must share the same resources as the first group, but it is physically separated from the first group. It is more convenient or cost-effective to connect the smaller group directly to the XTM device.

To solve the challenge of putting all these computers into one logical group, you configure the XTM device with a VLAN that bridges two XTM device interfaces:
- One XTM device interface tags for the VLAN. This interface connects, by way of an Ethernet cable, to the VLAN switch that links the majority of the computers in this logical group.
- The other XTM device interface untags for the VLAN. This interface has a direct Ethernet connection to one computer (or a small group of computers) in the logical group. This second connection can be a shared media connection such as a hub connected to the interface, or a single computer connected to the interface with a crossover Ethernet cable.

With this configuration, all the computers can easily share resources, and their broadcasts are confined to the VLAN.

Network Topology
This exercise shows how to connect a switch to one XTM device interface, and computers to another XTM device interface. Figure 11 shows that the computers connected to the switch and to XTM device interface 4 are in the same VLAN.
The untagged XTM device interface in Figure 11 (Interface 4, with one computer connected) operates in much the same way as an untagged switch port on a VLAN switch.

Figure 11: Network topology for Exercise 2

Note
If you have already completed the previous exercise, remove the VLANs and disable the VLAN interface you configured in that exercise before you begin this one.

Configure the XTM Device


1. From Policy Manager, select Network > Configuration.

Figure 12: Interfaces tab of Network Configuration dialog box

2. Select the VLAN tab.


The VLAN settings list is empty because you have not defined any VLANs.

Figure 13: VLAN tab of Network Configuration dialog box

3. Click Add and create a new VLAN.


The New VLAN Configuration dialog box appears.

4. In the Name (Alias) text box, type a name for the VLAN. The name cannot contain spaces. For this example, type VLAN10.
5. (Optional) In the Description text box, type a description of the VLAN. For this example, type Accounting.
6. In the VLAN ID text box, select a number for the VLAN. For this example, type 10.
7. From the Security Zone drop-down list, select the security zone for the VLAN. For this example, select Trusted.
8. In the IP Address text box, type the IP address of the VLAN gateway. For this example, type 192.168.10.1/24.
Any computer in this new VLAN must use this IP address as its default gateway.

9. (Optional) Configure DHCP for the new VLAN.
   a. Select Use DHCP Server.
   b. In the Address Pool section, click Add.
   c. Type or select the Starting Address and the Ending Address. For this example, type 192.168.10.10 for the Starting Address and 192.168.10.20 for the Ending Address.
   d. Click OK.
The new address pool appears in the Address Pool list.

10. Click OK.


The new VLAN appears.

Figure 14: The new VLAN10 appears on VLAN tab

11. To make XTM device Interfaces 3 and 4 members of the new VLAN, select the Interfaces tab.
12. Select Interface 3 and click Configure. Or, double-click the interface.
13. From the Interface Type drop-down list, select VLAN.

The Interfaces column is blank in Figure 11. This is correct because no XTM device interfaces have been assigned to the new VLAN yet. We assign the VLAN to XTM device interfaces in the next steps.

Figure 15: Select VLAN for the Interface Type

The Interface Type Configuration section appears on the IPv4 tab and includes the new VLAN10.

14. Select Send and receive tagged traffic for selected VLANs.
15. In the Member column, select the check box for VLAN10.

Because you cannot add a secondary network to a VLAN, the Secondary tab remains unavailable. Interface 3 will be a tagged VLAN interface, because it connects to a VLAN switch that sends it traffic with VLAN tags.

Figure 16: Select the check box to make the interface a member of the VLAN

16. Click OK.


This interface now appears as type VLAN in the list of interfaces.

17. Double-click Interface 4 and configure it to untag for VLAN10.
18. From the Interface Type drop-down list, select VLAN.

You can select only one VLAN for untagged traffic. This option is not available if you choose a VLAN that has External specified as the zone. You cannot configure an interface to send and receive both tagged and untagged traffic when a VLAN is configured as an external zone. If you do not want computers connected to an XTM device interface to be part of a VLAN, do not configure the interface to be of type VLAN. Instead, configure the interface to be of type Trusted or Optional.

19. At the bottom of the dialog box, select the Send and receive untagged traffic for selected VLAN check box. From the adjacent drop-down list, select VLAN10 (192.168.10.1/24).

Figure 17: Make Interface 4 an untagged switch port

20. Click OK and check your work. The Interfaces tab should now look like this.

Figure 18: XTM device interfaces 3 and 4 now appear as type VLAN

The VLAN tab should look like this.

Figure 19: The VLAN interface used by interfaces 3 and 4

The VLAN settings list includes information about which interface tags and which interface untags for a particular VLAN. It uses either boldface type or normal type for the numbers in the Interfaces column:
- Boldface type entries are Untag.
- Normal type entries are Tag.

21. Click and save this configuration to the XTM device. Or, select File > Save > To Firebox.

Configure the Switch


Refer to the instructions from your switch manufacturer to configure your switch.

1. Configure the switch interface that connects the switch to the XTM device interface 3.
   a. Disable Spanning Tree Protocol on any switch interface that connects to the XTM device.
   b. Configure this interface on Switch A to be a member of VLAN10.
   c. Configure this interface to tag for VLAN10.
   d. If necessary for your switch operating system, configure the switch mode to trunk.
   e. If necessary for your switch operating system, set the encapsulation mode to 802.1Q.

2. Configure the switch interfaces that connect computers to the switch.
3. Configure the other switch interfaces to be members of VLAN10 and to untag for VLAN10.

As a general rule, remember that the physical segment between the switch interface in Step 1 and the XTM device is a tagged data segment. Traffic that flows over this segment must use 802.1Q VLAN tagging. Some switch manufacturers call an interface configured this way either a trunk port or a trunk interface.

As a general rule, remember that the physical segments between each of the other switch interfaces and the computers (or other networked devices) that connect to them are untagged data segments. Traffic that flows over these segments does not have VLAN tags.

Physically Connect all Devices


1. Connect one end of an Ethernet cable to the XTM device interface 3.
2. Connect the other end of the Ethernet cable to the interface on the switch that you configured to tag for VLAN10 (to the VLAN trunk interface of the switch).
3. Connect a computer to one of the interfaces on the switch that you configured to untag for VLAN10.
4. If you configured VLAN10 to use the DHCP server, configure the computer's network card to use DHCP to get an IP address automatically. See Step 9 on page 38.
5. If you did not configure the VLAN to use the DHCP server, configure the computer's network card with an IP address in the VLAN subnet 192.168.10.x. Use subnet mask 255.255.255.0 and set the computer's default gateway to the XTM device VLAN IP address 192.168.10.1.
6. Repeat these steps to connect a computer to XTM device interface 4.

Test the Configuration


You should be able to send a ping from the computer connected to the switch to the computer connected to XTM device interface 4, and from the computer connected to XTM device interface 4 to the computer connected to the switch. The two computers can communicate as though they were connected to the same physical LAN.

Exercise 3:

One VLAN Bridged Across Two XTM Device Interfaces (Alternate Configuration)

When to Use This Configuration


You might use a configuration like this if your organization is spread across multiple locations. For example, suppose your network is on the first and second floors of the same building. Some of the computers on the first floor are in the same functional group as some of the computers on the second floor. You want to group these computers into one broadcast domain so that they can easily share resources, such as a dedicated file server for their LAN, host-based shared files, printers, and other network accessories. You connect the computers on one floor to one VLAN switch, and connect that switch to an XTM device interface. You connect the computers on the other floor to another VLAN switch, and connect that switch to another XTM device interface. This puts all of the computers into one LAN. One of the main benefits of this setup is cost savings: it is not necessary to connect another device to combine the traffic from the two switches before it enters the XTM device. The XTM device combines the traffic, and lets you apply strict security policies between the VLANs, the rest of your network, and untrusted segments such as the Internet. This saves you the cost of a different device, such as a router or a layer 3 switch.

Network Topology
This exercise shows how to connect two 802.1Q switches, both of which send traffic from the same VLAN, to two different XTM device interfaces. The subsequent diagram shows how computers are connected to the 802.1Q switches, and how the switches are connected to the XTM device. Two 802.1Q switches connected to XTM device interfaces 3 and 4 carry traffic from the same VLAN.

Figure 20: Network topology for Exercise 3


Note
If you have already completed the previous exercise, remove the VLANs and disable the VLAN interface you configured in that exercise before you begin this one.

Configure the XTM Device


1. From Policy Manager, select Network > Configuration.

2. Select the VLAN tab.


The VLAN settings list is empty because you have not defined any VLANs.

Figure 21: VLAN tab of Network Configuration dialog box

3. Click Add and create a new VLAN.


The New VLAN Configuration dialog box appears.

4. In the Name (Alias) text box, type a name for the VLAN. The name cannot contain spaces. For this example, type VLAN10.
5. (Optional) In the Description text box, type a description of the VLAN. For this example, type Accounting.
6. In the VLAN ID text box, select a number for the VLAN. For this example, type 10.

7. From the Security Zone drop-down list, select the security zone for the VLAN. For this example, select Trusted.
8. In the IP Address text box, type the IP address of the VLAN gateway. For this example, type 192.168.10.1/24.
Any computer in this new VLAN must use this IP address as its default gateway.

9. (Optional) Configure DHCP for the new VLAN.
   a. Select Use DHCP Server.
   b. In the Address Pool section, click Add.
   c. Type or select the Starting Address and the Ending Address. For this example, type 192.168.10.10 for the Starting Address and 192.168.10.20 for the Ending Address.
   d. Click OK.
The new address pool appears in the Address Pool list.

10. Click OK.


The new VLAN appears.

Figure 22: The VLAN tab with new VLAN10

11. To make XTM device Interfaces 3 and 4 members of the new VLAN, select the Interfaces tab.
12. Select Interface 3 and click Configure. Or, double-click the interface.
13. From the Interface Type drop-down list, select VLAN.

Figure 23: Select VLAN for the Interface Type

The Interface Type Configuration section appears on the IPv4 tab and includes the new VLAN10.

Because you cannot add a secondary network to a VLAN, the Secondary tab remains unavailable.

Figure 24: VLAN10 appears in the list

14. Select Send and receive tagged traffic for selected VLANs.
15. In the Member column, select the check box for VLAN10.

Interface 3 will be a tagged VLAN interface because it connects to a VLAN switch that sends it traffic with VLAN tags.

Figure 25: Select the check box to make the interface a member of the VLAN

16. Click OK.


This interface now appears as type VLAN in the list of interfaces.

17. Repeat Steps 11 to 16 for Interface 4 to make that interface a member of VLAN10.
18. Check your work. The Interfaces tab should look like this:

Figure 26: Interfaces 3 and 4 are both type VLAN

The numbers in the Interfaces column use normal type to indicate that these are tagged interfaces. If the interfaces are configured as untagged switch ports, the entry appears in bold type.

The VLAN tab should look like this:

Figure 27: The VLAN tab shows that interfaces 3 and 4 are members of VLAN10

19. Click and save this configuration to the XTM device. Or, select File > Save > To Firebox.

Configure the Switches


Refer to the instructions from your switch manufacturer to configure your switch.

Switch A
1. Configure the switch interface that connects the switch to the XTM device interface 3.
   a. Configure this interface on Switch A to be a member of VLAN10.
   b. Configure this interface to send traffic with the VLAN10 tag.
   c. If necessary, set the switch mode to trunk.
   d. If necessary, set the encapsulation mode to 802.1Q.
   As a general rule, remember that the physical segment between this switch interface and the XTM device is a tagged data segment. Traffic that flows over this segment must use 802.1Q VLAN tagging.
2. Configure the switch interfaces that connect computers to the switch. Configure the other switch interfaces to be members of VLAN10. You must also configure these interfaces to send untagged traffic for VLAN10.
As a general rule, remember that the physical segments between each of the other switch interfaces and the computers (or other networked devices) that connect to them are untagged data segments. Traffic that flows over these segments does not have VLAN tags.

Some switch manufacturers refer to an interface that is configured like this as a trunk port or a trunk interface.

Switch B
Repeat the previous steps to configure Switch B:

1. Configure the switch interface that connects the switch to the XTM device interface 4.
   a. Disable Spanning Tree Protocol on any switch interface that connects to the XTM device.
   b. Configure one interface on Switch B to be a member of VLAN10.
   c. Configure this interface to send traffic with the VLAN10 tag.
   d. If necessary, set the switch mode to trunk.
   e. If necessary, set the encapsulation mode to 802.1Q.
As a general rule, remember that the physical segment between this switch interface and the XTM device is a tagged data segment. Traffic that flows over this segment must use 802.1Q VLAN tagging.
2. Configure the switch interfaces that connect computers to the switch.
3. Configure the other switch interfaces to be members of VLAN10. You must also configure these interfaces to send untagged traffic for VLAN10.


As a general rule, remember that the physical segments between each of the other switch interfaces and the computers (or other networked devices) that connect to them are untagged data segments. Traffic that flows over these segments does not have VLAN tags.

Physically Connect All Devices


1. Connect one end of an Ethernet cable to the XTM device interface 3.
2. Connect the other end of this Ethernet cable to the interface on Switch A that you configured to tag for VLAN10 (to the VLAN trunk interface of Switch A).
3. Connect one end of an Ethernet cable to the XTM device interface 4.
4. Connect the other end of this Ethernet cable to the interface on Switch B that you configured to tag for VLAN10 (to the VLAN trunk interface of Switch B).
5. Connect a computer to one of the interfaces on Switch A that you configured to untag for VLAN10.
6. If you configured VLAN10 to use the DHCP server, configure the computer's network card to use DHCP to get an IP address automatically.
See Step 9 on page 44.

7. If you did not configure the VLAN to use the DHCP server, configure the computer's network card with an IP address in the VLAN subnet 192.168.10.x. Use subnet mask 255.255.255.0 and set the computer's default gateway to the XTM device VLAN IP address 192.168.10.1.
8. Repeat these steps to connect a computer to Switch B.

Testing the Connection


You should be able to ping from a computer connected to Switch A to a computer connected to Switch B, and from a computer connected to Switch B to a computer connected to Switch A. Because they are in the same VLAN, the two computers can communicate as if they were connected to the same physical LAN.


Exercise 4:

Two VLANs as External Interfaces on the Same XTM Device

When to Use this Configuration


You use VLANs as External interfaces when you need more than the hard limit of four WAN interfaces on your XTM devices. You can configure up to ten External VLANs in addition to the four physical External interfaces. Another case where you can use this configuration is when your service provider gives you Internet and MPLS connections on a single Ethernet cable, logically separated by VLANs. Rather than connecting the cable to a managed switch, then to separate physical interfaces on your XTM device, you can connect the cable directly to a single physical interface configured as a trunk on your XTM device.

Network Topology
This exercise simulates two service provider connections, ISP-1 (VLAN 10) and ISP-2 (VLAN 20), carried by a single trunk port of the switch to one XTM device interface. In the subsequent diagram, the WAN connections are connected to the 802.1Q switch, and the trunk port of the switch (Switch A) is connected to XTM device interface 3.

Figure 1: Network topology for Exercise 4

Note
If you have already completed the previous exercise, remove the VLANs and disable the VLAN interface you configured in that exercise before you begin this one.


Before You Begin

Configure the XTM Device


1. From Policy Manager, select Network > Configuration.
The Network Configuration dialog box appears.

Figure 2: Interfaces tab of the Network Configuration dialog box

2. Select the VLAN tab.


The VLAN settings list is empty because you have not defined any VLANs.

Figure 3: VLAN tab of the Network Configuration dialog box

3. Click Add to create a new VLAN.


The New VLAN Configuration dialog box appears.

4. In the Name (Alias) text box, type a name for the VLAN. The name cannot contain spaces. For this example, type External-VLAN10.
5. (Optional) In the Description text box, type a description. For this example, type ISP-1.
6. In the VLAN ID text box, type or select a number for the VLAN. For this example, select 10.
7. From the Security Zone drop-down list, select the security zone for the VLAN. For this example, select External.
8. Select Use Static IP.
9. In the IP Address text box, type the IP address. For this exercise, type 192.51.100.X/24. Replace the X in the IP address with the student number your instructor gives you. For example, if your student number is 10, type 192.51.100.10/24.
10. In the Default Gateway text box, type the gateway address. For this exercise, type 192.51.100.1.
This configuration must have a corresponding upstream connection that is the default gateway (192.51.100.1).
Security zones correspond to aliases for interface security zones. For example, VLANs of type External are handled by policies that use the alias Any-External as a source or destination.

11. Click OK.
12. Click Add and create another new VLAN.
The New VLAN Configuration dialog box appears.

13. In the Name (Alias) text box, type a name for the VLAN. The name cannot contain spaces. For this example, type External-VLAN20.
14. (Optional) In the Description text box, type a description. For this exercise, type ISP-2.
15. In the VLAN ID text box, type or select a number for the VLAN. For this example, select 20.


16. From the Security Zone drop-down list, select the security zone for the VLAN. For this example, select External.
17. Select Use Static IP.
18. In the IP Address text box, type the IP address. For this example, type 192.0.2.X/24. Replace the X in the IP address with the student number your instructor gives you. For example, if your student number is 10, type 192.0.2.10/24.
19. In the Default Gateway text box, type the gateway address. For this exercise, type 192.0.2.1.
This configuration must have a corresponding upstream connection that is the default gateway (192.0.2.1).

20. Click OK.


The new VLANs appear.

Figure 4: VLAN tab with new External-VLAN10 and External-VLAN20

21. Select the Interfaces tab.
22. Select Interface 3. Click Configure.
23. From the Interface Type drop-down list, select VLAN.

Figure 5: Select Interface Type VLAN


Because you cannot add a secondary network to a VLAN, the Secondary tab remains unavailable.

The Interface Type Configuration section appears on the IPv4 tab. Both new VLANs appear in the list.

Figure 6: Interface 3

24. Select Send and receive tagged traffic for selected VLANs.


25. In the Member column, select the check boxes for External-VLAN10 and External-VLAN20.

Figure 7: The Member column shows which VLANs are on this interface

26. Click OK.


Interface 3 now appears as type VLAN in the list of interfaces.

27. Check your work. The Interfaces tab should look like this.

Figure 8: XTM device Interface 3 is now type VLAN

The VLAN tab should look like this.

Figure 9: VLAN tab after the VLANs are defined

28. Click to save this configuration to the XTM device. Or, select File > Save > To Firebox.


Configure the Switch


The switch that you configure here is the Switch A in the diagram.

Refer to the instructions from your switch manufacturer to configure your switch.

1. Add two VLANs with the ID numbers 10 and 20 to the 802.1Q switch configuration.
2. Configure the switch interface that connects the switch to the XTM device interface 3.
   a. Disable Spanning Tree Protocol on any switch interface that connects to the XTM device.
   b. Configure this interface on the switch to be a member of both VLANs 10 and 20.
   c. Configure this interface to tag for both VLANs.
   d. If necessary for your switch operating system, set the switch mode to trunk.
   e. If necessary for your switch operating system, set the encapsulation mode to 802.1Q.
3. Configure the switch interface that connects ISP-1 in VLAN10 to the switch.
   a. Configure the switch interface that will connect to ISP-1 to be a member of VLAN10.
   b. Configure this interface to untag for VLAN10.
4. Configure the switch interface that connects ISP-2 in VLAN20 to the switch.
   a. Configure the switch interface that will connect to ISP-2 to be a member of VLAN20.
   b. Configure this interface to untag for VLAN20.
As a general rule, remember that the physical segment between the switch interface in Step 2 and the XTM device is a tagged data segment. Traffic that flows over this segment must use 802.1Q VLAN tagging. Some switch manufacturers refer to a switch interface that is configured as in Step 2 as a trunk port or trunk interface. As a general rule, remember that the physical segment between a switch interface and the networked device that connects to it is an untagged data segment. Traffic that flows over this segment does not have VLAN tags.

You can use another XTM device to simulate the ISP-1 and ISP-2 connections. On that other XTM device, configure a Trusted interface with an IP address of 192.51.100.1/24 and another Trusted interface with an IP address of 192.0.2.1/24. Make sure that these subnets (192.51.100.0/24 and 192.0.2.0/24) are included in the Dynamic NAT configuration and that they translate to Any-External, so that they get an Internet connection.

Physically Connect All Devices


1. Connect one end of an Ethernet cable to the XTM device interface 3.
2. Connect the other end of the Ethernet cable to the interface on the switch that you configured to tag for VLANs 10 and 20 (to the VLAN trunk interface of the switch).
3. Connect the interface on the switch that you configured to untag for VLAN10 to the upstream Internet connection of ISP-1.
4. Connect the interface on the switch that you configured to untag for VLAN20 to the upstream Internet connection of ISP-2.

Test the Configuration


From the management computer or any computer in the trusted zone, you should be able to access the Internet. Create an HTTP policy and enable logging for allowed packets. The log messages show which External interface each packet uses to reach its destination. You can also enable logging on the Outgoing and Ping policies to try other protocols; those log messages likewise show which External interface each packet used to reach its destination.


Using VLANs in XTM Device Policies


Apply Firewall Policies to Intra-VLAN Traffic
You can configure more than one XTM device interface as a member of the same VLAN. By default, policies are not applied to traffic that passes through the firewall between hosts on different interfaces that are on the same VLAN. If you want to apply policies to VLAN traffic between local interfaces you must edit the VLAN settings for that VLAN to enable it.

1. Select Network > Configuration.
2. Select the VLAN tab.
3. Double-click the VLAN to edit.
4. At the bottom of the Edit VLAN dialog box, select the Apply firewall policies to intra-VLAN traffic check box.
5. Save the configuration to the XTM device.
If you want to apply policies to intra-VLAN traffic, make sure that no alternate path exists between the source and destination. The VLAN traffic must go through the XTM device in order for firewall policies to apply. Intra-VLAN policies are applied by IP address, user, or alias. If the intra-VLAN traffic does not match any defined policy, the traffic is denied as unhandled packets. Intra-VLAN non-IP packets are allowed.
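As an added example that is not part of this training guide or of Fireware itself, the following Python models two things the exercises and the section above describe: how an interface of type VLAN in tagged mode (Interface 3 and Interface 4 in Exercise 3) classifies 802.1Q frames by VLAN ID and Member check box, and how the Apply firewall policies to intra-VLAN traffic setting changes the fate of a frame bridged between two interfaces of VLAN10 (unfiltered by default; with the setting on, IP traffic must match a policy, unmatched IP traffic is denied as unhandled, and non-IP traffic is allowed). The frame layouts are the standard ones; the class and function names, and the assumption that a tagged interface drops untagged or non-member frames, are part of the model.

```python
import struct
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import List, Optional

TPID_8021Q = 0x8100        # TPID value that marks an 802.1Q tagged frame
ETHERTYPE_IPV4 = 0x0800
ETHERTYPE_ARP = 0x0806


@dataclass
class Frame:
    vlan_id: Optional[int]    # None when the frame carried no 802.1Q tag
    ethertype: int
    src_ip: Optional[str] = None
    dst_ip: Optional[str] = None


def parse_frame(raw: bytes) -> Frame:
    """Parse an Ethernet II frame, with or without an 802.1Q tag (standard layout)."""
    if len(raw) < 14:
        raise ValueError("frame shorter than an Ethernet header")
    (ethertype,) = struct.unpack("!H", raw[12:14])
    offset, vlan_id = 14, None
    if ethertype == TPID_8021Q:
        if len(raw) < 18:
            raise ValueError("truncated 802.1Q tag")
        tci, ethertype = struct.unpack("!HH", raw[14:18])
        vlan_id = tci & 0x0FFF            # low 12 bits of the TCI carry the VLAN ID
        offset = 18
    src_ip = dst_ip = None
    if ethertype == ETHERTYPE_IPV4 and len(raw) >= offset + 20:
        src_ip = str(ip_address(raw[offset + 12:offset + 16]))
        dst_ip = str(ip_address(raw[offset + 16:offset + 20]))
    return Frame(vlan_id, ethertype, src_ip, dst_ip)


def build_frame(vlan_id: Optional[int], ethertype: int,
                src_ip: str = "0.0.0.0", dst_ip: str = "0.0.0.0") -> bytes:
    """Constructed sample input: a minimal frame, optionally tagged, with a bare IPv4 header."""
    raw = b"\x02" * 6 + b"\x04" * 6       # placeholder destination and source MAC addresses
    if vlan_id is not None:
        raw += struct.pack("!HH", TPID_8021Q, vlan_id & 0x0FFF)   # PCP and DEI left at zero
    raw += struct.pack("!H", ethertype)
    if ethertype == ETHERTYPE_IPV4:       # version/IHL, TOS, length, id, flags, TTL, proto, csum
        raw += struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20, 0, 0, 64, 6, 0,
                           ip_address(src_ip).packed, ip_address(dst_ip).packed)
    return raw


@dataclass
class VlanInterface:
    """An XTM interface of type VLAN as set on the Interfaces tab (modelled)."""
    number: int
    tagged: bool                 # True: "Send and receive tagged traffic for selected VLANs"
    members: set = field(default_factory=set)   # VLAN IDs ticked in the Member column

    def vlan_for(self, frame: Frame) -> Optional[int]:
        """VLAN the frame belongs to, or None when the interface drops it (assumed)."""
        if self.tagged:
            return frame.vlan_id if frame.vlan_id in self.members else None
        if frame.vlan_id is None and len(self.members) == 1:
            return next(iter(self.members))   # untagged mode serves exactly one VLAN
        return None


@dataclass
class Policy:
    name: str
    src: str          # a CIDR, or the VLAN alias name
    dst: str
    allow: bool


@dataclass
class Vlan:
    vlan_id: int
    alias: str        # the VLAN name, which also appears as an alias
    subnet: str
    apply_intra_vlan_policies: bool = False


def _matches(spec: str, ip: str, vlan: Vlan) -> bool:
    net = vlan.subnet if spec == vlan.alias else spec
    return ip_address(ip) in ip_network(net, strict=False)


def intra_vlan_decision(vlan: Vlan, ingress: VlanInterface, egress: VlanInterface,
                        raw: bytes, policies: List[Policy]) -> str:
    """What the XTM device does with a frame bridged between two interfaces of one VLAN."""
    frame = parse_frame(raw)
    if ingress.vlan_for(frame) != vlan.vlan_id or vlan.vlan_id not in egress.members:
        return "drop: not a member frame"
    if not vlan.apply_intra_vlan_policies:
        return "allow: bridged without policy checks"    # the default described above
    if frame.ethertype != ETHERTYPE_IPV4:
        return "allow: intra-VLAN non-IP packet"
    for p in policies:
        if _matches(p.src, frame.src_ip, vlan) and _matches(p.dst, frame.dst_ip, vlan):
            return ("allow" if p.allow else "deny") + ": policy " + p.name
    return "deny: unhandled packet"
```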

Aliases
When you add the new VLAN, the VLAN name appears as a new alias in the list of XTM device aliases. To open the Aliases dialog box, select Setup > Aliases.

You can use this alias in XTM device policies to specify the new VLAN.


For example, to specify that users in Trusted-VLAN30 are allowed to make SSH connections to a server in the trusted network with IP address 10.0.1.56, configure an SSH policy as shown in the subsequent image.

Figure 10: SSH policy

Three other aliases can include a VLAN: Any-Trusted, Any-Optional, and Any-External.
- If you configure the VLAN in the Trusted security zone, then the Any-Trusted alias includes the VLAN. The Any-Trusted alias includes VLANs that use the Trusted security zone, and all networks connected to an XTM device interface of type Trusted.
- If you configure the VLAN in the Optional security zone, then the Any-Optional alias includes the VLAN. The Any-Optional alias includes VLANs that use the Optional security zone, and all networks connected to an XTM device interface of type Optional.
- If you configure the VLAN in the External security zone, then the Any-External alias includes the VLAN. The Any-External alias includes VLANs that use the External security zone, and all networks connected to an XTM device interface of type External.


Frequently Asked Questions


If I want to allow traffic to a VLAN from a device outside the VLAN, do I need a policy for it?
Yes. By default, the XTM device does not allow traffic to a device in any VLAN. To allow this traffic, add a policy for it and include the VLAN's alias name in the To section.

If I want to allow traffic that starts in a VLAN and leaves the VLAN, do I need a policy for it?
Yes. Traffic is not allowed to leave a network protected by the XTM device unless there is a policy to allow it. However, the default configuration the Quick Setup Wizard creates for the XTM device includes the Outgoing policy, which allows traffic from Any-Trusted to the external network. If your VLAN uses the Trusted security zone, any device in the VLAN can use the Outgoing policy to send traffic to the external network. This is because a VLAN that uses the Trusted security zone is included in the Any-Trusted alias.

If I want to allow traffic that starts in one VLAN and goes to another VLAN, do I need a policy for it?
Yes. By default, devices in one VLAN cannot see the traffic from another VLAN. You can apply separate security policies to VLANs.

If I want to allow traffic that starts in a VLAN and goes to a device in the same VLAN, do I need a policy for it?
No. If a computer connected to Switch A sends traffic to a computer connected to Switch B (see Figure 20 on page 42 in Exercise 3), and both computers are in the same VLAN, the XTM device does not filter this traffic. In this setup, the XTM device serves as a VLAN bridge between the two computers and the two switches. The two computers communicate as if they were in the same physical LAN, not separated by the XTM device.

How many VLANs can I use?
First, you must have a Fireware XTM license with the Pro upgrade to use VLANs. The number of VLANs you can add to your configuration is 50 to 500, depending on the XTM device model. To verify the number of VLANs you can add to your XTM device:

1. From Policy Manager, select Setup > Feature Key.


The Firebox Feature Key dialog box appears.

2. Scroll down to find the Total Number of VLAN Interfaces row.


The number of available VLANs appears in the Value column.

Out of the above number of VLANs, how many External VLANs can I use?
The recommended maximum number of External VLANs is ten. These ten External VLANs plus the four physical External interfaces make a total of fourteen External interfaces.

What You Have Learned


- You learned what a VLAN is.
- You learned some benefits of using VLANs in your network.
- You learned how VLANs work on the XTM device.
- You configured the XTM device to use VLANs in four different configurations.

Fireware XTM Multi-WAN Methods


Exploring Multi-WAN Through Hands-On Training
Introduction
What You Will Learn
Many organizations have more than one Internet connection, or plan to have additional ones in the future. Fireware XTM OS gives you the option to configure up to four external interfaces. This course shows you how Fireware XTM manages outgoing traffic with each of the four different multi-WAN modes of operation:
- Round-robin: The XTM device distributes a balanced traffic load among the external interfaces. If you have a Fireware XTM with a Pro upgrade, you can assign a weight to each interface.
- Failover: You select one external interface to be your primary external interface and define an order for backup interfaces. If the primary interface goes down, the XTM device sends all traffic to the next interface.
- Interface Overflow: You define the order you want the XTM device to send traffic through external interfaces and configure each interface with a bandwidth threshold value. When traffic sent through the first interface reaches its bandwidth threshold, the XTM device uses the next interface.
- Routing Table: If the XTM device does not find a specified route in its internal route table or from dynamic routing processes, it uses the ECMP (equal-cost multi-path) algorithm to select the route.
You also learn how to monitor the status of your external connections, how sticky connections influence routing decisions, and how to use policy-based routing.

Exercises
The step-by-step exercises in this course show how to configure two of the multi-WAN methods and demonstrate how outgoing connections behave when certain events occur. The first exercise shows the Interface Overflow multi-WAN method and sticky connections. The second one shows the Failover multi-WAN method and policy-based routing.

You must have a Fireware XTM license with a Pro upgrade to use the Interface Overflow method. See the Frequently Asked Questions section near the end of this document for information on which features require Fireware XTM with a Pro upgrade.

What Multi-WAN Can Do For You


Multiple external connections provide several benefits:
- Redundancy: If the main Internet connection goes down, you can use a backup connection for your outgoing connections.
- More bandwidth available for outgoing connections: An additional connection to the Internet can reduce wait times for new connections and large downloads initiated from behind the XTM device.
- Dedicated access through a preferred connection: You can make mission-critical applications, or those that require a lot of bandwidth, use a specified external interface.


Terms and Concepts You Should Know


Outgoing Traffic and Multi-WAN
Fireware XTM lets you configure up to four XTM device interfaces as type External. Because each external interface must have a default gateway, each external interface provides a path that Fireware XTM can use to send traffic to external destinations. For every connection that starts in a network behind the XTM device and goes to an external destination, the XTM device must decide which external interface to use to send the traffic. Several factors determine whether the XTM device allows an outgoing connection, and which external interface the XTM device uses for allowed traffic:
- Policies in Policy Manager that allow and deny traffic
- The multi-WAN method you use
- Static and dynamic routes in the XTM device routing table
- Which external interfaces are currently able to send traffic
- Per-policy settings that can override the multi-WAN method you use (policy-based routing and sticky connections)

The Appendix section includes a flow chart diagram that illustrates how the XTM device makes these decisions.

Incoming Traffic
For incoming connections, the decision process is much simpler. An incoming connection is allowed only if a policy in Policy Manager allows it. Any external interface can receive traffic, as long as Fireware's link monitors sense that the interface is active. The multi-WAN method you use does not affect the path that incoming traffic takes to get to your XTM device. Because the XTM device cannot control which external interface an incoming connection attempts to come through, this training course does not discuss incoming connections. Instead, the focus is on understanding how Fireware XTM handles outgoing connections with the different multi-WAN methods and options.

IPSec VPN Traffic


The concepts in this training apply only to non-IPSec traffic. The methods that Fireware XTM uses to route normal (non-IPSec) traffic to external networks are distinct and separate from the way traffic is sent to the remote side of an IPSec VPN. When the XTM device sends traffic to the other side of a VPN tunnel, it selects from the interfaces specified in the gateway settings for that tunnel. Multiple external interfaces for IPSec VPNs are covered in a separate training module.

Equal-Cost Multi-Path Routing (ECMP)


ECMP is an algorithm for routing packets to destinations when there are multiple next-hop paths of equal cost. The Routing Table multi-WAN method uses ECMP to evenly distribute outgoing traffic across multiple external interfaces based on source and destination IP addresses, and based on the number of connections that go through each external interface. A routing table is a collection of data about destinations in a network and how to reach them. Fireware XTM always consults the XTM device routing table regardless of multi-WAN method. Because of this, ECMP does not interfere with static routes you enter into Policy Manager, or with dynamic routing protocols such as RIP, OSPF, and BGP.


An ECMP group is the group of external interfaces used for ECMP calculations. When the XTM device determines that an external interface in the ECMP group is no longer able to forward traffic to external networks, it removes that interface from the ECMP group. Fireware XTM puts the external interface back into the ECMP group when it determines that the interface is available again. For more information, see The Routing Table Multi-WAN Method on page 68.

Sticky Connections
Dynamic NAT changes the source IP address of an outgoing connection to match the IP address on the external interface the XTM device uses to send the connection. Some applications drop a client's connection if the client's source IP address changes. The most common situation is when a user is on a web site that uses HTTPS. Some HTTPS sites use a session cookie that includes the user's source IP address. If the user is on the site and the browser attempts a new connection (for example, a new GET or POST request to the site causes a new TCP session), the site might deny the new connection if the source IP address does not match what is in the session cookie. You use sticky connections to make sure that when an outgoing traffic flow is established, all connections between the inside user's IP address and the external site's IP address use the same external interface for a certain amount of time. Fireware XTM keeps a dynamic table of sticky connections that includes the source/destination pair for each outgoing connection, the external interface used for the connection, and the connection's age. If a new connection between the pair happens before the sticky connection timeout, the age is reset to zero. When the age of an entry reaches the sticky connection limit, the entry is deleted from the hash table. New connections between the two IP addresses can then use a different external interface.

You cannot use sticky connection options when:
- You use the Failover multi-WAN method.
- You enable policy-based routing for a policy.

For any policy, you can override the global sticky connection setting. Policy-based sticky connection settings specify that outgoing traffic that uses the policy has a shorter or longer sticky connection timeout than the global sticky connection setting. You can also disable sticky connections for a policy. We recommend you use the default settings for sticky connections.
The three-minute timeout prevents most problems that arise when the source IP address of new traffic from behind the XTM device changes. If your users find that they need to re-authenticate more often to sites that use HTTPS, you might want to raise the per-policy sticky timeout for the policy that allows outbound HTTPS traffic. If you do not use a specific HTTPS policy in your XTM device configuration (for example, you have a policy that allows outbound connections over any TCP port), you might want to add a policy that allows only port 443 traffic. You can adjust the sticky connection timeout in this policy without affecting other connections.
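As an added example that is not from this guide or from Fireware, the following Python models the sticky connection table described above: entries keyed by source/destination pair, the age reset on each new connection, expiry when the age reaches the timeout, a per-policy override that lengthens or disables the timeout, and the purge that Immediate Failback performs. The class and function names, the use of the three-minute default as the global value, and the constructed client and site addresses are assumptions of the model.

```python
from dataclasses import dataclass
from itertools import cycle
from typing import Callable, Dict, List, Optional, Tuple

GLOBAL_STICKY_TIMEOUT = 180.0     # seconds; the three-minute default described above


@dataclass
class StickyEntry:
    interface: str
    last_seen: float              # time of the newest connection; age = now - last_seen


class StickyTable:
    """The per-pair sticky connection table (modelled, not Fireware code)."""

    def __init__(self) -> None:
        self.entries: Dict[Tuple[str, str], StickyEntry] = {}

    def lookup(self, src: str, dst: str, now: float, timeout: float) -> Optional[str]:
        """Sticky interface for (src, dst) with its age reset, or None once expired."""
        entry = self.entries.get((src, dst))
        if entry is None:
            return None
        if now - entry.last_seen >= timeout:   # age reached the limit: entry is deleted
            del self.entries[(src, dst)]
            return None
        entry.last_seen = now                  # a new connection resets the age to zero
        return entry.interface

    def record(self, src: str, dst: str, interface: str, now: float) -> None:
        self.entries[(src, dst)] = StickyEntry(interface, now)

    def purge(self) -> None:
        """Immediate Failback purges the table; Gradual Failback leaves it unchanged."""
        self.entries.clear()


@dataclass
class PolicyStickySetting:
    """Per-policy override: None uses the global timeout, 0 disables sticky connections."""
    timeout: Optional[float] = None


def make_picker(names: List[str]) -> Callable[[], str]:
    """Stand-in for the multi-WAN method: hands out interfaces in rotation."""
    return cycle(names).__next__


def choose_interface(table: StickyTable, src: str, dst: str, now: float,
                     multiwan_pick: Callable[[], str],
                     policy: PolicyStickySetting = PolicyStickySetting()) -> str:
    """Sticky entry first; otherwise let the multi-WAN method decide and remember it."""
    timeout = GLOBAL_STICKY_TIMEOUT if policy.timeout is None else policy.timeout
    if timeout > 0:
        iface = table.lookup(src, dst, now, timeout)
        if iface is not None:
            return iface
    iface = multiwan_pick()
    if timeout > 0:
        table.record(src, dst, iface, now)
    return iface


def https_session_demo() -> List[str]:
    """Constructed scenario: one inside client talking to one HTTPS site over time."""
    table = StickyTable()
    pick = make_picker(["eth0", "eth1"])
    client, site = "10.0.1.20", "203.0.113.10"
    # new TCP sessions at 0 s, 100 s, 250 s (age reset keeps it sticky) and 500 s (expired)
    return [choose_interface(table, client, site, t, pick) for t in (0, 100, 250, 500)]
```

With the default timeout the client stays on eth0 for the first three sessions because each new session resets the age; the fourth, 250 s after the previous one, starts fresh and may land on eth1.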

Load Balancing Interface Group (LBIG)


The Load Balancing Interface Group is the group of interfaces you include when you click Configure at the top of the Multi-WAN tab in the Policy Manager network configuration. You can include or exclude any external interface from the multi-WAN method that you use, but you must include at least two external interfaces in the group. Load Balancing Interface Groups apply only to the Round-robin, Failover, and Interface Overflow methods. The Routing Table method does not use the LBIG because the ECMP (equal-cost multi-path) routing algorithm manages all routing decisions.


Policy-Based Routing
Policy-based routing is the ability to specify, at the firewall policy level, that an outgoing traffic flow must use a specific external interface if the source and destination IP addresses of the traffic match the From and To lists of the policy. It lets you overrule the routing decision that Fireware XTM would otherwise make based on the multi-WAN method.

Link Monitor Settings


The XTM device has two ways to tell if an external interface is available to send or receive traffic:
- Monitor the physical link state of the interface's Ethernet peer. The XTM device monitors the physical link by default. If the kernel-level drivers sense that the physical Ethernet link is down, the XTM device immediately declares the interface down. New connections begin to flow through the other external interfaces, depending on the multi-WAN and per-policy configuration options you set.
- Monitor the ability to make connections to external locations. You can specify how the XTM device determines if an external interface is available. From Policy Manager, select Network > Configuration and select the Multi-WAN tab. Highlight the interface to monitor in the External Interface column and view the settings on the Link Monitor tab within the Multi-WAN tab.

Figure 11: Link Monitor tab

Use these settings:
- Select the Ping check box to add an IP address or domain name for the XTM device to ping to check for interface status.


- Select the TCP check box to add the IP address or domain name where the XTM device sends a TCP SYN packet. Use the Port box to set the port the XTM device uses when it sends the SYN packet. If the target sends an ACK in reply, the XTM device knows it can reach the external target. The XTM device closes the connection with a RST packet when it gets an ACK.
- Select the Both ping and TCP must be successful to define the interface as active check box if you want the interface to be considered down when either a ping probe or a TCP packet probe fails. If you do not select this box, then both the ping probe and the TCP packet probe must fail for the XTM device to consider the interface down.
Multi-WAN does not require that you use either the Ping or TCP check boxes, but we recommend that you use one or both of them to determine whether the external interface can send traffic out of your network. Select targets that have a record of high uptime, such as servers hosted by your ISP. If there is a site you must be able to contact at all times, such as a credit card processing site or business partner, it may be worthwhile to ask the administrator at that site if they have a device that you can use as a monitoring target to verify connectivity to their site.
- Use the Probe Interval setting to configure how often you want the XTM device to do the ping and TCP probes. By default, the XTM device probes every 15 seconds.
- Use the Deactivate after setting to change the number of consecutive probe failures that must occur before failover. By default, after three probe failures, the XTM device removes the interface from the list of active external interfaces. Outgoing traffic continues based on the multi-WAN method you use. See the next section, Failover/Failback.
- Use the Reactivate after setting to change the number of consecutive successful probes through an interface before an interface that was inactive becomes active again.
Configure these settings for each external interface.
If you do not select either of these check boxes (Ping or TCP), Fireware XTM monitors each interface by sending an ICMP echo to the interface's default gateway IP address. Because this does not test whether the interface can send traffic beyond the edge of your network, we recommend that you specify probe targets.

Failover/Failback
Failover occurs when an interface that was previously active becomes unable to send traffic to external networks. Failback occurs when an interface that was previously not able to reach external locations becomes active again.

Failover On an External Interface


If an external interface goes down, the XTM device removes that external interface from all routing decisions. The action the XTM device takes depends on the multi-WAN method currently in use:
- Round-robin: The failed interface is removed from the Round-robin group. If your Round-robin group has only two external interfaces, all outgoing connections now use the remaining active interface. If your Round-robin group has more than two external interfaces, Fireware XTM reduces the size of the group so that it includes only the remaining active interfaces. It continues to use the relative weights of the remaining interfaces to make routing decisions.
- Failover: The failed interface is removed from the failover group. Traffic goes out through the next available interface in the failover list.
- Interface Overflow: The failed interface is removed from the Interface Overflow group. The XTM device uses the Interface Overflow threshold assigned to each interface to determine which to use for outgoing traffic. If your Interface Overflow interface group has only two external interfaces, all outgoing connections now use the remaining active interface.
- Routing table: The failed interface is removed from the ECMP group. ECMP continues to make routing decisions based on the external interfaces that remain active.


Failback On an External Interface


When the Link Monitor probes determine that an interface is active again, the interface is made available for outgoing traffic. The Probe Interval and the Reactivate After settings on the Link Monitor tab determine how long this takes. The defaults are to send a probe every 15 seconds and to reactivate the interface after three successful probes. Failback can take up to a full minute if you use the default settings on the Link Monitor tab. New outgoing connections, unless they match an entry in the sticky connections table, start to use the now-active external interface based on the multi-WAN method you select. Existing connections (including traffic that matches an entry in the sticky connections table) behave according to the option you select in the Failback for Active Connections drop-down list:
- Immediate Failback
  - The XTM device drops all currently active connections.
  - TCP RST packets are sent to close all open TCP connections.
  - NAT ports that are open for return UDP packets are closed.
  - The sticky connections table is purged.
- Gradual Failback
  - All currently active connections are allowed to finish before Fireware XTM begins to use the multi-WAN method to send them through another external interface.
  - The sticky connections table stays the same.
Select Immediate Failback if your backup line is expensive, you want to use the backup line only in an emergency, and your organization can tolerate dropped connections when the failback happens. Select Gradual Failback if your organization cannot tolerate dropped connections when the failback happens.
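The probe counting from the Link Monitor settings and the failover and failback behaviour described above, as an added Python model that is not Fireware code: consecutive failed probes deactivate an interface after Deactivate after rounds, consecutive successful probes reactivate it after Reactivate after rounds, the Both ping and TCP must be successful option changes how the two probe results combine, a physical link loss deactivates the interface immediately, and the active group is what the multi-WAN method (or ECMP) is left with. The class and function names are assumptions, as are the failback time bounds, which assume the link may come back just after a probe so that one extra interval can be lost.

```python
from dataclasses import dataclass, field
from typing import List, Optional, Tuple


@dataclass
class LinkMonitorSettings:
    probe_interval: int = 15       # seconds between probes (page default)
    deactivate_after: int = 3      # consecutive failures before failover (page default)
    reactivate_after: int = 3      # consecutive successes before failback (page default)
    require_both: bool = False     # "Both ping and TCP must be successful..." check box


@dataclass
class MonitoredInterface:
    name: str
    settings: LinkMonitorSettings = field(default_factory=LinkMonitorSettings)
    active: bool = True
    link_up: bool = True
    failures: int = 0              # consecutive failed probe rounds
    successes: int = 0             # consecutive successful probe rounds

    def probe_ok(self, ping_ok: Optional[bool] = None, tcp_ok: Optional[bool] = None) -> bool:
        """Combine one round of probe results; None means that probe type is not configured.
        With no targets configured, pass the default-gateway ping result as ping_ok."""
        results = [r for r in (ping_ok, tcp_ok) if r is not None]
        if not results:
            raise ValueError("at least one probe result is needed")
        return all(results) if self.settings.require_both else any(results)

    def record_probe(self, ping_ok: Optional[bool] = None,
                     tcp_ok: Optional[bool] = None) -> bool:
        """Feed one probe round and return whether the interface is active afterwards."""
        if not self.link_up:
            return False                   # nothing to probe while the cable is down
        if self.probe_ok(ping_ok, tcp_ok):
            self.failures = 0
            self.successes += 1
            if not self.active and self.successes >= self.settings.reactivate_after:
                self.active = True         # failback
        else:
            self.successes = 0
            self.failures += 1
            if self.active and self.failures >= self.settings.deactivate_after:
                self.active = False        # failover
        return self.active

    def set_link(self, up: bool) -> None:
        """Physical link state; a link that goes down deactivates the interface at once."""
        self.link_up = up
        self.failures = self.successes = 0
        if not up:
            self.active = False


def active_group(interfaces: List[MonitoredInterface]) -> List[str]:
    """Names still eligible for routing: the LBIG or ECMP group after failover."""
    return [i.name for i in interfaces if i.active]


def failback_window_seconds(s: LinkMonitorSettings) -> Tuple[int, int]:
    """Earliest and latest delay from link recovery to failback (assumption: best case the
    first good probe happens at once, worst case one whole interval is lost first)."""
    return (s.probe_interval * (s.reactivate_after - 1),
            s.probe_interval * (s.reactivate_after + 1))
```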

The Round-Robin Multi-WAN Method


When to Use It
Use the Round-robin method when:
- You have a license for Fireware XTM with a Pro upgrade and you want to specify a weighted distribution of outgoing traffic across your external interfaces.
- You have a standard Fireware XTM license and you want to distribute bandwidth evenly among your external interfaces. (If you have the standard Fireware XTM license, you cannot assign weights to the interfaces.)

How It Works
The Round-robin method distributes traffic to each external interface based on bandwidth, not connections. This gives you more control over how many bytes of data are sent through each ISP. For light traffic loads, weighted Round-robin behaves like a connection-based Round-robin because the weights you use tend to determine the number of connections through each external interface. When the traffic load increases, weighted Round-robin behaves more like a load-based Round-robin because the weights you assign tend to determine the load through each external interface. The Round-robin method uses the run-time average of Tx (transmit) and Rx (receive) bytes through each interface to balance outgoing traffic according to the relative weights you assign to the interfaces.


Fireware XTM takes a measurement four times a second to determine the run-time traffic load on the external interfaces. The Round-robin algorithm is applied only after routes, sticky connections, and policy-based routing fail to give a routing decision.

The weights you assign are relative weights. For example, suppose interface 0 (eth0) is an external interface and you give it a weight of 3. Interface 1 (eth1) is also an external interface and you give it a weight of 2. For every three bytes of traffic that go through eth0, two bytes go through eth1. The byte count sent through eth0 is one and one-half times that of eth1.

To determine which interface to use for a new outgoing connection, weighted Round-robin calculates the load:weight ratio (current traffic load as a proportion of the assigned weight) for each external interface and chooses the interface with the least value for the new connection. For example, configure Interfaces 0, 1, and 2 as external interfaces, and use Round-robin weights of 8, 2, and 1 for those interfaces respectively. Assume that new connections happen in sequence, and each new connection increases the load on an interface equally. The algorithm assigns the new connections as shown in the table in Figure 1:

Connection   Interface 0    Interface 1    Interface 2    New connection uses
             load : weight  load : weight  load : weight  this interface
1            0:8            0:2            0:1            0
2            1:8            0:2            0:1            1
3            1:8            1:2            0:1            2
4            1:8            1:2            1:1            0
5            2:8            1:2            1:1            0
6            3:8            1:2            1:1            0
7            4:8            1:2            1:1            0
8            5:8            1:2            1:1            1
9            5:8            2:2            1:1            0
10           6:8            2:2            1:1            0
11           7:8            2:2            1:1            0
12           8:8            2:2            1:1            Use ECMP when all interfaces have full traffic load

Figure 1: This table shows which external interface is used for a new outgoing connection based on {traffic load : weight} ratio

This example is simplified. The actual situation is more complex. Each new connection does not cause equal traffic load. Many connections close very quickly, causing load to drop quickly. The load on each interface is constantly changing.

Calculate weights for Round-robin


You can only use whole numbers for the interface weights; no fractions or decimals are allowed. To ensure optimal load-balancing, you might need to perform a calculation to know which whole-number weight to assign for each interface. Use a common multiplier so that the ratios of bandwidth at each external connection are resolved to whole numbers.


Example
You have three Internet connections. One ISP gives you 6 Mbps, another ISP gives you 1.5 Mbps, and a third ISP gives you 768 Kbps. Convert the proportion to whole numbers:
1. First convert the 768 Kbps to Mbps so that you use the same unit of measurement for all three lines. This is approximately .75 Mbps. Your three lines are rated at 6, 1.5, and .75 Mbps.
2. Multiply each value by 100 to remove the decimals. Proportionally, these are equivalent: {6 : 1.5 : .75} is the same ratio as {600 : 150 : 75}.
3. Find the greatest common divisor of the three numbers. In this case, 75 is the largest number that evenly divides all three numbers 600, 150, and 75.
4. Divide each of the numbers by the greatest common divisor. The results are 8, 2, and 1. This gives the whole-number weights used for the example.
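The weight calculation above and the load:weight selection shown in Figure 1, as an added Python example (not WatchGuard's code): round_robin_weights reduces the line rates to the smallest whole-number weights with the same ratio, and simulate reproduces the assignment sequence of the table. The tie-break by lowest interface number and the one-unit load per connection are assumptions read from the table, not settings the guide states.

```python
from fractions import Fraction
from functools import reduce
from math import gcd
from typing import List, Optional, Sequence, Tuple


def round_robin_weights(bandwidths: Sequence[str]) -> List[int]:
    """Convert ISP line rates (all in the same unit, as decimal strings such
    as "1.5") to the smallest whole-number Round-robin weights with the same
    ratio.  Fraction keeps the arithmetic exact, so 0.75 is really 3/4."""
    rates = [Fraction(str(b)) for b in bandwidths]
    # Common multiplier: the least common multiple of the denominators turns
    # every rate into an integer (the guide multiplies by 100 by hand).
    scale = reduce(lambda a, b: a * b // gcd(a, b),
                   (r.denominator for r in rates), 1)
    ints = [int(r * scale) for r in rates]
    divisor = reduce(gcd, ints)          # greatest common divisor of all rates
    return [i // divisor for i in ints]


def pick_interface(loads: Sequence[int], weights: Sequence[int]) -> Optional[int]:
    """Weighted Round-robin choice for one new connection.

    Returns the index of the interface with the smallest load:weight ratio
    (ties go to the lowest-numbered interface, as in Figure 1), or None when
    every interface is at or above its weight, the point at which the table
    says ECMP takes over."""
    ratios = [Fraction(load, weight) for load, weight in zip(loads, weights)]
    if all(r >= 1 for r in ratios):
        return None
    return min(range(len(ratios)), key=lambda i: (ratios[i], i))


def simulate(weights: Sequence[int], connections: int) -> Tuple[List[Optional[int]], List[List[int]]]:
    """Assign `connections` new connections in sequence.  Each connection adds
    one unit of load to the interface it lands on (assumption: equal load per
    connection, as in the guide's simplified table).  Returns the chosen
    interface per connection and the load snapshot seen before each choice."""
    loads = [0] * len(weights)
    choices: List[Optional[int]] = []
    snapshots: List[List[int]] = []
    for _ in range(connections):
        snapshots.append(list(loads))
        chosen = pick_interface(loads, weights)
        choices.append(chosen)
        if chosen is None:          # all interfaces full: ECMP, stop the walk
            break
        loads[chosen] += 1
    return choices, snapshots


if __name__ == "__main__":
    w = round_robin_weights(["6", "1.5", "0.75"])     # the guide's three ISPs
    print("weights:", w)                              # [8, 2, 1]
    choices, snaps = simulate(w, 12)
    for snap, c in zip(snaps, choices):
        ratios = "  ".join(f"{load}:{wt}" for load, wt in zip(snap, w))
        print(f"{ratios:<16} -> {'ECMP' if c is None else c}")
```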

How to Configure It
1. From Policy Manager, select Network > Configuration.
The Network Configuration dialog box appears.

2. Select the Multi-WAN tab.
3. From the Multi-WAN Configuration drop-down list, select Round-robin.

Figure 2: Select the Round-robin method for multi-WAN

4. Click Configure, as shown in Figure 2, to set the relative weights for the external interfaces.
The Multi-WAN Round-robin Configuration dialog box appears.

Figure 3: Multi-WAN Round-robin Configuration dialog box

5. In the Include column, select the check boxes next to the interfaces you want to include in the Round-robin configuration. By default, all external interfaces are included. If you have more than two external interfaces you might reserve one external interface for a special purpose.


For example, you might want to use an external interface only for routing traffic to an application service provider, or only for VPN traffic. To exclude an external interface from the Round-robin group, clear the check box next to that interface in Figure 3. You must include at least two interfaces.

6. To change the weight of one of the interfaces, select the interface and click Configure in Figure 3.
The Round-robin Weight dialog box appears.

Figure 4: Set the weight for the interface you selected

7. In the Round-robin Weight text box shown in Figure 4, type or select a number to use for this interface's weight.
8. Click OK.
Figure 5 shows two external interfaces with Round-robin weights set to 3 and 2:

Figure 5: Two interfaces set to relative weights 3 and 2.

When an External Interface Fails


The failed external interface is removed from the Round-robin group. Fireware XTM continues to use the relative weights of the remaining interfaces to make routing decisions.


The Failover Multi-WAN Method


When to Use It
Use the Failover method:
- When you want to use one external interface for all traffic, and you have another ISP that you can use if the primary line goes down.
- If you want to reserve a WAN2 interface for special traffic, and use WAN1 for all other traffic. If the primary WAN1 connection goes down, all traffic can use WAN2 for the emergency outage.
Sticky connection settings cannot be used with the Failover method.

How it Works
The XTM device sends all traffic through the external interface at the top of the list in the Multi-WAN Failover Configuration dialog box. If that interface is not active, the XTM device checks the next external interface in the list. The first active interface in the list is the gateway for all outgoing traffic. If the XTM device senses an Ethernet link failure, failover happens immediately. When you use the default link probe settings, an external interface can take from 45 seconds to one minute to change state from active to not active, or from not active to active. The default probe options are:
- Send a probe every 15 seconds
- Deactivate the interface after three probes in a row fail
- Reactivate the interface after three successful probes in a row

If an external interface that was previously down becomes active again, and it is higher in your list than the currently active external interface, the XTM device immediately starts to send all new connections out the active external interface that is now highest in the list. You control how the XTM device handles any existing connections that currently use the interface that is now lower in your list. Such a connection can immediately be disconnected and routed over the new active interface, or it can use the current interface until the connection is finished.
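The probe timing above, and the failback timing in the Failback section, as an added Python model (not WatchGuard's implementation) of the Link Monitor state machine with the default 15-second interval and three-probe thresholds. The assumption that a probe result different from the previous one resets the other counter is ours; failover_gateway then applies the Failover rule of taking the first active interface in the configured list.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

PROBE_INTERVAL_SEC = 15   # default Probe Interval on the Link Monitor tab
DEACTIVATE_AFTER = 3      # default: deactivate after three failed probes in a row
REACTIVATE_AFTER = 3      # default: reactivate after three successful probes in a row


@dataclass
class LinkMonitor:
    """Link Monitor state for one external interface, modelled from the guide.

    Assumption (not stated on the page): a probe result that differs from the
    previous one resets the other counter, so only consecutive results count.
    """
    active: bool = True
    consecutive_fail: int = 0
    consecutive_ok: int = 0
    elapsed_sec: int = 0
    # (seconds since monitoring started, new state) for every state change
    transitions: List[Tuple[int, bool]] = field(default_factory=list)

    def probe(self, success: bool) -> bool:
        """Record one probe result and return the interface state afterwards."""
        self.elapsed_sec += PROBE_INTERVAL_SEC
        if success:
            self.consecutive_ok += 1
            self.consecutive_fail = 0
            if not self.active and self.consecutive_ok >= REACTIVATE_AFTER:
                self.active = True
                self.transitions.append((self.elapsed_sec, True))
        else:
            self.consecutive_fail += 1
            self.consecutive_ok = 0
            if self.active and self.consecutive_fail >= DEACTIVATE_AFTER:
                self.active = False
                self.transitions.append((self.elapsed_sec, False))
        return self.active


def run_probes(results: str) -> LinkMonitor:
    """Feed a string of probe outcomes ('.' = reply, 'x' = no reply) to a fresh
    monitor and return it so the caller can inspect state and transitions."""
    mon = LinkMonitor()
    for ch in results:
        mon.probe(ch == ".")
    return mon


def failover_gateway(order: List[str], monitors: Dict[str, LinkMonitor]) -> Optional[str]:
    """Failover method: the first active interface in the configured list is
    the gateway for all new outgoing traffic; None means every line is down."""
    for name in order:
        if monitors[name].active:
            return name
    return None


if __name__ == "__main__":
    # Constructed probe histories: the primary line drops, then recovers.
    mons = {
        "Main-Internet": run_probes("..xxx...."),
        "Secondary-Internet": run_probes("........."),
    }
    print(mons["Main-Internet"].transitions)   # [(75, False), (120, True)]
    print(failover_gateway(["Main-Internet", "Secondary-Internet"], mons))
```

Three consecutive misses are 45 seconds of probing, and a failure that begins just after a probe is not noticed until the next one, which is where the guide's "45 seconds to one minute" comes from.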

How to Configure It
Select the Multi-WAN tab on the Network Configuration dialog box to configure this method. You then use additional dialog boxes to select the interfaces you want to participate in the failover and establish a failover sequence for them. For more details on configuring this method, see Exercise 2.

When an External Interface Fails


The failed interface is removed from the failover group. The next available interface in the Failover list assumes the highest precedence. Client connections time out and are reestablished with the new route.


The Interface Overflow Multi-WAN Method


When to Use It
Use the Interface Overflow method when you want to restrict the maximum bandwidth that each external interface uses. When the bandwidth threshold is reached for an external interface, new connections use the next external interface in your list. You must have a Fireware XTM license with a Pro upgrade to use this multi-WAN method.

How it Works
When you use the Interface Overflow method, you select the order you want the XTM device to send traffic through external interfaces and configure each interface with a bandwidth threshold value. The XTM device starts to send traffic through the first external interface in the Interface Overflow Configuration list. When the traffic through that interface reaches the bandwidth threshold you set for that interface, the XTM device starts to send new connections through the next interface in the list. This multi-WAN method allows the amount of traffic sent over each external interface to be restricted to a specified bandwidth limit. To determine traffic volume through an interface, the XTM device examines the amount of sent (TX) and received (RX) packets and uses the higher number. When you configure the interface bandwidth threshold for each interface, you must consider the needs of your network for this interface and set the threshold value based on these needs. For example, if your ISP is asymmetric and you set your bandwidth threshold based on a large TX rate, interface overflow will not be triggered by a high RX rate. When all external interfaces reach their threshold, the XTM device uses the ECMP algorithms to find the best path.
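The threshold walk described above, as an added Python example (not Fireware's code): an interface's load is the higher of its TX and RX figures, thresholds are rounded down to 100 Kbps as Policy Manager does, and new connections go to the first interface in the list that is still under its threshold. The ECMP fallback for the all-full case is approximated with a hash of the flow key, which is our assumption; the interface names, thresholds and load figures are constructed from Exercise 1.

```python
import zlib
from typing import Sequence, Tuple

# One entry of the ordered Interface Overflow list:
# (interface name, threshold in Kbps, current TX in Kbps, current RX in Kbps)
Interface = Tuple[str, int, int, int]


def normalize_threshold_kbps(value_kbps: int) -> int:
    """Policy Manager keeps thresholds in 100 Kbps increments; the exercise
    notes that 256 Kbps is stored as 200 Kbps, so the value rounds down."""
    return (value_kbps // 100) * 100


def interface_load_kbps(tx_kbps: int, rx_kbps: int) -> int:
    """The XTM device compares the higher of TX and RX against the threshold.
    A threshold chosen from a large TX rate on an asymmetric line is therefore
    never reached by the (smaller) RX rate, which is the caveat in the text."""
    return max(tx_kbps, rx_kbps)


def overflow_pick(interfaces: Sequence[Interface], flow_key: bytes) -> Tuple[str, str]:
    """Choose the external interface for one new connection.

    Walks the list in order and returns the first interface whose current
    load is below its threshold, tagged "OVERFLOW".  When every interface is
    at or above its threshold the guide says ECMP decides; that is modelled
    here (assumption) by hashing the flow key across the list, so one flow
    always maps to the same interface."""
    for name, threshold, tx, rx in interfaces:
        if interface_load_kbps(tx, rx) < normalize_threshold_kbps(threshold):
            return name, "OVERFLOW"
    idx = zlib.crc32(flow_key) % len(interfaces)
    return interfaces[idx][0], "ECMP"


if __name__ == "__main__":
    # Constructed load figures for the two external interfaces of Exercise 1.
    quiet = [("0-Main-Internet", 200, 50, 120), ("3-Secondary-Internet", 200, 0, 0)]
    busy = [("0-Main-Internet", 200, 30, 250), ("3-Secondary-Internet", 200, 0, 0)]
    print(overflow_pick(quiet, b"10.0.10.2:2892->206.253.208.100:80"))  # Main-Internet
    print(overflow_pick(busy, b"10.0.10.2:2893->66.35.250.150:80"))     # Secondary-Internet
```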

How to Configure It
Select the Multi-WAN tab on the Network Configuration dialog box to configure this method. You then use an additional dialog box to configure the bandwidth threshold for each interface. For more details on configuring this method, see Exercise 1.

When an External Interface Fails


The failed interface is removed from the interface overflow group. Traffic goes out through the other external interfaces in the group, according to the interface overflow threshold assigned to each.


The Routing Table Multi-WAN Method


When to Use It
Use the Routing Table method when you want a quick and easy way to evenly distribute outgoing traffic among multiple external interfaces. This method is the quickest way to take advantage of load balancing across more than one route to the Internet. Because the ECMP algorithm manages all connection decisions, no additional configuration is necessary after it is enabled. This multi-WAN method is based on connections, not bandwidth or load. Routes configured statically or learned from dynamic routing are used before the ECMP algorithm.

How it Works
If you have multiple active external interfaces, multiple default routes to the external network are available with the same cost (one hop). With the Routing Table method, Fireware XTM puts all the active external interfaces into one ECMP group. It uses the ECMP algorithm to decide which next-hop (path) to use to send each packet. This algorithm does not consider current byte count through the external interfaces. When you select the Routing Table method for your multi-WAN configuration, the XTM device first looks at policy-based routing actions in your policies, the routes in its internal route table, and the sticky connection table to see if it should send a packet through a specific external interface. If the XTM device does not find a specified route, it selects a route based on the ECMP (equal-cost multi-path) algorithm specified in http://www.ietf.org/rfc/rfc2992.txt.

How to Configure It
There is only one setting:

1. From Policy Manager, select Network > Configuration.
The Network Configuration dialog box appears.

2. Select the Multi-WAN tab.
3. From the Multi-WAN Configuration drop-down list, select Routing Table.

Figure 6: Select the Routing Table method for multi-WAN

When an External Interface Fails


The failed interface is removed from the ECMP group. ECMP continues to make routing decisions based on the external interfaces that remain active.


Before You Begin


Necessary Equipment and Services
Before you start the exercises, make sure you have these items:
- Management computer (See the subsequent section for configuration details.)
- Ethernet cables
  - One crossover Ethernet cable to connect your computer to the trusted interface on your student XTM device.
  - Two Ethernet cables to connect two external interfaces from your XTM device to the central classroom XTM device (or to a hub that connects all student XTM devices to the central XTM device).
- WSM version 11.6 software and Fireware XTM with a Pro upgrade v11.6 software. Your instructor provides this software, or you can download it from the WatchGuard web site when you log in with a valid WatchGuard account.
- XTM device
- Feature key. Your instructor will provide a feature key to enable the features the XTM device must have for these exercises. The feature key must include Fireware XTM Pro. You use the feature key near the end of the Quick Setup Wizard when you configure the XTM device.
- FTP Server. Your instructor will provide you access to an FTP server for use in these exercises.

Management Computer Configuration


Before you begin these exercises, make sure your management computer is configured correctly. Install WSM management software and the Fireware XTM operating system with a Pro upgrade. You do not have to install the server components, just the WSM client software. Connect the management computer directly to the trusted interface 1 on the XTM device with a crossover Ethernet cable. Make sure your management computer has an IP address in the same subnet as the trusted interface with the correct subnet mask. Use the XTM device trusted interface IP address as the default gateway of the computer.


Firewall Configuration
If your XTM device is not yet configured, run the Quick Setup Wizard and select mixed routing mode. Mixed routing mode has these defaults:
- The external Interface 0 is configured and enabled with a static IP address. Your instructor will tell you what IP address to assign to the external interface.
- The trusted Interface 1 is configured and enabled with IP address 10.0.1.1/24. Your instructor will give you an IP address to use for the trusted interface and for your management computer. Your trusted interface IP address should be 10.0.X.1/24.
- None of the other interfaces are configured (they are all set to Disabled).
- The configuration file you open in Policy Manager includes five policies: FTP, Ping, DNS, WatchGuard, and Outgoing.

In the exercises, your external interface and trusted interface IP addresses are determined by your student number. Replace the X in the exercises with your student number.

Bandwidth Available at Each External Interface


In general, this training module does not discuss traffic management. However, you should know the available upstream and downstream caps that your ISP puts on your Internet connection for each external interface. You must know these values to:
- Make accurate threshold limits for the Interface Overflow method. If you set threshold limits too low, you might not use the full available bandwidth before traffic flows over to another external interface. If you set threshold limits too high, the other external interfaces might never be used (traffic from an external interface might never flow over to another interface because the threshold is never reached).
- Correctly set the relative weights for the Round-robin method. You can more effectively balance the outgoing traffic between external interfaces when you know how much bandwidth each ISP allocates.

Physically Connecting your Devices


Because these exercises are designed for a classroom environment, the external interfaces of all student XTM devices should be connected to two network segments. All the student XTM devices should be connected to the instructor XTM device.


Exercise 1: Demonstrate the Interface Overflow Multi-WAN Method and Sticky Connections

When to Use the Interface Overflow Method


The Interface Overflow method lets you use one WAN for outgoing connections until the bandwidth for that interface goes above a threshold that you set. Then outgoing connections use another external interface. When the bandwidth use through the first interface falls below the threshold, new connections use that interface again.

Network Topology
This exercise shows how to configure the XTM device to use two Internet connections with the Interface Overflow method. Figure 7 shows how your equipment is connected.

Figure 7: Network topology for Exercise 1. Each student XTM device has two external interfaces.


Configure the XTM Device


Configure the Main External Interface
1. From Policy Manager, select Network > Configuration. The Network Configuration dialog box appears.

Figure 8: Network Configuration dialog box

2. Double-click Interface 0 to configure it. Configure the IPv4 tab as shown.

Figure 9: Interface 0 configuration

3. Type a name for the interface in the Interface Name (Alias) text box.
For this example we type Main-Internet for Interface 0.

4. (Optional) Type an interface description if desired.


We use Primary WAN.

5. From the Interface Type drop-down list, select External.



6. Select Use Static IP.
7. In the IP Address text box, type 203.0.113.X/24. Replace the X in the IP address with the student number your instructor gives you.
In Figure 3, we show the configuration for Student 10. For example, if you are Student 30, the IP address you type is 203.0.113.30/24.

8. In the Default Gateway text box, type 203.0.113.1.
9. Click OK to return to the main Network Configuration dialog box.

Configure the Second WAN Interface


1. Double-click Interface 3 to configure it. Configure the IPv4 tab as shown.

Figure 10: Interface 3 configuration

2. (Optional) Type a name for the interface in the Interface Name (Alias) text box.
For this example we call Interface 3 Secondary-Internet.

3. (Optional) Type an interface description.


For this example, type Backup WAN.

4. From the Interface Type drop-down list, select External.
5. Select Use Static IP.
6. In the IP Address text box, type 192.51.100.X/24. Replace the X in the IP address with the student number your instructor gives you. In Figure 10 we show the configuration for Student 10. For example, if you are Student 40, the IP address you type is 192.51.100.40/24.
7. In the Default Gateway text box, type 192.51.100.1.
8. Click OK to return to the main Network Configuration dialog box.


Configure the Multi-WAN Method


1. Select the Multi-WAN tab.
2. From the Multi-WAN Configuration drop-down list, select Interface Overflow.

Figure 11: Select the Interface Overflow method

3. Click Configure.
The Multi-WAN Interface Overflow Configuration dialog box appears.

Figure 12: Interface Overflow Configuration dialog box

4. Select interface 0 (Main-Internet) and click Configure to configure its threshold.
The Interface Overflow Threshold dialog box appears.

Figure 13: Configure the interface overflow threshold for the primary WAN

Note that the window in Figure 13 keeps values only in increments of 100 Kbps. For example, if you type 256 Kbps here, Policy Manager changes it to 200 Kbps.


5. From the right drop-down list, select Kbps. In the text box, set the threshold for this interface to 200 Kbps.

This example is not meant to show a real-world Internet connection. We set this to a low value to demonstrate the Interface Overflow method. Remember also that Fireware XTM does not use the overflow threshold value as a cap to throttle available bandwidth. The threshold is only a trigger to start sending new connections out a different external interface. Throughput can exceed the overflow threshold you set for an external interface, but Fireware XTM does not send new outgoing connections through the interface until current throughput for the interface goes below the overflow threshold.

Figure 14: The Interface Overflow Configuration dialog box should look like this

6. Make sure that interface 0 is at the top of the list. If it is not, select the Main-Internet (0) interface and click Move Up to move it to the top of the list.
7. Click OK twice to return to the main Policy Manager window.
You do not need to configure anything on the Link Monitor tab or the Advanced tab for this exercise.

Enable Logging of Allowed Packets For the FTP and Outgoing Policies
By default, the XTM device sends log messages only for denied packets. To see what interface the XTM device uses to send outgoing connections, enable the logging of allowed packets for the FTP and Outgoing policies.

1. Right-click the FTP policy and select Modify Policy to edit it.
You can also double-click a policy to modify it.

Figure 15: Right-click or double-click a policy to modify it


2. Select the Properties tab and click Logging.

Figure 16: Click Logging on the Properties tab of the policy

3. Select the Send Log Message check box to enable logging of allowed packets that the XTM device sends through this policy, and then click OK.

Figure 17: Enable logging of allowed packets for this policy

4. Click OK.
5. Repeat Steps 1-4 to enable logging of allowed packets for the Outgoing policy.


6. Make sure Policy Manager uses the Details view. If Policy Manager has large icons, right-click anywhere in the main Policy Manager window and select Details View.

You can also switch views using the View menu. Select View and then select Large Icons or Details.

Figure 18: Switch to Details View

7. Note that the Action column shows an icon for policies that have logging enabled. Position the mouse over the action column to see a description of what each icon represents.

Figure 19: The Action column shows which policies have logging enabled

8. Click and save this configuration to the XTM device. Or, select File > Save > To Firebox.

Demonstrate It
How the Demonstration Works
First you browse several web sites and see the connections go out the Main-Internet interface. You start an FTP download of a large file to use up the allotted 2 Mbps on the Main-Internet interface, Interface 0. When the throughput for the Main-Internet interface reaches the Interface Overflow threshold, you observe that new outgoing connections use the Secondary-Internet interface, Interface 3. You see some connections continue to use the Main-Internet interface even though the Interface Overflow threshold is reached for that interface, because the connections are sticky.

Note
Important! When the FTP download starts, you must visit a new web site quickly to see the XTM device change the interface it uses for outgoing connections. If you wait too long and the FTP transfer finishes, the rate of traffic through the main external interface falls below the threshold and the interface becomes available for new connections again. Before you begin, think of some sites you can use that you have not been to before, so you can quickly demonstrate the Interface Overflow behavior when the FTP transfer starts.

Verify that Outgoing HTTP Connections Use the Correct Interface


To make sure that your outgoing HTTP connections use the correct interface, you connect to Firebox System Manager and then browse the Internet.

1. Connect to Firebox System Manager and select the Traffic Monitor tab.

Figure 20: The Traffic Monitor tab of Firebox System Manager


Do not start any file downloads in Step 2. A large file download can trigger the Interface Overflow threshold before you are ready to observe it. The FTP transfer in the next section will trigger the interface overflow.

2. Use your web browser to visit several web sites and see if your connections use the correct interface.
3. Watch Traffic Monitor to see log messages that show outgoing connections using the Main-Internet interface. You see messages like this in Traffic Monitor:
Allow 10.0.10.2 206.253.208.100 http/tcp 2892 80 1-Trusted 0-Main-Internet allowed, mss not exceeding 1460, idle timeout=43205 sec 48 128 (Outgoing-00) rt="MWAN" src_ip_nat="203.0.113.10" src_port_nat="10119"

The rt=MWAN message means that Fireware XTM decided which external interface to use based only on the multi-WAN method in use.


Start the FTP Transfer to Trigger the Interface Overflow


Use Internet Explorer or an FTP client to connect to the FTP server. The subsequent steps show how to use Internet Explorer 9.0 as an FTP client.

1. If the instructor has configured a local FTP server, in the Internet Explorer address bar, type ftp://192.51.100.2.
If a local FTP server is not available, the instructor will provide instructions to connect to an FTP server on the Internet.

The FTP server should allow anonymous access (it is not necessary to give a user name and password). If this is the case, you see a large file listed.
If anonymous FTP access is not allowed, your instructor will give you credentials to log in.

Figure 21: Internet Explorer as an FTP client

2. Press Alt, then select View > Open FTP site in Windows Explorer.
The FTP site opens in Windows Explorer.

3. Drag the file to the Desktop icon at the left to copy the file to your desktop.

Figure 22: Drag the file to the Desktop icon on the left.

The download starts.

Browse to Sites and See Which Interface is Used


1. Browse to a web site you visited less than three minutes ago.
2. Select the Traffic Monitor tab of Firebox System Manager.
3. Find the Sticky Connections log message for the connection to this site. Look for a log message similar to this, with rt=STICKY in the message:
Allow 10.0.10.2 206.253.208.100 http/tcp 2892 80 1-Trusted 0-Main-Internet allowed, mss not exceeding 1460, idle timeout=43205 sec 48 128 (Outgoing-00) rt="STICKY" src_ip_nat="203.0.113.10" src_port_nat="10145"

This connection uses the primary external interface Main-Internet, even though this interface reached the threshold. This is because it matches an entry in the Sticky Connections table.

New connections that match an entry in the sticky connections table use the same external interface for the sticky timeout period. This is true even if current throughput for the interface is over the Interface Overflow threshold. When the throughput for the Main-Internet connection exceeds the Interface Overflow threshold, new connections use the Secondary-Internet interface.

4. Go to a web site you have not visited before.
5. On the Traffic Monitor tab, find the log message for this new connection. The log message will be similar to the following message, and will include the text rt=MWAN.
Allow 10.0.10.2 66.35.250.150 http/tcp 2892 80 1-Trusted 3-Secondary-Internet allowed, mss not exceeding 1460, idle timeout=43205 sec 48 128 (Outgoing-00) rt="MWAN" src_ip_nat="192.51.100.10" src_port_nat="10163"

This connection switched to the Secondary-Internet interface, because the Main-Internet interface reached the Interface Overflow threshold.


6. After the FTP transfer finishes, go back to the web site you visited in Step 3 (if it was less than three minutes ago) and press Ctrl-F5 on your keyboard to force all content on the page to reload.
This is the site you visited that went through the Secondary-Internet connection, shown in the log message in Step 5.

7. On the Traffic Monitor tab, find the log messages for this connection. Verify that it still uses the Secondary-Internet interface.
It still uses the Secondary-Internet interface because it matches an entry in the sticky connections table.

8. Go to a web site you have not visited in the last three minutes.
9. On the Traffic Monitor tab, find the log messages for this connection. Verify that new connections now use the Main-Internet interface.
New connections start to use the Main-Internet interface because the throughput for that interface is below the Interface Overflow threshold.
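To check the Traffic Monitor lines from this exercise mechanically rather than by eye, an added Python example (not a WatchGuard tool): it parses the Allow lines quoted above, counts which outgoing interface and rt= decision each connection used, and flags any connection whose NAT source address does not belong to the subnet of the interface it left on. The interface-to-subnet map is taken from the exercise configuration; the fourth sample line is constructed to show a mismatch.

```python
import re
from collections import Counter
from ipaddress import ip_address, ip_network
from typing import Dict, Iterable, List, Optional, Tuple

# One Traffic Monitor line per outgoing connection, in the shape shown in the
# exercise: action, src, dst, service, ports, in/out interface, free text,
# "(policy)", the rt= routing-decision tag, then the NAT source address/port.
LOG_RE = re.compile(
    r'^(?P<action>Allow)\s+(?P<src>\S+)\s+(?P<dst>\S+)\s+(?P<service>\S+)\s+'
    r'(?P<sport>\d+)\s+(?P<dport>\d+)\s+(?P<in_if>\S+)\s+(?P<out_if>\S+)\s+'
    r'.*?\((?P<policy>[^)]+)\)\s+rt="(?P<rt>[A-Z]+)"'
    r'(?:\s+src_ip_nat="(?P<nat_ip>[^"]+)")?'
    r'(?:\s+src_port_nat="(?P<nat_port>\d+)")?'
)

# Public subnet owned by each external interface, from the exercise
# configuration (Interface 0 = 203.0.113.X/24, Interface 3 = 192.51.100.X/24).
INTERFACE_SUBNETS = {
    "0-Main-Internet": ip_network("203.0.113.0/24"),
    "3-Secondary-Internet": ip_network("192.51.100.0/24"),
}


def parse_line(line: str) -> Optional[Dict[str, str]]:
    """Return the named fields of one Allow line, or None for any other line."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None


def route_decisions(lines: Iterable[str]) -> Counter:
    """Count (outgoing interface, rt tag) pairs, e.g. ("0-Main-Internet", "MWAN")."""
    counts: Counter = Counter()
    for line in lines:
        entry = parse_line(line)
        if entry:
            counts[(entry["out_if"], entry["rt"])] += 1
    return counts


def nat_mismatches(lines: Iterable[str]) -> List[Tuple[str, str, str]]:
    """Flag connections whose NAT source IP is not in the subnet of the
    interface they left on.  After a correct multi-WAN decision the two always
    agree, so a mismatch points at a misread line or a misconfigured interface.
    Returns (destination, outgoing interface, NAT source IP) per mismatch."""
    bad = []
    for line in lines:
        entry = parse_line(line)
        if not entry or not entry["nat_ip"]:
            continue
        subnet = INTERFACE_SUBNETS.get(entry["out_if"])
        if subnet is None or ip_address(entry["nat_ip"]) not in subnet:
            bad.append((entry["dst"], entry["out_if"], entry["nat_ip"]))
    return bad


# Constructed sample: the three lines quoted in the exercise, plus one line
# (destination 192.0.2.77) made up to carry the wrong NAT address for
# interface 3 so that nat_mismatches has something to report.
SAMPLE_LOG = [
    'Allow 10.0.10.2 206.253.208.100 http/tcp 2892 80 1-Trusted 0-Main-Internet allowed, mss not exceeding 1460, idle timeout=43205 sec 48 128 (Outgoing-00) rt="MWAN" src_ip_nat="203.0.113.10" src_port_nat="10119"',
    'Allow 10.0.10.2 206.253.208.100 http/tcp 2892 80 1-Trusted 0-Main-Internet allowed, mss not exceeding 1460, idle timeout=43205 sec 48 128 (Outgoing-00) rt="STICKY" src_ip_nat="203.0.113.10" src_port_nat="10145"',
    'Allow 10.0.10.2 66.35.250.150 http/tcp 2892 80 1-Trusted 3-Secondary-Internet allowed, mss not exceeding 1460, idle timeout=43205 sec 48 128 (Outgoing-00) rt="MWAN" src_ip_nat="192.51.100.10" src_port_nat="10163"',
    'Allow 10.0.10.2 192.0.2.77 http/tcp 2893 80 1-Trusted 3-Secondary-Internet allowed, mss not exceeding 1460, idle timeout=43205 sec 48 128 (Outgoing-00) rt="MWAN" src_ip_nat="203.0.113.10" src_port_nat="10170"',
]

if __name__ == "__main__":
    for (out_if, rt), n in sorted(route_decisions(SAMPLE_LOG).items()):
        print(f"{out_if:<22} {rt:<7} {n}")
    print("NAT mismatches:", nat_mismatches(SAMPLE_LOG))
```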


Exercise 2: Demonstrate the Failover Multi-WAN Method and Policy-Based Routing

This exercise demonstrates what happens when an external interface that uses the Failover Multi-WAN method fails.

When to Use the Failover Method


Failover gives stability to your organization's outgoing connections. Use the Failover method when you have more than one Internet connection that you can use. If the primary line goes down, connections flow through the backup line.

Network Topology
The physical setup is the same as for Exercise 1. Figure 23 shows how your equipment is connected.

Figure 23: The network topology for Exercise 2 is the same as for Exercise 1.


Configure the XTM Device


Configure the External Interfaces
The configuration of the main and secondary external interfaces is the same as for Exercise 1. If you have completed Exercise 1, proceed to the next section. If you have not completed Exercise 1, you must do so before you can proceed. In the section Configure the XTM Device, on page 72, complete Steps 1-17 of Exercise 1.

Configure the Multi-WAN Method


1. In the Network Configuration dialog box, select the Multi-WAN tab.
2. From the Multi-WAN Configuration drop-down list, select Failover.

Figure 24: Select the Failover Multi-WAN method

3. Click Configure.
The Multi-WAN Failover Configuration dialog box appears.

Figure 25: The Multi-WAN Failover Configuration dialog box

4. Make sure that interface 0 is at the top of the Interface list. If it is not, select Main-Internet (0) and click Move Up to move it to the top of the list.
5. Click OK.


Configure Link Monitor Target For the Main-Internet Interface


1. On the Link Monitor tab, in the External Interfaces list, select Main-Internet and configure monitor targets for this external interface.
2. Set the ping target:
   a. Select the Ping check box.
   b. From the Ping drop-down list, select IP Address.
   c. In the Ping text box, type the IP address of the instructor's FTP server: 192.51.100.2.

It is not necessary to configure a link monitor target for the Secondary-Internet connection. When you do not configure link monitor targets for an external interface, the XTM device monitors the health of the interface by sending ICMP requests to the interface's default gateway. In a real-world installation, you would normally select sites for the link monitor targets, based on a record of superior uptime.

Figure 26: Ping target for monitoring the Main-Internet interface

3. Click OK.

Enable Logging of Allowed Packets For Policies


If you previously completed Exercise 1, you enabled logging of allowed packets for the Outgoing and FTP policies. Now we will use the same procedure to enable logging of allowed packets for the Ping and Outgoing policies.

1. Right-click or double-click the Ping policy and select Modify Policy to edit it.
The Edit Policy Properties dialog box appears.

2. Select the Properties tab and click Logging.


The Logging and Notification dialog box appears.

3. Select the Send log message check box to enable logging of allowed packets that the XTM device sends through this policy.
4. Click OK.
The Logging and Notification dialog box closes and the Edit Policy Properties dialog box appears.

5. Click OK.
The Edit Policy Properties dialog box closes and Policy Manager appears.

6. Right-click or double-click the Outgoing policy and select Modify Policy to edit it.
The Edit Policy Properties dialog box appears.

7. Select the Properties tab and click Logging.


The Logging and Notification dialog box appears.

8. Select the Send log message check box to enable logging of allowed packets that the XTM device sends through this policy.
9. Click OK.
The Logging and Notification dialog box closes and the Edit Policy Properties dialog box appears.


10. Click OK.
11. Make sure Policy Manager uses the Details view. If Policy Manager has large icons, right-click anywhere in the main Policy Manager window and select Details View.

You can also change views using the View menu. Select View and then select Large Icons or Details.

Figure 27: Change to Details View

Note that the Action column shows a Log icon for each policy that has logging enabled.

Figure 28: The Action column shows which policies have logging enabled

12. Click the save button on the toolbar to save this configuration to the XTM device, or select File > Save > To Firebox.

Enable Policy-based Routing For the Ping Policy


1. Double-click the Ping policy to edit it.
2. On the Policy tab, select the Use policy-based routing check box.
3. From the Use policy-based routing drop-down list, select Main-Internet.


4. Do not select the Failover check box.

Do not enable failover in Step 4. This lets you see what happens when the policy-routing interface is not available.

Figure 29: Enable policy-based routing for the Ping policy

5. Click OK.
6. Click the save button on the toolbar to save this configuration to the XTM device, or select File > Save > To Firebox.

Enable Policy-Based Routing For the Outgoing Policy


1. Double-click the Outgoing policy to edit it.
2. On the Policy tab, select the Use policy-based routing check box.
3. From the Use policy-based routing drop-down list, select Main-Internet.


4. Select the Failover check box.

Figure 30: Enable policy-based routing for the Outgoing policy

5. Click OK.
6. Click the save button on the toolbar to save this configuration to the XTM device, or select File > Save > To Firebox.

Demonstrate It
How the Demonstration Works
First, you browse to several web sites using HTTP and HTTPS, and see the connections that go out the Main-Internet interface. Ping some external IP addresses to see the XTM device send the echo requests through the Main-Internet interface with the policy-based routing you enabled for the Ping policy. Your instructor will cause your XTM device Main-Internet interface to fail by causing pings to the link monitor target to fail. After the failover event, browse some web sites again to see the connections go out the Secondary-Internet interface. Your pings to external locations will fail, because you did not enable failover for the Ping policy's policy-based routing.

Verify Outgoing Connections Use the Correct Interface


To make sure that your outgoing connections use the correct interface, connect to Firebox System Manager and then browse the Internet.

1. Open WSM and connect to your XTM device.
2. Select the XTM device and click the toolbar button to open Firebox System Manager.
Firebox System Manager appears.

3. Select the Traffic Monitor tab to begin monitoring traffic.
4. Use your browser to connect to some web sites. Visit several sites with HTTP and HTTPS addresses.
5. Watch Traffic Monitor to see log messages that show the outgoing connections using the Main-Internet interface. Log messages like this appear in Traffic Monitor:
Allow 10.0.10.2 206.253.208.100 http/tcp 2892 443 1-Trusted 0-Main-Internet allowed, mss not exceeding 1460, idle timeout=43205 sec 48 128 (Outgoing-00) rt="MWAN" src_ip_nat="203.0.113.10" src_port_nat="10119"

rt=MWAN in the log message indicates that Fireware XTM decided which external interface to use based only on the Multi-WAN method in use.

6. Ping some sites external to the XTM device. Log messages show that the echo requests go out the Secondary-Internet interface. Log messages like this appear:
Allow 10.0.10.2 64.233.167.99 icmp-Echo 1-Trusted 0-Main-Internet allowed 60 128 (Ping-00) rt="PRO" src_ip_nat="203.0.113.10"

PRO in the log message for Step 6 stands for Policy Routing Object. It signifies that the connection matches a policy that uses policy-based routing. The instructor causes ICMP requests to your link monitor target to fail. A log message like this appears in Traffic Monitor:
monitord No response from WAN Ping Target 203.0.113.2 on eth0

After three probes fail, the XTM device sees that the Main-Internet interface is not available to send traffic. A log message like this appears:
Target Probing on gateway 203.0.113.1 (gateway on eth0) failed

7. Browse to more web sites. Outgoing connections now use the Secondary-Internet interface. Log messages like this appear in Traffic Monitor:
Allow 10.0.10.2 206.253.208.100 http/tcp 2892 443 1-Trusted 3-Secondary-Internet allowed, mss not exceeding 1460, idle timeout=43205 sec 48 128 (Outgoing-00) rt="MWAN" src_ip_nat="192.51.100.10" src_port_nat="10119"

Remember that the number of failed probes is configurable. Three is the default.

8. Send pings again to the external network. The XTM device drops the packets. Log messages like this appear in Traffic Monitor:
Deny 10.0.10.2 64.233.167.99 icmp-Echo 1-Trusted 0-Secondary-Internet all gateways in policy routing are down, drop this packet 60 128 (internal policy)

This message appears when failover is not enabled for the Ping policy's policy-based routing. If you enable failover for policy-based routing in Figure 29, the ping is allowed through the other interface.
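Added example (not part of the WatchGuard course material): a small Python parser for the Traffic Monitor messages shown in this demonstration. It counts failed link monitor probes per interface, records the gateway-failed event, notes when a policy's allowed connections move to a different external interface, tallies the rt="MWAN" and rt="PRO" tags, and lists the pings dropped because the policy-routing interface was down. The sample log is constructed from the messages above (the probe failure is repeated three times to match the default failed-probe count), and the message shapes matched by the regular expressions are assumed from those lines only.

```python
import re
from collections import Counter
from typing import Dict, List, Optional, Tuple

# Constructed sample log, modelled on the Traffic Monitor messages in this exercise.
SAMPLE_LOG = """\
Allow 10.0.10.2 206.253.208.100 http/tcp 2892 443 1-Trusted 0-Main-Internet allowed, mss not exceeding 1460, idle timeout=43205 sec 48 128 (Outgoing-00) rt="MWAN" src_ip_nat="203.0.113.10" src_port_nat="10119"
Allow 10.0.10.2 64.233.167.99 icmp-Echo 1-Trusted 0-Main-Internet allowed 60 128 (Ping-00) rt="PRO" src_ip_nat="203.0.113.10"
monitord No response from WAN Ping Target 203.0.113.2 on eth0
monitord No response from WAN Ping Target 203.0.113.2 on eth0
monitord No response from WAN Ping Target 203.0.113.2 on eth0
Target Probing on gateway 203.0.113.1 (gateway on eth0) failed
Allow 10.0.10.2 206.253.208.100 http/tcp 2892 443 1-Trusted 3-Secondary-Internet allowed, mss not exceeding 1460, idle timeout=43205 sec 48 128 (Outgoing-00) rt="MWAN" src_ip_nat="192.51.100.10" src_port_nat="10119"
Deny 10.0.10.2 64.233.167.99 icmp-Echo 1-Trusted 0-Secondary-Internet all gateways in policy routing are down, drop this packet 60 128 (internal policy)
"""

# Message shapes are assumed from the sample lines only.
TRAFFIC = re.compile(
    r'^(Allow|Deny)\s+(\S+)\s+(\S+)\s+(\S+)(?:\s+\d+\s+\d+)?'  # action, src, dst, service, optional ports
    r'\s+(\d+-[\w-]+)\s+(\d+-[\w-]+)\s+(.*?)'                  # ingress interface, egress interface, reason
    r'\s+\d+\s+\d+\s+\(([^)]+)\)(?:\s+rt="(\w+)")?')           # two numeric fields, policy, optional rt tag
PROBE = re.compile(r'^monitord No response from WAN Ping Target (\S+) on (\S+)')
GATEWAY = re.compile(r'^Target Probing on gateway (\S+) \(gateway on (\S+)\) failed')


def parse_line(line: str) -> Optional[dict]:
    """Classify one Traffic Monitor line; None for lines this parser does not know."""
    m = TRAFFIC.match(line)
    if m:
        action, src, dst, service, src_if, dst_if, reason, policy, rt = m.groups()
        return {"kind": "traffic", "action": action, "src": src, "dst": dst, "service": service,
                "in": src_if, "out": dst_if, "reason": reason, "policy": policy, "rt": rt}
    m = PROBE.match(line)
    if m:
        return {"kind": "probe_fail", "target": m.group(1), "interface": m.group(2)}
    m = GATEWAY.match(line)
    if m:
        return {"kind": "gateway_down", "gateway": m.group(1), "interface": m.group(2)}
    return None


def analyze(log_text: str, probe_threshold: int = 3) -> dict:
    """Summarize the multi-WAN behaviour visible in a run of Traffic Monitor output."""
    probe_failures = Counter()          # failed link monitor probes per interface
    route_tags = Counter()              # rt="MWAN" vs rt="PRO" on allowed connections
    gateway_failures: List[str] = []    # interfaces the device declared unavailable
    interface_changes: List[Tuple[str, str, str]] = []  # (policy, old egress, new egress)
    pbr_drops: List[Tuple[str, str]] = []               # policy-routing interface down, no failover
    last_egress: Dict[str, str] = {}
    for line in log_text.splitlines():
        ev = parse_line(line.strip())
        if ev is None:
            continue
        if ev["kind"] == "probe_fail":
            probe_failures[ev["interface"]] += 1
        elif ev["kind"] == "gateway_down":
            gateway_failures.append(ev["interface"])
        elif ev["action"] == "Allow":
            if ev["rt"]:
                route_tags[ev["rt"]] += 1
            prev = last_egress.get(ev["policy"])
            if prev is not None and prev != ev["out"]:
                interface_changes.append((ev["policy"], prev, ev["out"]))
            last_egress[ev["policy"]] = ev["out"]
        elif "policy routing are down" in ev["reason"]:
            pbr_drops.append((ev["src"], ev["dst"]))
    return {
        "probe_failures": dict(probe_failures),
        # reaching the configured failed-probe count is what triggers the failover event
        "failover_expected": [i for i, n in probe_failures.items() if n >= probe_threshold],
        "gateway_failures": gateway_failures,
        "interface_changes": interface_changes,
        "pbr_drops": pbr_drops,
        "route_tags": dict(route_tags),
    }


if __name__ == "__main__":
    for key, value in analyze(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

The interface_changes list is the quickest way to confirm, from logs alone, that a failover actually moved traffic, and pbr_drops shows which policies were left without a path because failover was not enabled for their policy-based routing.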


Frequently Asked Questions


Which Multi-WAN features require a Fireware XTM license with a Pro upgrade?
There are two licensing options for the OS on the XTM device: Fireware XTM and Fireware XTM with a Pro upgrade. A standard Fireware XTM license does not include some multi-WAN functions. A Fireware XTM license with a Pro upgrade gives all the multi-WAN functions that the OS offers. XTM 2 Series devices must have Fireware XTM with a Pro upgrade to use any of the multi-WAN methods except serial modem failover. For all other XTM models, certain multi-WAN functions are available only if you have a Pro upgrade to the Fireware XTM license:
- Policy-based routing
- The Interface Overflow multi-WAN method
- Weighted Round-robin

Note
You can use the Round-robin multi-WAN method, but you cannot assign weights to the interfaces if you do not have a Fireware XTM license with a Pro upgrade. If you have a Fireware XTM license, all external interfaces that participate in the Round-robin have an equal weight of 1.

If all external interfaces have a Round-robin weight of 1, what is the difference between the Round-robin method and the Routing Table method?
Round-robin distributes outgoing connections based on bandwidth. Thus, if you set the weight for each external interface to 1 in Round-robin mode, the algorithm attempts to equalize the amount of bits per second sent through each interface. Compare this to the Routing Table method. The Routing Table uses ECMP to distribute outgoing connections based on the number of connections. The Routing Table method attempts to equalize the number of connections going out each interface. It does not consider the amount of bandwidth sent through each interface.

Appendix
How Fireware XTM Makes Multi-WAN Routing Decisions For Outbound Traffic
When a computer behind the XTM device on a trusted or optional network attempts to send traffic to the external network, the XTM device must make three main decisions:
- Whether the traffic is allowed out
- Whether an external interface is available to send the traffic
- Through which external interface to send the traffic
To make these decisions, the XTM device considers these questions:

1. Does the packet match the From and To lists in a policy?
- If No, drop the packet and send a log message with the reason Unhandled Internal Packet.
- If Yes, continue.
2. What is the disposition of the policy?
- If Deny, drop the packet and send a log message (if logging is enabled for the policy) with the policy name as the reason.
- If Block, same as Deny, and put the source on the XTM device Auto-blocked Sites list.
- If Allow, continue.
3. Does the policy use policy-based routing?
- If Yes, send the traffic through the indicated external interface. If Failover is enabled for policy-based routing, the first interface in the list that is active is selected. If none of the policy-based routing interfaces for this policy are available, the packet is dropped and a log message is sent with the reason all gateways in policy routing are down, drop this packet (internal policy).
- If No, continue.
4. Check the XTM device kernel routing table. Is there a specific route (a route that is not a default route) that matches the traffic's source and destination?
- If Yes, use the gateway for that route.
- If No, continue.
5. How many default routes are in the kernel routing table?
- If Zero (the kernel routing table has no default route), drop the packet; all external interfaces are down.
- If Exactly One, use the gateway interface for this default route to send the packet out.
- If there is more than one default route in the routing table, continue.
6. Does the traffic match an entry in the sticky connections hash table?
- If Yes, send the traffic using the sticky interface.
- If No, continue.


Load-balancing interface groups pertain only to the Round-robin, Failover, and Interface Overflow multi-WAN methods. A load-balancing interface group includes all the interfaces you specify to participate in the Round-robin, Failover, or Interface Overflow configuration.

7. Do the interface aliases in the policy's To list contain all the members of a load balancing interface group?
- If Yes, use the specified multi-WAN routing method: weighted Round-robin, Failover, or Interface Overflow.
- If No, use the Equal Cost Multi-Path (ECMP) routing method to send the packet.
The following flow chart diagram is split on two pages. It shows how the XTM device decides which interface to use to send an outgoing connection. The notes that follow the diagram correspond to the numbered Earth icons in the diagram.

Multi-WAN Routing Decision Flow Chart


Diagram Notes
1. A specific route is a route that is not a default route. A default route has destination 0.0.0.0.
2. You can see the XTM device Kernel IP routing table on the Status Report tab of Firebox System Manager.
3. You can see which external interfaces are up with XTM device System Manager. View the Status Report tab of Firebox System Manager for current interface status.
4. The [source IP address / destination IP address] pair of each outgoing connection is combined to make a unique hash value. The hash value for an outgoing connection is put in the sticky connections hash table, and the table entry is associated with the external interface used to send the outgoing traffic.


If the [source IP / destination IP] hash of an outgoing connection matches an entry in the hash table, the external interface associated with that entry in the table is used for that connection. A timer counts down for each entry in the table. The time for a table entry starts with the value specified in your configuration for sticky connections. When a new outgoing connection matches an entry in the hash table, the time for that table entry is reset to the full time for sticky connections and the timer starts again. When the timer for an entry in the hash table reaches zero, the entry is purged from the table.

5. A load balancing interface group is the group of interfaces you include when you click Configure at the top of the Multi-WAN tab in Policy Manager. You can exclude any external interface from participating in the multi-WAN method that you use. Load balancing interface groups apply only to the Round-robin, Failover, and Interface Overflow methods. The Routing Table method does not use the load balancing interface group because the ECMP (equal-cost multi-path) routing algorithm manages all routing decisions.
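Added example (not part of the course material): a Python model of decision steps 1 through 7 above, together with the sticky connections table and its countdown timer described in diagram note 4, so you can step through the logic with a constructed configuration. The policies, routes and interface names are made up in the shape of Exercise 2 (a Ping policy with policy-based routing to Main-Internet and no failover, an Outgoing policy without policy-based routing); the Block-Host and Partner policies and the 198.51.100.0/24 static route are added only to exercise the Block, ECMP and specific-route branches. The following simplifications are assumptions of this model and not statements about Fireware: a specific route is matched on destination only, ECMP is approximated as the interface with the fewest connections sent so far, the Interface Overflow method is not modelled, and the routes of an interface whose link monitor reports it down are treated as removed from the kernel table.

```python
import ipaddress
from collections import defaultdict
from dataclasses import dataclass, field
from typing import Dict, List, Tuple


@dataclass
class Policy:
    name: str
    action: str                  # "Allow", "Deny" or "Block"
    protocols: List[str]         # e.g. ["icmp"]; ["any"] matches every protocol
    from_nets: List[str]         # From list, as CIDR strings
    to_nets: List[str]           # To list destinations, as CIDR strings
    to_interfaces: List[str]     # external interface aliases named in the To list
    pbr_interfaces: List[str] = field(default_factory=list)  # policy-based routing list
    pbr_failover: bool = False   # the Failover check box of policy-based routing


@dataclass
class Route:
    dest: str                    # CIDR; "0.0.0.0/0" is a default route
    interface: str


PBR_DOWN = "all gateways in policy routing are down, drop this packet"


class MultiWanModel:
    """Toy model of appendix steps 1-7 (an illustration, not Fireware code)."""
    def __init__(self, policies, routes, group, method, weights=None, sticky_seconds=180):
        if method not in ("failover", "round-robin", "routing-table"):
            raise ValueError("Interface Overflow is not modelled here")
        self.policies, self.method, self.sticky_seconds = policies, method, sticky_seconds
        self.routes = [(ipaddress.ip_network(r.dest), r.interface) for r in routes]
        self.group = list(group)            # load-balancing interface group, in order
        weights = weights or {i: 1 for i in group}
        self.rr_cycle = [i for i in group for _ in range(weights[i])]  # weighted round-robin order
        self.rr_pos = 0
        self.up = set(group)                # interfaces the link monitor currently reports up
        self.sticky: Dict[Tuple[str, str], Tuple[str, float]] = {}  # (src, dst) -> (iface, expiry)
        self.conns = defaultdict(int)       # connections sent per interface (ECMP approximation)
        self.blocked = set()                # the Auto-blocked Sites list

    def set_link(self, iface: str, is_up: bool) -> None:
        # Assumption: a down link removes that interface's routes from the kernel table.
        (self.up.add if is_up else self.up.discard)(iface)

    def _match(self, p: Policy, s, d, proto: str) -> bool:
        return ((proto in p.protocols or "any" in p.protocols)
                and any(s in ipaddress.ip_network(n) for n in p.from_nets)
                and any(d in ipaddress.ip_network(n) for n in p.to_nets))

    def _group_pick(self) -> str:
        if self.method == "failover":       # first active member of the group
            return next(i for i in self.group if i in self.up)
        for _ in range(len(self.rr_cycle)):  # weighted round-robin, skipping down members
            i = self.rr_cycle[self.rr_pos % len(self.rr_cycle)]
            self.rr_pos += 1
            if i in self.up:
                return i
        raise RuntimeError("no active group member")  # step 5 guarantees one exists

    def _send(self, iface: str, how: str) -> Tuple[str, str, str]:
        self.conns[iface] += 1
        return ("send", iface, how)

    def route(self, src: str, dst: str, proto: str, now: float = 0.0):
        """Return ("send", interface, how-decided) or ("drop", reason, None)."""
        s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
        policy = next((p for p in self.policies if self._match(p, s, d, proto)), None)
        if policy is None:                                    # step 1
            return ("drop", "Unhandled Internal Packet", None)
        if policy.action == "Block":                          # step 2
            self.blocked.add(src)
        if policy.action != "Allow":
            return ("drop", policy.name, None)
        if policy.pbr_interfaces:                             # step 3
            candidates = policy.pbr_interfaces if policy.pbr_failover else policy.pbr_interfaces[:1]
            for i in candidates:
                if i in self.up:
                    return self._send(i, "policy-routing")
            return ("drop", PBR_DOWN, None)
        specific = [(n, i) for n, i in self.routes if n.prefixlen and d in n and i in self.up]
        if specific:                                          # step 4: longest prefix wins
            return self._send(max(specific, key=lambda r: r[0].prefixlen)[1], "specific-route")
        defaults = [i for n, i in self.routes if n.prefixlen == 0 and i in self.up]
        if not defaults:                                      # step 5
            return ("drop", "all external interfaces are down", None)
        if len(defaults) == 1:
            return self._send(defaults[0], "single-default-route")
        entry = self.sticky.get((src, dst))                   # step 6: sticky connections table
        if entry and entry[1] > now and entry[0] in self.up:
            self.sticky[(src, dst)] = (entry[0], now + self.sticky_seconds)  # timer restarts
            return self._send(entry[0], "sticky")
        if self.method != "routing-table" and set(self.group) <= set(policy.to_interfaces):
            iface, how = self._group_pick(), self.method      # step 7: group method applies
        else:
            iface, how = min(defaults, key=lambda i: self.conns[i]), "ecmp"
        self.sticky[(src, dst)] = (iface, now + self.sticky_seconds)
        return self._send(iface, how)


def build_exercise_model(method="failover", weights=None) -> MultiWanModel:
    """Constructed configuration in the shape of Exercise 2 (every value is made up)."""
    ext = ["Main-Internet", "Secondary-Internet"]
    policies = [
        Policy("Block-Host", "Block", ["any"], ["10.0.10.99/32"], ["0.0.0.0/0"], ext),
        Policy("Ping", "Allow", ["icmp"], ["10.0.10.0/24"], ["0.0.0.0/0"], ext,
               pbr_interfaces=["Main-Internet"], pbr_failover=False),
        Policy("Outgoing", "Allow", ["tcp", "udp"], ["10.0.10.0/24"], ["0.0.0.0/0"], ext),
        Policy("Partner", "Allow", ["tcp"], ["10.0.20.0/24"], ["0.0.0.0/0"], ["Main-Internet"]),
    ]
    routes = [Route("0.0.0.0/0", "Main-Internet"), Route("0.0.0.0/0", "Secondary-Internet"),
              Route("198.51.100.0/24", "Secondary-Internet")]   # constructed specific route
    return MultiWanModel(policies, routes, ext, method, weights)
```

Calling route() with the Main-Internet link marked down reproduces the two outcomes seen in the demonstration: the Ping policy drops with the policy-routing reason because its failover check box is off, while the Outgoing policy falls through to the single remaining default route on Secondary-Internet. The Partner policy's To list omits one group member, so it takes the ECMP branch of step 7 instead of the group method.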

What You Have Learned


In this module, you learned:
- How Fireware XTM manages outgoing traffic with each of these multi-WAN modes of operation:
  - Round-robin
  - Failover
  - Interface Overflow
  - Routing Table
- How to monitor the status of your external connections
- How sticky connections influence routing decisions
- How to use policy-based routing


Fireware XTM Training

Routing
Configure Static and Dynamic Routing
Introduction
You can use static and dynamic routing to ensure connectivity between networks that connect to your XTM device. Static routing is the use of manually configured, non-changing routes in the routing table of an XTM device or router. Dynamic routing allows your XTM device and connected network routers to share information about network accessibility and to dynamically update their local routing tables based on changes to the network topology.

Note
You must have Fireware XTM v11.6 or higher with a Pro upgrade for the exercises in this module.

What You Will Learn


This course explains the concepts related to static and dynamic routing, and describes when and how to use each routing method. In this course, you will learn how to:
- Select the best routing protocol to use
- Configure static routing over a point-to-point link and a multi-hop link
- Configure OSPF for dynamic routing over a point-to-point link
- Configure BGP for dynamic routing over a multi-hop link
- Use the Status Report and Diagnostic Log Levels to monitor and troubleshoot routing

The step-by-step exercises in this course show you how to configure IPv4 static and dynamic routing between Fireware XTM devices.


Terms and Concepts You Should Know


To understand static and dynamic routing, you should be familiar with these terms and concepts:

Route
A route is the sequence of devices that network traffic must go through to get from its source to its destination. A packet can go through many network points with routers before it reaches its destination. Routes can be static or dynamic.

Static route
A manually configured route to a specific network or host.

Dynamic route
A route automatically learned and updated by a router, based on communication with adjacent network routers.

Router
The device on a network that uses a routing table to find the next network point through which to send the network traffic toward its destination.

Routing Table
A router, or a network device such as a Fireware XTM device, stores information about static and dynamic routes in a routing table. The device looks in the routing table to find a route to send each received packet toward its destination. With an XTM device, you can see the device routing table in Firebox System Manager, on the Status Report tab. Routes in the routing table on the XTM device include:
- Routes to networks for all enabled XTM device interfaces
- Static network routes or host routes you add to your XTM configuration
- Routes the XTM device learns from dynamic routing processes that are enabled on the device

Routing Protocol
Dynamic routing protocols enable routers to communicate with each other and share information about the status of network accessibility. All dynamic routing protocols perform these tasks:
- Send information about network accessibility to other routers
- Receive information about network accessibility from other routers
- Determine the best routes based on the known accessibility information and save the best routes in the local routing table
- React to and advertise network topology changes


Exterior Vs. Interior Routing Protocols


One way to classify routing protocols is based on whether they are best used to communicate routing information between devices within a single organization or whether they are best used to communicate routing information between two separate organizations.

Interior
An interior protocol is most often used to communicate routing information between networks managed by the same or closely related organizations. Interior protocols include RIP and OSPF. Interior protocols cannot scale to very large networks, but they are easy to manage and have low overhead. OSPF is most often used for routing between interior networks because it is more scalable and has a shorter convergence time than RIP.

Exterior
An exterior protocol is most often used to communicate routing information between networks at different sites or sites managed by independent organizations. Independent organizations can use an exterior protocol, such as BGP, to communicate routing information to other externally managed sites. Exterior protocols are most often used only for multi-hop links between networks.

Distance-Vector Vs. Link State Protocols


Another way to categorize routing protocols is based on the type of information they exchange about routes, and how routers use this information to update their routing tables.

Distance-vector
In a distance-vector protocol, each router sends information about all network destinations it knows how to reach. For each destination, it sends a metric that indicates how far away the destination is (the distance), and the next hop (the vector) toward that destination. The distance metric can be the number of hops, or it can be based on other information about the route toward a destination. BGP and RIP are both distance-vector protocols.

Link state
In a link state protocol, each router sends a list of all the network links it directly connects to, and the functional status of each link (the link state). Changes to link state are immediately communicated to other routers on the network. Each router can then construct its own view of the network topology based on the status of the links, and uses that to populate the routing table with the best path to any destination. OSPF is a link state protocol.

Convergence Time
Convergence time refers to the time it takes for connected routers to establish consistent and correct routing tables after a network topology change. Convergence time is shorter for the BGP and OSPF protocols than it is for the RIP dynamic routing protocol.


Decide Which Type of Routing to Use


Static vs. Dynamic Routing
When you configure a network, the simplest solution is usually best. It is good practice to use dynamic routing only if static routing is not a practical solution. For a small network, or for a network that does not change much, static routing is often a simpler and better solution. That said, for large or growing networks, dynamic routing can provide these advantages:
- Simplify the management of network routes as your network topology changes. When your network changes, you only need to update the configuration on one device instead of several.
- Increase the redundancy and fault-tolerance of your network. Dynamic routing can allow your XTM device to automatically fail over to a secondary VPN network connection if the primary route between two sites is unavailable.

Supported Dynamic Routing Protocols


XTM devices support three dynamic routing protocols. Which protocol to use depends on the size of your network and the type of network link you need to send data through.
Fireware XTM does not support dynamic routing for IPv6 traffic.

Routing Information Protocol (RIP v1 and RIP v2)
RIP is a distance-vector routing protocol that uses hop count as the only metric to decide the best route. It can be used for point-to-point network links, but is usually recommended only if OSPF is not an option. RIP is the only supported dynamic routing protocol if your XTM device does not have Fireware XTM with a Pro upgrade.

Open Shortest Path First (OSPF)
OSPF is a link state routing protocol and is commonly used for point-to-point links between interior networks. OSPF is more scalable and has a faster convergence time than RIP, so OSPF is usually the recommended interior protocol.

Border Gateway Protocol (BGP v4)
BGP is an exterior distance-vector protocol that uses many decision factors (not just hop count) to decide the best route. BGP is commonly used for exterior multi-hop links. This is because we do not want to base routing on the link state, since we cannot monitor the state of multiple links. BGP is used for any interdomain dynamic routing between TCP/IP networks, and is the protocol used by ISPs for routing across the Internet.

eBGP and iBGP


Connections between two BGP peers can be external (eBGP) or internal (iBGP). Which type of connection it is depends on the autonomous system (AS) number assigned to each of the peers. The AS number indicates whether the peers are part of networks managed by the same or different organizations. If two BGP peers are part of the same autonomous system, they both use the same AS number, and the BGP connection between them is an iBGP session. If two BGP peers have different AS numbers, the BGP connection between them is an eBGP session. When you connect your network to two different ISPs, it is called multihoming. Multihoming provides redundancy and network optimization. You can use eBGP to make sure that the XTM device routes outbound traffic to the ISP that can provide the best path to the destination.


When you use eBGP to exchange BGP routes with an upstream ISP peer, the eBGP peer might send you these different types of routes:
- Default route: the 0.0.0.0/0 route. The ISP can send you a default route if they use the BGP command default-information originate. The default route your ISP sends you does not affect the XTM device, because when you configure an external interface, you must specify a gateway IP address, which is the default route for that interface.
- Customer routes: the collection of all static and dynamic routes to other customers who are subscribed to the same ISP.
- Default and customer routes: the combined list of the default route and customer routes.
- Full routes: the list of all customer routes and all other dynamic routes learned from the ISP's upstream (higher tier) ISP and peer ISPs that are part of a local Internet exchange point network.
You can use the access-list and route-maps BGP commands to filter BGP route updates that come from an eBGP peer. For the exercises in this training, we only configure iBGP, but it is important to know that eBGP can result in a very large routing table that you must manage.

Dynamic Routing Policies


When you enable a dynamic routing protocol, Policy Manager automatically creates the necessary policy to allow the traffic, if an existing policy to allow the traffic does not exist. The automatically added policies for each protocol are:
- DR-RIP-Allow: This is the automatically created dynamic routing policy for RIP. The DR-RIP-Any policy is configured to allow RIP multicasts to the reserved multicast address for RIP v2. If you use RIP v1, you must configure the RIP policy to allow RIP broadcasts from the network broadcast IP address to the XTM device. For example, if your external interface IP address is 203.0.113.2/24, you must configure the RIP policy to allow traffic from the broadcast address 203.0.113.255 to the XTM device.
- DR-OSPF-Allow: This is the automatically created dynamic routing policy for OSPF. The DR-OSPF-Any policy is configured to allow OSPF multicasts to the reserved multicast addresses for OSPF.
- DR-BGP-Allow: This is the automatically created dynamic routing policy for BGP.
You can edit these policies to add authentication or restrict the policy to listen on only the correct interfaces. If you remove or disable these dynamic routing policies, or if you remove the necessary multicast IP addresses from the To section of the RIP or OSPF policies, dynamic routing cannot function.

An Internet exchange point (IX or IXP) is neutral location located between some Tier 2 and below ISPs that allows the ISPs to directly exchange Internet traffic between their networks without the need to route through a Tier 1 ISP.

Network Link Types


When you enable dynamic routing on the XTM device, it is important that the XTM device is the single ingress and egress point for traffic from the local networks. You can use dynamic routing to route traffic between sites, or between different devices at the same site. When you implement dynamic routing, it is important to consider the type of link you have between the devices. Before you can enable dynamic routing between two devices, you must make sure the peer interfaces on the two XTM devices can communicate with each other.

Point-to-Point Link
In a point-to-point link connection, interfaces on the XTM devices connect directly to each other. The peer interfaces are on the same subnet and can communicate directly. Typical examples of a point-to-point link between two sites are fiber-to-Ethernet converters, layer 2 VLAN connections, a fiber optic connection, or a leased line with serial-to-Ethernet converters at each end.

Figure 1: Point-to-point link between two devices at different locations


This diagram is intended to represent a section of a larger network topology that would include the connections to other departments and to the Internet.

A point-to-point link could also be a direct link between devices at the same location, such as devices that connect to networks for different departments.

Figure 2: Point-to-point link between two devices at the same location


Multi-Hop Link
In a multi-hop link connection, the XTM devices do not connect to the same network. The device at each site connects to a local router or other networking device. Those routers between the XTM devices connect to each other. A typical example of this type of connection is a leased line terminated on routers at each site. Or, the connection between the routers could be over an MPLS network.

Figure 3: Example of a Multi-hop link between two XTM devices

If the two XTM devices are connected with a multi-hop link, the peer interfaces route through one or more intermediate routers. If the connection is a multi-hop link, you must configure static routes to enable the peer interfaces to communicate before you can enable dynamic routing between the two devices.


A Common Cause of Routing Inconsistency


One common cause of network routing inconsistency is a network topology that does not provide a single path for traffic between networks. A topology with more than one ingress or egress point can create asymmetric routes between the two sites. This can occur, for example, if a peer router that connects to another site does not connect to the XTM device, but instead connects to a switch on an internal network.

Figure 4: A common cause of routing inconsistency

In this topology, there is not a single ingress and egress point at each site. This could create asymmetric routes between the two sites. Connections between the two sites can fail regardless of whether TCP SYN checking is enabled, because the firewall at each site might see only one side of the TCP handshake. Asymmetric routing can occur in this topology because:

1. Packets sent from a computer at Site A to a computer at Site B are routed through the default gateway at Site A (the Site A XTM device). The packets are then routed over the peer link to the computer at Site B. These packets do not go through the Site B XTM device.
2. The returned packets from the computer at Site B are routed through the default gateway at Site B (the Site B XTM device). The packets are then routed over the peer link to the computer at Site A. These packets do not go through the Site A XTM device.
With this network topology, the XTM device cannot control network failover to a branch office VPN, as described in the next section. Even if you do not use dynamic routing or configure failover to a VPN, this network configuration can cause routing problems and should be avoided.

Failover from a Dynamic Route to a Branch Office VPN


When you use dynamic routing to establish the routes between networks behind two XTM devices, you can optionally configure automatic failover to a VPN connection if a route between the networks is not present in the routing table. When you use dynamic routing, the failover happens automatically, when the route between two devices is removed from the routing table. To configure network failover to a branch office VPN you must:

1. Configure dynamic routing between the two sites over the primary connection.
2. Configure a branch office VPN tunnel between the two sites over another XTM device interface.
3. Enable the global VPN setting Enable the use of non-default (static or dynamic) routes to determine if IPSec is used.
This setting enables the automatic failover to the VPN based on changes to the routing table.

When you use dynamic routing, if the primary network link fails, the route is automatically removed from the routing table. When the route is removed, if this global VPN setting is enabled, the XTM device automatically uses the VPN tunnel to route packets between the two networks. When the primary routing problem is resolved, the dynamic routing protocol adds the route back to the table, and the XTM device automatically begins to use that route instead of the VPN tunnel for traffic between the two networks.

Figure 5: Branch Office VPN as a failover for a connection between two devices


Note
For a complete description of this VPN failover configuration, with sample configuration files, see the Branch Office VPN Failover from a Private Network Link example on the WatchGuard Configuration Examples page at http://www.watchguard.com/help/configuration-examples/index.asp.

If you do not use dynamic routing, you can still use this VPN failover setting, but the failover to the VPN is not automatic. You must manually remove the static routes on both devices if the static route has a problem.

Monitoring Tools
The Status Report
The Status Report in Firebox System Manager is an important tool you can use to understand the current state of routes and routing protocols on your XTM device. To see the Status Report, connect to the device and open Firebox System Manager. Then select the Status Report tab. Look for these sections to find routing status information:
The format of the routing tables is different for Fireware XTM version prior to v11.5.3.

Routes
The Routes section of the status report shows a list of all destination hosts and networks that your XTM device can send traffic to. The Routes section can include four route tables.
- Route table: main shows all IPv4 and IPv6 static routes
- Route Table: default shows information about the default route
- Route Table: ethx.out shows active routes for an external interface, ethx, where x is the interface number
- Route Table: any.out shows active routes for all external interfaces with multi-path default routes, when multi-WAN is configured
- Route Table: zebra shows dynamic routes received from a peer, if dynamic routing is enabled

Dynamic Routing
The Dynamic Routing section has additional information about the status of the dynamic routing process that runs on the XTM device. This section shows these types of status information:
- ENABLED: the dynamic routing protocol is enabled in the configuration
- RUNNING: the dynamic routing process is running
- STOP: the dynamic routing process is stopped
- LICENSED: the dynamic routing protocol is licensed
- CFGSYNC: reserved for future use

BGP
This section shows BGP routes and detailed information about the status of BGP dynamic routing.

OSPF
This section shows OSPF routes and detailed information about the status of OSPF dynamic routing.

RIP
This section shows RIP routes and detailed information about the status of RIP dynamic routing.


Diagnostic Logging
If you need to troubleshoot issues with dynamic routing, it can be useful to change the diagnostic log level for dynamic routing. By default, the dynamic routing diagnostic log level is set to Error. You can increase the level to see more detailed dynamic routing information in the log files.

1. In Policy Manager, select Setup > Logging.
2. Click Diagnostic Log Level.
3. Under the Networking category, select Dynamic Routing.
4. Move the slider to set the diagnostic log level.

Debug Logging
The RIP, OSPF, and BGP protocols all include commands to enable debug logging. If you enable debug logging in your RIP, OSPF, or BGP dynamic routing configuration, that debug information is available in the /tmp/debug/quagga.log file, which is included in the support snapshot file, support.tgz. The support snapshot file contains a snapshot of your device configuration and other information that can help you or WatchGuard technical support troubleshoot issues with your device. To save the support snapshot:

1. In Firebox System Manager, select the Status Report tab.
2. Click Support.
3. Choose a location to save the support.tgz file.
4. Click Retrieve.
5. Extract the contents of support.tgz to a folder on your computer.
6. If you have enabled debug options in your dynamic routing configuration, the dynamic routing debug log file is in /tmp/debug/quagga.log.

Fireware XTM supports the dynamic routing commands for the Quagga routing suite. For a list of commands for the supported dynamic routing protocols, see the Quagga documentation at http://www.quagga.net/docs/.

If you have enabled debug logging in the dynamic routing configuration and you also want the debug log messages to appear in the XTM device log file, you must also set the diagnostic logging level for Dynamic Routing to the highest level, Debug.

Exercise 1:

Configure Static Routing Over a Point-to-Point Link

You can use static routing to route traffic between any two networks, as long as the networks are connected by one or more XTM devices or routers. To configure static routing, you must add static routes to all XTM devices and routers that route traffic between the two networks. This exercise shows how to configure static routing between two devices that are connected by a point-to-point link. In a point-to-point link connection, the XTM devices connect directly to the same network. For this exercise, we assume the point-to-point link in the training environment looks like this:

Figure 6: Point-to-point link between two XTM devices

These exercises require that you configure two XTM devices with different IP addresses. For the instructions in these exercises, we assume each device is configured by a different student. The student numbers in the IP addresses are represented as A and B. The diagrams and configuration settings shown in these exercises assume that:
- Site A is configured by student A, who is assigned student number 10
- Site B is configured by student B, who is assigned student number 20
When you configure the network settings, use the student numbers your instructor gives you. In the training environment, the external interfaces of all devices connect to the 203.0.113.0/24 network. So there is already a point-to-point link between the devices, over the external interfaces. To route traffic between the private networks at each site, all you need to do is add a static route on each XTM device.


For example, for student 10 and student 20, the network interface configuration for the two sites looks like this:

Add a Static Route to the Site A Device


1. Open the configuration for the Site A XTM device in Policy Manager.
2. Select Network > Routes.
The Setup Routes dialog box appears.

3. Click Add.
The Add Route dialog box appears.

4. From the Choose Type drop-down list, select Network IPv4.
5. In the Route To text box, type the IP address of the Site B trusted network. The Site B trusted network is 10.0.B.0/24.
6. In the Gateway text box, type the IP address of the Site B external interface.
The Gateway (next hop) is 203.0.113.B.

Fireware XTM also supports IPv6 static routes.


Replace the B in the IP address with the student number your instructor gives to the student who manages the Site B device.

7. Save the configuration to the Site A device.

Add a Static Route to the Site B Device


1. Open the configuration for the Site B XTM device in Policy Manager.
2. Select Network > Routes.
The Setup Routes dialog box appears.

3. Click Add.
The Add Route dialog box appears.

4. From the Choose Type drop-down list, select Network IPv4.
5. In the Route To text box, type the IP address of the Site A trusted network. The Site A trusted network is 10.0.A.0/24.
6. In the Gateway text box, type the IP address of the Site A external interface. The Gateway (next hop) is 203.0.113.A. Replace the A in the IP address with the student number your instructor gives to the student who manages the Site A device.
7. Save the configuration to the Site B device.


Review the Routing Tables


1. Connect to the Site A XTM device with Firebox System Manager.
2. Select the Status Report tab.
3. Scroll down to the Routes section.
The route you added appears in the Routes list.

The static route you add appears in the routing table only if the routing table contains a route to the specified gateway. For the static route we added in this exercise, the gateway specified in the static route can be reached through the 203.0.113.0/24 network on the eth0 interface. So the interface for the static route is also eth0.

4. Use the same steps to verify that the static route appears in the routing table for the Site B XTM device.
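As an added example (not part of the training guide), the following Python script applies the rule above: a static route is installed only when its gateway lies on a directly connected network, and the route's egress interface is that network's interface. The Site A interface table for student 10, the Site B addresses for student 20, and all function names are constructed for the exercise topology; the script also resolves the multi-hop network route and the host route used in the later multi-hop exercises, and shows that a gateway off every connected network resolves to no interface.

```python
"""Resolve the egress interface of a Fireware-style static route.

Added example, not part of the WatchGuard training guide. The interface
table below is constructed for the Site A device of student 10 as laid
out in the exercises; the function names are hypothetical and do not
correspond to any XTM command.
"""
from ipaddress import ip_address, ip_interface, ip_network

# Constructed Site A interface table (student 10). eth2 is the optional
# peer interface on the /30 used for the multi-hop link exercises.
SITE_A_INTERFACES = {
    "eth0": ip_interface("203.0.113.10/24"),  # External, point-to-point link
    "eth1": ip_interface("10.0.10.1/24"),     # Trusted network
    "eth2": ip_interface("172.16.10.2/30"),   # Optional, toward instructor device
}


def resolve_egress(interfaces, gateway):
    """Return the name of the interface whose connected network contains
    the gateway, or None if no connected network does.

    A static route whose gateway cannot be reached through a connected
    network never appears in the routing table, so None means "the route
    would not be installed".
    """
    gw = ip_address(gateway)
    for name, iface in interfaces.items():
        # The device's own address is not a valid next hop.
        if gw == iface.ip:
            return None
        if gw in iface.network:
            return name
    return None


def build_static_route(interfaces, route_to, gateway, route_type="Network IPv4"):
    """Validate one Add Route entry (Choose Type, Route To, Gateway) and
    return the row that would appear in the 'main' route table.

    Raises ValueError for a malformed destination or an unreachable gateway,
    the cases in which the route is rejected or not installed.
    """
    if route_type == "Host IPv4":
        dest = ip_network(f"{ip_address(route_to)}/32")
    elif route_type == "Network IPv4":
        # strict=True rejects a network entered with host bits set,
        # e.g. 10.0.20.1/24 instead of 10.0.20.0/24.
        dest = ip_network(route_to, strict=True)
    else:
        raise ValueError(f"unsupported route type: {route_type}")
    egress = resolve_egress(interfaces, gateway)
    if egress is None:
        raise ValueError(
            f"gateway {gateway} is not on a directly connected network; "
            "the route would not be installed"
        )
    return {"dest": str(dest), "gateway": str(ip_address(gateway)), "interface": egress}


def exercise_routes(interfaces=SITE_A_INTERFACES):
    """The three Site A routes from the exercises, resolved on the table above."""
    return {
        # Point-to-point: Site B trusted network via the Site B external address.
        "point_to_point": build_static_route(interfaces, "10.0.20.0/24", "203.0.113.20"),
        # Multi-hop: same destination via the instructor device on the /30.
        "multi_hop_network": build_static_route(interfaces, "10.0.20.0/24", "172.16.10.1"),
        # Multi-hop peering: host route to the Site B peer interface.
        "multi_hop_host": build_static_route(
            interfaces, "172.16.20.2", "172.16.10.1", route_type="Host IPv4"
        ),
    }


if __name__ == "__main__":
    for name, row in exercise_routes().items():
        print(f"{name:18} {row['dest']:18} via {row['gateway']:15} dev {row['interface']}")
    # A gateway that is not on any connected network resolves to no interface.
    print("172.0.10.1 egress:", resolve_egress(SITE_A_INTERFACES, "172.0.10.1"))
```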

Test the Static Route


To test the static route, you can ping a device or interface on the remote network. Because this exercise uses the external interface as the point-to-point link, you must update the ping policy to allow the ping between networks for testing. The default Ping policy does not allow ping traffic in through the external interface. To enable ping traffic for testing:

1. In Policy Manager, double-click the Ping policy to edit it.
2. Add Any-External to the From section of the policy.
3. Save the configuration to the device.


4. Repeat these steps to enable ping traffic on the other device.


Now that ping traffic is allowed from the external network, you can use the ping command to test the static routes between these two sites. To do this, open the Windows command prompt on the management computer connected to the Site A network and issue a ping command to the IP address of a device on the private network on the Site B device. Or, you can use Firebox System Manager to issue a ping. To issue a ping from Firebox System Manager for the Site A device:

1. Select the Traffic Monitor tab.
2. Right-click anywhere on the tab.


A context menu appears.

3. From the context menu, select Diagnostic Tasks.


The Diagnostic Tasks dialog box appears.

4. In the Address text box, type the IP address of a device on the Site B private network.
The address can be the address of the Site B XTM device trusted interface, or it can be a connected computer.

5. Click Run Task.


The results of the ping appear in the Results text box.

6. Repeat these steps to test the static route from Site B to the Site A private network.

The Downside to Using Only Static Routes


You can use static routes to set up routing between all of your networks. But if you use only static routes, you must manually update the static routes on all devices each time a network is added or changed. As the network complexity and the number of subnets at each site grows, the level of effort to update and maintain the static routes increases. As you see in the next exercise, dynamic routing provides a way to reduce the administrative effort required to update network routes when there are additions or changes to the network topology. It is important to understand static routing before you implement dynamic routing. When you implement dynamic routing between sites, you often must first define static routes to enable the communication between the peer interfaces of the two devices.

Exercise 2:

Configure Dynamic Routing over a Point-to-Point Link

You can use dynamic routing to simplify the management of configuration updates to your network as the topology at each site changes. In this exercise you configure dynamic routing between two XTM devices connected over a point-to-point link. This exercise also demonstrates how dynamic routing automatically adds new routes to one device after you change the network configuration on the other device.

Network Topology
For this exercise, we will configure dynamic routing over the point-to-point network we configured in Exercise 1.

Figure 7: Point-to-point link between two sites

To establish dynamic routing between two XTM devices, each device must be able to reach the interface on the other XTM device you want to peer it with. For a point-to-point link, the external interfaces on both devices are on the same subnet so there is nothing we need to do to allow the two devices to communicate.

Remove the Static Routes


First, remove the static routes you added in Exercise 1. From Policy Manager for the Site A XTM device:

1. Select Network > Routes.
2. Select the existing static route.
3. Click Remove.
4. Repeat these steps to remove the static route from the Site B XTM device.


Configure Dynamic Routing with OSPF


1. Open Policy Manager for the Site A XTM device.
2. Select Network > Dynamic Routing.
The Dynamic Routing Setup dialog box appears.

3. Select the Enable Dynamic Routing check box.
4. Select the OSPF tab.
5. Select the Enable OSPF check box.
If you do not specify the OSPF router-id, OSPF sets the router-id based on the IP addresses of the device interfaces. We recommend that you always specify the router-id to avoid the possibility of duplicate router-ids for devices that have similar interface IP addresses. On both devices, all interfaces except eth0 are passive. Even though OSPF announces the network on interface 1, the device does not need to send OSPF multicasts on eth1, so eth1 is a passive interface.

6. Type the Site A dynamic routing configuration in the text box. The OSPF commands used in this exercise are:
- router ospf: Enables the OSPF protocol
- ospf router-id: Specifies the IP address of the Site A interface that routes to Site B
- network: Defines each network that OSPF sends information about
- passive-interface default: Configures interfaces to not participate in OSPF by default
- no passive-interface: Defines interfaces that participate in OSPF

If the Site A device is managed by student 10, the OSPF configuration for Site A looks like this:
router ospf
ospf router-id 203.0.113.10
network 203.0.113.0/24 area 0.0.0.0
network 10.0.10.0/24 area 0.0.0.0
passive-interface default
no passive-interface eth0

7. Click Yes to automatically add the required dynamic routing policy.


Policy Manager adds the DR-OSPF-Allow policy to allow the OSPF multicasts to the reserved multicast IP addresses for OSPF.

Note
If you remove or disable the DR-OSPF-Allow policy, or if you remove the multicast IP addresses from the To section of the policy, dynamic routing cannot function.

8. Save the configuration to the Site A device.


Policy Manager automatically verifies the syntax in your dynamic routing configuration before it saves the configuration to the device. If an error is found, Policy Manager displays information about the error, and does not save the configuration.

9. Repeat the same steps to enable OSPF on the Site B XTM device. If the Site B device is managed by student 20, the OSPF configuration for Site B looks like this:
router ospf
ospf router-id 203.0.113.20
network 203.0.113.0/24 area 0.0.0.0
network 10.0.20.0/24 area 0.0.0.0
passive-interface default
no passive-interface eth0

10. Save the configuration to the Site B device.


If Student 10 manages the Site A device, and Student 20 manages the Site B device, the finished dynamic routing configuration for these two sites looks like this:

OSPF dynamic routing configurations for Site A (left) and Site B (right)

Review the Routing Table


Now, you can review the routing table for each device to see the routing table entries added by the dynamic routing process.

1. Connect to the Site A XTM device with Firebox System Manager.
2. Select the Status Report tab.
3. Scroll down to the OSPF section.
The OSPF network routing table shows the dynamic routes added by OSPF.

The OSPF routing table at Site A includes a route to the trusted network at Site B.


4. Scroll to the Routes section.


The dynamic routes appear in the zebra route table in the Routes section of the status report.

Add a New Network at Site B


Now we can add another trusted network at Site B and see how OSPF propagates the changes to Site A. First, configure a new network interface at Site B:

1. Open Policy Manager for the Site B XTM device.
2. Select Network > Configuration.
3. Select interface 4. Click Configure.
4. From the Interface Type drop-down list, select Trusted.
5. In the IP Address text box, type 192.168.B.1/24. Click OK.
Replace the B in the IP address with the student number your instructor gives to the student who manages the Site B device. For example, if your student number is 20, type 192.168.20.1/24.
Next, update the OSPF dynamic routing configuration at Site B:

1. Select Network > Dynamic Routing.
2. Click the OSPF tab.
3. Add a network statement for the new network:
network 192.168.B.0/24 area 0.0.0.0
Replace the B in the IP address with the student number your instructor gives to the student who manages the Site B device. For example, if your student number is 20, type:
network 192.168.20.0/24 area 0.0.0.0

4. Save the configuration to the device at Site B.


5. In the FSM status report for Site A, review the OSPF network routing table.

The OSPF network routing table at Site A automatically includes a route to the new trusted network at Site B. This exercise demonstrates how dynamic routing can make it easier to accommodate changes to your network topology. When you add to or change a local network connected to one device, you do not need to manually add routes to the new networks at all the other devices. Dynamic routing takes care of that automatically.


Exercise 3:

Configure Static Routing Over a Multi-Hop Link

Next, let's look at how to configure static routes between these two sites if they are connected with a multi-hop link. In a multi-hop link connection, the XTM devices do not connect to the same network, but instead each connects to a router or other device that routes traffic between the two devices. For this exercise, an interface on the instructor XTM device is configured with secondary addresses to emulate a multi-hop link.

Network Topology
To configure the XTM device for this exercise, you must connect interface 2 to a switch that connects to the instructor XTM device.

Figure 8: Multi-hop link training network topology, with IP addresses for student 10 and student 20

Before You Begin


Before you begin this exercise:
- Remove any static routes added in a prior exercise.
- Disable any dynamic routing protocols enabled in a prior exercise.
- Make sure the device is configured with these interface settings:

Site A XTM device configuration
- Eth0 (External) is 203.0.113.A/24.
- Eth1 is a trusted interface, with the IP address 10.0.A.1/24.
- Eth3 and Eth4 are disabled.
Replace the A in the IP addresses with the student number for the Site A device.

Site B XTM device configuration
- Eth0 (External) is 203.0.113.B/24.
- Eth1 is a trusted interface, with the IP address 10.0.B.1/24.
- Eth3 and Eth4 are disabled.
Replace the B in the IP addresses with the student number for the Site B device.

Configure the Peer Interfaces


Configure interface 2 on each device as the peer interface to use for dynamic routing over the multi-hop link.

Configure the peer interface at Site A


1. Open the configuration for the Site A XTM device in Policy Manager.
2. Select Network > Configuration.
3. Select interface 2. Click Configure.
4. From the Interface Type drop-down list, select Optional.
5. In the IP Address text box, type 172.16.A.2/30. Click OK.
Replace the A in the IP addresses with the student number for the Site A device.
You can use either a trusted or optional interface as the peer interface.

Configure the peer interface at Site B


1. Open the configuration for the Site B XTM device in Policy Manager.
2. Select Network > Configuration.
3. Select interface 2. Click Configure.
4. From the Interface Type drop-down list, select Optional.
5. In the IP Address text box, type 172.16.B.2/30. Click OK.
Replace the B in the IP addresses with the student number for the Site B device.

Configure Static Routes Between the Trusted Networks at Each Site


When you configure routing over a multi-hop link, you must look at your network topology to determine all the devices that route traffic between these two networks. You can then determine the static routes you must add to allow the two XTM devices to communicate. For this network, we must add a static route to each of the XTM devices. And the instructor must add static routes to the XTM device in the middle, that connects to both networks.

Add a Static Route to the Site A XTM Device


1. Open the configuration for the Site A XTM device in Policy Manager.
2. Select Network > Routes.
The Setup Routes dialog box appears.

3. Click Add.
The Add Route dialog box appears.

4. From the Choose Type drop-down list, select Network IPv4.


5. In the Route To text box, type 10.0.B.0/24, the IP address of the Site B trusted network.
For example, if the Site B device is managed by Student 20, use 10.0.20.0/24.

6. In the Gateway text box, type 172.16.A.1, the IP address of the instructor XTM device that connects to the optional network on this device.
For example, if your student number is 10, type 172.16.10.1.

7. Save the configuration to the device.

Add a Static Route to the Site B XTM Device


1. Open the configuration for the Site B XTM device in Policy Manager.
2. Select Network > Routes.
The Setup Routes dialog box appears.

3. Click Add.
The Add Route dialog box appears.

4. From the Choose Type drop-down list, select Network IPv4.
5. In the Route To text box, type 10.0.A.0/24, the IP address of the Site A trusted network.
For example, if the Site A device is managed by Student 10, use 10.0.10.0/24.

6. In the Gateway text box, type 172.16.B.1, the IP address of the instructor XTM device that connects to both networks.
For example, if your student number is 20, type 172.16.20.1.

7. Save the configuration to the device.


Add Static Routes to Routers Between the Two Sites


If the XTM devices at each site were connected to routers, you would need to add a static route to the routers at each site. In the training network configuration, the instructor XTM device has multiple IP addresses assigned to one interface, so it acts as a router for both sites. To complete the static route configuration, the instructor must add static routes to the instructor XTM device. The configuration for the static routes on the instructor XTM device looks like this:

Static routes on the instructor XTM device for all student trusted networks. The routes to the networks for student 10 and student 20 are circled.

Test the Static Route


You can look in the routing table in Firebox System Manager Status Report tab to verify that the static routes were added for each device.

Route table on the Student 10 device shows the static route to the Student 20 trusted network. You can use the Ping command in the Windows command line to test the static route between the two sites. For example, you can ping the address of the trusted interface of the device at Site B from the management computer connected to Site A.


Exercise 4:

Dynamic Routing Over a Multi-Hop Link

In this exercise, we configure dynamic routing over a multi-hop link with the BGP routing protocol.

Network Topology
To configure the XTM device for this exercise, you must connect interface 2 to a switch that connects to the instructor XTM device. The network topology for this exercise is exactly the same as for Exercise 3.

Figure 9: Multi-hop link training network topology

Before You Begin


Make sure the two XTM devices are configured with these interface settings. These are the same settings that were required for the previous exercise.
- Remove any static routes added in a prior exercise.
- Disable any dynamic routing protocols enabled in a prior exercise.
- Make sure the device is configured with these interface settings:

Site A XTM device configuration
- Eth0 (External) is 203.0.113.A/24.
- Eth1 is a trusted interface, with the IP address 10.0.A.1/24.
- Eth2 is an optional interface, with the IP address 172.16.A.2/30.
- Eth3 is disabled.
Replace the A in the IP addresses with the student number for the Site A device.

Site B XTM device configuration
- Eth0 (External) is 203.0.113.B/24.
- Eth1 is a trusted interface, with the IP address 10.0.B.1/24.
- Eth2 is an optional interface, with the IP address 172.16.B.2/30.
- Eth3 is disabled or disconnected.
Replace the B in the IP addresses with the student number for the Site B device.


Configure Static Routes Between the Peer Interfaces


To configure static routing over a multi-hop link, you must add static routes on each XTM device, and on any routers between them, to correctly direct traffic between the two peer interfaces: 172.16.A.2 at Site A, and 172.16.B.2 at Site B. The peer interfaces are the XTM device interfaces that connect to the router between the sites. The first thing you must do is look at your network topology to determine all the devices that route traffic between these two interfaces. You can then determine what static routes must be added to allow the two XTM devices to communicate. For this network, we must add a static route to each of the XTM devices. There is no need for the instructor to add static host routes to the XTM device in the middle, since that device already connects directly to the networks for the optional interfaces of both XTM devices.
The difference between this and the static routes added in the prior exercise, is that these are host routes to the IP address of the peer interface, rather than network routes to the private network on the peer device.

Add a Static Route to the Site A XTM Device


1. Open the configuration for the Site A XTM device in Policy Manager.
2. Select Network > Routes.
The Setup Routes dialog box appears.

3. Click Add.
The Add Route dialog box appears.

4. From the Choose Type drop-down list, select Host IPv4.
5. In the Route To text box, type 172.16.B.2, the IP address of the Site B peer interface.
6. In the Gateway text box, type 172.16.A.1, the IP address of the instructor XTM device interface that connects to the peer interface on the Site A XTM device.
7. Save the configuration to the device.


Add a Static Route to the Site B XTM Device


1. Open the configuration for the Site B XTM device in Policy Manager.
2. Select Network > Routes.
The Setup Routes dialog box appears.

3. Click Add.
The Add Route dialog box appears.

4. From the Choose Type drop-down list, select Host IPv4.
5. In the Route To text box, type 172.16.A.2, the IP address of the Site A peer interface.
6. In the Gateway text box, type 172.16.B.1, the IP address of the instructor XTM device interface that connects to the peer interface on the Site B XTM device.
7. Save the configuration to the device.

Add Static Routes to Routers Between the Two Sites


In the training network configuration, the XTM device acts as a router between the two networks. There is no need for the instructor to add static routes to the XTM device in the middle, since that device can already route traffic to the peer interfaces of both XTM devices. If the XTM devices at each site connected to routers, you would need to add static routes on those routers so that traffic can be routed between the peer interfaces of the XTM devices at each site.


Test the Static Route Between the Peer Interfaces


After you configure the static routes on the XTM devices and routers, you can use the Diagnostic Tasks in Firebox System Manager to test the static route between the peer interfaces, 172.16.A.2 at Site A and 172.16.B.2 at Site B.
You cannot use the ping command from the Windows command line to test this static route, since the static route is only between the peer interfaces.

1. In Firebox System Manager for the Site A device, click the Traffic Monitor tab.
2. Right-click anywhere on the tab to open the context menu.
3. Select Diagnostic Tasks from the context menu.
4. Select the Advanced Options check box.

5. In the Arguments text box, type:


-I<source interface IP address> <destination IP address to ping>

This starts an extended ping from the XTM device. The -I option allows you to specify the IP address of the interface to ping from. For this exercise, we use these addresses:
- Source address: 172.16.A.2
- Destination address: 172.16.B.2
For example, to ping from the Student 10 peer interface to the Student 20 peer interface, type:
-I172.16.10.2 172.16.20.2

When you enable Advanced Options, you can move the mouse pointer over the Arguments text box to see a list of the available arguments.

6. Click Run Task.


It can take more than a minute for the results to appear in the Results text box.

Repeat the above steps from the XTM device at Site B to test routing to the peer interface at Site A. At Site B, the arguments for the extended ping are reversed:
- Source address: 172.16.B.2
- Destination address: 172.16.A.2
After you verify that the peering interfaces can communicate, you are ready to set up dynamic routing between the two networks.


Configure Dynamic Routing with BGP


1. Open Policy Manager for the Site A XTM device.
2. Select Network > Dynamic Routing.
The Dynamic Routing Setup dialog box appears.

3. Select the Enable Dynamic Routing check box.
4. Select the OSPF tab.
Clear the Enable OSPF check box to disable OSPF dynamic routing you enabled in Exercise 2.

5. Select the BGP tab.


Autonomous System (AS) numbers identify the network for BGP routing. Use a private AS number, in the range 64512 to 65536, for internal BGP between private networks. This avoids the need to register for a public AS number.

6. Select the Enable BGP check box.
7. Type the Site A dynamic routing configuration in the text box. Basic BGP statements are:
- router: Enables the BGP protocol and specifies the BGP AS number to use
- network: Defines each local network that BGP sends information about
- neighbor: Defines the IP address and AS number of the remote peer
If Student 10 manages the Site A XTM device and Student 20 manages the Site B XTM device, the BGP configuration for Site A looks like this:
router bgp 65535
network 10.0.10.0/24
neighbor 172.16.20.2 remote-as 65535

8. Click Yes to automatically add the required dynamic routing policy.


Policy Manager adds the DR-BGP-Allow policy.

9. Save the configuration to the XTM device.


Policy Manager automatically verifies the syntax in your dynamic routing configuration before it saves the configuration to the device. If an error is found, Policy Manager displays information about the error, and does not save the configuration.

10. Repeat the same steps to disable OSPF and enable BGP on the Site B XTM device. If Student 10 manages the Site A XTM device and Student 20 manages the Site B XTM device, the BGP configuration for Site B looks like this:
router bgp 65535
network 10.0.20.0/24
neighbor 172.16.10.2 remote-as 65535

11. Save the configuration to the XTM device at Site B.


Review the Routing Table


Now, review the routing table to verify that the expected routing table entries were added.

1. Connect to the Site A XTM device with Firebox System Manager.
2. Select the Status Report tab.
3. Scroll down to the BGP section.
The BGP network routing table shows the dynamic routes added by BGP.

4. Scroll to the Routes section.
- The static route to the peer interface at Site B appears in the main route table.
- The dynamic routes added by BGP appear in the zebra route table.
5. Repeat these steps to examine the routing table in the status report for the Site B XTM device.

Test the Static Route


You can use the Ping command in the Windows command line to test the static route between the two sites. For example, you can ping the address of the management computer connected to the trusted network at Site B from the management computer connected to the trusted network at Site A.

The zebra route table shows the first 20 routes added by a dynamic routing protocol. The complete list of dynamic routes appears in the Status Report section for the routing protocol that added each route (BGP, OSPF, or RIP).


What You Have Learned


In this course you have learned the concepts related to static and dynamic routing, and when and how to use each routing method. This includes how to:
- Select the best routing protocol to use
- Configure static routing over a point-to-point link and a multi-hop link
- Configure OSPF for dynamic routing over a point-to-point link
- Configure BGP for dynamic routing over a multi-hop link
- Use the Status Report and Diagnostic Log Levels to monitor and troubleshoot routing


Fireware XTM Training

FireCluster
Redundancy and Load Sharing for Your Network
Introduction
What You Will Learn
With the Fireware XTM FireCluster feature, you can configure two XTM devices as a cluster to increase network performance and scalability. In this module, you learn how to:
- Understand the clustering requirements for your XTM device
- Set up a FireCluster
- See status for a FireCluster
- Understand what happens when a FireCluster failover occurs

About FireCluster
A FireCluster is a pair of XTM devices configured to provide network redundancy and improved scalability. Both devices connect to routers or switches connected to each network. The XTM devices also connect directly to each other to exchange information necessary for the operation of the cluster.

Figure 1: A FireCluster with a trusted and an optional network



To set up a FireCluster, you first configure one device with the network and policy configuration you want to use for the cluster. You reset the second device to factory default settings. When you connect the two devices to each other and enable FireCluster, the connected devices synchronize their configuration and operate as a cluster. When you configure XTM devices as a FireCluster, there are some management limitations:
- You cannot use Fireware XTM Web UI to manage a FireCluster.
- You cannot use WSM with a Management Server to schedule an OS update for a FireCluster member.

Terms and Concepts You Should Know


Cluster Member
A device that is part of a FireCluster. A cluster member can take on one of two roles in the cluster.
- Cluster master: The device that updates and maintains all the connection and session information for the cluster, and synchronizes that information with the backup master. In an active/active cluster, the cluster master assigns connections and sessions to itself or to the backup master.
- Backup master: The device that monitors the cluster master, and automatically takes over the role of cluster master in the event of a failover.

Active/Active Cluster
In an active/active cluster, both cluster members share the load of traffic that passes through the cluster. An active/active cluster improves scalability because both devices share the load. If either member of an active/active cluster fails, the other member takes on the entire load for the cluster. To add both redundancy and load sharing to your network, select an active/active cluster.

Active/Passive Cluster
In an active/passive cluster, also known as an active/standby cluster, only the cluster master handles network traffic. The backup master actively monitors and synchronizes status with the cluster master. If the cluster master fails, the backup master becomes cluster master, and takes over all the traffic for the cluster. An active/passive cluster provides redundancy, but not increased scalability, because the traffic load is handled by only one device at a time. To add redundancy, choose an active/passive cluster.

Load Balance Methods


An active/active FireCluster supports two load balance methods:
- Least connection: The cluster master assigns each new traffic flow to the cluster member that has the lowest number of open connections.
- Round-robin: The cluster master assigns each new traffic flow alternately to the cluster master and the backup master.


Cluster ID
The cluster ID uniquely identifies your FireCluster. The default cluster ID is 1. If you enable more than one FireCluster on the same network, it is important to assign each cluster a different cluster ID.

An active/passive FireCluster uses a virtual MAC address, calculated based on the Cluster ID and the interface numbers. If you configure more than one active/passive FireCluster on the same subnet, it is important to know how to set the Cluster ID to avoid a possible virtual MAC address conflict. The virtual MAC addresses for interfaces on an active/passive FireCluster start with 00:00:5E:00:01. The sixth octet of the MAC address is set to a value that is equal to the interface number plus the Cluster ID. For example, if you set the Cluster ID to 1, the virtual MAC addresses for the first three interfaces are:
- Interface 0: 00:00:5E:00:01:01
- Interface 1: 00:00:5E:00:01:02
- Interface 2: 00:00:5E:00:01:03

If you add a second active/passive FireCluster to the same subnet, you must set the Cluster ID to a number that is different enough from the Cluster ID of the first FireCluster to avoid a virtual MAC address conflict between interfaces on the two FireClusters. It is also possible that the FireCluster virtual MAC addresses can conflict with HSRP and VRRP devices on your network. Keep this in mind when you decide which Cluster ID to use.
You can see the virtual MAC address in Firebox System Manager, in the details for each interface.
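As an added example (not WatchGuard code and not part of this guide), the Python below computes the virtual MAC addresses from the Cluster ID and interface numbers as described above, reports collisions between two active/passive FireClusters on one subnet or with VRRP groups (VRRP virtual MACs also have the form 00:00:5E:00:01:<VRID>, per RFC 3768), and suggests the smallest Cluster ID that collides with nothing. Cluster names, interface lists and VRIDs used are constructed for the example.

```python
"""Virtual MAC planning for active/passive FireClusters (added example)."""
from typing import Dict, Iterable, List, Tuple

VMAC_PREFIX = "00:00:5E:00:01"  # first five octets of every FireCluster virtual MAC

# (Cluster ID, list of interface numbers that are enabled on the cluster)
Cluster = Tuple[int, List[int]]


def virtual_mac(cluster_id: int, interface: int) -> str:
    """Virtual MAC for one interface: sixth octet = interface number + Cluster ID."""
    octet = interface + cluster_id
    if not 1 <= octet <= 255:
        raise ValueError(f"interface {interface} + cluster ID {cluster_id} "
                         "does not fit in one MAC octet")
    return f"{VMAC_PREFIX}:{octet:02X}"


def cluster_vmacs(cluster_id: int, interfaces: Iterable[int]) -> Dict[int, str]:
    """Map each interface number of a cluster to its virtual MAC."""
    return {i: virtual_mac(cluster_id, i) for i in interfaces}


def find_vmac_conflicts(clusters: Dict[str, Cluster],
                        vrrp_vrids: Iterable[int] = ()) -> List[str]:
    """List every virtual MAC claimed by more than one cluster interface, or
    shared with a VRRP group (00:00:5E:00:01:<VRID>) on the same broadcast domain.

    clusters maps a constructed cluster name to (Cluster ID, interfaces).
    """
    owners: Dict[str, List[str]] = {}
    for name, (cid, ifaces) in clusters.items():
        for iface, mac in cluster_vmacs(cid, ifaces).items():
            owners.setdefault(mac, []).append(f"{name} interface {iface}")
    for vrid in vrrp_vrids:
        owners.setdefault(f"{VMAC_PREFIX}:{vrid:02X}", []).append(f"VRRP VRID {vrid}")
    return [f"{mac} shared by {' and '.join(users)}"
            for mac, users in sorted(owners.items()) if len(users) > 1]


def suggest_cluster_id(existing: Dict[str, Cluster], interfaces: List[int],
                       vrrp_vrids: Iterable[int] = ()) -> int:
    """Smallest Cluster ID for a new cluster with these interfaces whose virtual
    MACs collide with none of the existing clusters or VRRP groups."""
    vrids = list(vrrp_vrids)
    for cid in range(1, 256 - max(interfaces)):
        trial = {**existing, "candidate": (cid, interfaces)}
        if not find_vmac_conflicts(trial, vrids):
            return cid
    raise ValueError("no free Cluster ID for these interfaces")


if __name__ == "__main__":
    # Constructed scenario: cluster A (ID 1) already uses interfaces 0-2;
    # a second cluster B was given ID 2, which overlaps on two interfaces.
    first = {"A": (1, [0, 1, 2])}
    for line in find_vmac_conflicts({**first, "B": (2, [0, 1, 2])}):
        print("conflict:", line)
    print("use Cluster ID", suggest_cluster_id(first, [0, 1, 2], vrrp_vrids=[5]))
```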

Cluster Interface
The cluster interface is an interface on each cluster member that is dedicated to communication between the cluster members. The cluster interfaces of the cluster members must connect to each other. You must define at least one cluster interface. You can optionally configure a second cluster interface that is only used if communication over the primary cluster interface is interrupted.

Cluster Interface IP Address


Each pair of cluster interfaces must be assigned an IP address on the same subnet. To avoid conflict with routable IP addresses, we recommend you allocate a dedicated private subnet to each cluster interface, or use link-local IP addresses for the cluster interfaces. Link-local IP addresses begin with 169.254. You might find it useful to define your cluster interface IP addresses like this:
169.254.<interface number>.<member number>/24
RFC 3927 specifies that a link-local address must be in the 169.254.0.0/16 subnet. Because the cluster interface connection is an isolated network, it is not a problem to use the /24 IP address.

For example, if interface 4 is a cluster interface, you could set the interface IP addresses to:
- Member 1: 169.254.4.1/24
- Member 2: 169.254.4.2/24
This link-local IP address convention is used in the exercises included in this module.

Note
Do not set the Primary or Backup cluster IP address to the default IP address of any interface on the device. The default interface IP addresses are in the range 10.0.0.1 - 10.0.17.1.


Management Interface
You must select one of the active traffic interfaces as the Interface for management IP address. Set this to the interface your management computer is connected to. This is usually the trusted network. You must also configure a management IP address for each cluster member. The address must be an unused IP address on the network for the selected interface. Management software uses the management IP address to connect to cluster members for upgrade, failover, reboot, shutdown, and other operations. You can also use the management IP address to connect to a specific cluster member with the management software.

About Failover
Failover occurs when one of the cluster members experiences a failure and the other cluster member takes over the traffic that was assigned to the failed device. Because both devices in the cluster constantly monitor each other's status over the cluster interface, each member can detect if the other member has a problem that requires a failover.

Causes of FireCluster Failover


Failover of a cluster member can be triggered by one of these events:
- Software or hardware malfunction: If a software or hardware error is detected on a cluster member, that can trigger failover of that device.
- Monitored interface link down: The FireCluster monitors all active interfaces (all interfaces that are not set to status Disabled). This is why it is important that you disable any interfaces that are not connected to a switch or router as part of the FireCluster.
- Failover Master command: In Firebox System Manager, you can select Tools > Cluster > Failover Master to force the cluster master to fail over.

The factors that can trigger a failover are collectively referred to as the cluster health status. The health status takes into account the link status of monitored interfaces, and other factors that indicate a software or hardware malfunction. Each cluster member has a health status index, which is the weighted average of the health factors for that member. If the health status index of the backup master is greater than the health status index of the master, failover of the cluster master is triggered. This makes sure that the device with the highest health status is always the cluster master. You can see the health index for the cluster members in the Cluster Health section of the status report in Firebox System Manager.

What Happens During a Failover


The impact of a FireCluster failover depends on which device fails.

If the cluster master fails:
- The packet filter connections, branch office VPN tunnels, and user sessions from the failed cluster master fail over automatically to the other cluster member.
- Proxy connections assigned to the failed device must be restarted.
- All Mobile VPN connections assigned to either device must be restarted.
- The backup master becomes the new cluster master.
- The failed device reboots and tries to rejoin the cluster as the backup master.

If the backup master fails:
- In an active/passive cluster, no sessions or connections are interrupted, since the backup master is passive, and does not handle any traffic.
- In an active/active cluster, all packet filter connections, branch office VPN tunnels, and user sessions that were handled by the failed backup master fail over to the cluster master without interruption.
- In an active/active cluster, proxy connections assigned to the failed device must be restarted.
- In an active/active cluster, Mobile VPN connections assigned to the failed device must be restarted.
- The failed device reboots and tries to rejoin the cluster as the backup master.

Monitoring Tools
Firebox System Manager and the Fireware XTM log files are useful tools to monitor the status and operation of your FireCluster.

Firebox System Manager


On the Front Panel tab in Firebox System Manager, you can monitor the real-time status of your FireCluster. If you connect to the cluster, you can see the status of the cluster as a whole. If you connect to an individual cluster member, you can see more details about that specific device. To connect to a cluster member:

1. Connect to a cluster member and open Firebox System Manager.
2. Select Tools > Cluster > Connect to Member.
The Status Report tab in Firebox System Manager is an important tool you can use to understand more details about the current state of your XTM FireCluster. To see the Status Report:

1. Connect to the cluster and open Firebox System Manager.
2. Select the Status Report tab.
When Firebox System Manager is in cluster view, the Status Report has a report section for each member. When you connect to a specific cluster member, the status report shows information about just that member.


Diagnostic Logging
If you need to troubleshoot issues with FireCluster, it can be useful to change the diagnostic log level for FireCluster. By default, the FireCluster diagnostic log level is set to Error. You can increase the level to see more detailed information in the log files. To configure the diagnostic log level for FireCluster:

1. In Policy Manager, select Setup > Logging.
2. Click Diagnostic Log Level.
From the Networking category, select FireCluster.

3. Select the FireCluster category to set the diagnostic log level for all the FireCluster components, or select a sub-category to change the log level for the category of FireCluster operations that you want to monitor more closely.
- Cluster Management: Log messages for FireCluster configuration and management tasks
- Cluster Operation: Log messages for all current FireCluster member roles and operations
- Cluster Event Monitoring: Log messages for the process that monitors FireCluster resources and takes the appropriate action for each event that occurs in the FireCluster
- Cluster Transport: Log messages for FireCluster member communications channels
After you increase the diagnostic log level, you can see more detailed log messages in Traffic Monitor and in your log files, if you have configured a Log Server.

FireCluster Requirements
To use FireCluster, your XTM devices and network configuration must meet these requirements:

Hardware Requirements
Both XTM devices must be the same model. FireCluster is supported on all of these XTM device models:
- XTM 2050
- XTM 1050
- XTM 8 Series: All models
- XTM 5 Series: All models
- XTM 3 Series: XTM 330 and XTM 33
- XTM 2 Series: XTM 25 and XTM 26

FireCluster is not supported on:
- XTM 3 Series wireless: XTM 33-W
- XTM 2 Series wireless: XTM 21-W, 22-W, 23-W, 25-W, and 26-W
- XTM 2 Series wired: XTM 21, 22, and 23
- XTMv: All editions

License Requirements
- Both devices must use the same version of Fireware XTM with a Pro upgrade.
- Both devices must have an active LiveSecurity Service subscription.
- For an active/active cluster, we recommend both devices have active licenses for the same set of security services such as Gateway AV, Intrusion Prevention Service, and Application Control.
- For an active/passive cluster, you need an active license for any security services on only one of the cluster members, and that license is used by whichever device is active.
For an XTM 330, you must have Fireware XTM v11.5.2 or later to use FireCluster. For an XTM 33, 25, or 26, you must have Fireware XTM v11.6.1 or later.

Network Configuration Requirements


- You cannot configure the network in bridge mode for an active/active or active/passive cluster.
- You cannot configure the network in drop-in mode for an active/active cluster.
- You must configure the external interface with a static IP address.
- We recommend that you do not use the default IP address 10.0.1.1 for interface 1.

Switch and Router Requirements


Switch and router requirements depend on the type of FireCluster.

Active/Active or Active/Passive FireCluster
In any FireCluster, all active traffic interfaces must be connected to a separate switch or VLAN.

Active/Active FireCluster
For an active/active FireCluster, your configuration must also meet these requirements:
- All switches and routers in the broadcast domain must not block ARP requests if the response contains a multicast MAC address.
  - This is the default behavior for most layer 2 switches.
  - For routers and layer 3 switches, the default behavior is to follow RFC 1812. If possible, disable this behavior. If you cannot disable the RFC 1812 behavior, you might need to configure static MAC and static ARP entries on your routing device.

The default ARP behavior is described in RFC 1812, section 3.3.2.


To find the multicast MAC addresses for the FireCluster, select FireCluster > Configure.

- All switches in the broadcast domain must be configured to forward traffic to all ports connected to FireCluster members when the destination MAC address is the multicast MAC address of the FireCluster.
  - For unmanaged layer 2 switches, this should be the default behavior.
  - For managed switches, you might need to add static MAC and static ARP entries for the FireCluster.
- You might need to add the IP address and MAC address of each router or layer 3 switch in the broadcast domain as a static ARP entry in the FireCluster configuration. To add static ARP entries:

1. Find the IP address and MAC address of your layer 3 switch.
2. In Policy Manager, select Network > ARP Entries.
3. Add one static ARP entry for each switch that connects directly to your FireCluster.


FireCluster Pre-Configuration Checklist


When you're ready to set up a FireCluster, it can be helpful to run through this checklist to make sure the prerequisites have been met and you are ready to enable FireCluster:

Checklist item
_______ You have two identical XTM devices with matching model numbers. These cannot be XTM 21, 22, 23, or any XTM wireless model.
_______ Both devices have the same version of Fireware XTM OS installed.
_______ Both XTM devices have a Fireware XTM Pro upgrade license.
_______ You have a crossover cable (red) to connect the cluster interfaces.
_______ You know the serial numbers for each XTM device:
        Member 1: __________________________________
        Member 2: _________________________________
_______ You have saved the feature keys for both devices to a local file.
_______ You have one switch or router for each active traffic interface.
_______ You have decided which interfaces and IP addresses to use for this FireCluster. Record these in the table below.

FireCluster interfaces and IP addresses:

                            Interface number   Member 1 IP Address   Member 2 IP Address
Primary Cluster Interface   ________________   ___________________   ___________________
Backup Cluster Interface    ________________   ___________________   ___________________
Management Interface        ________________   ___________________   ___________________

Note
Do not assign IP addresses in the range 10.0.0.1 - 10.0.13.254 to the primary or backup cluster interfaces. This address range includes XTM device default interface IP addresses and cannot be used for the cluster interfaces.

For the FireCluster Management IP address, select an unused IP address on the same subnet as the address assigned to the management interface. For example, if you select the trusted interface as the management interface, choose two unused IP addresses from your trusted subnet to use as the FireCluster management IP addresses. If you choose the External interface as the Interface for management IP address, choose two unused external IP addresses on the same subnet as the External interface IP address that you can dedicate to FireCluster management functions.

Note
If you set the Management IP address of a FireCluster member to an IP address that is not on the same subnet as the IP address of the FireCluster management interface, make sure your network configuration includes routes to allow the management software to communicate with FireCluster members, and to allow the FireCluster members to communicate with each other.
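As an added example (not part of this guide and not WatchGuard software), the Python below builds cluster interface addresses with the 169.254.<interface number>.<member number>/24 convention from this module and checks a FireCluster plan against the points the checklist and the wizard Summary page ask you to verify: both members' primary and backup cluster IPs on one subnet and distinct, no cluster IP in the 10.0.0.1 - 10.0.13.254 range, and management IPs that are unused addresses on the management interface subnet (it also flags an off-subnet management IP, which needs routes as the Note explains). The MemberPlan class, the validate_plan function and the sample addresses are constructed for the example.

```python
"""Check a FireCluster interface and IP address plan before running the wizard (added example)."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Default XTM interface address range that cluster interfaces must avoid (from the checklist note)
RESERVED_START = ipaddress.IPv4Address("10.0.0.1")
RESERVED_END = ipaddress.IPv4Address("10.0.13.254")


def link_local_cluster_address(interface: int, member: int) -> str:
    """Build the 169.254.<interface number>.<member number>/24 address used in this module."""
    if not 0 <= interface <= 255 or not 1 <= member <= 254:
        raise ValueError("interface must be 0-255 and member 1-254")
    return f"169.254.{interface}.{member}/24"


@dataclass
class MemberPlan:
    """Addresses entered for one cluster member in the FireCluster Setup Wizard (constructed)."""
    primary: str            # primary cluster interface IP, e.g. "169.254.6.1/24"
    backup: Optional[str]   # backup cluster interface IP, or None if no backup interface
    management: str         # management IP, e.g. "10.0.5.101/24"


def _in_reserved_range(ip: ipaddress.IPv4Address) -> bool:
    return RESERVED_START <= ip <= RESERVED_END


def validate_plan(member1: MemberPlan, member2: MemberPlan, mgmt_interface: str,
                  dhcp_pool: Optional[Tuple[str, str]] = None) -> List[str]:
    """Return the problems a Summary page review would catch; an empty list means the plan is sound.

    mgmt_interface is the IP of the interface chosen for management, e.g. "10.0.5.1/24";
    dhcp_pool is the (first, last) address of the DHCP pool on that interface, if any.
    """
    problems: List[str] = []

    # Cluster interfaces: each pair on one subnet, distinct, outside the reserved range.
    for role in ("primary", "backup"):
        a1, a2 = getattr(member1, role), getattr(member2, role)
        if a1 is None and a2 is None:
            continue  # the backup cluster interface is optional
        if a1 is None or a2 is None:
            problems.append(f"{role} cluster interface is configured on only one member")
            continue
        i1, i2 = ipaddress.IPv4Interface(a1), ipaddress.IPv4Interface(a2)
        if i1.network != i2.network:
            problems.append(f"{role} cluster IP addresses are not on the same subnet")
        if i1.ip == i2.ip:
            problems.append(f"both members use {i1.ip} as the {role} cluster IP address")
        for label, iface in (("Member 1", i1), ("Member 2", i2)):
            if _in_reserved_range(iface.ip):
                problems.append(f"{label} {role} cluster IP {iface.ip} is in the reserved range "
                                f"{RESERVED_START}-{RESERVED_END}")

    # Management IPs: unused addresses on the management interface subnet.
    mgmt = ipaddress.IPv4Interface(mgmt_interface)
    pool = None
    if dhcp_pool:
        pool = (ipaddress.IPv4Address(dhcp_pool[0]), ipaddress.IPv4Address(dhcp_pool[1]))
    m1 = ipaddress.IPv4Interface(member1.management)
    m2 = ipaddress.IPv4Interface(member2.management)
    if m1.ip == m2.ip:
        problems.append(f"both members use {m1.ip} as the management IP address")
    for label, m in (("Member 1", m1), ("Member 2", m2)):
        if m.ip not in mgmt.network:
            problems.append(f"{label} management IP {m.ip} is not on the management interface "
                            f"subnet {mgmt.network}; routes are required")
        if m.ip == mgmt.ip:
            problems.append(f"{label} management IP {m.ip} is the interface address itself")
        if pool and pool[0] <= m.ip <= pool[1]:
            problems.append(f"{label} management IP {m.ip} is inside the DHCP pool")
    return problems


if __name__ == "__main__":
    # Constructed plan matching Exercise 1 with student number X = 5.
    m1 = MemberPlan(link_local_cluster_address(6, 1), link_local_cluster_address(5, 1), "10.0.5.101/24")
    m2 = MemberPlan(link_local_cluster_address(6, 2), link_local_cluster_address(5, 2), "10.0.5.102/24")
    for problem in validate_plan(m1, m2, "10.0.5.1/24", ("10.0.5.2", "10.0.5.100")) or ["plan is OK"]:
        print(problem)
```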

Now you are ready to set up the FireCluster as described in Exercise 1.


Exercise 1: Set Up an Active/Passive Cluster

In this exercise you learn how to configure two XTM devices as an active/passive FireCluster. To complete this exercise, you must have:
- Two supported XTM devices of the same model number.
- Fireware XTM v11.6.1 or higher installed on both devices.
- Fireware XTM Pro enabled in the feature key for both devices.
- Feature key for both devices saved locally in a file.
- A switch or router for each enabled network interface.

In this exercise, we refer to the members of the FireCluster as Member 1 and Member 2, because that is how the FireCluster Setup wizard refers to them. Member 1 is the first device you configure. Member 2 is the second device that you add when you enable FireCluster. For the first part of this exercise, Member 2 must be powered off.

Configure the External Interface to Use a Static IP Address


1. Make sure that Member 2 is powered off.
2. In WatchGuard System Manager, connect to Member 1.
3. Open Policy Manager.
4. Select Network > Configuration.
The Network Configuration dialog box appears.

5. In the Interfaces tab, select External (Interface 0). Click Configure.


The Interface Settings dialog box appears.

6. Make sure that the Interface Type is set to External.
7. Select Use Static IP.
8. In the IP Address text box, type 203.0.113.X/24. Replace the X in the IP address with the student number your instructor gives you.
For example, if you are Student 10, the IP address you type is 203.0.113.10/24

9. In the Default Gateway text box, type the IP address of the default gateway. Click OK.


Configure the Trusted Interface


1. In the Interfaces tab, select Trusted (Interface 1). Click Configure.
The Interface Settings dialog box appears.

2. Make sure the Interface Type is set to Trusted.
3. In the IP Address text box, type 10.0.X.1/24. Replace the X in the IP address with the student number your instructor gives you.
Note
It is important that you do not use the default IP address, 10.0.1.1, for interface 1, because that would create a temporary IP address conflict with the second device before the cluster is formed.

4. In the DHCP Address Pool list, configure the address range 10.0.X.2 - 10.0.X.100.

We set the IP address range here, so that we can identify an address outside of this range to use for the Management IP address.

5. Click OK.


Disable Unused Network Interfaces


In this exercise, we assume there is only one trusted network, connected to Interface 1. Before we can enable FireCluster, we need to disable all the other unused interfaces. This is an important step, because FireCluster monitors the link status of all enabled interfaces to determine whether to start failover.

1. Select Network > Configuration.


The Network Configuration dialog box appears.

Because the external and trusted networks connect to interfaces 0 and 1, and there are no other networks, all the other interfaces must be disabled.

2. Select an optional interface. Click Configure.
3. From the Interface Type drop-down list, select Disabled. Click OK.
Repeat this for all the other unused interfaces.

4. Click OK.

5. Save the configuration to the XTM device.


Because you have changed the trusted IP address, you must use the new address, 10.0.X.1, to reconnect to the device in WatchGuard System Manager.

Decide Which Interfaces and Interface Address to Use


Next, you must decide which interfaces and IP addresses to use for FireCluster. For this exercise, use these interfaces and addresses:

                            Interface number   Member 1 IP Address   Member 2 IP Address
Primary Cluster Interface   6                  169.254.6.1/24        169.254.6.2/24
Backup Cluster Interface    5                  169.254.5.1/24        169.254.5.2/24
Management Interface        1                  10.0.X.101/24         10.0.X.102/24

Replace the X in the IP address with the student number your instructor gives you.

Connect the Cables


You are now ready to connect the cables.

1. Make sure that Member 2 is powered off before you connect the cables.
2. Use a red cross-over cable to connect interface 6 on Member 1 to interface 6 on Member 2.


3. Use a red cross-over cable to connect interface 5 on Member 1 to interface 5 on Member 2.
4. Connect interface 0, the external interface of both devices, to a switch or router.
5. Connect interface 1, the trusted interface of both devices, to another switch or router.
6. Connect the management computer to the switch or router on the trusted network.

Run the FireCluster Setup Wizard


1. Connect to Member 1 with WatchGuard System Manager at 10.0.X.1.
2. Start Policy Manager.
3. Select FireCluster > Setup.
4. If Member 1 does not already have a feature key installed, the wizard prompts you to install it. Click Yes to add the feature key.
The Firebox Feature Key dialog box appears.

5. In the Import Firebox Feature Key dialog box, click Import to import the feature key.
The Import Firebox Feature Key dialog box appears.

6. Copy the feature key for Member 1 from your local feature key file to the Import Firebox Feature Key dialog box. Verify that the serial number in the feature key matches the serial number of the Member 1 device.
7. Click OK.
The Firebox Feature Key dialog box appears, with the feature key added.

8. Click OK.
The FireCluster Setup Wizard welcome page appears.

9. Click Next to continue.


The first page of FireCluster global properties appears.


10. Select the cluster type. For this exercise, select Active/Passive cluster.

If you select Active/Active cluster, you must also select the load balance method on this page.

11. Set the Cluster ID to your student number.


If multiple FireClusters connect to the same network, each cluster must have a unique ID.

12. Click Next.


The FireCluster global properties page appears.

13. Find the Member 1 Primary and Backup cluster interface and Management IP address interface from the table at the start of this exercise.
- From the Primary drop-down list, select interface 6.
- From the Backup drop-down list, select interface 5.
- From the Interface for management IP address drop-down list, select interface 1.


Up to this point, the wizard has asked for global cluster configuration settings that apply to the cluster as a whole. In the next set of steps you configure properties that are unique to each cluster member.

14. Click Next.


The Feature key page appears.

15. For the first member, you have already imported the feature key. Verify that the serial number in this feature key matches the serial number for the device you are connected to. Click Next.
The Name and serial number page appears.

The wizard automatically gets the serial number from the feature key. The default member name for the first device is Member1. For this exercise, do not edit the Member Name.


16. Click Next.


The Cluster interface IP addresses configuration page appears.

17. Type the cluster interface and management interface IP addresses for Member 1 from the table at the start of this exercise.
- For the Primary cluster interface IP address, type 169.254.6.1/24.
- For the Backup cluster interface IP address, type 169.254.5.1/24.
- For the Management IP address, type 10.0.X.101/24. Replace the X in the Management IP address with your student number.
18. Click Next.
The Add another cluster member page appears.


19. Select Yes to add another device. Click Next.


The Feature key page appears for the second device.

20. Click Import to add the feature key for the second cluster member.
The Import Firebox Feature Key dialog box appears.

21. Paste the feature key for the second device. Make sure the serial number matches. Click OK.
The feature key is added to the wizard.

22. Click Next.


The Name and serial number page appears.

The wizard automatically gets the serial number from the feature key. The default member name for the second device is Member2. For this exercise, do not edit the Member Name.


23. Click Next.


The cluster IP addresses page appears for Member 2.

24. Type the cluster interface and management interface IP addresses for Member 2 from the table at the start of this exercise.
- For the Primary cluster interface IP address, type 169.254.6.2/24.
- For the Backup cluster interface IP address, type 169.254.5.2/24.
- For the Management IP address, type 10.0.X.102/24. Replace the X in the management IP address with your student number.


25. Click Next.


The Summary page appears.

26. Review your FireCluster settings carefully. In the Global Properties, make sure the interfaces match the interfaces you have connected and that you have set a unique FireCluster ID.
In the Member Properties, check these things:
- The primary cluster IP addresses for both members are on the same subnet.
- The backup cluster IP addresses for both members are on the same subnet.
- The cluster IP addresses do not use addresses in the range 10.0.0.1 - 10.0.13.254.
- The management IP addresses for both devices are on the trusted network.

27. Click Next.


The wizard completion page appears.


28. Click Finish.


The FireCluster Configuration dialog box appears.

You can return to this dialog box at any time from Policy Manager. Select FireCluster > Configure. From the FireCluster Configuration dialog box, you can enable or disable the FireCluster, or you can review and change the configuration. There are three tabs:
- In the General tab you can see and configure the FireCluster global properties.
- In the Members tab you can see and configure the FireCluster member properties.
- In the Advanced tab you can see and configure FireCluster logging and notification.

29. Click OK to close the FireCluster Configuration dialog box.
30. Select File > Save > To Firebox to save the configuration to the XTM device.
The first device is now the cluster master. Now we can add the second device to the cluster.

Discover the Second Cluster Member


1. To start the device in safe mode, press and hold the down arrow button on the device front panel while you power on the device. Release the button when you see the words Safe mode starting on the LCD display. In safe mode, the device starts with a default configuration.
2. In WatchGuard System Manager, connect to the cluster at 10.0.X.1, if you are not already connected.
3. Click the toolbar icon to launch Firebox System Manager.
The cluster shows that one cluster member is the master, and the other member is inactive.

4. Select Tools > Cluster > Discover member.
5. Type the configuration passphrase.


6. Monitor the status of Member2 in Firebox System Manager.


The status appears in parentheses after the member name. It will change from (inactive) to (idle) to (backup master).

You can see that this is an Active/Standby cluster, and that Member1 is the master.


Exercise 2: Monitor Cluster Status

In this exercise, you learn how to use Firebox System Manager to monitor the cluster and cluster member status.

Monitor the Cluster


1. In WatchGuard System Manager, connect to the cluster, if you are not already connected.
2. Click the toolbar icon to launch Firebox System Manager (FSM).

Notice that the Firebox System Manager title bar says (Cluster View). This means that you are monitoring the cluster, rather than a specific cluster member. When you are in cluster view, the detail section of the Front Panel tab does not show system uptime, because it is not the same for both cluster members. Instead, you can see the uptime in the tree under each member.

3. Expand the Cluster section of the tree below the device.


You can see the status and configuration information for each cluster member.

4. Select the Status Report tab to see more detailed cluster status.
When FSM is in cluster view, the Status Report has a report section for each member.


Monitor a Cluster Member


Sometimes you want to connect to a specific cluster member to see more information about its status. This can be useful if you need to troubleshoot a FireCluster issue.

1. In Firebox System Manager, select Tools > Cluster > Connect to Member.

2. Select a cluster member to connect to. Click OK.


Another Firebox System Manager window opens, to monitor the cluster member.

3. Expand the sections of the tree in the Front Panel to see status information for this device.


Exercise 3: Test FireCluster Failover

In this exercise you trigger a failover, and learn what to expect to see while you monitor the cluster during a failover.

Force a Failover from Firebox System Manager


One easy way to watch what happens during failover is to trigger a failover of the master from Firebox System Manager.

1. Open Firebox System Manager to monitor the cluster.
2. Expand the cluster section of the tree in the Front Panel tab.
3. Select Tools > Cluster > Failover Master.

4. Type the Configuration Passphrase.
5. Watch the status of the devices in Firebox System Manager.

The original cluster master fails over. The backup master becomes the master. The old cluster master rejoins the cluster as the backup master.

Trigger a Failover Due to Link Status


Another way to trigger failover is to disconnect a network cable from the cluster master.

1. Disconnect the cable from interface 0 of the cluster master.
2. Monitor the cluster status in Firebox System Manager.
Failover initiates and the other member becomes the cluster master.

Notice that the interface status for Eth0 does not show a problem in cluster view. But if you connect to the backup master, you can see the interface is disconnected.

Use the Backup Cluster Interface


1. Disconnect the primary cluster interface cable from interface 6.
2. Monitor the cluster status in Firebox System Manager.
The cluster continues to operate, because the cluster members can communicate over the backup cluster interface, interface 5.


Trigger a Failover Due to Power Failure


We recommend that you connect your clustered devices to different power circuits. If the power is lost to one device, the cluster can fail over to the other device.

1. Power off the cluster master.


The backup master becomes the cluster master. The other member has the status (inactive).

2. Power on the cluster master.


The second device status changes to (backup master).

Test Failover with Network Traffic


If your classroom environment enables you to connect to a server or the Internet over the external network, you can repeat any of the above failover exercises while you browse the web or download a file from a server, and see how the traffic is not interrupted when a failover occurs.

What You Have Learned


In this module, you learned how to:
- Understand the clustering requirements for your XTM device
- Set up a FireCluster
- See status for a FireCluster
- Understand what happens when a FireCluster failover occurs
