WatchGuard Support Center

Knowledge Base - Article

000013109
 Configure Link Monitor in Fireware v12.1 to v12.2.1

Information
How do I configure a link monitor target for a Firebox with Fireware v12.1 to v12.2.1?

In Fireware v12.2.1 or lower, Link Monitor settings appear in the multi-WAN configuration, and you must enable multi-WAN to configure Link Monitor targets. You can use the information in this article to configure Link Monitor in Fireware v12.1 to v12.2.1.

In Fireware v12.3 or higher, the steps to configure Link Monitor are different. Link Monitor settings are separate from multi-WAN configuration. If your Firebox has Fireware v12.3 or higher, see Configure Link Monitor in Fireware Help.

To configure Link Monitor in v12.0.2 or lower, see the Link Monitor section in Configure Modem Failover and Link Monitor in Fireware v12.0.2 and lower.

Recommendations for Link Monitor Targets

To make sure traffic is sent over a different interface when network issues occur, you must select an effective Link Monitor target. We recommend that you:

  • Configure at least one Link Monitor target for each external interface.
  • Specify a different Link Monitor host for each external interface.
  • Specify a Link Monitor target other than the default gateway. If you enable Link Monitor but do not configure a custom Link Monitor target, the Firebox pings the interface default gateway to find the interface status.
  • Ping an IP address, not a domain name.

For more information about effective link monitor targets, see About Link Monitor in Fireware Help.
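
The recommendations above can be checked mechanically before a change window. This is an added example, not WatchGuard code: the inventory layout, interface names, finding codes, and addresses (documentation ranges) are assumptions constructed for illustration and are not a Fireware export format.

```python
import ipaddress

def audit_link_monitor(interfaces):
    """Return (interface, finding, target) tuples for the four recommendations."""
    findings = []
    seen = {}  # target -> first external interface that uses it
    for name, cfg in interfaces.items():
        gateway = ipaddress.ip_address(cfg["gateway"])
        targets = cfg.get("targets", [])
        if not targets:
            # No custom target: the Firebox falls back to the default gateway.
            findings.append((name, "NO_TARGET", None))
        for target in targets:
            try:
                key = ipaddress.ip_address(target)
            except ValueError:
                key = target.lower()
                findings.append((name, "DOMAIN_NAME", target))
            if key == gateway:
                findings.append((name, "DEFAULT_GATEWAY", target))
            if key in seen and seen[key] != name:
                findings.append((name, "SHARED_HOST", target))
            seen.setdefault(key, name)
    return findings

# Constructed sample inventory (hypothetical format and values).
SAMPLE = {
    "External-1": {"gateway": "203.0.113.1", "targets": ["198.51.100.10"]},
    "External-2": {"gateway": "192.0.2.1", "targets": ["192.0.2.1"]},
    "External-3": {"gateway": "203.0.113.129",
                   "targets": ["monitor.example.net", "198.51.100.10"]},
    "External-4": {"gateway": "203.0.113.193", "targets": []},
}

if __name__ == "__main__":
    for finding in audit_link_monitor(SAMPLE):
        print(finding)
```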

Multi-WAN Interfaces Without Link Monitor

In Fireware v12.1 to v12.2.1, if you configure more than one external interface in mixed routing mode, multi-WAN and Link Monitor are automatically enabled for those interfaces.

If you disable Link Monitor for multi-WAN interfaces, the Firebox cannot detect logical link failures for those interfaces. Without Link Monitor targets, failover only occurs after a physical disconnection, or if a valid IP address is not assigned to the interface (if the interface is dynamic). This can lead to a network outage in certain cases.

For example, if you disconnect the cable for the preferred external interface, connections fail over to another external interface. This occurs because the Firebox detected a physical disconnection. However, if the preferred interface becomes unavailable because of issues outside of your network, failover does not occur because the Firebox has not detected a logical link failure. The Firebox requires Link Monitor targets to detect logical link failures. In this case, a network outage can occur because the Firebox continues to send traffic to an interface for which there is no WAN availability.

Configure Link Monitor

To define a Link Monitor host, from Fireware Web UI:

  1. Select Network > Multi-WAN.
    The Multi-WAN Configuration page appears.
  2. Select the interface and click Configure.
    The Configure Link Monitor dialog box appears.
  3. If the interface is a modem, and you want the modem interface to monitor the default gateway or another source that you specify, you must select the Enable Link Monitor check box. This check box is selected by default for interfaces that are not modems.
  4. To specify which Link Monitor methods the Firebox uses to verify the status of each external interface, select one or more of these check boxes:
    • Ping — Type the IP address or domain name for the Firebox to ping to verify the interface status.
    • TCP — Type the IP address or domain name of a computer that the Firebox can negotiate a TCP handshake with to verify the status of the WAN interface.
    • Both ping and TCP must be successful to define the interface as active — The interface is considered inactive unless both a ping and TCP connection complete successfully.

      If an external interface is a member of a FireCluster configuration, a multi-WAN failover caused by a failed connection to a link monitor host does not trigger FireCluster failover. FireCluster failover occurs only when the physical interface is down or does not respond.
  5. If you add a domain name for the Firebox to ping, and any one of the external interfaces has a static IP address, you must configure a DNS server as described in Configure Network DNS and WINS Servers.
  6. To specify how often the Firebox verifies the status of the interface, in the Probe interval text box, type or select the amount of time in seconds.
    The default setting is 15 seconds.
  7. To change the number of consecutive probe failures that must occur before failover to the next specified interface occurs, in the Deactivate after text box, type or select the number of failures.
    The default setting is three. After the selected number of failures, the Firebox starts to send traffic through the next specified interface in the multi-WAN failover list. 
  8. To change the number of consecutive successful probes through an interface that must occur before an interface that was inactive can become active again, in the Reactivate after text box, type or select the number of successful probes.
  9. Click OK.
  10. Repeat Steps 2–8 for each external interface.
  11. Click Save.

To define a Link Monitor host, from Policy Manager:

  1. In the Network Configuration dialog box, select the Multi-WAN tab.
    The Multi-WAN Configuration dialog box appears.
  2. Select the Link Monitor tab.
  3. From the External Interfaces list, select an interface.
    The Settings information changes dynamically to show the settings for that interface.
  4. If the interface is a modem, and you want the modem interface to monitor the default gateway or another source that you specify, you must select the Enable Link Monitor check box. This check box is selected by default for interfaces that are not modems.
  5. To specify which link monitor methods the Firebox uses to verify the status of each external interface, select one or more of these check boxes:
    • Ping — Type the IP address or domain name for the Firebox to ping to verify the interface status.
    • TCP — Type the IP address or domain name of a computer that the Firebox can negotiate a TCP handshake with to verify the status of the WAN interface.
    • Both ping and TCP must be successful to define the interface as active — The interface is considered inactive unless both a ping and TCP connection complete successfully.

      If an external interface is a member of a FireCluster configuration, a multi-WAN failover caused by a failed connection to a link monitor host does not trigger FireCluster failover. FireCluster failover occurs only when the physical interface is down or does not respond.

      If you add a domain name for the Firebox to ping, and any one of the external interfaces has a static IP address, you must configure a DNS server as described in Configure Network DNS and WINS Servers in Fireware Help.
  6. To specify how often the Firebox verifies the status of the interface, in the Probe Interval text box, type or select the amount of time in seconds. The default setting is 15 seconds.
  7. To change the number of consecutive probe failures that must occur before failover to the next specified interface occurs, in the Deactivate after text box, type or select the number of failures.
    The default setting is three (3). After the selected number of failures, the Firebox starts to send traffic through the next specified interface in the multi-WAN failover list. 
  8. To change the number of consecutive successful probes through an interface that must occur before an interface that was inactive can become active again, in the Reactivate after text box, type or select the number of successful probes.
  9. Repeat Steps 3–6 for each external interface.
  10. Click OK.
  11. Save the Configuration File.
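
How the Probe interval, Deactivate after, and Reactivate after settings from both procedures interact can be modeled as a small state machine. This is an added example, not Fireware code. Assumptions: the Reactivate after value of 3 (the article gives no default), the first probe at t=0, and that with the "both" check box cleared a success from either method counts.

```python
from dataclasses import dataclass

@dataclass
class LinkMonitor:
    probe_interval: int = 15     # seconds; default stated in the article
    deactivate_after: int = 3    # consecutive failures; default stated in the article
    reactivate_after: int = 3    # consecutive successes; assumed, no default given
    require_both: bool = False   # "Both ping and TCP must be successful" check box

    def probe_ok(self, ping_ok, tcp_ok):
        # Assumption: with the check box cleared, either method succeeding is enough.
        return (ping_ok and tcp_ok) if self.require_both else (ping_ok or tcp_ok)

    def run(self, probes):
        """Return [(seconds, new_state)] transitions for (ping_ok, tcp_ok) results."""
        active, fails, oks, events = True, 0, 0, []
        for i, (ping_ok, tcp_ok) in enumerate(probes):
            t = i * self.probe_interval
            if self.probe_ok(ping_ok, tcp_ok):
                oks, fails = oks + 1, 0
                if not active and oks >= self.reactivate_after:
                    active = True
                    events.append((t, "active"))
            else:
                fails, oks = fails + 1, 0
                if active and fails >= self.deactivate_after:
                    active = False   # traffic moves to the next failover interface
                    events.append((t, "inactive"))
        return events

UP, DOWN = (True, True), (False, False)
# Constructed probe results: a two-probe blip that recovers, then a real outage.
SAMPLE_PROBES = [UP, UP, DOWN, DOWN, UP, DOWN, DOWN, DOWN, DOWN, UP, UP, UP, UP]

if __name__ == "__main__":
    # The blip never reaches three consecutive failures, so only the outage fails over.
    print(LinkMonitor().run(SAMPLE_PROBES))
    # Ping answers but the TCP handshake fails: only require_both marks it inactive.
    print(LinkMonitor(require_both=True).run([(True, False)] * 3))
```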

See Also

About Link Monitor in Fireware Help