Fireware XTM Training Instructor Guide

Fireware XTM Multi-WAN Methods
Exploring Multi-WAN Through Hands-On Training

This training is for:
Devices: WatchGuard XTM 2 Series / WatchGuard XTM 5 Series / WatchGuard XTM 8 Series / WatchGuard XTM 1050
Device OS versions: Fireware XTM v11.4 with a Pro Upgrade
Management Software versions: WatchGuard System Manager v11.4
Category: Advanced Networking / Multi-WAN

Introduction

What You Will Learn

Many organizations have more than one Internet connection, or plan to have additional ones in the future. Fireware XTM OS gives you the option to configure up to four external interfaces. This course shows you how Fireware XTM manages outgoing traffic with each of the four different multi-WAN modes of operation:

- Round-robin: The XTM device distributes a balanced traffic load among the external interfaces. If you have Fireware XTM with a Pro upgrade, you can assign a weight to each interface.
- Failover: You select one external interface to be your primary external interface and define an order for backup interfaces. If the primary interface goes down, the XTM device sends all traffic to the next interface.
- Interface Overflow: You define the order in which you want the XTM device to send traffic through external interfaces and configure each interface with a bandwidth threshold value. When traffic sent through the first interface reaches its bandwidth threshold, the XTM device uses the next interface.
- Routing Table: If the XTM device does not find a specified route in its internal route table or from dynamic routing processes, it uses the ECMP (equal-cost multi-path) algorithm to select the route.

You also learn how to monitor the status of your external connections, how sticky connections influence routing decisions, and how to use policy-based routing.

About Instructor Notes

Instructor Notes do not appear in the Student Guide. You can quickly find them by looking for the black vertical bar on the side of the page. The side note below appears in the Student Guide and the Instructor Guide.

About Side Notes

Side notes are extra information that is not necessary to understand the training. They might be configuration or troubleshooting tips, or extra technical information.

Side Note: You must have a Fireware XTM license with a Pro upgrade to use the Interface Overflow method. See the Frequently Asked Questions section near the end of this document for information on which features require Fireware XTM with a Pro upgrade.

Exercises

The step-by-step exercises in this course show how to configure two of the multi-WAN methods and demonstrate how outgoing connections behave when certain events occur. The first exercise shows the Interface Overflow multi-WAN method and sticky connections. The second one shows the Failover multi-WAN method and policy-based routing.
What Multi-WAN Can Do For You

Multiple external connections provide several benefits:

- Redundancy: If the main Internet connection goes down, you can use a backup connection for your outgoing connections.
- More bandwidth available for outgoing connections: An additional connection to the Internet can reduce wait times for new connections and large downloads initiated from behind the XTM device.
- Dedicated access through a preferred connection: You can make mission-critical applications, or those that require a lot of bandwidth, use a specified external interface.

Terms and Concepts You Should Know

Outgoing Traffic and Multi-WAN

Fireware XTM lets you configure up to four XTM device interfaces as type External. Because each external interface must have a default gateway, each external interface provides a path that Fireware XTM can use to send traffic to external destinations. For every connection that starts in a network behind the XTM device and goes to an external destination, the XTM device must decide which external interface to use to send the traffic.

Several factors determine whether the XTM device allows an outgoing connection, and which external interface the XTM device uses for allowed traffic:

- Policies in Policy Manager that allow and deny traffic
- The multi-WAN method you use
- Static and dynamic routes in the XTM device routing table
- Which external interfaces are currently able to send traffic
- Per-policy settings that can override the multi-WAN method you use (policy-based routing and sticky connections)

The Appendix section includes a flow chart diagram that illustrates how the XTM device makes these decisions.

Incoming Traffic

For incoming connections, the decision process is much simpler. An incoming connection is allowed only if a policy in Policy Manager allows it. Any external interface can receive traffic, as long as Fireware's link monitors sense that the interface is active. The multi-WAN method you use does not affect the path that incoming traffic takes to get to your XTM device. Because the XTM device cannot control which external interface an incoming connection attempts to come through, this training course does not discuss incoming connections. Instead the focus is on understanding how Fireware XTM handles outgoing connections using the different multi-WAN methods and options.

WatchGuard Fireware XTM Training
IPSec VPN Traffic

The concepts in this training apply only to non-IPSec traffic. The methods that Fireware XTM uses to route normal (non-IPSec) traffic to external networks are distinct and separate from the way traffic is sent to the remote side of an IPSec VPN. When the XTM device sends traffic to the other side of a VPN tunnel, it selects from the interfaces specified in the gateway settings for that tunnel. Multiple external interfaces for IPSec VPNs are covered in a separate training module.

Equal-Cost Multi-Path Routing (ECMP)

An algorithm for routing packets to destinations when there are multiple next-hop paths of equal cost. The Routing Table multi-WAN method uses ECMP to evenly distribute outgoing traffic across multiple external interfaces based on source and destination IP addresses, and based on the number of connections that go through each external interface.

A routing table is a collection of data about destinations in a network and how to reach them. Fireware XTM always consults the XTM device routing table regardless of multi-WAN method. Because of this, ECMP does not interfere with static routes you enter into Policy Manager, or with dynamic routing protocols such as RIP, OSPF, and BGP.

An ECMP group is the group of external interfaces used for ECMP calculations. When the XTM device determines that an external interface in the ECMP group is no longer able to forward traffic to external networks, it removes that interface from the ECMP group. Fireware XTM puts the external interface back into the ECMP group when it determines that the interface is available again. For more information, see The Routing Table Multi-WAN Method.

Sticky Connections

Dynamic NAT changes the source IP address of an outgoing connection to match the IP address on the external interface the XTM device uses to send the connection. Some applications drop a client's connection if the client's source IP address changes. The most common situation is when a user is on a web site that uses HTTPS. Some HTTPS sites use a session cookie that includes the user's source IP address. If the user is on the site and the browser attempts a new connection (for example, a new GET or POST request to the site causes a new TCP session), the site might deny the new connection if the source IP address does not match what is in the session cookie.

You use sticky connections to make sure that when an outgoing traffic flow is established, all connections between the inside user's IP address and the external site's IP address use the same external interface for a certain amount of time. Fireware XTM keeps a dynamic table of sticky connections that includes the source/destination pair for each outgoing connection, the external interface used for the connection, and the connection's age. If a new connection between the pair happens before the sticky connection timeout, the age is reset to zero. When the age of an entry reaches the sticky connection limit, the entry is deleted from the hash table, and new connections between the two IP addresses can use a different external interface.
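To make the table mechanics concrete, here is a small model of the sticky connection table described above. This is an added example written for this guide, not WatchGuard's code: the interface names, IP addresses and timeline are constructed, the `timeout` argument models the per-policy override of the global setting that the page describes, and the three-minute default is the one the page states. Only the behaviour (a hit resets the age to zero, an entry whose age reaches the limit is deleted, and the multi-WAN method decides only when there is no live entry) follows the page.

```python
# Added example (not WatchGuard's code): a model of the sticky connection
# table. Addresses, interface names and the timeline are constructed.

DEFAULT_STICKY_TIMEOUT = 180  # seconds; the page's default is three minutes


class StickyTable:
    """Maps (source IP, destination IP) to the external interface last used."""

    def __init__(self, global_timeout=DEFAULT_STICKY_TIMEOUT):
        self.global_timeout = global_timeout
        self.entries = {}  # (src, dst) -> [interface, time of last connection]

    def lookup(self, src, dst, now, timeout=None):
        """Return the sticky interface for the pair, or None if no live entry.

        `timeout` models a per-policy override of the global setting.
        A hit resets the entry's age to zero, as the page describes.
        """
        limit = self.global_timeout if timeout is None else timeout
        entry = self.entries.get((src, dst))
        if entry is None:
            return None
        iface, last_seen = entry
        if now - last_seen >= limit:      # age reached the limit: entry is deleted
            del self.entries[(src, dst)]
            return None
        entry[1] = now                    # age reset to zero
        return iface

    def record(self, src, dst, iface, now):
        self.entries[(src, dst)] = [iface, now]


def choose_interface(table, src, dst, now, multiwan_choice, timeout=None,
                     sticky_enabled=True):
    """Sticky lookup first; fall back to the multi-WAN method's choice.

    `multiwan_choice` stands in for whatever the configured method
    (Round-robin, Interface Overflow, ...) would pick for a new flow.
    `sticky_enabled=False` models a policy with sticky connections disabled.
    """
    if sticky_enabled:
        hit = table.lookup(src, dst, now, timeout)
        if hit is not None:
            return hit
    iface = multiwan_choice()
    if sticky_enabled:
        table.record(src, dst, iface, now)
    return iface


def demo():
    """Constructed timeline: one inside host talking to one HTTPS site."""
    table = StickyTable()
    src, dst = "10.0.1.25", "198.51.100.7"   # constructed addresses
    # The multi-WAN method would alternate between eth0 and eth2 here.
    picks = iter(["eth0", "eth2", "eth0", "eth2"])
    method = lambda: next(picks)
    timeline = []
    for t in (0, 100, 250, 500):           # seconds
        timeline.append((t, choose_interface(table, src, dst, t, method)))
    return timeline


if __name__ == "__main__":
    for t, iface in demo():
        print(f"t={t:>3}s -> {iface}")
```

In the timeline the connection at 250 s still uses eth0 because the hit at 100 s reset the age; the connection at 500 s arrives 250 s after that, past the 180 s limit, so the entry is gone and the method's next choice (eth2) is used.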
You cannot use sticky connection options when:

- You use the Failover multi-WAN method.
- You enable policy-based routing for a policy.

For any policy, you can override the global sticky connection setting. Policy-based sticky connection settings specify that outgoing traffic that uses the policy has a shorter or longer sticky connection timeout than the global sticky connection setting. You can also disable sticky connections for a policy.

We recommend you use the default settings for sticky connections. The three-minute timeout prevents most problems that arise when the source IP address of new traffic from behind the XTM device changes. If your users find that they need to re-authenticate more often to sites that use HTTPS, you might want to raise the per-policy sticky timeout for the policy that allows outbound HTTPS traffic. If you do not use a specific HTTPS policy in your XTM device configuration (for example, you have a policy that allows outbound connections over any TCP port), you might want to add a policy that allows only port 443 traffic. You can adjust the sticky connection timeout in this policy without affecting other connections.

Load Balancing Interface Group (LBIG)

The group of interfaces you include when you click Configure at the top of the Multi-WAN tab in Policy Manager. You can include or exclude any external interface from the multi-WAN method that you use, but you must include at least two external interfaces in the group. Load Balancing Interface Groups apply only to the Round-robin, Failover, and Interface Overflow methods. The Routing Table method does not use the LBIG because the ECMP (equal-cost multi-path) routing algorithm manages all routing decisions.

Policy-Based Routing

The ability to specify, at a firewall policy level, that an outgoing traffic flow must use a specific external interface if the source and destination IP addresses of the traffic match the From and To lists of the policy. Policy-based routing lets you overrule the routing decision that Fireware XTM would otherwise apply based on the multi-WAN method.

Link Monitor Settings

The XTM device has two ways to tell if an external interface is available to send or receive traffic:

- Monitor the physical link state of the interface's Ethernet peer. The XTM device monitors the physical link by default. If the kernel-level drivers sense that the physical Ethernet link is down, the XTM device immediately declares the interface down. New connections begin to flow through the other external interfaces, depending on the multi-WAN and per-policy configuration options you set.
- Monitor the ability to make connections to external locations. You can specify how the XTM device determines if an external interface is available. From Policy Manager, select Network > Configuration and select the Multi-WAN tab. Highlight the interface to monitor in the External Interface column and view the settings on the Link Monitor tab within the Multi-WAN tab.

Figure 1: Link Monitor tab

You can use the following settings:

- Select the Ping check box to add an IP address or domain name for the XTM device to ping to check for interface status.
- Select the TCP check box to add the IP address or domain name where the XTM device sends a TCP SYN packet. Use the Port box to set the port the XTM device uses when it sends the SYN packet. If the target sends an ACK in reply, the XTM device knows it can reach the external target. The XTM device closes the connection with a RST packet when it gets the ACK.
- Select the Both ping and TCP must be successful to define the interface as active check box if you want the interface to be considered down when either the ping probe or the TCP packet probe fails. If you do not select this check box, both the ping probe and the TCP packet probe must fail for the XTM device to consider the interface down.
If you do not select either of these check boxes (Ping or TCP), Fireware XTM monitors each interface by sending an ICMP echo to the interface's default gateway IP address. Because this does not test whether the interface can send traffic beyond the edge of your network, we recommend you specify probe targets. Multi-WAN does not require that you use either the Ping or TCP check box, but we recommend that you use one or both of them to determine whether the external interface can send traffic out of your network. Select targets that have a record of high uptime, such as major web portals or servers hosted by your ISP.

- Use the Probe Interval setting to configure how often you want the XTM device to do the ping and TCP probes. By default, the XTM device probes every 15 seconds.
- Use the Deactivate after setting to change the number of consecutive probe failures that must occur before failover. By default, after three probe failures, the XTM device removes the interface from the list of active external interfaces. Outgoing traffic continues based on the multi-WAN method you use. See the next section, Failover/Failback.
- Use the Reactivate after setting to change the number of consecutive successful probes through an interface before an interface that was inactive becomes active again.

Configure these settings for each external interface.

Failover/Failback

Failover occurs when an interface that was previously active becomes unable to send traffic to external networks. Failback occurs when an interface that was previously not able to reach external locations becomes active again.

Failover On an External Interface

If an external interface goes down, the XTM device removes that external interface from all routing decisions. The action the XTM device takes depends on the multi-WAN method currently in use:

- Round-robin: The failed interface is removed from the Round-robin group. If your Round-robin group has only two external interfaces, all outgoing connections now use the remaining active interface. If your Round-robin group has more than two external interfaces, Fireware XTM reduces the size of the group so that it includes only the remaining active interfaces. It continues to use the relative weights of the remaining interfaces to make routing decisions.
- Failover: The failed interface is removed from the failover group. Traffic goes out through the next available interface in the failover list.
- Interface Overflow: The failed interface is removed from the Interface Overflow group. The XTM device uses the Interface Overflow threshold assigned to each remaining interface to determine which to use for outgoing traffic. If your Interface Overflow interface group has only two external interfaces, all outgoing connections now use the remaining active interface.
- Routing Table: The failed interface is removed from the ECMP group. ECMP continues to make routing decisions based on the external interfaces that remain active.

Failback On an External Interface

When the Link Monitor probes determine that an interface is active again, the interface is made available for outgoing traffic. The Probe Interval and the Reactivate after settings on the Link Monitor tab determine how long this takes. The defaults are to send a probe every 15 seconds and to reactivate the interface after three successful probes, so failback can take up to a full minute with the default settings.

New outgoing connections, unless they match an entry in the sticky connections table, start to use the now-active external interface based on the multi-WAN method you select. Existing connections (including traffic that matches an entry in the sticky connections table) behave according to the option you select in the Failback for Active Connections drop-down list:

- Immediate Failback
  - The XTM device drops all currently active connections.
  - TCP RST packets are sent to close all open TCP connections.
  - NAT ports that are open for return UDP packets are closed.
  - The sticky connections table is purged.
- Gradual Failback
  - All currently active connections are allowed to finish before Fireware XTM begins to use the multi-WAN method to send them through another external interface.
  - The sticky connections table stays the same.

Use Immediate Failback if your backup line is expensive, you want to use the backup line only in an emergency, and your organization can tolerate dropped connections when the failback happens. Use Gradual Failback if your organization cannot tolerate dropped connections when the failback happens.
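The Link Monitor rules above (consecutive failures deactivate an interface, consecutive successes reactivate it, and the Both ping and TCP check box changes how the two probes combine) can be modelled in a few lines. This is an added example written for this guide, not WatchGuard's code: the probe outcomes fed in are constructed, the interface names are invented, and the defaults are the ones the page states (15-second interval, deactivate after three, reactivate after three). The `first_active` helper at the end applies the same state to the failover list rule, where the first active interface in the list carries all traffic.

```python
# Added example (not WatchGuard's code): a model of the Link Monitor probe
# logic with the page's default settings. Probe outcomes are constructed.

DEFAULT_PROBE_INTERVAL = 15   # seconds between probes
DEFAULT_DEACTIVATE_AFTER = 3  # consecutive failures before the interface is marked inactive
DEFAULT_REACTIVATE_AFTER = 3  # consecutive successes before it is marked active again


def probe_result(ping_ok, tcp_ok, require_both=False):
    """Combine the two probe types the way the Link Monitor check box does.

    require_both=True:  the interface is down if either probe fails.
    require_both=False: both probes must fail before the interface is down.
    """
    if require_both:
        return ping_ok and tcp_ok
    return ping_ok or tcp_ok


class LinkMonitor:
    def __init__(self, name, probe_interval=DEFAULT_PROBE_INTERVAL,
                 deactivate_after=DEFAULT_DEACTIVATE_AFTER,
                 reactivate_after=DEFAULT_REACTIVATE_AFTER):
        self.name = name
        self.probe_interval = probe_interval
        self.deactivate_after = deactivate_after
        self.reactivate_after = reactivate_after
        self.active = True
        self.elapsed = 0          # seconds since monitoring started
        self.failures = 0         # consecutive failed probes while active
        self.successes = 0        # consecutive good probes while inactive

    def record(self, ok):
        """Feed one probe outcome; return (time, new_state) on a transition, else None."""
        self.elapsed += self.probe_interval
        if ok:
            self.failures = 0                     # a success breaks a failure streak
            if not self.active:
                self.successes += 1
                if self.successes >= self.reactivate_after:
                    self.active, self.successes = True, 0
                    return (self.elapsed, "active")
        else:
            self.successes = 0                    # a failure breaks a success streak
            if self.active:
                self.failures += 1
                if self.failures >= self.deactivate_after:
                    self.active, self.failures = False, 0
                    return (self.elapsed, "inactive")
        return None


def state_changes(monitor, outcomes):
    """Run a sequence of probe outcomes and collect the transitions."""
    return [ev for ev in (monitor.record(ok) for ok in outcomes) if ev]


def first_active(failover_order, monitors):
    """Failover method: the first active interface in the list carries all traffic."""
    for name in failover_order:
        if monitors[name].active:
            return name
    return None


def demo():
    """Constructed outage on eth0: three failed probes, then the line recovers."""
    eth0 = LinkMonitor("eth0")
    outcomes = [False, False, False, True, True, True]
    return state_changes(eth0, outcomes)


if __name__ == "__main__":
    for t, state in demo():
        print(f"eth0 became {state} after {t} seconds")
```

With the defaults, three failed probes at 15-second spacing mark the interface inactive at 45 seconds, and three good probes bring it back 45 seconds after that. A line that flaps (two failures, one success, two failures) never reaches three consecutive failures and is never deactivated, which is why the Deactivate after count matters for noisy links.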
The Round-Robin Multi-WAN Method

When to Use It

Use the Round-robin method when:

- You have a license for Fireware XTM with a Pro upgrade and you want to specify a weighted distribution of outgoing traffic across your external interfaces.
- You have a standard Fireware XTM license and you want to distribute bandwidth evenly among your external interfaces. (With the standard Fireware XTM license, you cannot assign weights to the interfaces.)

How It Works

The Round-robin method distributes traffic to each external interface based on bandwidth, not connections. This gives you more control over how many bytes of data are sent through each ISP. For light traffic loads, weighted Round-robin behaves like a connection-based Round-robin, because the weights you use tend to determine the number of connections through each external interface. When the traffic load increases, weighted Round-robin behaves more like a load-based Round-robin, because the weights you assign tend to determine the load through each external interface.

The Round-robin method uses the run-time average of Tx (transmit) and Rx (receive) bytes through each interface to balance outgoing traffic according to the relative weights you assign to the interfaces. Fireware XTM takes a measurement four times a second to determine the run-time traffic load on the external interfaces. The Round-robin algorithm is applied only after routes, sticky connections, and policy-based routing fail to give a routing decision.

The weights you assign are relative weights. For example, suppose interface 0 (eth0) is an external interface and you give it a weight of 3. Interface 1 (eth1) is also an external interface and you give it a weight of 2. For every three bytes of traffic that go through eth0, two bytes go through eth1. The byte count sent through eth0 is one and one-half times that of eth1.

To determine which interface to use for a new outgoing connection, weighted Round-robin calculates the load:weight ratio (current traffic load as a proportion of the assigned weight) for each external interface and chooses the interface with the lowest value for the new connection.

For example, configure Interfaces 0, 1, and 2 as external interfaces, and use Round-robin weights of 8, 2, and 1 for those interfaces respectively. Assume that new connections happen in sequence, and each new connection increases the load on an interface equally. The algorithm assigns the new connections as shown in the table in Figure 1:

  Interface 0        Interface 1        Interface 2        New connection
  {load : weight}    {load : weight}    {load : weight}    uses this interface
  0:8                0:2                0:1                0
  1:8                0:2                0:1                1
  1:8                1:2                0:1                2
  1:8                1:2                1:1                0
  2:8                1:2                1:1                0
  3:8                1:2                1:1                0
  4:8                1:2                1:1                0
  5:8                1:2                1:1                1
  5:8                2:2                1:1                0
  6:8                2:2                1:1                0
  7:8                2:2                1:1                0
  8:8                2:2                1:1                Use ECMP when all interfaces have full traffic load

Figure 1: This table shows which external interface is used for a new outgoing connection based on the {traffic load : weight} ratio

Side Note: This example is extremely simplified. The actual situation is more complex: each new connection does not cause equal traffic load, many connections close very quickly, causing load to drop quickly, and the load on each interface is constantly changing.
How to Configure It

1. From Policy Manager, select Network > Configuration. The Network Configuration dialog box appears.
2. Select the Multi-WAN tab.
3. From the Multi-WAN Configuration drop-down list, select Round-robin.

Figure 2: Select the Round-robin method for multi-WAN

4. Click Configure, as shown in Figure 2, to set the relative weights for the external interfaces. The Multi-WAN Round-robin Configuration dialog box appears.

Figure 3: Multi-WAN Round-robin Configuration dialog box

5. In the Include column, select the check boxes next to the interfaces you want to include in the Round-robin configuration. By default, all external interfaces are included. If you have more than two external interfaces, you might reserve one external interface for a special purpose. For example, you might want to use an external interface only for routing traffic to an application service provider, or only for VPN traffic. To exclude an external interface from the Round-robin, clear the check box next to that interface in Figure 3. You must include at least two interfaces.
6. To change the weight of one of the interfaces, select the interface and click Configure in Figure 3. The Round-robin Weight dialog box appears.

Figure 4: Set the weight for the interface you selected

7. In the Round-robin Weight text box shown in Figure 4, type or select a number to use for this interface's weight.
8. Click OK.

Figure 5 shows two external interfaces with Round-robin weights set to 3 and 2.

Figure 5: Two interfaces set to relative weights 3 and 2

Tip: Calculating weights for Round-robin. You can use only whole numbers for the interface weights; no fractions or decimals are allowed. To ensure optimal load balancing, you might need to perform a calculation to know which whole-number weight to assign to each interface. Use a common multiplier so that the ratios of bandwidth at each external connection resolve to whole numbers.

Example: You have three Internet connections. One ISP gives you 6 Mbps, another ISP gives you 1.5 Mbps, and a third ISP gives you 768 Kbps. Convert the proportion to whole numbers:

- First convert the 768 Kbps to Mbps so that you use the same unit of measurement for all three lines. This is approximately 0.75 Mbps. Your three lines are rated at 6, 1.5, and 0.75 Mbps.
- Multiply each value by 100 to remove the decimals. Proportionally, these are equivalent: {6 : 1.5 : 0.75} is the same ratio as {600 : 150 : 75}.
- Find the greatest common divisor of the three numbers. In this case, 75 is the largest number that evenly divides all three numbers 600, 150, and 75.
- Divide each of the numbers by the greatest common divisor. The results are 8, 2, and 1. These are the whole-number weights to use for the example.

When an External Interface Fails

The failed external interface is removed from the Round-robin group. Fireware XTM continues to use the relative weights of the remaining interfaces to make routing decisions.
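The weight calculation from the tip above and the load:weight selection rule from the How It Works section can both be checked with a short simulation. This is an added example written for this guide, not WatchGuard's code. It uses the page's simplified model in which every new connection adds one unit of load to the interface it is assigned to (real load is a measured byte rate, as the page notes), breaks ties toward the lower-numbered interface because that is what the page's table shows, and hands over to ECMP once every active interface has reached its weight. The `failed` argument reproduces the When an External Interface Fails rule by dropping an interface from the group; the interface numbering follows the page's table.

```python
# Added example (not WatchGuard's code): weight calculation and the
# load:weight selection rule, simulated with one unit of load per connection.
from fractions import Fraction
from functools import reduce
from math import gcd


def weights_from_bandwidth(rates):
    """Turn line rates (any common unit) into the smallest whole-number weights.

    Follows the page's recipe: scale the ratio to integers, then divide by
    the greatest common divisor. Fractions avoid float rounding.
    """
    fracs = [Fraction(str(r)) for r in rates]
    # least common multiple of the denominators clears all decimals at once
    scale = reduce(lambda a, b: a * b // gcd(a, b), (f.denominator for f in fracs), 1)
    ints = [int(f * scale) for f in fracs]
    common = reduce(gcd, ints)
    return [i // common for i in ints]


def pick_interface(loads, weights, active):
    """Choose the active interface with the lowest load:weight ratio.

    Ties go to the lower-numbered interface, as in the page's table.
    When every active interface has reached its weight (full load), the
    page says ECMP takes over, so "ECMP" is returned instead of an index.
    """
    if all(loads[i] >= weights[i] for i in active):
        return "ECMP"
    return min(active, key=lambda i: (Fraction(loads[i], weights[i]), i))


def simulate(weights, connections, failed=()):
    """Assign `connections` new flows in sequence; return the choice for each.

    `failed` lists interfaces removed from the Round-robin group, which is
    what happens when the Link Monitor marks one down.
    """
    active = [i for i in range(len(weights)) if i not in failed]
    loads = [0] * len(weights)
    chosen = []
    for _ in range(connections):
        choice = pick_interface(loads, weights, active)
        chosen.append(choice)
        if choice != "ECMP":
            loads[choice] += 1   # simplified model: one unit of load per connection
    return chosen


if __name__ == "__main__":
    w = weights_from_bandwidth([6, 1.5, 0.75])      # Mbps, from the page's example
    print("weights:", w)                            # [8, 2, 1]
    print("all interfaces up:", simulate(w, 12))
    print("interface 1 down: ", simulate(w, 10, failed={1}))
```

Running `simulate([8, 2, 1], 12)` reproduces the twelve rows of the table in Figure 1 exactly, ending with the ECMP hand-over at 8:8, 2:2, 1:1. With interface 1 failed, the remaining weights 8 and 1 still govern the split between interfaces 0 and 2.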
The Failover Multi-WAN Method

When to Use It

Use the Failover method:

- When you want to use one external interface for all traffic, and you have another ISP that you can use if the primary line goes down.
- If you want to reserve a WAN2 interface for special traffic, and use WAN1 for all other traffic. If the primary WAN1 connection goes down, all traffic can use WAN2 for the emergency outage.

Sticky connection settings cannot be used with the Failover method.

How It Works

The XTM device sends all traffic through the external interface at the top of the list in the Multi-WAN Failover Configuration dialog box. If that interface is not active, the XTM device checks the next external interface in the list. The first active interface in the list is the gateway for all outgoing traffic.

If the XTM device senses an Ethernet link failure, failover happens immediately. When you use the default link probe settings, an external interface can take from 45 seconds to one minute to change state from active to not active, or from not active to active. The default probe options are:

- Send a probe every 15 seconds
- Deactivate the interface after three probes in a row fail
- Reactivate the interface after three successful probes in a row

If an external interface that was previously down becomes active again, and it is higher in your list than the currently active external interface, the XTM device immediately starts to send all new connections out the active external interface that is now highest in the list. You control how the XTM device handles any existing connections that currently use the interface that is now lower in your list. Such a connection can immediately be disconnected and routed over the newly active interface, or it can use the current interface until the connection is finished.

How to Configure It

You use the Multi-WAN tab on the Network Configuration dialog box to configure this method. You then use additional dialog boxes to select the interfaces you want to participate in the failover and establish a failover sequence for them. For more details on configuring this method, see Exercise 2.

When an External Interface Fails

The failed interface is removed from the failover group. The next available interface in the Failover list assumes the highest precedence. Client connections time out and are re-established with the new route.
The Interface Overflow Multi-WAN Method

When to Use It

Use the Interface Overflow method when you want to restrict the maximum bandwidth that each external interface uses. When the bandwidth threshold is reached for an external interface, new connections use the next external interface in your list.

You must have a Fireware XTM license with a Pro upgrade to use this multi-WAN method.

How It Works

When you use the Interface Overflow method, you select the order in which you want the XTM device to send traffic through external interfaces and configure each interface with a bandwidth threshold value. The XTM device starts to send traffic through the first external interface in the Interface Overflow Configuration list. When the traffic through that interface reaches the bandwidth threshold you set for that interface, the XTM device starts to send new connections through the next interface in the list. This multi-WAN method allows the amount of traffic sent over each external interface to be restricted to a specified bandwidth limit.

To determine traffic volume through an interface, the XTM device examines the amount of sent (TX) and received (RX) packets and uses the higher number. When you configure the interface bandwidth threshold for each interface, you must consider the needs of your network for this interface and set the threshold value based on these needs. For example, if your ISP is asymmetric and you set your bandwidth threshold based on a large TX rate, interface overflow will not be triggered by a high RX rate.

When all external interfaces reach their threshold, the XTM device uses the ECMP algorithm to find the best path.

How to Configure It

You use the Multi-WAN tab on the Network Configuration dialog box to configure this method. You then use an additional dialog box to configure the bandwidth threshold for each interface. For more details on configuring this method, see Exercise 1.

When an External Interface Fails

The failed interface is removed from the Interface Overflow group. Traffic goes out through the other external interfaces in the group, according to the Interface Overflow threshold assigned to each.
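The selection rule for this method is short enough to write down and test against a few traffic snapshots, including the asymmetric-ISP caveat from the How It Works section and the failed-interface case. This is an added example written for this guide, not WatchGuard's code: the interface names, thresholds and measured rates are constructed, and the rules it follows are the ones the page states (walk the configured order, compare the higher of TX and RX against the threshold, use ECMP once every active interface is at its threshold).

```python
# Added example (not WatchGuard's code): the Interface Overflow selection
# rule. Interface names, thresholds and traffic figures are constructed.


def interface_load(tx_bps, rx_bps):
    """The page says the higher of the sent and received rates is compared to the threshold."""
    return max(tx_bps, rx_bps)


def select_overflow(order, thresholds, rates, inactive=frozenset()):
    """Return the first interface in `order` that is active and below its threshold.

    order:      interface names in Interface Overflow Configuration order
    thresholds: name -> bandwidth threshold in bit/s
    rates:      name -> (tx_bps, rx_bps) currently measured
    inactive:   interfaces the Link Monitor has removed from the group
    Returns "ECMP" when every active interface has reached its threshold.
    """
    for name in order:
        if name in inactive:
            continue
        if interface_load(*rates[name]) < thresholds[name]:
            return name
    return "ECMP"


# Constructed configuration: three lines, fastest first.
MBPS = 1_000_000
ORDER = ["eth0", "eth2", "eth3"]
THRESHOLDS = {"eth0": 6 * MBPS, "eth2": 1.5 * MBPS, "eth3": 768_000}


def scenarios():
    """A few constructed traffic snapshots and the interface a new connection would use."""
    quiet = {"eth0": (2 * MBPS, 4 * MBPS), "eth2": (0, 0), "eth3": (0, 0)}
    first_full = {"eth0": (6.2 * MBPS, 1 * MBPS), "eth2": (0.3 * MBPS, 0.9 * MBPS), "eth3": (0, 0)}
    two_full = {"eth0": (6.2 * MBPS, 1 * MBPS), "eth2": (0.2 * MBPS, 1.6 * MBPS), "eth3": (100_000, 200_000)}
    all_full = {"eth0": (6.2 * MBPS, 1 * MBPS), "eth2": (0.2 * MBPS, 1.6 * MBPS), "eth3": (800_000, 100_000)}
    return {
        "quiet": select_overflow(ORDER, THRESHOLDS, quiet),
        "first_full": select_overflow(ORDER, THRESHOLDS, first_full),
        "two_full": select_overflow(ORDER, THRESHOLDS, two_full),
        "all_full": select_overflow(ORDER, THRESHOLDS, all_full),
        "eth0_down": select_overflow(ORDER, THRESHOLDS, quiet, inactive={"eth0"}),
    }


def asymmetric_caveat():
    """The page's warning: a threshold set from a large TX rate never fires on RX.

    Constructed line: 6 Mbit/s one way, 1.5 Mbit/s the other, threshold set
    at 6 Mbit/s. Even with the slower direction saturated, the higher of
    TX/RX stays below the threshold, so traffic never overflows to eth2.
    """
    rates = {"eth0": (0.5 * MBPS, 1.5 * MBPS), "eth2": (0, 0)}
    return select_overflow(["eth0", "eth2"], {"eth0": 6 * MBPS, "eth2": 1.5 * MBPS}, rates)


if __name__ == "__main__":
    for name, choice in scenarios().items():
        print(f"{name:>10}: {choice}")
    print("asymmetric:", asymmetric_caveat())
```

The `eth0_down` case shows the failure rule from the section above: with eth0 removed from the group, the walk simply starts at eth2 and its own threshold still applies.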
The Routing Table Multi-WAN Method

When to Use It

Use the Routing Table method when you want a quick and easy way to evenly distribute outgoing traffic among multiple external interfaces. This method is the quickest way to take advantage of load balancing across more than one route to the Internet. Because the ECMP algorithm manages all connection decisions, no additional configuration is necessary after it is enabled. This multi-WAN method is based on connections, not bandwidth or load. Routes configured statically or learned from dynamic routing are used before the ECMP algorithm.

Sticky connection settings cannot be used with the Routing Table method.

How It Works

If you have multiple active external interfaces, multiple default routes to the external network are available with the same cost (one hop). With the Routing Table method, Fireware XTM puts all the active external interfaces into one ECMP group. It uses the ECMP algorithm to decide which next-hop (path) to use to send each packet. This algorithm does not consider the current byte count through the external interfaces.

When you select the Routing Table method for your multi-WAN configuration, the XTM device first looks at policy-based routing actions in your policies, the routes in its internal route table, and the sticky connection table to see if it should send a packet through a specific external interface. If the XTM device does not find a specified route, it selects a route based on the ECMP (equal-cost multi-path) algorithm specified in http://www.ietf.org/rfc/rfc2992.txt.

How to Configure It

There is only one setting:

1. From Policy Manager, select Network > Configuration. The Network Configuration dialog box appears.
2. Select the Multi-WAN tab.
3. From the Multi-WAN Configuration drop-down list, select Routing Table.

Figure 6: Select the Routing Table method for multi-WAN

When an External Interface Fails

The failed interface is removed from the ECMP group. ECMP continues to make routing decisions based on the external interfaces that remain active.
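The RFC the page links (RFC 2992) describes the hash-threshold way of choosing among equal-cost next hops: hash the flow, divide the hash space into one equal region per active next hop, and pick the region the hash lands in. The example below implements that scheme behind a longest-prefix static-route lookup, in the order the page describes (routes in the route table first, ECMP only when no route matches). It is an added example written for this guide, not WatchGuard's code: the CRC-32 flow hash, interface names, static route and sample flows are constructed, and the page does not say which hash Fireware XTM uses internally beyond its being based on source and destination addresses. The `failure_impact` helper shows what the When an External Interface Fails section means in practice: with hash-threshold, removing a middle next hop moves only the flows that were on it.

```python
# Added example (not WatchGuard's code): RFC 2992 hash-threshold next-hop
# selection behind a static-route lookup. Hash, names and flows are constructed.
import ipaddress
import zlib

HASH_SPACE = 1 << 32  # CRC-32 output range


def flow_hash(src, dst):
    """Constructed per-flow hash: CRC-32 over the packed source and destination addresses."""
    key = ipaddress.ip_address(src).packed + ipaddress.ip_address(dst).packed
    return zlib.crc32(key)


def ecmp_next_hop(src, dst, active):
    """RFC 2992 hash-threshold: one equal region of the hash space per active
    next hop; the flow goes to the region its hash lands in. The same flow
    always maps to the same interface while `active` is unchanged."""
    hops = sorted(active)
    region = flow_hash(src, dst) * len(hops) // HASH_SPACE
    return hops[region]


def select_route(src, dst, static_routes, active):
    """Static routes win by longest prefix; otherwise ECMP across active interfaces."""
    addr = ipaddress.ip_address(dst)
    best = None
    for network, iface in static_routes:
        net = ipaddress.ip_network(network)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, iface)
    return best[1] if best else ecmp_next_hop(src, dst, active)


def failure_impact(flows, before, after):
    """Count how many flows change interface when the active set shrinks."""
    moved = 0
    for src, dst in flows:
        if ecmp_next_hop(src, dst, before) != ecmp_next_hop(src, dst, after):
            moved += 1
    return moved


# Constructed sample: 300 flows from inside hosts to outside servers.
SAMPLE_FLOWS = [(f"10.0.1.{i % 250 + 1}", f"198.51.100.{(i * 7) % 250 + 1}") for i in range(300)]
STATIC_ROUTES = [("203.0.113.0/24", "eth2")]   # constructed static route
ALL_UP = {"eth0", "eth1", "eth2"}

if __name__ == "__main__":
    print(select_route("10.0.1.5", "203.0.113.9", STATIC_ROUTES, ALL_UP))  # static route wins
    on_eth1 = sum(ecmp_next_hop(s, d, ALL_UP) == "eth1" for s, d in SAMPLE_FLOWS)
    print("flows on eth1:", on_eth1, "moved after eth1 fails:",
          failure_impact(SAMPLE_FLOWS, ALL_UP, ALL_UP - {"eth1"}))
```

Because the choice is made per flow rather than per byte, two heavy flows can land on the same interface while a third sits idle; that is the trade-off the page means when it says this method is based on connections, not bandwidth or load.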
Before You Begin

Necessary Equipment and Services

Before you start the exercises, make sure you have these items:

- Management computer (See the subsequent section for configuration details.)
- Ethernet cables
  - One crossover Ethernet cable to connect your computer to the trusted interface on your student XTM device.
  - Two Ethernet cables to connect two external interfaces from your XTM device to the central classroom XTM device (or to a hub that connects all student XTM devices to the central XTM device).
- WSM version 11.x software and Fireware XTM with a Pro upgrade v11.x software. Your instructor provides this software, or you can download it from the WatchGuard web site with a valid LiveSecurity login.
- XTM 2 Series, 5 Series, 8 Series, or 1050 device
- Feature key. Your instructor will provide a feature key to enable the features the XTM device must have for these exercises. You use the feature key near the end of the Quick Setup Wizard when you configure the XTM device.
- FTP Server. Your instructor will provide you access to an FTP server for use in these exercises.

Instructor Note: FTP Server requirement. You will need to provide students with an FTP server for these exercises. This can be a local physical FTP server (a Windows or Unix-based computer) or a virtual machine. If you do not have a local FTP server, you can use an FTP download site on the web, for example ftp://ftp.freebsd.org/pub/freebsd/iso-IMAGES-i386/7.2/.

Management Computer Configuration

Before you begin these exercises, make sure your management computer is configured correctly.

- Install the WSM v11.x software and the Fireware XTM v11.x operating system with a Pro upgrade. You do not have to install the server components, just the WSM client software.
- Connect the management computer directly to the trusted interface 1 on the XTM device with a crossover Ethernet cable.
- Make sure your management computer has an IP address in the same subnet as the trusted interface, with the correct subnet mask. Use the XTM device trusted interface IP address as the default gateway of the computer.
Firewall Configuration

If your XTM device is not yet configured, run the Quick Setup Wizard and select mixed routing mode. Mixed routing mode has these defaults:
- The external Interface 0 is configured and enabled with a static IP address. Your instructor will tell you what IP address to assign to the external interface.
- The trusted Interface 1 is configured and enabled with IP address 10.0.1.1/24. Your instructor will give you an IP address to use for the trusted interface and for your management computer.
- None of the other interfaces are configured (they are all set to Disabled).
- The configuration file you open in Policy Manager includes five policies: FTP, Ping, DNS, WatchGuard, and Outgoing.

Note: In the exercises, your external interface and trusted interface IP addresses are determined by your student number. Replace the X in the exercises with your student number. Your instructor will assign student numbers at the beginning of class.

Bandwidth Available at Each External Interface

In general, this training module does not discuss traffic management. However, you should know the upstream and downstream caps that your ISP puts on your Internet connection for each external interface. You must know these values to:
- Set accurate threshold limits for the Interface Overflow method. If you set threshold limits too low, you might not use the full available bandwidth before traffic flows over to another external interface. If you set threshold limits too high, the other external interfaces might never be used (traffic might never flow over from one external interface to another because the threshold is never reached).
- Correctly set the relative weights for the Round-robin method. You can balance the outgoing traffic between external interfaces more effectively when you know how much bandwidth each ISP allocates.
Physically Connecting Your Devices

Because these exercises are designed for a classroom environment, the external interfaces of all student XTM devices should be connected to two network segments. All the student XTM devices should be connected to the instructor XTM device.
Exercises

Exercise 1: Demonstrate the Interface Overflow Multi-WAN Method and Sticky Connections

1. When to Use the Interface Overflow Method

The Interface Overflow method lets you use one WAN for outgoing connections until the bandwidth for that interface goes above a threshold that you set. Then outgoing connections use another external interface. When the bandwidth use through the first interface falls below the threshold, new connections use that interface again.

2. Network Topology

This exercise shows how to configure the XTM device to use two Internet connections with the Interface Overflow method. Figure 7 shows how your equipment is connected.

Figure 7: Network topology for Exercise 1. Each student XTM device has two external interfaces.

Instructor note: Suggested design for student number and IP address assignments. Student numbers should be assigned in multiples of 10 (Student 10, Student 20, Student 30, and so on). The student number determines the last octet of the external interface IP address and the third octet of the trusted interface IP address. The network topology diagram follows this pattern as it shows Student 10. Thus, the IP addresses for the external interfaces are 100.100.100.10/24 and 50.50.50.10/24, and the trusted interface IP address is 10.0.10.1/24. This arrangement keeps each student's trusted network address scheme unique (because each uses a different Class C subnet) and lets each student have 10 available IP addresses on an external interface. The suggested classroom setup also gives flexibility when, for example, you do training on static NAT or in some other situation where each student needs more than one IP address assigned to the external interface. It also prevents routing conflicts when, for example, students make Branch Office VPN tunnels between their trusted networks.
3. Configure the XTM Device

Instructor note: Triggering the Interface Overflow. This exercise asks students to do an FTP download to trigger interface overflow and cause new connections to go out a different interface. In a typical classroom where 100 MB Ethernet connects all devices, the FTP download may finish too fast to show new connections start using the secondary connection. We suggest you use an extremely large file if the download is done in the classroom. If you use a 400-600 MB ISO image of a CD, for example, the download should be long enough to give the students time to see new connections spill over to the other external interface. Another alternative is to have the students download a file from the Internet instead of getting it from your server in the same classroom. Downloading a large file at typical Internet access speeds should give the students enough time to demonstrate the overflow.

Configure the Main External Interface

1. From Policy Manager, select Network > Configuration. The Network Configuration dialog box appears.

Figure 8: Network Configuration dialog box

2. Double-click Interface 0 to configure it. Configure the General tab as shown.

Figure 9: Interface 0 configuration

3. Type a name for the interface in the Interface Name (Alias) text box. For this example we call Interface 0 Main-Internet.
4. (Optional) Type an interface description. We use Primary WAN.
5. From the Interface Type drop-down list, select External.
6. Select Use Static IP.
7. In the IP Address text box, type 100.100.100.X/24. Replace the X in the IP address with the student number your instructor gives you. In Figure 3, we show the configuration for Student 10. For example, if you are Student 30, the IP address you type in Step 7 is 100.100.100.30/24.
8. In the Default Gateway text box, type 100.100.100.1.
9. Click OK to return to the main Network Configuration dialog box.

Configure the Second WAN Interface

1. Double-click Interface 3 to configure it. Configure the General tab as shown.

Figure 10: Interface 3 configuration

2. (Optional) Type a name for the interface in the Interface Name (Alias) text box. For this example we call Interface 3 Secondary-Internet.
3. (Optional) Type an interface description. We use Backup WAN.
4. From the Interface Type drop-down list, select External.
5. Select Use Static IP.
6. In the IP Address text box, type 50.50.50.X/24. Replace the X in the IP address with the student number your instructor gives you. In Figure 10 we show the configuration for Student 10. For example, if you are Student 40, the IP address you type in Step 15 is 50.50.50.40/24.
7. In the Default Gateway text box, type 50.50.50.1.
8. Click OK to return to the main Network Configuration dialog box.
Configure the Multi-WAN Method

1. Select the Multi-WAN tab.
2. From the Multi-WAN Configuration drop-down list, select Interface Overflow.

Figure 11: Select the Interface Overflow method

3. Click Configure. The Multi-WAN Interface Overflow Configuration dialog box appears.

Figure 12: Interface Overflow Configuration dialog box

4. Select interface 0 (Main-Internet) and click Configure to configure its threshold. The Interface Overflow Threshold dialog box appears.

Figure 13: Configure the interface overflow threshold for the primary WAN

Note: The dialog box in Figure 13 keeps values only in increments of 100 Kbps. For example, if you type 256 Kbps here, Policy Manager changes it to 200 Kbps.
5. From the right drop-down list, select Kbps. In the text box, set the threshold for this interface to 200 Kbps.

Note: This is not meant to show a real-world Internet connection. We set this to a low value to demonstrate the Interface Overflow method. Remember also that Fireware XTM does not use the overflow threshold value as a cap to throttle available bandwidth. The threshold is only a trigger to start sending new connections out a different external interface. Throughput can exceed the overflow threshold you set for an external interface, but Fireware XTM does not send new outgoing connections through the interface until current throughput for the interface goes below the overflow threshold.

Figure 14: The Interface Overflow Configuration dialog box should look like this

6. Make sure that interface 0 is at the top. If it is not, select the 0 (Main-Internet) interface and click Move Up to move it to the top.
7. Click OK twice to return to the main area of Policy Manager.

You do not need to configure anything on the Link Monitor tab or the Advanced tab for this exercise.

Enable Logging of Allowed Packets for the FTP and Outgoing Policies

By default, the XTM device sends log messages only for denied packets. To see what interface the XTM device uses to send outgoing connections, enable the logging of allowed packets for the FTP and Outgoing policies.

1. Right-click the FTP policy and select Modify Policy to edit it. You can also double-click a policy to modify it.

Figure 15: Right-click or double-click a policy to modify it
2. Select the Properties tab and click Logging.

Figure 16: Click Logging on the Properties tab of the policy

3. Select the Send Log Message check box to enable logging of allowed packets that the XTM device sends through this policy, and then click OK.

Figure 17: Enable logging of allowed packets for this policy
4. Click OK on the Properties tab.

Figure 18: Click OK to return to the main Policy Manager view

5. Repeat Steps 1-4 to enable logging of allowed packets for the Outgoing policy.
6. Make sure Policy Manager uses the Details view. If Policy Manager shows large icons, right-click anywhere in the main Policy Manager window and select Details View. You can also switch views from the View menu: select View, and then select Large Icons or Details.

Figure 19: Switch to Details View
7. Note that the Action column shows an icon for policies that have logging enabled. Position the mouse over the Action column to see a description of what each icon represents.

Figure 20: The Action column shows which policies have logging enabled

8. Click the Save button to save this configuration to the XTM device, or select File > Save > To Firebox.

Important! When the FTP download starts, you must visit a new web site quickly to see the XTM device change the interface it uses for outgoing connections. If you wait too long and the FTP transfer finishes, the rate of traffic through the main external interface falls below the threshold and the interface becomes available for new connections again. Before you begin, think of some sites you have not been to before, so you can quickly demonstrate the Interface Overflow behavior when the FTP transfer starts.

4. Demonstrate It

How the Demonstration Works

First you browse several web sites and see the connections go out the Main-Internet interface. You start an FTP download of a large file to use up the allotted 2 Mbps on the Main-Internet interface, Interface 0. When the throughput for the Main-Internet interface reaches the Interface Overflow threshold, you observe that new outgoing connections use the Secondary-Internet interface, Interface 3. You see some connections continue to use the Main-Internet interface even though the Interface Overflow threshold is reached for that interface, because the connections are sticky.
Verify that Outgoing HTTP Connections Use the Correct Interface

To make sure that your outgoing HTTP connections use the correct interface, you connect to Firebox System Manager and then browse the Internet.

1. Connect to Firebox System Manager and select the Traffic Monitor tab.

Figure 21: The Traffic Monitor tab of Firebox System Manager

2. Use your web browser to visit several web sites and see if your connections use the correct interface.
3. Watch Traffic Monitor to see log messages that show outgoing connections using the Main-Internet interface. You see messages like this in Traffic Monitor:

Allow 10.0.10.2 206.253.208.100 http/tcp 2892 80 1-Trusted 0-Main-Internet allowed, mss not exceeding 1460, idle timeout=43205 sec 48 128 (Outgoing-00) rt="mwan" src_ip_nat="100.100.100.10" src_port_nat="10119"

The rt="mwan" field means that Fireware XTM decided which external interface to use based only on the multi-WAN method in use.

Note: Do not start any file downloads in Step 2. A large file download can trigger the Interface Overflow threshold before you are ready to observe it. The FTP transfer in the next section will trigger the interface overflow.

Instructor note: About the Traffic Monitor log messages. The log messages show new connections that go out through packet filter policies. Proxy policies do not give the same log messages. If the students do not see the rt="mwan" and rt="sticky" parts of these messages, make sure they use only packet filter policies, not policies that use a proxy.

Start the FTP Transfer to Trigger the Interface Overflow

1. Use Internet Explorer or an FTP client to connect to the FTP server. The subsequent steps show how to use Internet Explorer 6.0 as an FTP client. If the instructor has configured a local FTP server, type ftp://50.50.50.2 in the Internet Explorer address bar. If a local FTP server is not available, the instructor will provide instructions to connect to an FTP server on the Internet.
2. The FTP server should allow anonymous access (it is not necessary to give a user name and password). If this is the case, you see a large file listed. If anonymous FTP access is not allowed, your instructor will give you credentials to log in.

Figure 22: Internet Explorer as an FTP client
3. Click the Folders icon in the Internet Explorer toolbar. A list of local folders appears.

Figure 23: Display the list of local folders with the Folders icon in the toolbar

4. Drag the file to the Desktop icon at the left to copy the file to your desktop. The download starts.

Figure 24: Drag the file to the Desktop icon on the left
Browse to Sites and See Which Interface Is Used

1. Browse to a web site you visited less than three minutes ago.
2. Go to the Traffic Monitor tab of Firebox System Manager.
3. Find the sticky connections log message for the connection to this site. Look for a log message similar to this, with rt="sticky" in the message:

Allow 10.0.10.2 206.253.208.100 http/tcp 2892 80 1-Trusted 0-Main-Internet allowed, mss not exceeding 1460, idle timeout=43205 sec 48 128 (Outgoing-00) rt="sticky" src_ip_nat="100.100.100.10" src_port_nat="10145"

This connection uses the primary external interface, Main-Internet, even though this interface reached the threshold. This is because it matches an entry in the sticky connections table.

4. Go to a web site you have not visited before.
5. On the Traffic Monitor tab, find the log message for this new connection. The log message will be similar to the following message, and will include the text rt="mwan":

Allow 10.0.10.2 66.35.250.150 http/tcp 2892 80 1-Trusted 3-Secondary-Internet allowed, mss not exceeding 1460, idle timeout=43205 sec 48 128 (Outgoing-00) rt="mwan" src_ip_nat="50.50.50.10" src_port_nat="10163"

This connection switched to the Secondary-Internet interface, because the Main-Internet interface reached the Interface Overflow threshold.

6. After the FTP transfer finishes, go back to the web site you visited in Step 3 (if it was less than three minutes ago) and press Ctrl-F5 on your keyboard to force all content on the page to reload. This is the site you visited that went through the Secondary-Internet connection, shown in the log message in Step 5.
7. On the Traffic Monitor tab, find the log messages for this connection. Verify that it still uses the Secondary-Internet interface. It still uses the Secondary-Internet interface because it matches an entry in the sticky connections table.
8. Go to a web site you have not visited in the last three minutes.
9. On the Traffic Monitor tab, find the log messages for this connection. Verify that new connections now use the Main-Internet interface. New connections start to use the Main-Internet interface because the throughput for that interface is below the Interface Overflow threshold.

New connections that match an entry in the sticky connections table use the same external interface for the sticky timeout period. This is true even if current throughput for the interface is over the Interface Overflow threshold. When the throughput for the Main-Internet connection exceeds the Interface Overflow threshold, new connections use the Secondary-Internet interface.

Note: The sample log messages are from the Student 10 XTM device. (Note that the src_ip_nat IP addresses have 10 in the last octet.)
Exercise 2: Demonstrate the Failover Multi-WAN Method and Policy-Based Routing

This exercise demonstrates what happens when an external interface that uses the Failover multi-WAN method fails.

1. When to Use the Failover Method

Failover gives stability to your organization's outgoing connections. Use the Failover method when you have more than one Internet connection that you can use. If the primary line goes down, connections flow through the backup line.

2. Network Topology

The physical setup is the same as for Exercise 1. Figure 25 shows how your equipment is connected.

Figure 25: The network topology for Exercise 2 is the same as for Exercise 1.
3. Configure the XTM Device

Configure the External Interfaces

The configuration of the main and secondary external interfaces is the same as for Exercise 1. If you have completed Exercise 1, proceed to the next section. If you have not completed Exercise 1, you must do so before you can proceed: in the section 3. Configure the XTM Device of Exercise 1 (page 18), complete Steps 1-17.

Configure the Multi-WAN Method

1. In the Network Configuration dialog box, select the Multi-WAN tab.
2. From the Multi-WAN Configuration drop-down list, select Failover.

Figure 26: Select the Failover Multi-WAN method

3. Click Configure. The Multi-WAN Failover Configuration dialog box appears.

Figure 27: The Multi-WAN Failover Configuration dialog box

4. Make sure that Interface 0 is at the top of the Interfaces list. If it is not, select 0 (Main-Internet) and click Move Up to move it to the top of the list.
5. Click OK.
Configure a Link Monitor Target for the Main-Internet Interface

Note: It is not necessary to configure a link monitor target for the Secondary-Internet connection. When you do not configure link monitor targets for an external interface, the XTM device monitors the health of the interface by sending ICMP requests to the interface's default gateway. In a real-world installation, you would normally select public sites for the link monitor targets, based on a record of superior uptime.

1. On the Link Monitor tab, in the External Interfaces list, select Main-Internet and configure monitor targets for this external interface.
2. Set the ping target:
- Select the Ping check box.
- From the Ping drop-down list, select IP Address.
- In the Ping text box, type the IP address of the instructor's FTP server: 50.50.50.2.

Figure 28: Ping target for monitoring the Main-Internet interface

3. Click OK.

Enable Logging of Allowed Packets for Policies

If you previously completed Exercise 1, you enabled logging of allowed packets for the Outgoing and FTP policies. Now we use the same procedure to enable logging of allowed packets for the Ping and Outgoing policies.

1. Right-click or double-click the Ping policy and select Modify Policy to edit it. The Edit Policy Properties dialog box appears.
2. Select the Properties tab and click Logging. The Logging and Notification dialog box appears.
3. Select the Send log message check box to enable logging of allowed packets that the XTM device sends through this policy.
4. Click OK. The Logging and Notification dialog box closes and the Edit Policy Properties dialog box appears.
5. Click OK. The Edit Policy Properties dialog box closes and Policy Manager appears.
6. Right-click or double-click the Outgoing policy and select Modify Policy to edit it. The Edit Policy Properties dialog box appears.
7. Select the Properties tab and click Logging. The Logging and Notification dialog box appears.
8. Select the Send log message check box to enable logging of allowed packets that the XTM device sends through this policy.
9. Click OK. The Logging and Notification dialog box closes and the Edit Policy Properties dialog box appears.
10. Click OK.
11. Make sure Policy Manager uses the Details view. If Policy Manager shows large icons, right-click anywhere in the main Policy Manager window and select Details View. You can also switch views from the View menu: select View, and then select Large Icons or Details.

Figure 29: Switch to Details View

12. Note that the Action column shows a Log icon for each policy that has logging enabled.

Figure 30: The Action column shows which policies have logging enabled

13. Click the Save button to save this configuration to the XTM device, or select File > Save > To Firebox.
Enable Policy-Based Routing for the Ping Policy

1. Double-click the Ping policy to edit it.
2. On the Policy tab, select the Use policy-based routing check box and configure as shown.

Figure 31: Enable policy-based routing for the Ping policy

3. From the Use policy-based routing drop-down list, select Main-Internet.
4. Do not select the Failover check box.
5. Click OK.
6. Click the Save button to save this configuration to the XTM device, or select File > Save > To Firebox.

Note: Do not enable failover in Step 4. This lets you see what happens when the policy-routing interface is not available.
Enable Policy-Based Routing for the Outgoing Policy

1. Double-click the Outgoing policy to edit it.
2. On the Policy tab, select the Use policy-based routing check box and configure as shown.

Figure 32: Enable policy-based routing for the Outgoing policy

3. From the Use policy-based routing drop-down list, select Main-Internet.
4. Select the Failover check box.
5. Click OK.
6. Click the Save button to save this configuration to the XTM device, or select File > Save > To Firebox.
4. Demonstrate It

How the Demonstration Works

First, you browse to several web sites using HTTP and HTTPS, and see the connections go out the Main-Internet interface. Ping some external IP addresses to see the XTM device send the echo requests through the Main-Internet interface with the policy-based routing you enabled for the Ping policy. Your instructor will cause your XTM device Main-Internet interface to fail by causing pings to the link monitor target to fail. After the failover event, browse some web sites again to see the connections go out the Secondary-Internet interface. Your pings to external locations will fail, because you did not enable failover for the Ping policy's policy-based routing.

Verify Outgoing Connections Use the Correct Interface

To make sure that your outgoing connections use the correct interface, connect to Firebox System Manager and then browse the Internet.

1. Open WSM and connect to your XTM device.
2. Select the XTM device and click the Firebox System Manager button. Firebox System Manager appears.
3. Select the Traffic Monitor tab to begin monitoring traffic.
4. Use your browser to connect to some web sites. Visit several sites with HTTP and HTTPS addresses.
5. Watch Traffic Monitor to see log messages that show the outgoing connections using the Main-Internet interface. Log messages like this appear in Traffic Monitor:

Allow 10.0.10.2 206.253.208.100 http/tcp 2892 443 1-Trusted 0-Main-Internet allowed, mss not exceeding 1460, idle timeout=43205 sec 48 128 (Outgoing-00) rt="mwan" src_ip_nat="100.100.100.10" src_port_nat="10119"

The rt="mwan" field indicates that Fireware XTM decided which external interface to use based only on the multi-WAN method in use.

6. Ping some sites external to the XTM device. Log messages show that the echo requests go out the Secondary-Internet interface.

Note: The "pro" in rt="pro" in the log message for Step 6 stands for Policy Routing Object. It signifies that the connection matches a policy that uses policy-based routing.
Log messages like this appear:

Allow 10.0.10.2 64.233.167.99 icmp-echo 1-Trusted 0-Main-Internet allowed 60 128 (Ping-00) rt="pro" src_ip_nat="100.100.100.10"

The instructor causes ICMP requests to your link monitor target to fail. A log message like this appears in Traffic Monitor:

monitord No response from WAN Ping Target 100.0.254.2 on eth0

Note: Remember that the number of failed probes is configurable. Three is the default.

After three probes fail, the XTM device sees that the Main-Internet interface is not available to send traffic. A log message like this appears:

Target Probing on gateway 100.100.100.1 (gateway on eth0) failed
7. Browse to more web sites. Outgoing connections now use the Secondary-Internet interface. Log messages like this appear in Traffic Monitor:

Allow 10.0.10.2 206.253.208.100 http/tcp 2892 443 1-Trusted 3-Secondary-Internet allowed, mss not exceeding 1460, idle timeout=43205 sec 48 128 (Outgoing-00) rt="mwan" src_ip_nat="50.50.50.10" src_port_nat="10119"

8. Send pings again to the external network. The XTM device drops the packets. Log messages like this appear in Traffic Monitor:

Deny 10.0.10.2 64.233.167.99 icmp-echo 1-Trusted 0-Secondary-Internet all gateways in policy routing are down, drop this packet 60 128 (internal policy)

This message appears when failover is not enabled for the Ping policy's policy-based routing. If you enable failover for policy-based routing in Figure 31, the ping is allowed through the other interface.
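Both exercises have you read Traffic Monitor lines by eye to check the outgoing interface and the rt= reason of each connection. The following parser, an added example rather than WatchGuard code, does that check over constructed sample lines in the format shown in Exercises 1 and 2, and also picks out the link monitor and policy-routing drop messages a monitoring system would alert on; the field names and the event tuples are this example's own.

```python
"""Parser for Fireware XTM Traffic Monitor lines of the kind shown in Exercises 1 and 2.
Added example, not WatchGuard code. The sample lines are constructed in the format
the exercises show (Student 10 addresses) so the block runs offline."""
import re
from collections import Counter

# Allow/Deny lines: action, source, destination, service, optional source and
# destination ports, incoming and outgoing interface, free text, two trailing
# counters, the policy in parentheses and optional key="value" fields (rt=...).
_TRAFFIC_RE = re.compile(
    r'^(?P<action>Allow|Deny)\s+(?P<src>\S+)\s+(?P<dst>\S+)\s+(?P<service>\S+)\s+'
    r'(?:(?P<sport>\d+)\s+(?P<dport>\d+)\s+)?'
    r'(?P<in_if>\S+)\s+(?P<out_if>\S+)\s+(?P<text>.*?)\s+\d+\s+\d+\s+'
    r'\((?P<policy>[^)]*)\)(?P<tail>.*)$'
)
_KV_RE = re.compile(r'(\w+)="([^"]*)"')
# Link monitor (monitord) messages that precede a multi-WAN failover.
_PROBE_FAIL_RE = re.compile(
    r'No response from WAN Ping Target (?P<target>\S+) on (?P<dev>\S+)'
    r'|Target Probing on gateway (?P<gw>\S+) \(gateway on (?P<gwdev>\S+)\) failed'
)

SAMPLE_LINES = [  # constructed from the message formats shown in the exercises
    'Allow 10.0.10.2 206.253.208.100 http/tcp 2892 80 1-Trusted 0-Main-Internet allowed, '
    'mss not exceeding 1460, idle timeout=43205 sec 48 128 (Outgoing-00) rt="mwan" '
    'src_ip_nat="100.100.100.10" src_port_nat="10119"',
    'Allow 10.0.10.2 206.253.208.100 http/tcp 2892 80 1-Trusted 0-Main-Internet allowed, '
    'mss not exceeding 1460, idle timeout=43205 sec 48 128 (Outgoing-00) rt="sticky" '
    'src_ip_nat="100.100.100.10" src_port_nat="10145"',
    'Allow 10.0.10.2 66.35.250.150 http/tcp 2892 80 1-Trusted 3-Secondary-Internet allowed, '
    'mss not exceeding 1460, idle timeout=43205 sec 48 128 (Outgoing-00) rt="mwan" '
    'src_ip_nat="50.50.50.10" src_port_nat="10163"',
    'Allow 10.0.10.2 64.233.167.99 icmp-echo 1-Trusted 0-Main-Internet allowed 60 128 '
    '(Ping-00) rt="pro" src_ip_nat="100.100.100.10"',
    'monitord No response from WAN Ping Target 100.0.254.2 on eth0',
    'Target Probing on gateway 100.100.100.1 (gateway on eth0) failed',
    'Deny 10.0.10.2 64.233.167.99 icmp-echo 1-Trusted 3-Secondary-Internet all gateways '
    'in policy routing are down, drop this packet 60 128 (internal policy)',
]


def parse_traffic_line(line):
    """Return a dict for an Allow/Deny line, or None for any other message."""
    m = _TRAFFIC_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec.update(dict(_KV_RE.findall(rec.pop("tail"))))  # rt, src_ip_nat, src_port_nat
    # "0-Main-Internet" -> interface number 0 and alias Main-Internet
    num, _, alias = rec["out_if"].partition("-")
    rec["out_if_num"], rec["out_if_alias"] = int(num), alias
    rec.setdefault("rt", None)  # Deny lines carry no routing reason
    return rec


def route_summary(lines):
    """Count allowed connections by (outgoing interface alias, rt reason): the check
    the exercises ask you to make by eye, mwan versus sticky versus pro."""
    counts = Counter()
    for line in lines:
        rec = parse_traffic_line(line)
        if rec and rec["action"] == "Allow":
            counts[(rec["out_if_alias"], rec["rt"])] += 1
    return counts


def failover_events(lines):
    """Events worth alerting on: link monitor probe failures, which precede a
    failover, and packets dropped because every policy-based routing gateway was down."""
    events = []
    for line in lines:
        m = _PROBE_FAIL_RE.search(line)
        if m:
            events.append(("probe_failed", m.group("target") or m.group("gw"),
                           m.group("dev") or m.group("gwdev")))
            continue
        rec = parse_traffic_line(line)
        if rec and rec["action"] == "Deny" and "policy routing are down" in rec["text"]:
            events.append(("pbr_all_gateways_down", rec["dst"], rec["policy"]))
    return events


if __name__ == "__main__":
    for key, n in sorted(route_summary(SAMPLE_LINES).items(), key=str):
        print(f"{key[0]:<20} rt={key[1]!s:<8} {n} connection(s)")
    for event in failover_events(SAMPLE_LINES):
        print(*event)
```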
Frequently Asked Questions

Which Multi-WAN features require a Fireware XTM license with a Pro upgrade?

There are two licensing options for the OS on the XTM device: Fireware XTM and Fireware XTM with a Pro upgrade. A standard Fireware XTM license does not include some multi-WAN functions. A Fireware XTM license with a Pro upgrade gives all the multi-WAN functions that the OS offers. These multi-WAN functions are available only if you have a Pro upgrade to the Fireware XTM license:
- Policy-based routing
- The Interface Overflow multi-WAN method
- Weighted Round-robin

Note: You can use the Round-robin multi-WAN method, but you cannot assign weights to the interfaces if you do not have a Fireware XTM license with a Pro upgrade. If you have a standard Fireware XTM license, all external interfaces that participate in the Round-robin have an equal weight of 1.

If all external interfaces have a Round-robin weight of 1, what is the difference between the Round-robin method and the Routing Table method?

Round-robin distributes outgoing connections based on bandwidth. Thus, if you set the weight for each external interface to 1 in Round-robin mode, the algorithm attempts to equalize the number of bits per second sent through each interface. Compare this to the Routing Table method. The Routing Table method uses ECMP to distribute outgoing connections based on the number of connections. It attempts to equalize the number of connections going out each interface. It does not consider the amount of bandwidth sent through each interface.
Appendix

How Fireware XTM Makes Multi-WAN Routing Decisions for Outbound Traffic

When a computer behind the XTM device on a trusted or optional network attempts to send traffic to the external network, the XTM device must make three main decisions:
- Whether the traffic is allowed out
- Whether an external interface is available to send the traffic
- Through which external interface to send the traffic

To make these decisions, the XTM device considers these questions:

1. Does the packet match the From and To lists in a policy?
- If No: drop the packet and send a log message with the reason Unhandled Internal Packet.
- If Yes: continue.
2. What is the disposition of the policy?
- If Deny: drop the packet and send a log message (if logging is enabled for the policy) with the policy name as the reason.
- If Block: same as Deny, and put the source on the XTM device Autoblocked Sites list.
- If Allow: continue.
3. Does the policy use policy-based routing?
- If Yes: send the traffic through the indicated external interface. If Failover is enabled for policy-based routing, the first interface in the list that is active is selected. If none of the policy-based routing interfaces for this policy are available, the packet is dropped and a log message with the reason "all gateways in policy routing are down, drop this packet (internal policy)" is sent.
- If No: continue.
4. Check the XTM device kernel routing table. Is there a specific route (a route that is not a default route) that matches the traffic's source and destination?
- If Yes: use the gateway for that route.
- If No: continue.
5. How many default routes are in the kernel routing table?
- If zero (the kernel routing table has no default route): drop the packet; all external interfaces are down.
- If exactly one: use the gateway interface for this default route to send the packet out.
- If more than one: continue.
6. Does the traffic match an entry in the sticky connections hash table?
- If Yes: send the traffic using the sticky interface.
- If No: continue.
7. Do the interface aliases in the policy's To list contain all the members of a load-balancing interface group?
- If Yes: use the specified multi-WAN routing method: weighted Round-robin, Failover, or Interface Overflow.
- If No: use the Equal Cost Multi-Path (ECMP) routing method to send the packet.

Note: Load-balancing interface groups pertain only to the Round-robin, Failover, and Interface Overflow multi-WAN methods. A load-balancing interface group includes all the interfaces you specify to participate in the Round-robin, Failover, or Interface Overflow configuration.

The following flow chart diagram is split across two pages. It shows how the XTM device decides which interface to use to send an outgoing connection. The notes that follow the diagram correspond to the numbered Earth icons in the diagram.

Multi-WAN Routing Decision Flow Chart
[Flow chart diagram not reproduced in this text version.]
Diagram Notes

1. A specific route is a route that is not a default route. A default route has destination 0.0.0.0.
2. You can see the XTM device kernel IP routing table on the Status Report tab of Firebox System Manager.
3. You can see which external interfaces are up with Firebox System Manager. View the Status Report tab of Firebox System Manager for current interface status.
4. The [source IP address / destination IP address] pair of each outgoing connection is combined to make a unique hash value. The hash value for an outgoing connection is put in the sticky connections hash table, and the table entry is associated with the external interface used to send the outgoing traffic. If the [source IP / destination IP] hash of an outgoing connection matches an entry in the hash table, the external interface associated with that entry is used for that connection. A timer counts down for each entry in the table. The time for a table entry starts with the value specified in your configuration for sticky connections. When a new outgoing connection matches an entry in the hash table, the time for that table entry is reset to the full sticky connections time and the timer starts again. When the timer for an entry reaches zero, the entry is purged from the table.
5. A load-balancing interface group is the group of interfaces you include when you click Configure at the top of the Multi-WAN tab in Policy Manager. You can exclude any external interface from participating in the multi-WAN method that you use. Load-balancing interface groups apply only to the Round-robin, Failover, and Interface Overflow methods. The Routing Table method does not use the load-balancing interface group because the ECMP (equal-cost multi-path) routing algorithm manages all routing decisions.

TRAINING
www.watchguard.com/training
training@watchguard.com

COPYRIGHT 2011 WatchGuard Technologies, Inc. All rights reserved. WatchGuard, the WatchGuard logo, Firebox, LiveSecurity, and spamBlocker are registered trademarks or trademarks of WatchGuard Technologies, Inc. in the United States and/or other countries.