On your WatchGuard firewall, it is possible to have multiple Internet connections configured. This Multi-WAN function ensures redundancy on outbound traffic if one of your Internet connections goes down. In recent firmware releases, WatchGuard has implemented SD-WAN capabilities as well, which allow you to specify how outbound connections are used based on performance metrics. (You can read more about SD-WAN here.)
When implementing both Multi-WAN and SD-WAN, it is vitally important that Link Monitoring be configured. Link Monitoring ensures the firewall can properly identify if an interface is able to pass traffic. If Link Monitoring is not configured correctly, the firewall may not properly fail over to a backup connection.
Link Monitoring Targets
When Link Monitoring is initially configured, the firewall will simply monitor the connection to the interface's default gateway. This does not properly identify a link failure, as the issue may be upstream from this target. To properly utilize Link Monitoring, the recommended practice is to ensure each interface is monitoring at least two external sources. Additionally, these sources should differ between the interfaces being tracked.
How to Configure Link Monitoring
1. In WatchGuard Policy Manager, navigate to Network > Configuration and select the Link Monitor tab.
2. Click Add under the Monitored Interfaces box.
3. Select your external interfaces and click OK.
4. Select the first interface. By default, you will see that it is set to ping the default gateway. Click Add.
5. For each interface, JSCM Group recommends that you add one ping target and one TCP target. Please remember that these targets should be different per interface.
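Before entering targets in Policy Manager, the planned targets can be checked against the recommendations above. The following is an added example, not WatchGuard or JSCM Group code: the plan layout, interface names and the lint_plan function are hypothetical, the addresses are constructed documentation addresses, and treating the default gateway as "not external" is an assumption.

```python
# Constructed sample plan: interface -> default gateway and monitor targets.
# Targets are (kind, address); TCP targets are written "host:port".
PLAN = {
    "External-1": {"gateway": "203.0.113.1",
                   "targets": [("ping", "198.51.100.10"),
                               ("tcp", "198.51.100.20:443")]},
    "External-2": {"gateway": "192.0.2.1",
                   "targets": [("ping", "192.0.2.1"),           # gateway only
                               ("tcp", "198.51.100.20:443")]},  # reused target
}


def host_of(kind, target):
    """Return the host part of a target, dropping the port of a TCP target."""
    return target.rsplit(":", 1)[0] if kind == "tcp" else target


def lint_plan(plan):
    """Return (interface, finding) pairs for targets that break the guidance."""
    findings = []
    seen = {}  # host -> first interface that monitors it
    for iface, cfg in plan.items():
        # Assumption: the default gateway cannot reveal an upstream failure,
        # so it does not count as an external source.
        external = [(kind, host_of(kind, tgt)) for kind, tgt in cfg["targets"]
                    if host_of(kind, tgt) != cfg["gateway"]]
        kinds = {kind for kind, _ in external}
        hosts = {host for _, host in external}
        if len(hosts) < 2:
            findings.append((iface, "fewer than two external targets"))
        if not {"ping", "tcp"} <= kinds:
            findings.append((iface, "needs one ping and one TCP target"))
        for host in sorted(hosts):
            if host in seen and seen[host] != iface:
                findings.append(
                    (iface, f"target {host} is also used on {seen[host]}"))
            seen.setdefault(host, iface)
    return findings


if __name__ == "__main__":
    for iface, finding in lint_plan(PLAN):
        print(f"{iface}: {finding}")
```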
Link Monitoring Intervals
When setting up link monitors, you will see the option to change the probe interval. You can use this to set how quickly you want a failover and failback to occur when monitoring interfaces.