Removing External Interface

We had two internet circuits. One for primary, one for backup / failover. We're removing our second internet circuit. I've found that if I simply remove the physical connection, traffic from trusted interfaces can't exit the primary external interface. There are a lot of historical firewall policies.

Is it possible to add a new policy at the top of the processing list that just sends all trusted interface traffic for any port type out of a specific external interface?

Comments

  • Are you utilizing SD-WAN for the primary and backup interfaces?
    How do you presently fail over when the primary interface goes down?
    If you are using SD-WAN and disconnect the backup interface, all traffic should still use the primary interface if you have the policies and SD-WAN configured to do so.
    Placing an any-any policy at the top of the list to bypass all other policies sorta defeats the purpose of the firewall and is inherently insecure.

    It's usually something simple.

  • Yes - an Any packet filter, for example, with SD-WAN set on it to go out the desired WAN.
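To make the two points in the comments above concrete (that an any-any policy at the top of the list shadows every policy beneath it, and that the cleaner fix is to point the existing policies' SD-WAN/egress setting at the surviving WAN), here is an added toy model of an ordered, first-match policy list. It is not from the thread or from any vendor's product; the policy names, the interface names `External-1` / `External-2`, and the sample packets are all constructed for the illustration.

```python
from dataclasses import dataclass, replace
from typing import Optional

# Hypothetical model of a first-match firewall policy list. "egress" stands in
# for the SD-WAN / policy-routing setting that pins traffic to one WAN.
@dataclass(frozen=True)
class Policy:
    name: str
    src_iface: str                   # "Trusted" or "Any"
    dst_ports: Optional[frozenset]   # None = any port
    action: str                      # "allow" or "deny"
    egress: Optional[str]            # pinned external interface; None = routing table decides

@dataclass(frozen=True)
class Packet:
    in_iface: str
    dst_port: int

def first_match(policies, pkt):
    """Return the first policy that matches, mimicking top-down processing."""
    for p in policies:
        if p.src_iface not in ("Any", pkt.in_iface):
            continue
        if p.dst_ports is not None and pkt.dst_port not in p.dst_ports:
            continue
        return p
    return None

def evaluate(policies, pkt, active_ifaces):
    """(outcome, policy) where outcome is allow, deny, or blackhole.
    blackhole = an allow policy matched, but its pinned egress interface is gone,
    which is the symptom the original post describes after unplugging the circuit."""
    p = first_match(policies, pkt)
    if p is None or p.action == "deny":
        return ("deny", p.name if p else "implicit-deny")
    if p.egress is not None and p.egress not in active_ifaces:
        return ("blackhole", p.name)
    return ("allow", p.name)

def shadowed(policies, sample_packets):
    """Policies that never match any sample packet because something above them
    catches the traffic first. A catch-all at the top shadows everything below."""
    hit = set()
    for pkt in sample_packets:
        p = first_match(policies, pkt)
        if p:
            hit.add(p.name)
    return [p.name for p in policies if p.name not in hit]

def repoint_egress(policies, old_iface, new_iface):
    """The non-bypassing fix: keep the policy order, just move the SD-WAN target."""
    return [replace(p, egress=new_iface) if p.egress == old_iface else p
            for p in policies]

# Constructed "historical" policy list. DNS-Out was pinned to the backup WAN.
HISTORICAL = [
    Policy("Web-Out", "Trusted", frozenset({80, 443}), "allow", "External-1"),
    Policy("DNS-Out", "Trusted", frozenset({53}), "allow", "External-2"),
    Policy("Block-SMB-Out", "Trusted", frozenset({445}), "deny", None),
    Policy("Default-Deny", "Any", None, "deny", None),
]
# The "Any packet filter with SD-WAN set to the desired WAN" from the comments.
CATCH_ALL = Policy("Any-Out", "Trusted", None, "allow", "External-1")
# Constructed sample traffic from the trusted side.
SAMPLES = [Packet("Trusted", 443), Packet("Trusted", 53),
           Packet("Trusted", 445), Packet("Trusted", 8080)]
ACTIVE_AFTER_REMOVAL = {"External-1"}

if __name__ == "__main__":
    print("after unplugging External-2:",
          evaluate(HISTORICAL, Packet("Trusted", 53), ACTIVE_AFTER_REMOVAL))
    top = [CATCH_ALL] + HISTORICAL
    print("catch-all on top shadows:", shadowed(top, SAMPLES))
    print("SMB with catch-all on top:",
          evaluate(top, Packet("Trusted", 445), ACTIVE_AFTER_REMOVAL))
    fixed = repoint_egress(HISTORICAL, "External-2", "External-1")
    print("repointed DNS:", evaluate(fixed, Packet("Trusted", 53), ACTIVE_AFTER_REMOVAL))
    print("repointed SMB:", evaluate(fixed, Packet("Trusted", 445), ACTIVE_AFTER_REMOVAL))
```

Running the model shows the three situations side by side: with the backup circuit gone, DNS-Out still pins its egress to `External-2` and the traffic is blackholed; an allow-everything policy placed at the top makes every policy below it unreachable, including the deny for SMB; repointing the egress on the affected policies restores the traffic while every deny keeps working. If a broad SD-WAN policy is wanted at all, placing it just above the default deny rather than at the top keeps the existing deny rules effective.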
