How to dictate which external interface for subscription services?
How can I define which external interface the WG subscription services (WebBlocker, DNSWatch, etc.) use? It appears that the services use the lowest numbered external interface, so when the Internet went down on that port, users were getting WebBlocker deny messages because the service was not accessible. In the case of another outage, I'd like to quickly define which external port to utilize for the services. Multi-WAN is set to routing mode.
We were running 12.11.2 at the time, but have since updated to 12.11.3.
Comments
Hi @CraigS
If you want to set this up by policy, you'd need to expose the any-from-firebox rule and set rules above that rule to handle traffic to those servers. You'd need to set an SD-WAN action on that policy so it knows where to send the traffic in each scenario.
WebBlocker uses: rp.cloud.threatseeker.com
DNSWatch: The front panel of either the WebUI or Firebox System Manager shows what resolvers your firewall is using.
Other subscription services are downloaded from services.watchguard.com.
That said, if the interface shows as [Failed] (meaning that the link-monitor was unable to ping the link-monitor ping target), subscription service traffic should fail over to the next lowest-numbered external interface. Additionally, using the Failover setting in multi-WAN allows other traffic to do the same.
Before you make any policy changes, please check to make sure the link-monitor ping target for each of your interfaces is something other than the default gateway of that interface. The default gateway will almost always be the ISP device at the next hop in the network, and this will usually respond to pings even if your Internet connection is down.
-James Carson
WatchGuard Customer Support
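The link-monitor point in the reply above, as an added example that is not part of the original thread and is not WatchGuard code: a small Python model of why a ping target equal to the default gateway keeps a dead link selected, plus a check that flags such targets. It goes slightly beyond the reply by also flagging any target on the ISP-facing subnet. The record layout, function names and addresses (documentation ranges) are constructed, and the selection rule is assumed to be "lowest-numbered external interface not marked [Failed]" as the reply describes.

```python
import ipaddress
from typing import NamedTuple

class ExternalIf(NamedTuple):      # hypothetical record, not a Firebox config format
    number: int                    # external interface number
    cidr: str                      # interface address/prefix
    gateway: str                   # default gateway (ISP next hop)
    monitor_target: str            # link-monitor ping target

def weak_target(iface):
    """Return why the ping target cannot reveal an upstream outage, or None."""
    target = ipaddress.ip_address(iface.monitor_target)
    if target == ipaddress.ip_address(iface.gateway):
        return "target is the default gateway"
    if target in ipaddress.ip_interface(iface.cidr).network:
        return "target is on the ISP-facing subnet"
    return None

def service_interface(ifaces, answers):
    """Lowest-numbered external interface whose ping target still answers.

    answers maps interface number -> set of hosts that reply via that link.
    """
    for iface in sorted(ifaces, key=lambda i: i.number):
        if iface.monitor_target in answers.get(iface.number, set()):
            return iface.number    # not [Failed]
    return None

# Constructed sample data (documentation address ranges).
WEAK = [ExternalIf(0, "198.51.100.2/24", "198.51.100.1", "198.51.100.1"),
        ExternalIf(1, "203.0.113.2/24", "203.0.113.1", "192.0.2.53")]
FIXED = [WEAK[0]._replace(monitor_target="192.0.2.53"), WEAK[1]]
# ISP on interface 0 lost its upstream: only its own gateway still replies.
OUTAGE = {0: {"198.51.100.1"}, 1: {"203.0.113.1", "192.0.2.53"}}

if __name__ == "__main__":
    for name, cfg in (("weak", WEAK), ("fixed", FIXED)):
        for i in cfg:
            print(name, i.number, weak_target(i) or "ok")
        print(name, "services use interface", service_interface(cfg, OUTAGE))
```

With the gateway as ping target, interface 0 never shows as failed during the constructed outage, so service traffic stays on the dead link; with an off-net target it moves to interface 1.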
Thank you James. Knowing that the link-monitor should alert the internal services to fail over, I'll target that one as a solution first. It was decided not to go to fail-over for various reasons, but perhaps now is the time to revisit it.