EMEA Partners XTM Network Training
This training material is currently unofficial and may not be redistributed unless cleared by Product Training and Publishing.
Carlo Alvarez, Technical Trainer - APAC
WatchGuard Training

Agenda
- Traffic Management and Quality of Service (QoS)
- VLAN: Basic (Trusted/Optional, External); Advanced (FireCluster with devices on different locations)
- Routing on XTM Devices: Static; Dynamic (BGP, OSPF, RIP)
- Enhanced Net Failover
- Public IP Address subnet behind XTM (DMZ with Public IP)
- Tunnel Switching: Manual; Managed
- Special Scenario – Advanced BOVPN Test Case: BOVPN with dual active gateways on both ends, load-sharing/failover
Traffic Management and QoS

Traffic Management and QoS
- Guarantee or limit bandwidth
- Control the rate at which the XTM device sends packets to the network
- Prioritize when to send packets to the network
- Disabled by default. To enable,

TM - Guaranteed Bandwidth
- The minimum amount of bandwidth allocated to a specific policy or group of policies at any given time
- Bandwidth is measured as outgoing with respect to an interface
- When the maximum is set to 0, usage can go as high as the line speed, depending on the utilization of the link

TM - Restricted Bandwidth
- The maximum amount of bandwidth a specific policy or group of policies can use at any given time
- Bandwidth is measured as outgoing with respect to an interface
- When the minimum is set to 0, there is no reserved bandwidth for the policy or group of policies

TM – Helpful Hints
- The total amount of guaranteed bandwidth for all Traffic Management Actions in use must not exceed the line speed of the corresponding interface(s).
- All hosts using the same policy with a TM Action in effect share the allocated bandwidth when it is restricted.
- Always note the traffic direction when implementing a TM Action.

Quality of Service (QoS)
- Marking Types: IP Precedence (aka Class of Service); Differentiated Service Code Point (DSCP)
- Marking Methods: Preserve; Assign; Clear

QoS – Interface Settings
The default QoS settings of an interface apply to all traffic passing through it.

QoS – Policy Override
Supersedes the QoS settings on the interface through which the traffic allowed by this policy is going to pass.
VLAN

Not So Basic VLAN
(Diagram: trunks allowing VLANs 10 and 20, STP between the switches, VLAN 10 and VLAN 20 segments)

Not So Basic VLAN – Use Case
- Customer requires redundancy on the LAN.
- Have at least two managed switches that support Spanning Tree Protocol (STP).
- Zones are segregated into VLANs.

VLAN Switches and FireCluster
(Diagram: ISP-1, ISP-2, Trunk; VLAN 10 – External-1, VLAN 20 – External-2, VLAN 30 – Trusted, VLAN 40 – FireCluster IF)

VLAN Switches and FireCluster – Use Case
- Customer has a Head Office and a DR Site but opts to buy only one XTM per site.
- Recommended to have two private lines (TRUNK) from different providers to ensure redundancy at all times.
- Internet lines from two ISPs are terminated one at each end.
Routing Protocols on XTM Devices

Static Routing

Static Routing on a Point-to-Point Link
Point-to-Point Link: 192.168.100.0/30
- To reach 10.0.30.0/24 (from the far side of the link): Static Route to 10.0.30.0/24, Next Hop (Gateway) is 192.168.100.2
- To reach 10.0.20.0/24 (from the far side of the link): Static Route to 10.0.20.0/24, Next Hop (Gateway) is 192.168.100.1

Static Routing on a Multi-Hop Link
Note that Static Routes must be correctly and consistently defined on the Firebox/XTM devices and the routers in between.
To reach 10.0.30.0/24 from the 10.0.20.0/24 side:
- First, Static Route to 10.0.30.0/24, Next Hop (Gateway) is 192.168.1.2
- Then, Static Route to 10.0.30.0/24, Next Hop (Gateway) is 172.16.0.2
- Finally, Static Route to 10.0.30.0/24, Next Hop (Gateway) is 192.168.5.253
To reach 10.0.20.0/24 from the 10.0.30.0/24 side:
- First, Static Route to 10.0.20.0/24, Next Hop (Gateway) is 192.168.5.254
- Then, Static Route to 10.0.20.0/24, Next Hop (Gateway) is 172.16.0.1
- Finally, Static Route to 10.0.20.0/24, Next Hop (Gateway) is 192.168.1.1

Dynamic Routing

Dynamic Routing Tips:
- To establish Dynamic Routing, both ends must be able to reach the interface they are trying to peer with.
- Point-to-Point links are no issue, since the opposite interface is on the same directly connected subnet.
- For Multi-Hop links such as MPLS, routes to the peering interfaces must be established first before Dynamic Routing can be established.

Common Cause of Inconsistency

Dynamic Routing on a Multi-Hop Link
Peering Interfaces: 192.168.1.1 on the Firebox and 192.168.5.253 on the XTM
Initially this Firebox does not know how to reach the remote peering interface; we need to let it know how to get to 192.168.5.253:
- First, Static Route to 192.168.5.252/30, Next Hop (Gateway) is 192.168.1.2
- Then, Static Route to 192.168.5.252/30, Next Hop (Gateway) is 172.16.0.2
Similarly this XTM does not know how to reach the other remote peering interface; likewise it must know how to return to 192.168.1.1:
- First, Static Route to 192.168.1.0/30, Next Hop (Gateway) is 192.168.5.254
- Then, Static Route to 192.168.1.0/30, Next Hop (Gateway) is 172.16.0.1

Test if the Peering Interfaces are Reachable
- Use the Diagnostic Task to do an Extended Ping.
- This is an extended ping from the Firebox: Source address is 192.168.1.1 and Destination Address is 192.168.5.253.
- If both interfaces are reachable from the opposite ends, you are now ready to define your Dynamic Routing.
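The multi-hop slides above (static routes for the LAN subnets, static routes to the peering interfaces, and the extended ping check) can be verified on paper with a small forwarding simulator. This is an added example, not WatchGuard code: the router names R1/R2 and the .1 LAN addresses are assumed, while the link addresses and static routes are the ones on the slides. It walks a packet hop by hop with longest-prefix matching and shows that a single missing route on R2 breaks the return path, which is exactly what the extended ping would reveal.

```python
from ipaddress import ip_address, ip_interface, ip_network

# Topology Firebox -- R1 -- R2 -- XTM. Router names R1/R2 and the .1 LAN addresses
# are assumed; link addresses and routes are from the slides. Node = (interfaces, {prefix: next hop}).
NODES = {
    "Firebox": (["10.0.20.1/24", "192.168.1.1/30"],
                {"10.0.30.0/24": "192.168.1.2", "192.168.5.252/30": "192.168.1.2"}),
    "R1": (["192.168.1.2/30", "172.16.0.1/30"],
           {"10.0.30.0/24": "172.16.0.2", "192.168.5.252/30": "172.16.0.2",
            "10.0.20.0/24": "192.168.1.1"}),
    "R2": (["172.16.0.2/30", "192.168.5.254/30"],
           {"10.0.30.0/24": "192.168.5.253", "10.0.20.0/24": "172.16.0.1",
            "192.168.1.0/30": "172.16.0.1"}),
    "XTM": (["10.0.30.1/24", "192.168.5.253/30"],
            {"10.0.20.0/24": "192.168.5.254", "192.168.1.0/30": "192.168.5.254"}),
}

def owner(nodes, ip):
    """Name of the node holding ip on one of its interfaces, or None."""
    ip = ip_address(ip)
    for name, (ifaces, _) in nodes.items():
        if any(ip_interface(i).ip == ip for i in ifaces):
            return name
    return None

def next_hop(nodes, name, dst):
    """Forwarding decision at node name for dst: the next device's IP, or None (drop)."""
    (ifaces, routes), dst = nodes[name], ip_address(dst)
    if any(dst in ip_interface(i).network for i in ifaces):
        return dst                                       # directly connected subnet
    matches = [ip_network(p) for p in routes if dst in ip_network(p)]
    if not matches:
        return None                                      # no route: dropped here
    best = max(matches, key=lambda n: n.prefixlen)      # longest prefix match
    return ip_address(routes[str(best)])

def trace(nodes, src_ip, dst_ip, max_hops=8):
    """Nodes traversed from the owner of src_ip to the owner of dst_ip, or None."""
    path, target = [owner(nodes, src_ip)], owner(nodes, dst_ip)
    for _ in range(max_hops):
        here = path[-1]
        if here is not None and here == target:
            return path
        hop = next_hop(nodes, here, dst_ip) if here else None
        if hop is None:
            return None                                  # dropped: missing route
        path.append(owner(nodes, str(hop)))
    return None                                          # too many hops (loop)

def ping_ok(nodes, src_ip, dst_ip):
    """An extended ping needs both the forward and the return path to exist."""
    return trace(nodes, src_ip, dst_ip) is not None and trace(nodes, dst_ip, src_ip) is not None
```

Deleting the 192.168.1.0/30 route from R2 leaves the forward path intact but makes the return path fail, so ping_ok() returns False for the peering interfaces.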
Configure Dynamic Routing

Which Dynamic Routing Protocol to use?
- Open Shortest Path First (OSPF) is a Link-State Routing Protocol and is commonly used for Point-to-Point links.
- Border Gateway Protocol (BGP) and Routing Information Protocol (RIP) are examples of Distance-Vector Routing Protocols. RIP relies only on link cost, while BGP prioritizes preference over link cost.
- BGP is commonly used for multi-hop links.

Configure RIP (using Point-to-Point link)
Firebox and XTM

Configure RIP (using Point-to-Point link)
Manually add the RIP Policy.

Configure OSPF (using Point-to-Point link)
Firebox and XTM
The Passive Interface command means you are not going to listen to OSPF advertisements on this interface.

Configure OSPF (using Point-to-Point link)
Manually add the OSPF Policy.

Configure BGP (using Multi-Hop link)
Firebox and XTM
- Use a Private AS Number for Internal BGP; there is no need to register for a Public AS Number.
- No need to add a BGP Policy in Policy Manager.
Enhanced Net Failover
- Feature launched in XTM Version 11.3.1
- Routes internal traffic over the BOVPN when the internal link becomes unavailable
- Works only between Firebox or XTM devices on both ends
- Works in conjunction with Static Routing or Dynamic Routing
- The internal link can be a simple Leased Line (or Fiber Optic) or connectivity through an MPLS Network

Static Routing vs. Dynamic Routing

When used with Enhanced Net Failover:
Static Routing
- Advantage: Works in a FireCluster environment
- Disadvantage: Failover has to be triggered manually by removing the static routes on both ends
Dynamic Routing
- Advantage: Failover is triggered automatically
- Disadvantage: FireCluster does not support Dynamic Routing, therefore it does not work in such an environment

Enhanced Net Failover Requirements

This Feature Requires:
- BOVPN skills
- Firebox or XTM devices on both ends
- When used with Dynamic Routing, the device should be at least an XTM 2 Series
- Static or Dynamic Routing on the Firebox or XTM devices
- A spare interface for the Internal Routing on each end

Configure Branch Office VPN

Configure BOVPN
- Configure the BOVPN just like any regular BOVPN
- Go to VPN > VPN Settings…
- Ready to test Failover from the chosen routing protocol to BOVPN

Additional Tips
- Failover from Dynamic Routing to BOVPN takes about 150 seconds. (Hope this gets improved in future releases.)
- When using Static Routing, you must remove the static routes manually on both devices. This is because you can still reach the interface IP Address (e.g. with Ping) even if you unplug the cable. This forces the Firebox/XTM to keep routing the subnet, since it assumes that the next hop, which is on the same subnet as the interface IP Address, is still reachable.
- There are cases where you will need to add static routes for the target subnets on each side on multiple routers in between. Make sure your next hops point in the right direction.
- Most MPLS networks don't require static routes in between, especially if they use iBGP and redistribute routes into their Virtual Routing and Forwarding (VRF).
Public IP Address subnet behind XTM (DMZ with Public IP)

Public IP Address subnet behind XTM
The appropriate example of Mixed Routed Mode (Routing + NAT).
(Diagram: Internet – Router 202.80.78.1/30 – XTM 202.80.78.2/30, with the public subnet 206.197.101.0/24 and the private subnet 192.168.1.0/24 behind the XTM)
A Static Route must be present in the Router for subnet 206.197.101.0/24 with next hop 202.80.78.2.

Public IP Address subnet behind XTM – Policy
- NAT has no bearing on the inbound and outbound policies
- For inbound policies, the destination address is the IP address or Hostname of the target host or server
Tunnel Switching

Tunnel Switching Overview
- Traffic is passed from the trusted network of Remote Office A to the trusted network of Remote Office B without creating a third BOVPN tunnel between the two remote offices.
- Useful when you require control of network security at the Central Office.
- Policies can be applied to traffic between the two tunnels at the Central Office.

Tunnel Switching – Remote Office and Group
Central Office announces Remote A's subnet to Remote B as a Local Subnet on the Tunnel Routes, creating sort of a Group A.

Tunnel Switching – Remote Office and Group
Central Office announces Remote B's subnet to Remote A as a Local Subnet on the Tunnel Routes, creating sort of a Group B.

THANK YOU!
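The Tunnel Switching slides describe which tunnel routes the Central Office needs so that Remote A can reach Remote B through it. The following is an added example, not WatchGuard code: a simplified model of the Central Office's tunnel route selectors (local subnet / remote subnet per tunnel) with constructed subnets, showing that without the extra "local" announcements the Remote A to Remote B packet has no matching inbound selector and is dropped, and with them it is switched from the A tunnel to the B tunnel (the point where a Central Office policy can be applied).

```python
from ipaddress import ip_address, ip_network

# Constructed subnets (not from the slides): Central Office LAN, Remote A, Remote B.
CENTRAL, REMOTE_A, REMOTE_B = "10.0.0.0/24", "10.1.0.0/24", "10.2.0.0/24"

def central_tunnel_routes(switching):
    """Tunnel routes on the Central Office as (tunnel, local subnet, remote subnet)."""
    routes = [("to-A", CENTRAL, REMOTE_A), ("to-B", CENTRAL, REMOTE_B)]
    if switching:
        # Tunnel Switching: announce Remote B's subnet to A and Remote A's subnet to B
        # as *local* subnets, so each tunnel also carries traffic for the other site.
        routes += [("to-A", REMOTE_B, REMOTE_A), ("to-B", REMOTE_A, REMOTE_B)]
    return routes

def inbound_tunnel(routes, src, dst):
    """Tunnel that accepts a packet arriving at Central: src in remote, dst in local."""
    for name, local, remote in routes:
        if ip_address(src) in ip_network(remote) and ip_address(dst) in ip_network(local):
            return name
    return None

def outbound_tunnel(routes, src, dst):
    """Tunnel that carries a packet leaving Central: src in local, dst in remote."""
    for name, local, remote in routes:
        if ip_address(src) in ip_network(local) and ip_address(dst) in ip_network(remote):
            return name
    return None

def switched_path(src, dst, switching):
    """(inbound tunnel, outbound tunnel or "local") for src -> dst; None if dropped."""
    routes = central_tunnel_routes(switching)
    inbound = inbound_tunnel(routes, src, dst)
    if inbound is None:
        return None                      # no selector matches: dropped at the inbound tunnel
    if ip_address(dst) in ip_network(CENTRAL):
        return (inbound, "local")        # delivered to the Central Office LAN
    outbound = outbound_tunnel(routes, src, dst)
    return None if outbound is None else (inbound, outbound)
```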