Reference Manual for the ProSafe VPN Firewall 25 with 4 Gigabit LAN and Dual WAN Ports

Connecting the FVS124G to the Internet

4-17

202-10085-01, March 2005

•

Test Period—DNS query is sent periodically after every test period. The minimum test

period is 30 seconds.

•

Maximum Failures—The WAN interface is considered down after the configured number

of DNS queries have failed to elicit a DNS reply from the configured DNS server. The

minimum number of failed DNS queries is four. The rollover link is brought up after this.

The minimum time to roll over after the primary WAN interface fails is two minutes (i.e., 30

second minimum test period times a minimum of four tests).

2.

Once a rollover occurs, an alert will be generated (see

“Getting E-Mail Notifications of Event

Logs and Alerts” on page 6-30

). You should then get the failed WAN interface restored and

then force traffic back on the original primary WAN interface by reapplying the WAN Mode

menu shown in

Figure 4-6

.

Load Balancing (and Protocol Binding) Setup

Perform the following steps to configure the dual WAN ports for load balancing and protocol

binding on outbound traffic:

1.

Select Load Balancing on the screen shown in

Figure 4-6

to invoke the WAN Mode Load

Balancing screen shown in

Figure 4-7

.

Reference Manual for the ProSafe VPN Firewall 25 with 4 Gigabit LAN and Dual WAN Ports

4-18

Connecting the FVS124G to the Internet

202-10085-01, March 2005

Figure 4-7:

WAN Mode screen for load balancing and protocol binding

Fill out the screen using the following parameter definitions:

•

Detection of WAN failure—WAN failure is detected using DNS queries to the DNS

server. For each WAN interface, DNS queries are sent to the configured DNS server. If the

DNS replies are not received, the corresponding WAN interface is considered down.

–

ISP DNS Server—In this case, DNS queries are sent to the DNS server configured on

the WAN ISP pages (see

“Step 3: Configure the Internet Connections to Your ISPs

(Required)” on page 4-8

).

–

Public DNS Server—The user is also given an option to enter any Public DNS server.

DNS queries are sent to this server through the WAN interface being monitored.

Reference Manual for the ProSafe VPN Firewall 25 with 4 Gigabit LAN and Dual WAN Ports

Connecting the FVS124G to the Internet

4-19

202-10085-01, March 2005

•

Test Period—DNS query is sent periodically after every test period. The minimum test

period is 30 seconds.

•

Maximum Failures—The WAN interface is considered down after the configured number

of DNS queries have failed to elicit a DNS reply from the configured DNS server. The

minimum number of failed DNS queries is four.

The minimum time for a WAN interface to be classified as having failed is two minutes (i.e.,

30 second minimum test period times a minimum of four tests). All traffic then stops on that

WAN port. Traffic that is not bound by protocol to the failed WAN port is then sent to the

working WAN port. If the total traffic on the working WAN port exceeds its bandwidth, then

congestion occurs.

Once a WAN interface fails, an alert will be generated (see

“Getting E-Mail Notifications of

Event Logs and Alerts” on page 6-30

). You must then get the failed WAN interface restored

before it can carry traffic again by reapplying the WAN Mode menu shown in

Figure 4-10

.

2.

Click

Add

in the appropriate WAN interface section of the WAN Mode Load Balancing screen

to invoke the WAN Mode Protocol Bonding screen (if protocol binding is needed). Fill out the

screen using the following parameter definitions:

•

Service—Select the desired Services or applications to be covered by this rule. If the

desired service or application does not appear in the list, you must define it using the

Services menu (see

“Services-Based Rules” on page 6-4

).

•

Source Network—These settings determine which computers on your network are

affected by this rule. Select the desired options:

–

Any—All PCs and devices on your LAN.

–

Single address—Enter the required address and the rule will be applied to that

particular PC.

–

Address range —If this option is selected, you must enter the start and finish fields.

–

Groups—Select the Group you wish this rule to apply to. You can use the Network

Database screen to assign PCs to Groups.

•

Destination Network—These settings determine which Internet locations are covered by

the rule, based on their IP address. Select the desired option:

–

Any—All Internet IP address are covered by this rule.

–

Single address—Enter the required address in the start fields.

–

Address range—If this option is selected, you must enter the start and finish fields.

Reference Manual for the ProSafe VPN Firewall 25 with 4 Gigabit LAN and Dual WAN Ports

4-20

Connecting the FVS124G to the Internet

202-10085-01, March 2005

Step 5: Configure Dynamic DNS (If Needed)

If your network has a permanently assigned IP address, you can register a domain name and have

that name linked with your IP address by public Domain Name Servers (DNS). However, if your

Internet account uses a dynamically assigned IP address, you will not know in advance what your

IP address will be, and the address can change frequently. In this case, you can use a commercial

dynamic DNS service, which allows you to register an extension to its domain, and restores DNS

requests for the resulting FQDN to your frequently-changing IP address.

which will allow you to register your domain to their IP address, and will forward traffic directed

to your domain to your frequently-changing IP address.

•

For rollover mode, you are going to need a fully qualified domain name to implement features

such as exposed hosts and virtual private networks regardless of whether you have a fixed or

dynamic IP address.

•

For load balancing mode, you may still need a fully qualified domain name either for

convenience or if you have a dynamic IP address.

The firewall contains a client that can connect to a dynamic DNS service provider. To use this

feature, you must select a service provider and obtain an account with them. After you have

configured your account information in the firewall, whenever your ISP-assigned IP address

changes, your firewall will automatically contact your dynamic DNS service provider, log in to

your account, and register your new IP address.

Perform the following steps to configure Dynamic DNS:

1.

If you haven’t already, log in to the firewall at its default LAN address of

with its default user name of

admin

, default password of

password

, or using whatever

password and LAN address you have chosen for the firewall.

2.

From the Main Menu of the browser interface, under WAN Setup, click on Dynamic DNS.

a.

Rollover Mode

: You will get the screen shown in

Figure 4-8

with

AUTO_ROLLOVER

shown in the pulldown.

b.

Load Balancing Mode

: Select

WAN1

or

WAN2

in the pulldown shown in

Figure 4-8

to

invoke the appropriate WAN interface to program.

Reference Manual for the ProSafe VPN Firewall 25 with 4 Gigabit LAN and Dual WAN Ports

Connecting the FVS124G to the Internet

4-21

202-10085-01, March 2005

Figure 4-8:

Dynamic DNS screens

Dynamic DNS screen for rollover mode

Dynamic DNS screens for load balancing mode