WAN Failover

From Edge Threat Management Wiki - Arista

About WAN Failover

WAN Failover works in conjunction with multiple ISPs to ensure that you maintain Internet connectivity if a loss of connectivity occurs on one of your WAN connections. If one of your ISP links goes down, WAN Failover will automatically route all traffic over the other WAN(s) until service is restored.

You may also want to consider using WAN Balancer in your network - it maintains an automatic distribution of traffic over multiple WAN links rather than just failing over if one goes down.

Tests are configured for each WAN and run continuously to determine the current status of each interface. If enough tests fail on a given WAN to exceed the failure threshold, the WAN is considered down and internet-bound traffic will not go out that WAN. The lowest-ID active WAN is used as the current default WAN interface for internet-bound traffic.


This section reviews the different settings and configuration options available for WAN Failover.


The Status tab presents an overview of the WANs and the current test results.

  • Interface ID: The number of the interface.
  • Interface Name: The name of the interface in the NG Firewall GUI.
  • System Name: The name of the interface as seen by NG Firewall.
  • Online Status: True or False, depending on whether the WAN is online.
  • Current Tests Count: The total number of tests run on that interface.
  • Tests Passed: The total number of tests run on that interface that passed.
  • Tests Failed: The total number of tests run on that interface that failed.


WAN Failover must have tests set up for every WAN interface; these tests are set up on the Tests tab. Just click Add, select your interface and test type, then run the test - if it passes, go ahead and save it.

Tests are how WAN Failover determines whether a given WAN interface is up or down, so it is important to pick tests that correlate with the status of that WAN connection. For example, pinging an ISP router is generally a good test because it will usually fail when the ISP is down but work when connectivity is good. Pinging a public site like google.com may work, but may sometimes have false positives or false negatives. Pinging the gateway may also work, but may sometimes provide false positives when the gateway is reachable but the ISP itself is offline.

The options are as follows:

  • Interface: The interface you want to set up a test for.
  • Description: A description for this test.
  • Testing Interval: Determines how often (in seconds) your specified test will be executed.
  • Timeout: The maximum amount of time that may pass without receiving a response to your test. This value should be less than the Testing Interval. You should make sure that you allow for enough time to pass if you have a poor connection to the internet, or a connection that often has long latency (delays) associated with it.
  • Failure Threshold: How many failures are acceptable during the testing period.
  • Test Type: The specific method you will use to determine whether failover will be initiated. Test Types are explained below.
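
The decision rule described above (failures compared against the Failure Threshold, with the lowest-ID online WAN used as the default), as an added example that is not NG Firewall's own code. The 10-result window, the class and function names, and the outage scenario are assumptions made for illustration; the simulation also shows why a gateway-only test can miss an upstream ISP outage.

```python
from collections import deque
from dataclasses import dataclass, field

# Assumption: number of recent results kept per WAN (the page gives no value).
WINDOW = 10


@dataclass
class Wan:
    interface_id: int
    name: str
    failure_threshold: int  # the "Failure Threshold" option on the Tests tab
    results: deque = field(default_factory=lambda: deque(maxlen=WINDOW))

    def record(self, passed: bool) -> None:
        self.results.append(passed)

    @property
    def failed(self) -> int:
        return sum(1 for r in self.results if not r)

    @property
    def online(self) -> bool:
        # The WAN is down only once failures exceed the threshold.
        return self.failed <= self.failure_threshold


def default_wan(wans):
    """Return the lowest-ID online WAN, or None if every WAN is down."""
    online = [w for w in wans if w.online]
    return min(online, key=lambda w: w.interface_id) if online else None


def simulate(target: str):
    """Constructed scenario: the ISP behind WAN 1 goes dark at tick 5,
    while the local gateway on that link keeps answering."""
    wan1 = Wan(1, "External", failure_threshold=3)
    wan2 = Wan(2, "Backup", failure_threshold=3)
    timeline = []
    for tick in range(12):
        isp_up = tick < 5
        # A gateway test proves only the first hop; an ISP-router test crosses the link.
        wan1.record(True if target == "gateway" else isp_up)
        wan2.record(True)
        timeline.append(default_wan([wan1, wan2]).interface_id)
    return timeline


if __name__ == "__main__":
    print("isp_router:", simulate("isp_router"))
    print("gateway:   ", simulate("gateway"))
```

With the ISP-router target, traffic moves to WAN 2 on the fourth consecutive failure; with the gateway target it never moves, even though WAN 1 has no upstream connectivity.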

Note on DNS tests:

Warning: DNS tests use all the DNS entries in the Interface WAN settings. If the DNS entries are only available on a specific WAN (for example, ISP DNS servers reachable only from that ISP's network), then routes must be configured for those DNS servers. Otherwise some DNS tests will fail because the DNS server is not reachable over a non-ISP WAN, making NG Firewall falsely see the WAN as down.


The Reports tab provides a view of all reports and events for all traffic handled by WAN Failover.


This application's reports can be accessed via the Reports tab at the top or the Reports tab within the settings. All pre-defined reports will be listed along with any custom reports that have been created.

Reports can be searched and further defined using the time selectors and the Conditions window at the bottom of the page. The data used in the report can be obtained on the Current Data window on the right.


WAN Failover FAQs

I installed and configured WAN Failover, but nothing is happening. What should I do?

Make sure each ISP's interface has "is WAN Interface?" checked at Config > Networking > Interfaces and has all of the required information properly entered. You'll also need to verify WAN Failover has tests set up for each WAN connection. If you're only using WAN Failover, you'll need to disconnect your primary WAN to get traffic to flow over the secondary. If you're using WAN Balancer, make sure your weights are set properly.

What tests should I use for Failover?

This is really up to you. NG Firewall provides four test methods - in each case, it sends out data packets and decides if the WAN is up or down depending on your specified Testing Interval, Timeout and Failure Threshold settings:

  • Ping Test: ping the specified IP address.
  • ARP Test: ARP for its gateway.
  • DNS Test: make a request to the upstream DNS server.
  • HTTP Test: make a connection to the specified domain name.

Is a ping test better than the HTTP test?

Yes and no - ping tests are simpler and more straightforward than the HTTP test, but some network operators block ping requests. In both cases, you should select IP addresses that are external to your network but relatively close to you. As the number of network hops increases, the chances of encountering a bad or slow link increase. When that happens, NG Firewall may interpret it as a network problem and report one of your WAN connections as failing.

I only have one internet connection. Why would I want WAN Failover?

With a single WAN connection, it's obvious that you have no alternative if your internet connection fails. You can still monitor the uptime of your ISP with WAN Failover by defining a rule that will log service interruptions. If downtime is hurting you financially, WAN Failover can help you document it rather inexpensively.