Gateway Groups
A gateway group is a set of gateways that is treated as one entity in gateway fields of the GUI. Groups appear in the gateway drop-downs available when, for example, editing firewall rules.
Gateway groups are managed from the Groups tab on System > Routing.
Gateway Group Options
When creating a gateway group, the following options are available:
- Group Name
The name of this gateway group. The name must be less than 32 characters in length, and may only contain letters a-z, digits 0-9, and an underscore. This will be the name used to refer to this gateway group in the Gateway field in firewall rules. This field is required.
- Gateway Priority
This list contains every gateway on the firewall; use it to select which gateways will be a part of this group. The GUI will filter the list by address family after the first selection.
- Tier
The priority level for this gateway. The value may be from 1-5 or Never to exclude the gateway from this group.
Lower values are higher priority. For example, gateways on Tier 1 are used before gateways on Tier 2, and so on.
Gateways on the same tier are used by the firewall for load balancing when possible. Load balancing naturally performs failover as failed gateways are removed from the pool available for load balancing.
Gateways on different tiers result in failover from gateways on lower tiers to those on higher tiers. For example, if Tier 1 contains only one gateway and it fails, then the next tier (Tier 2) is checked for available gateways and the firewall uses those instead, and so on.
Warning
Some firewall features which support gateway groups only support failover, not load balancing. For example, when using a gateway group for the default gateway or as a VPN endpoint, each gateway must be on a separate tier.
- Virtual IP
When using a gateway group for failover in certain contexts which require binding a specific address, such as IPsec, this option controls which address on an interface is used for that purpose. For example, in an HA pair this could be a CARP VIP used as an endpoint for IPsec tunnels.
Leave it set to the default Interface Address when a specific address is not required by any use of the gateway group.
- Trigger Level
Configures how the firewall manages the gateway group entries when certain types of gateway events occur.
- Member Down
Marks the gateway as down only when it is completely down, past one or both of the higher thresholds configured for the gateway. This catches the worst sort of failures, when the gateway is completely unresponsive, but may miss more subtle issues with the circuit that can make it unusable long before the gateway reaches that level.
- Packet Loss
Marks the gateway as down when packet loss crosses the lower alert threshold (See Advanced Gateway Settings).
- High Latency
Marks the gateway as down when latency crosses the lower alert threshold (See Advanced Gateway Settings).
- Packet Loss or High Latency
Marks the gateway as down for either type of alert.
- Description
Text describing the purpose of this gateway group.
Tier Priority Example
Example:
WANGW: Tier1
OPT1GW: Tier2
OPT3GW: Tier3
In the example above, OPT1GW would be used if WANGW fails, and OPT3GW would be used if both WANGW and OPT1GW fail.
Connection-Based Round-Robin Load Balancing Example
Example:
WANGW: Tier1
OPT1GW: Tier1
OPT3GW: Tier1
In the example above all gateways have the same Tier value. When this group is used by a firewall rule, connections matching that rule will perform connection-based round-robin load balancing between all of the gateways.
Note
If any of the gateways fail, they are automatically removed from active usage in the group, effectively resulting in failover in addition to load balancing.
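The tier and Trigger Level rules described on this page, modelled as an added Python example (not pfSense code): it shows which gateways a group would use for a given trigger level, and checks whether a group is laid out for the failover-only uses named in the warning above. The `Gateway` fields, function names and sample state are assumptions made for illustration, as is the rule that a completely down gateway is excluded at every trigger level.

```python
from collections import namedtuple

# Constructed model; field names are assumptions, not pfSense identifiers.
# tier is 1-5, or None for "Never" (gateway excluded from the group).
Gateway = namedtuple("Gateway", "name tier down loss_alert latency_alert")

# Trigger Level -> predicate deciding whether a member counts as down.
# Assumption: a completely down gateway is excluded at every trigger level.
TRIGGERS = {
    "Member Down": lambda g: g.down,
    "Packet Loss": lambda g: g.down or g.loss_alert,
    "High Latency": lambda g: g.down or g.latency_alert,
    "Packet Loss or High Latency":
        lambda g: g.down or g.loss_alert or g.latency_alert,
}

def active_gateways(group, trigger):
    """Names of the gateways in use: all usable members of the
    lowest-numbered tier that still has one (same tier = load balancing)."""
    is_down = TRIGGERS[trigger]
    usable = [g for g in group if g.tier is not None and not is_down(g)]
    if not usable:
        return []
    best = min(g.tier for g in usable)
    return [g.name for g in usable if g.tier == best]

def failover_only_safe(group):
    """True when every member sits on its own tier, as required for a
    default gateway or VPN endpoint, which support failover only."""
    tiers = [g.tier for g in group if g.tier is not None]
    return len(tiers) == len(set(tiers))

# Constructed sample state: WANGW is up but lossy, OPT3GW is fully down.
GROUP = [
    Gateway("WANGW", 1, down=False, loss_alert=True, latency_alert=False),
    Gateway("OPT1GW", 2, down=False, loss_alert=False, latency_alert=False),
    Gateway("OPT3GW", 3, down=True, loss_alert=True, latency_alert=False),
]

if __name__ == "__main__":
    for trigger in TRIGGERS:
        print(f"{trigger:28} -> {active_gateways(GROUP, trigger)}")
    print("usable as default gateway:", failover_only_safe(GROUP))
```

With the sample state, Member Down keeps traffic on the lossy WANGW, while Packet Loss moves it to OPT1GW, which is the difference the Trigger Level descriptions point out.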