Gateway Groups

Gateway groups are a set of gateways, but are treated as one entity in gateway fields of the GUI. Groups will appear in the gateway drop-downs available on, for example, firewall rule editing.

Gateway groups are managed from the Groups tab on System > Routing.

Gateway Group Options

When creating a gateway group, the following options are available:

Group Name

The name of this gateway group. The name must be less than 32 characters in length, and may only contain letters a-z, digits 0-9, and an underscore. This will be the name used to refer to this gateway group in the Gateway field in firewall rules. This field is required.

Gateway Priority

This list contains every gateway on the firewall to select which gateways will be a part of this group. The GUI will filter the list address family after the first selection.


The priority level for this gateway. The value may be from 1-5 or Never to exclude the gateway from this group.

Lower values are higher priority. For example, gateways on Tier 1 are used before gateways on Tier 2, and so on.

Gateways on the same tier are used by the firewall for load balancing when possible. Load balancing naturally performs failover as failed gateways are removed from the pool available for load balancing.

Gateways on different tiers result in failover from gateways on lower tiers to those higher tiers. For example, if Tier 1 contains only one gateway and it fails, then the next tier (Tier 2) is checked for available gateways and the firewall uses those instead, and so on.


Some firewall features which support gateway groups only support failover, not load balancing. For example, when using a gateway group for the default gateway or as a VPN endpoint, each gateway must be on a separate tier.

Virtual IP

When using a gateway group for failover in certain contexts which require binding a specific address, such as IPsec, this option controls which address on an interface is used for that purpose. For example, in an HA pair this could be a CARP VIP used as an endpoint for IPsec tunnels.

Leave it set to the default Interface Address when a specific address is not required by any use of the gateway group.

Keep Failover States

Controls the state-killing behavior for the gateway group when configured for failover. This behavior takes effect when a higher-priority gateway returns to an online state. Only affects states created by policy routing rules. This option overrides the global behavior (see Gateway Monitoring).

Keep states on gateway recovery

Policy routing states are unaffected when a higher-priority gateway returns to an online state. Connections established on failover gateways will remain on those gateways until reconnected.

Kill states on gateway recovery

States created by policy routing rules using this gateway group are killed when a higher-priority gateway returns to an online state. This option does not affect traffic from the firewall itself.

Trigger Level

Configures how the firewall manages the gateway group entries when certain types of gateway events occur.

Member Down

Marks the gateway as down only when it is completely down, past one or both of the higher thresholds configured for the gateway. This catches the worst sort of failures, when the gateway is completely unresponsive, but may miss more subtle issues with the circuit that can make it unusable long before the gateway reaches that level.

Packet Loss

Marks the gateway as down when packet loss crosses the lower alert threshold (See Advanced Gateway Settings).

High Latency

Marks the gateway as down when latency crosses the lower alert threshold (See Advanced Gateway Settings).

Packet Loss or High Latency

Marks the gateway as down for either type of alert.


Text describing the purpose of this gateway group.

Tier Priority Example


  • WANGW: Tier1

  • OPT1GW: Tier2

  • OPT3GW: Tier3

In the example above OPT1GW would be used if WANGW fails, OPT3GW will be used if both WANGW and OPT1GW fail.

Connection-Based Round-Robin Load Balancing Example


  • WANGW: Tier1

  • OPT1GW: Tier1

  • OPT3GW: Tier1

In the example above all gateways have the same Tier value. When this group is used by a firewall rule, connections matching that rule will perform connection-based round-robin load balancing between all of the gateways.


If any of the gateways fail, they are automatically removed from active usage in the group, effectively resulting in failover in addition to load balancing.