Network Planning for Multiple WAN Ports (IPv4 Only)
ProSafe Gigabit Quad WAN SSL VPN Firewall SRX5308
Overview of the Planning Process
The areas that require planning when you use a firewall that has multiple WAN ports such as
the VPN firewall include the following:
• Inbound traffic (port forwarding, port triggering)
• Outbound traffic (protocol binding)
• Virtual private networks (VPNs)
Two WAN ports can be configured on a mutually exclusive basis to do either of the following:
• Auto-rollover for increased reliability
• Load balance for outgoing traffic
These various types of traffic and auto-rollover or load balancing all interact to make the
planning process more challenging:
• Inbound traffic. Unrequested incoming traffic can be directed to a computer on your LAN
rather than being discarded. The mechanism for making the IP address public depends
on whether the dual WAN ports are configured for auto-rollover or load balancing.
• Virtual private networks. A virtual private network (VPN) tunnel provides a secure
communication channel either between two gateway VPN firewalls or between a remote
computer client and gateway VPN firewall. As a result, the IP address of at least one of
the tunnel endpoints needs to be known in advance in order for the other tunnel endpoint
to establish (or reestablish) the VPN tunnel.
Note: When the VPN firewall’s WAN port rolls over, the VPN tunnel closes
and needs to be reestablished using the new WAN IP address.
However, you can configure automatic IPSec VPN rollover to ensure
that an IPSec VPN tunnel is reestablished.
• Dual WAN ports in auto-rollover mode. Rollover for a VPN firewall with dual WAN ports
is different from a single WAN port gateway configuration when you specify the IP
address. Only one WAN port is active at a time, and when it rolls over, the IP address of
the active WAN port always changes. Therefore, the use of a fully qualified domain name
(FQDN) is always required, even when the IP address of each WAN port is fixed.
Figure 259.
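The following monitoring check is an added example, not part of the NETGEAR manual or firmware. It shows why a remote peer has to track the gateway by FQDN in auto-rollover mode and how to flag a DNS answer that is not one of the firewall's WAN ports. The host name, the addresses, and the assumption that the FQDN's DNS record is updated to the active port's address on rollover are all constructed for illustration.

```python
import socket
from typing import List, NamedTuple, Optional

# Constructed sample values (documentation address ranges), not from the manual.
GATEWAY_FQDN = "vpn-gw.example.net"
WAN_IPS = {"203.0.113.10", "198.51.100.10"}  # fixed IPs of the two WAN ports


class Result(NamedTuple):
    status: str              # ok | rollover | unexpected | ambiguous | unresolved
    peer_ip: Optional[str]   # address the tunnel should use now, if known


def resolve_ipv4(fqdn: str) -> List[str]:
    """Return the IPv4 addresses the name resolves to right now."""
    infos = socket.getaddrinfo(fqdn, None, socket.AF_INET, socket.SOCK_STREAM)
    return sorted({info[4][0] for info in infos})


def check_gateway(fqdn, wan_ips, last_peer_ip, resolver=resolve_ipv4) -> Result:
    """Compare the gateway's current DNS answer with the tunnel's peer address."""
    try:
        addrs = resolver(fqdn)
    except OSError:          # socket.gaierror is a subclass of OSError
        return Result("unresolved", None)
    if not addrs:
        return Result("unresolved", None)
    if any(a not in wan_ips for a in addrs):
        # Record points somewhere other than a known WAN port: stale or tampered.
        return Result("unexpected", None)
    if len(addrs) > 1:
        # In auto-rollover mode only one WAN port is active at a time.
        return Result("ambiguous", None)
    if addrs[0] == last_peer_ip:
        return Result("ok", addrs[0])
    # Active WAN port changed: the tunnel has to be reestablished to this address.
    return Result("rollover", addrs[0])


if __name__ == "__main__":
    # Offline demo: a constructed resolver stands in for DNS after a rollover.
    after_rollover = lambda name: ["198.51.100.10"]
    print(check_gateway(GATEWAY_FQDN, WAN_IPS, "203.0.113.10", after_rollover))
```

A peer pinned to 203.0.113.10 would keep retrying a port that is no longer active, even though both WAN addresses are fixed; the `rollover` result carries the address the tunnel has to be reestablished to.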