Version: 6.0 and higher
Two firewall interfaces are configured in the untrust zone, one for each internet service provider: ethernet0/0 and ethernet0/1.
You can set up a second internet service as a backup line that takes over when the primary line fails. This uses the interface backup and track-ip features of ScreenOS 6, which perform the failover automatically during an outage. This example assumes that ethernet0/0 is the current primary interface and ethernet0/1 is the new service interface.
Set up the new service interface
Add the IP address and untrust zone to ethernet0/1, or set up DHCP on this interface for the new carrier.
If this is a static configuration, add the second default route to the carrier-provided address out ethernet0/1. With DHCP this route is added automatically.
Establish the backup and primary interfaces.
Select Primary interface ethernet0/0
Select Backup interface ethernet0/1
set interface ethernet0/0 backup interface ethernet0/1 type track-ip
Set up track-ip monitoring to detect failure
Create the track-ip on interface ethernet0/0. This is an internet IP address; when the interface can no longer ping it, the interface is considered down. A good choice is the service provider DNS server for this line.
Select enable track-ip
Hit Add Monitor track ip
Enter ip address to ping (Carrier DNS)
set interface ethernet0/0 monitor track-ip ip
set interface ethernet0/0 monitor track-ip ip 184.108.40.206
Look at the interface list and observe that the primary line is up and the backup interface is down. Disconnect the primary interface cable and observe the change in status on the interfaces.
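An added example, not part of the original article or the vendor documentation: a Python check that reads a saved ScreenOS configuration and reports which pieces of the failover setup described above are missing. The sample configuration, its addresses and the function name audit_failover are constructed for illustration, and the zone, route and DHCP client lines are assumed to appear in the saved configuration in the form shown.

```python
import re

# Constructed sample of a saved config; addresses are documentation-range placeholders.
SAMPLE = """\
set interface "ethernet0/0" zone "Untrust"
set interface "ethernet0/1" zone "Untrust"
set interface ethernet0/1 ip 198.51.100.2/30
set route 0.0.0.0/0 interface ethernet0/1 gateway 198.51.100.1
set interface ethernet0/0 backup interface ethernet0/1 type track-ip
set interface ethernet0/0 monitor track-ip ip
set interface ethernet0/0 monitor track-ip ip 192.0.2.53
"""

def audit_failover(config):
    """Return a list of problems in the backup-interface / track-ip setup."""
    # Saved configs may quote names; strip quotes so both forms compare equal.
    lines = [l.replace('"', "").strip() for l in config.splitlines()]
    pair = None
    for l in lines:
        m = re.fullmatch(r"set interface (\S+) backup interface (\S+) type (\S+)", l)
        if m:
            pair = m.groups()
    if pair is None:
        return ["no backup interface defined"]
    pri, bak, kind = pair
    problems = []
    if kind != "track-ip":
        problems.append(f"backup type is {kind}, not track-ip")
    # Assumption: the bare 'monitor track-ip ip' line is the enable step,
    # following the order of the commands on the page.
    mon = f"set interface {pri} monitor track-ip ip"
    if mon not in lines:
        problems.append(f"track-ip not enabled on {pri}")
    if not any(l.startswith(mon + " ") for l in lines):
        problems.append(f"no track-ip target on {pri}: an outage is never detected")
    if not any(l.lower() == f"set interface {bak} zone untrust" for l in lines):
        problems.append(f"{bak} is not in the untrust zone")
    # Static setups need a second default route; with DHCP it is added automatically.
    static = any(l.startswith(f"set route 0.0.0.0/0 interface {bak} ") for l in lines)
    dhcp = f"set interface {bak} dhcp client enable" in lines
    if not (static or dhcp):
        problems.append(f"no default route or DHCP client on {bak}")
    return problems

if __name__ == "__main__":
    for problem in audit_failover(SAMPLE) or ["failover configuration looks complete"]:
        print(problem)
```

An empty result means every step of the procedure is present in the configuration; it does not replace the cable-pull test, which confirms that the tracked address is actually reachable and that traffic moves to the backup line.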
ScreenOS Concepts and Examples Guide
Volume 2 Fundamentals
Chapter 3 Interfaces
Configuring Backup Interfaces
Originally Posted May 22, 2011
Last Revised on May 22, 2011