Add a failover group

A failover group is a sequence of IPsec connections. If the primary connection fails, the next active connection in the group automatically takes over.

During a connection failure, the firewall checks the health of the primary connection every 60 seconds. When the primary connection is restored, the secondary connection falls back to its original position in the group.

Members of a failover group:

  • A connection can only be a member of one group.
  • Only active connections participate in failover.
  • You can't delete connections when they're part of a failover group.
  • Remote access connections can't be part of a failover group.

How connections and settings work:

  • Established connections disconnect when you add them to a failover group.
  • Once a connection is added to a failover group, dead peer detection is turned off, and key negotiation tries are set to 3 in the corresponding IPsec policy. XG Firewall uses the failover condition to check if the remote network is available.
  • Once a connection is removed from the group, XG Firewall uses the dead peer detection and key negotiation tries specified in the corresponding policy.

To add a failover group, do as follows:

  1. Go to VPN > IPsec connections.
  2. Scroll to Failover group and click Add.
  3. Enter a name.
  4. Select at least two connections.
    If the primary connection fails, the next active connection in the group automatically takes over.
    Note: The IP address of the remote ID must be the same for all connections in the group.
  5. Optional: Select Mail notification to receive connection failure notifications.
  6. Optional: Select Automatic failback to automatically fail back to the primary IPsec connection when it's restored.
  7. Specify the failover condition.

    The firewall considers a connection as failed when the failover condition is met. Depending on your selection, you must allow access to one of the following on both firewalls:

    • Ping: Allow Ping/Ping6 over the WAN zone on Administration > Device access.
    • TCP port 22: Allow SSH over the VPN zone on Administration > Device access. For security reasons, we don't recommend allowing SSH access over the WAN zone.
    • TCP over other ports: Create a firewall rule to allow incoming and outgoing packets.
  8. Click Save.

Click the status button to activate the group and establish the primary connection.
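The selection behaviour described above (ordered group, only active members participate, the next active connection takes over on failure, optional automatic failback once the primary passes the failover condition again) can be modelled as a small state machine. The following is an added illustration and not XG Firewall code; the firewall's own implementation is not published on this page. It assumes that each call to `evaluate()` corresponds to one health-check round (the firewall runs one every 60 seconds), that a probe result is a plain boolean where `True` means the failover condition was not met, and that when the current connection fails the next healthy active member after it in the sequence takes over, wrapping to the front if none follows. The `tcp_probe` helper shows the "TCP over other ports" condition as a plain connect attempt.

```python
"""Model of IPsec failover-group selection (added example, not XG Firewall code).

Assumptions (not stated on the page): one evaluate() call per health-check round;
probe[name] is True when the failover condition is NOT met for that connection;
on failure the next healthy active member in sequence takes over, wrapping to
the front of the group if no later member is healthy.
"""

import socket
from dataclasses import dataclass, field
from typing import Dict, List, Optional


@dataclass
class Connection:
    name: str
    active: bool = True  # only active connections participate in failover


@dataclass
class FailoverGroup:
    connections: List[Connection]  # ordered: the first entry is the primary
    automatic_failback: bool = True
    current: Optional[str] = None
    events: List[str] = field(default_factory=list)

    def __post_init__(self) -> None:
        if len(self.connections) < 2:
            raise ValueError("a failover group needs at least two connections")
        names = [c.name for c in self.connections]
        if len(set(names)) != len(names):
            raise ValueError("a connection may appear in the group only once")

    def members(self) -> List[str]:
        """Names of the connections that take part in failover, in group order."""
        return [c.name for c in self.connections if c.active]

    def evaluate(self, probe: Dict[str, bool]) -> Optional[str]:
        """One health-check round; returns the connection that should carry traffic."""
        members = self.members()
        healthy = [n for n in members if probe.get(n, False)]
        if not healthy:
            self._switch(None, "no active connection passes the failover condition")
            return None
        current_ok = self.current in members and probe.get(self.current, False)
        if not current_ok:
            # Current connection failed (or none yet): take the next healthy
            # member after it in sequence, wrapping to the front (assumption).
            start = members.index(self.current) + 1 if self.current in members else 0
            ordered = members[start:] + members[:start]
            nxt = next(n for n in ordered if n in healthy)
            self._switch(nxt, "initial" if self.current is None else "failover")
        elif self.automatic_failback and healthy[0] != self.current:
            # A higher-priority connection passes the check again: fall back to it.
            self._switch(healthy[0], "automatic failback")
        return self.current

    def _switch(self, target: Optional[str], reason: str) -> None:
        if target != self.current:
            self.events.append(f"{self.current} -> {target} ({reason})")
            self.current = target


def tcp_probe(host: str, port: int, timeout: float = 3.0) -> bool:
    """'TCP over other ports' failover condition: True if the peer accepts a connection."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


if __name__ == "__main__":
    # Constructed scenario: primary drops for one round, then recovers.
    group = FailoverGroup([Connection("primary"), Connection("secondary")])
    for probe in ({"primary": True, "secondary": True},
                  {"primary": False, "secondary": True},
                  {"primary": True, "secondary": True}):
        print(group.evaluate(probe))
    print(group.events)
```

With automatic failback enabled the sequence above ends on `primary`; with it disabled the group stays on `secondary` until that connection itself fails, which is the distinction step 6 of the procedure controls.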