Skip to content



The Multi-WAN feature of the Crystal Eye XDR supports both ISP failover and network load balancing. These extended capabilities ensure mission-critical operations proceed during a ISP disruption enabling organizations to comply with ISO 27002:2022 frameworks control “8.14 Redundancy of Information Processing Facilities”.

Implementing automatic multi-wan failover and load balancing for mission critical systems and applications at a network level involves introducing a robust network segmentation strategy. This is recommended due to the multi-wan applications capability to implement both load balancing and failover controls on various network traffic types using Policy Based Routing (PBR) rules. Having these configurations in place helps in introducing failover and load-balancing controls throughout various network zones based on explicit business requirements. Learn how network segmentation can be achieved using the CE XDR. Explore Crystal Eye XDRs default and custom security zones.

One such explicit requirement could be not having VoIP traffic load-balanced due to the real-time nature of its traffic (as a thumb rule, it is recommended to configure the CE XDR to have the VoIP traffic go through a single link). However, other non-real time traffic can be load-balanced.

Implementation of multi-wan application features based on the nature of the network traffic through PBR rules thus makes it possible to effectively deploy a robust business continuity strategy.


The Multi-WAN application is not available by default. It can be installed from Marketplace in the left-hand navigation panel.

Video Resources

Go to Network Control > Routing > Multi-WAN crystal-eye-xdr-navigation-multiwan

Multi-WAN Configuration & Implementation

The ability of the multi-wan application to enforce load balancing and failover with Policy Based Routing (PBR) rules makes it even more important to ensure that a robust network segmentation strategy is implemented.


Learn how the Network Settings app features and Security Zones module of the Crystal Eye XDR can be used to implement network segmentation and network segregation.

Once the network is segmented and segregated as per the business operation requirements, multi-wan profiles can be created for both failover and load-balancing.

These profiles can then be assigned to Policy Based Routing (PBR) rules that can route the traffic based on the source subnet or security zone.


Multi-WAN Failover

Multi-WAN Failover profiles are assigned to the network traffic where ISP redundancy is a critical requirement. In such scenarios, when primary internet service provider is down the entire network traffic is routed to the secondary internet service provider.

In Failover mode, user can choose the priority of each outgoing link. The link with low priority will be the acting primary link for the traffic. When it goes down, the second link will take over.


As per the nature of the network traffic and network requirements the CE XDR administrator can choose one link as primary for certain traffic and the second link as primary for others.

How to configure multi-wan failover for a particular network traffic in the CE XDR network?

Let’s understand multi-wan failover configuration feature through the following scenario.

ABC Ltd is a leading Business Process Outsourcing (BPO) unit having multiple customer service departments. These business verticals are heavily dependent on its VoIP phones services mostly used by the customer service representatives and supervisors. Given the influx in business operations there is a growing need to introduce ISP redundancy strategies. After reassessing the past incidents which involved a major disruption of the business-critical VoIP services due to ISP link failure, the company is vehemently determined to have its PBX servers (which operates the VoIP services) and CCTV controllers covered by the multi-wan failover feature of the Crystal Eye XDR.

The Crystal Eye series 30 model is deployed in the network to ensure that the business operations particularly the VoIP services and the CCTVs run smoothly without ISP disruptions by turning on the Multi-WAN failover mode.

Network Topology of ABC Ltd

The PBX Servers (for VoIP services) and the CCTV controller is connected to LAN 2 interface with the IP address This interface is assigned with a custom security zone named ‘voip_cctv_zone’.


Step 1: Ensure that both your physical WAN Ports show green light in the back panel of the CE XDR.

Step 2: Go to Network Control > Infrastructure > Network Settings and ensure the following:

  • Both WAN1 and WAN2 are enabled

  • Both WAN1 and WAN2 are green

  • Create a custom zone ‘voip_cctv’ and then assign it to LAN2 interface. Learn how to create a custom zone here.



After you have created the custom zone ‘voip_cctv_zone’ in the Security Zone module of the Advanced Firewall application, go to Network Settings application and click the Edit button next to LAN2 in the screenshot above and select the custom security zone ‘voip_cctv_zone’ from the Zone dropdown. The screenshot below shows where exactly custom security zone ‘voip_cctv_zone’ can be tagged to the LAN2 interface. crystal-eye-xdr-multiwan-failover-scenario10

Step 3: Go to Network Control > Routing > Multi-WAN and click the Add Profile button.


Step 4: Enter the Profile Name as ‘failover1’, enter the Description, and select Failover from the Mode dropdown.


Step 5: Click the Add Member button to set the failover priority for WAN interfaces and then click the Add button. In our scenario, we have two WAN interfaces. Please note that, user can choose the priority of each outgoing link. The link with low priority will be the acting primary for the traffic. In the screenshot below WAN1 is given priority 1 and WAN 2 is given priority 2. Henceforth, WAN 1 will act as a primary link and WAN2 will be the secondary link.


Step 6: You will now be directed to the Multi-WAN profile dashboard where you will be able to see the failover profile created above.


We have now successfully created a Multi-WAN failover profile. As per our scenario, multi-WAN failover is required to provide ISP redundancy to the PBX servers and the CCTV Controllers in LAN2 interface which has a custom zone (voip_cctv_zone) assigned to it.

Let’s create a Policy Based Routing (PBR) Rule and assign the multi-wan failover profile to it.

Step 7: Go to Security Configuration > Advance Firewall application > Traffic Rules and click the Traffic Rules tab.


Step 8: You will now see the Add New Traffic Rule pop-up. Enter the following

  1. Description: failover1
  2. Protocol: Any
  3. Source Zone: voip_cctv zone (This is the custom zone that we created in step 2)
  4. Destination Zone: WAN Zone
  5. Action: multi-wan > failover1 profile (failover 1 is the profile that we created in Step 4, Step 5 and Step 6)


You will now see the policy-based routing (PBR) rule in the traffic rules dashboard. crystal-eye-xdr-multiwan-failover-scenario9

Multi-WAN Load Balancing

Multi-WAN Load Balancing feature of the Crystal Eye XDR provides the capability to balance outgoing traffic across multiple WAN links using Policy Based Routing (PBR) rules. Multi-WAN load balancing profiles are created and then assigned to specific outgoing traffic to increase throughput and ensure redundancy.

How to configure multi-wan load balancing for outgoing network traffic in the CE XDR network?

Let’s learn how the multi-wan load balancing feature can be deployed in a network with the help of a scenario where we have WAN1 ISP link with 3Gbps speed and WAN2 ISP Link with 1Gbps speed.


Please consider the scenario below as an extension of the failover features discussed in the Muti-WAN Failover section.

After the Multi-WAN failover features has been successfully implemented by ABC Ltd, the infrastructure team has now decided to implement load balancing on the rest of the outgoing traffic.

The overall network has been divided into 4 network security zones namely, voip_cctv zone, customer_service zone, sales_forecast zone, and hr_dept zone. These network security zones have been segregated based on the organizational departments.


Know how to create security zones in the Crystal Eye network here.

The PBX server and cctv controller is deployed in voip_cctv zone which has already been aligned with the multi-wan failover profile. The outgoing traffic from network security zones such as customer_service zone, sales_forecast zone, and hr_dept zone will now be load balanced in the ratio of 80:20. Here, 80% of the outgoing traffic will be routed from the WAN1 link (which has a speed of 3Gbps) and 20% outgoing traffic will be routed from the WAN2 link (which has a speed of 1 Gbps).

Network Topology:


To execute the above-mentioned scenario, we will first create a multi-wan load balancing profile and assign 80% weightage to WAN 1 interface and 20% weightage to WAN 2 interface.

We will then assign this profile to the outgoing network traffic of the following network security zones.

  1. customer_service zone

  2. sales_forecast zone, and

  3. hr_dept zone.

Step 1: Go to Network Control > Routing > Multi-WAN


Step 2: You will be directed to the Multi-wan app page. Click the Add Profile button in the Multi-WAN section.


Step 3: You will be directed to the Add Profile page. Enter and select the following.

  • Profile Name: loadbalance (You may give a profile name of your choice)
  • Description: loadbalance (You may give a profile description of your choice)
  • Mode: select ‘Load Balance’.


Step 4: Click the Add Member button. Select WAN1 from the Interface dropdown and enter 80% as the traffic weightage.


Step 5: Now re-click the Add Member button. Select WAN2 from the Interface dropdown, enter 20% weightage for the traffic and click the Add button.



You will now see the load balancing profile in the Multi-WAN profiles dashboard. crystal-eye-xdr-multiwan-loadbalancing-scenario7

We have now successfully created a Multi-WAN load balancing profile. As per our scenario, we need to load balance the outgoing traffic originating from customer_service zone, sales_forecast zone, and hr_dept zone such that 80% of the traffic is routed through WAN1 and the remaining 20% traffic is routed through WAN2.

Let’s create a Policy Based Routing (PBR) Rule using the traffic rules feature of the Advanced Firewall application and assign the multi-wan failover profile to it.

Step 6: Go to Security Configuration > Advanced Firewall application > click the Traffic Rules tab > Click the Add button.


Step 7: You will see Add New Traffic Rule pop-up. Enter and select the following

  • Enter the Description: networkloadbalance (you may choose a suitable description as per your requirements)
  • Select the Protocol: Any
  • Select the Source Zones: customer_service zone, sales_forecast zone, and hr_dept zone (Create these custom security zones using the Advanced Firewall app. Learn how to create custom security zones here. Once you create these custom security zones, they will appear in the source zones dropdown).
  • Select the Destination Zones: WAN Zone (This is a default security zone and will appear in the destination zone dropdown)
  • Select the Target: MULTIWAN
  • Select Multiwan Profile: failover1 (This the profile that we created in Step 2, Step 3, Step 4, Step 5)



You will now see the PBR rule added to the Traffic Rule dashboard of the Advanced Firewall application. crystal-eye-xdr-multiwan-loadbalancing-scenario10