Looking for some clarification to see if my understanding is correct.
There are several distinct types of traffic in terms of applying kill switch:
(1) Traffic Intended for specific tunnels: This traffic is routed through VPN based on defined policies.
(2) Failover Traffic: This occurs when the intended tunnel is non-operational, and type (1) traffic becomes type (2).
(3) Traffic Not Intended for Any Tunnels: This traffic does not match any configured policies.
The tunnel level kill switch only affects type (2) failover traffic. If the tunnel level kill switch is on, this traffic is blocked. If it is off, the traffic exits through the WAN.
The global level kill switch only affects type (3) traffic. If the global kill switch is on, this traffic is blocked. If it is off, the traffic exits through the WAN.
Additionally, if a tunnel is administratively stopped, traffic that was previously classified as type (1) becomes type (3) traffic.
In Global Mode, there is only one tunnel and its associated kill switch; there is no global kill switch in this mode. So type (3) traffic can always go out to the WAN.
Any thoughts?
Hi
Your understanding is basically correct.
In Global Mode, traffic from all devices and all destination addresses matches the "Policy", so there is no Type (3) traffic.
When the intended tunnel is non-operational:
- If kill switch is on, then the traffic is blocked.
- If kill switch is off (Show Failover), then the traffic exits through the WAN.
Will, thank you for the correction. You are right.
Another thing I noticed: under Policy Mode, tunnel KS off, global KS on, when the tunnel is non-operational, I had expected the failover traffic to exit the WAN, given that the global KS is supposed to only manage type (3) traffic. When I tested this configuration, the failover traffic was actually blocked by the global KS.
In policy mode, traffic is matched based on priority.
- If traffic matches the policy of the first tunnel but the tunnel is still connecting or the connection fails:
  - With Kill Switch enabled → the traffic will be blocked.
  - With Kill Switch disabled → the traffic will be handed over to the next tunnel in the list.
This process continues sequentially until the final “All Other Traffic” rule:
- Enabled → traffic exits via the WAN.
- Disabled → traffic is blocked.
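To make the sequential matching above concrete, here is a small Python model of the decision procedure as Will describes it. This is an added example written for this thread, not the router's own firmware code; the tunnel names (wg0, ovpn0), the LAN addresses and the flow records are constructed, and the assumption that Global Mode is simply "one tunnel matching everything, with the final rule fixed to WAN" follows from the replies above rather than from any product documentation.

```python
from dataclasses import dataclass
from typing import Callable, Dict, List

# Constructed flow descriptor, e.g. {"src": "192.168.8.10", "dst": "example.com"}
Flow = Dict[str, str]


@dataclass
class Tunnel:
    name: str
    policy: Callable[[Flow], bool]  # which traffic this tunnel is intended for (type 1)
    connected: bool = True          # False while still connecting or after the connection failed
    kill_switch: bool = False       # tunnel-level kill switch
    enabled: bool = True            # False when the tunnel is administratively stopped


@dataclass
class VpnClient:
    tunnels: List[Tunnel]           # ordered by priority; first matching policy wins
    other_traffic_to_wan: bool      # "All Other Traffic" rule enabled (i.e. global kill switch off)


def by_src(ip: str) -> Callable[[Flow], bool]:
    return lambda f: f.get("src") == ip


def by_dst(host: str) -> Callable[[Flow], bool]:
    return lambda f: f.get("dst") == host


def route(client: VpnClient, flow: Flow) -> str:
    """Decide where one flow goes: 'tunnel:<name>', 'wan' or 'blocked'."""
    for t in client.tunnels:
        if not t.enabled:
            continue                 # stopped tunnel: its policy matches nothing (type 1 becomes type 3)
        if not t.policy(flow):
            continue                 # not intended for this tunnel, try the next one
        if t.connected:
            return f"tunnel:{t.name}"
        if t.kill_switch:
            return "blocked"         # intended tunnel is down and its kill switch is on
        # kill switch off: failover traffic is handed to the next tunnel in the list
    # The final "All Other Traffic" rule. Failover traffic that fell through every
    # tunnel lands here too, which is why a global kill switch blocks it.
    return "wan" if client.other_traffic_to_wan else "blocked"


def policy_mode(tunnel_connected: bool, tunnel_ks: bool, global_ks: bool) -> VpnClient:
    """Policy mode with one tunnel whose policy covers a single LAN device (constructed)."""
    return VpnClient(
        tunnels=[Tunnel("wg0", by_src("192.168.8.10"), tunnel_connected, tunnel_ks)],
        other_traffic_to_wan=not global_ks,
    )


def global_mode(tunnel_connected: bool, tunnel_ks: bool) -> VpnClient:
    """Global mode (assumed model): one tunnel matching every flow and no global
    kill switch, so a failed tunnel with kill switch off falls back to the WAN."""
    return VpnClient(
        tunnels=[Tunnel("ovpn0", lambda f: True, tunnel_connected, tunnel_ks)],
        other_traffic_to_wan=True,
    )


def two_tunnel_chain() -> VpnClient:
    """Priority list: wg0 (down, KS off) then ovpn0 (up), both covering the same device."""
    return VpnClient(
        tunnels=[
            Tunnel("wg0", by_src("192.168.8.10"), connected=False, kill_switch=False),
            Tunnel("ovpn0", by_src("192.168.8.10"), connected=True),
        ],
        other_traffic_to_wan=False,
    )


if __name__ == "__main__":
    dev = {"src": "192.168.8.10", "dst": "example.com"}     # matches the wg0 policy
    guest = {"src": "192.168.8.20", "dst": "example.com"}   # matches no policy (type 3)
    print("tunnel down, tunnel KS off, global KS on :", route(policy_mode(False, False, True), dev))
    print("tunnel down, tunnel KS off, global KS off:", route(policy_mode(False, False, False), dev))
    print("tunnel down, tunnel KS on                :", route(policy_mode(False, True, False), dev))
    print("unmatched traffic, global KS on          :", route(policy_mode(True, False, True), guest))
    print("failover to second tunnel                :", route(two_tunnel_chain(), dev))
```

The first line of the output reproduces the observation from the test earlier in the thread: with the tunnel kill switch off, failover traffic is not handled by the tunnel at all, it is passed down the list and ends at the "All Other Traffic" rule, so a disabled rule (global kill switch on) blocks it.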