Contributor
August 28, 2008
Question

Fail Over or Load Balancing and or Link Bonding? 60B WAN1, WAN2, PCMCIA

  • August 28, 2008
  • 10 replies
  • 5245 views
After doing some reading on items like Peplink products (www.peplink.com) ... multi-WAN load balancing units which do: Link Aggregation & Load Balance Session Binding / Bonding Lines Fail Over.

I wasn't too sure how the FortiGate 60B features work… it says it supports dual WANs and has a PCMCIA modem, but does it provide any features like link aggregation and load balancing, or is it only for failover? Or how does it route traffic: based on service or IP? Does it only activate the PCMCIA link when it sees a WAN failure?

I was really hoping I could use a PCMCIA modem (with DDNS) along with my DSL on WAN 1 for failover, load balancing, and link aggregation for increased bandwidth for things like FTP transfers. Can anyone shed some light on what it can do? Or am I better off with a dedicated product like the Peplink? I really wanted to use AT&T PCMCIA since we get 3G / HSDPA in our area.

    10 replies

    UkWizard
    New Member
    August 28, 2008
    Load balancing on the FortiGates is done by one of two methods:

    1. Bending of traffic via multiple links based on matching any one (or more) of: Source IP/Subnet, Dest IP/Subnet, Traffic Type or Service (dest port). So, you could have web traffic using wan1, for example, and everything else on wan2.
    2. ECMP - this is basically round robin based on the source address, so internal machines would use alternate links based on whether their IP is an even or odd number.

    Fortinets do support modems and having them as backup links or load balancing, but it can get quite complicated. I would recommend you get technical advice from your reseller to ensure it will work as you want it to. I personally do not have much experience with dialup backup connections, but I know it can be sticky to set up. Have a look at this thread for more info on ECMP: http://support.fortinet.com/forum/tm.asp?m=41080&appid=&p=&mpage=1&key=load%2Cbalancing&language=single&tmode=&smode=&s=#41125
    UkWizard
    New Member
    August 28, 2008
    this might also be useful; http://kc.forticare.com/default.asp?id=376&SID=&Lang=1
    Contributor
    September 4, 2008
    I opened a ticket anyway and got this... Basically it was a real kick in the rear for me! Not what I wanted to hear. Link Aggregation only applies to FG800 and higher. 60B can only really Load Balance for WAN1 and WAN2. PCMCIA is only for backup... The PCMCIA interface has no DDNS and can NOT accept inbound connections. This REALLY blows since you cannot even access an SSL VPN or the firewall Admin page! Does not do much good when I have internal mail servers that need to be kept alive. Well… thanks for nothing, Fortinet! =) I should have probably read into it before buying the firewall, but the PCMCIA interface was the only reason I upgraded to the 60B. I could have kept my 60 and saved a few bucks. I hope you are reading this and allow for the features I want in future firmware releases.
    UkWizard
    New Member
    September 4, 2008
    I am surprised it cannot accept incoming connections; that sounds odd to me. I would check this with your local Fortinet techie if I were you. I find that hard to believe too, but suspect they meant that because it doesn't support DDNS it cannot have incoming connections, which is actually wrong. So I wouldn't give up on it yet, as this might just be a misinterpretation. Even though the unit doesn't support DDNS, there is nothing stopping you having a DDNS client software app running on an internal server that will update the DDNS with the external IP it's coming from.
    Contributor
    September 4, 2008
    UKWizard, you are so correct... I could just run a DDNS software client on a computer that always stays on in my office... Would you feel comfortable installing that on an SBS 2003 server, or pick a different computer? I try not to install too many things on our main server. I still have not played with the PCMCIA card... I was asking these questions so I know what to expect. I didn't want to sign a 1-2 year contract with my phone company only to find out I don't like the way it works. Anyone else know if a PCMCIA card can accept incoming connections?
    abelio
    SuperUser
    September 4, 2008
    "Anyone else know if a PCMCIA card can accept incoming connections?"
    I guess we're talking here about a PCMCIA modem interface like a wireless one (i.e. EVDO 3G). I understand that if you've configured the modem interface as Redundant for a given interface, you should be able to receive the same incoming connections as the replaced one. On the other hand, if the modem interface is defined as standalone, it is an interface capable of sending outgoing traffic, making VPN connections, etc., but I cannot see how you could access it remotely.
    Contributor
    September 4, 2008
    We are talking about the modem interface... I am looking at this 3G card like a standard WAN1 internet connection... Using DDNS software on a computer... I can get an IP address for the Modem Interface, and want to connect to it.
    abelio
    SuperUser
    September 4, 2008
    You can configure it as redundant for an existing WANx interface or as standalone. That was the sense of my post above.
    Contributor
    September 4, 2008
    Looks like you cannot edit the modem network interface... even after enabling it I don't get an edit icon. (I don't have a PCMCIA card though... I don't know if that makes a difference.) From the firewall I can see why you can't have DDNS. But this is solved with a software client. Regardless of Standalone or Redundant... it looks like I can create a policy from Modem to Internal. It also looks like I can select SSL VPN. So from this info... I don't see why I can't receive an incoming connection from Modem to Internal. I just hope these policies are not in place just for backup/failover. I really need to get an AirCard and play with this.
    UkWizard
    New Member
    September 5, 2008
    Actually, now I think about this, in the UK our 3G cards get a private IP provided by the ISPs, NOT a public IP. So unless you have some sort of agreement with your ISP, you wouldn't be able to receive incoming connections because of the NAT. You need to have some technical conversations with your future provider BEFORE you buy one. Else you could be stuffed when it comes to incoming, even if the FortiGate does support it.
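
Added example, not part of the thread: a small Python check for the carrier-NAT situation described in the post above, comparing the address handed to the modem interface with the address an outside host sees for the same link. The function names and the sample addresses are constructed for illustration; documentation ranges stand in for real public IPs.

```python
import ipaddress

# Ranges that cannot be reached from the internet without a provider-side
# mapping: RFC 1918 private space, RFC 6598 shared (carrier-grade NAT)
# space, and link-local addresses.
NON_ROUTABLE = {
    "rfc1918-private": ["10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16"],
    "rfc6598-cgnat": ["100.64.0.0/10"],
    "link-local": ["169.254.0.0/16"],
}


def classify(addr):
    """Return the non-routable range an IPv4 address falls in, or 'public'."""
    ip = ipaddress.ip_address(addr)
    for name, nets in NON_ROUTABLE.items():
        if any(ip in ipaddress.ip_network(n) for n in nets):
            return name
    return "public"


def inbound_verdict(interface_addr, observed_addr):
    """Decide whether unsolicited inbound connections can reach the link.

    interface_addr: address the carrier assigned to the 3G/modem interface
    observed_addr:  source address an external "what is my IP" service sees
    """
    kind = classify(interface_addr)
    if kind != "public":
        return f"blocked: interface address is {kind}, carrier NAT sits in front"
    if ipaddress.ip_address(interface_addr) != ipaddress.ip_address(observed_addr):
        return "blocked: public address is translated upstream"
    return "possible: address is public and seen unchanged from outside"


if __name__ == "__main__":
    # Constructed sample pairs: (interface address, externally observed address)
    samples = [
        ("10.45.12.7", "198.51.100.20"),
        ("100.72.3.9", "198.51.100.20"),
        ("203.0.113.5", "198.51.100.20"),
        ("203.0.113.5", "203.0.113.5"),
    ]
    for iface, seen in samples:
        print(iface, seen, "->", inbound_verdict(iface, seen))
```

A DDNS client behind such a NAT registers the observed address, so the hostname resolves but inbound connections still stop at the carrier's NAT.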
    Contributor
    September 5, 2008
    UK, that's a valid point you have there too... Come to think of it, I have a Palm Treo 750 phone with a 3G data plan. I can DUN it to my PC for internet tethering... I'll try obtaining an IP address and connecting to my laptop using my phone's data plan. This should tell me if the ISP can receive an incoming connection; I assume the AirCard would work the exact same way. I will try to ping or RDP to my laptop and see what happens. I will report back after I try it.
    rwpatterson
    New Member
    September 5, 2008
    If you use a product like LogMeIn (www.logmein.com), you won't need to know the IP addresses to get to the servers/workstations. Once inside, you can manage the FortiGate from the inside, regardless of outside IP address. It's 100% free (I like free), and it works very well.
    Contributor
    September 19, 2008
    I know for a fact that Sprint offers EVDO cards with a public static IP. Virtual IPs work via the modem interface when you do so. Also, with MR6 you can establish an IPSEC VPN and then use the VPN interface IP as a management IP if you need to manage the device externally. In some of my restaurants, that was the only way to get an Internet connection and still be able to manage them with the FM. I've actually moved away from the PCMCIA cards now that I've discovered a company called Accell Networks. It's still a cellular data card, but the latency and throughput are significantly better. Some of my restaurants that use this are in the 3 - 5 Mb range for speed. Static IPs if you wish, and it gives you an Ethernet hand off so you don't have to do workarounds.