Adi45
New Member
April 30, 2019
Question

Fortigate Blocking some IPs


Hi team,

I am facing a very strange issue. I configured a FortiGate 100E for one of my company's clients with 2 ISPs (without load balancing). Everything works fine, but some IPs from the LAN are blocked from getting internet via WAN1, while the same hosts can reach the internet via WAN2.

I created 2 policies, one LAN>WAN2 and a 2nd LAN>WAN1. I want all my traffic to get internet from WAN2, but some traffic is passing out through WAN1, and some IPs are blocked from WAN1.

LAN>WAN2 (sources set to all) .... while the 2nd policy is for failover (sources set to all).

Any suggestion...?

    Toshi_Esumi
    SuperUser
    April 30, 2019

    The problem is routing. If you have two default routes with equal cost/priority in the routing table, you don't have control over which way traffic is sent out. The basic set-up for your situation is below. I haven't learned how to do the same with SD-WAN, so ask somebody else if you prefer SD-WAN.

    https://cookbook.fortinet...net-basic-failover-56/

    PS: looks like they're moving cookbooks to the doc library. I hope they will still be searchable from search engines.

    Ashik_Sheik
    New Member
    April 30, 2019

    Configure SD-WAN to achieve your requirement; it is an enhanced version of the old WAN Link load balancer. You can have a single policy and routing as well. For more information please refer to the link below.

    https://docs.fortinet.com/document/fortigate/6.0.0/cookbook/990932/redundant-internet-with-sd-wan

    ede_pfau
    SuperUser
    April 30, 2019

    You've stated that you don't want to load-balance. In this case, assign a higher metric to the default route of your backup ISP. There will only be one default route now in the Routing monitor (Monitor > Routing Monitor) until ISP1 fails. Then the second, backup default route will be inserted and used.

    Even source addresses going out WAN1 and odd ones going out WAN2 is a symptom of load balancing (which uses a hash of source address and source port, and something else).
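    The configuration the two routing replies describe, as an added FortiOS CLI example that is not part of the thread or of Fortinet's cookbook: the equal-distance routes that cause the per-flow split, then the corrected backup route plus a link monitor so the primary route is actually withdrawn when its upstream dies. Interface roles follow the original question (wan2 primary, wan1 backup); the gateway addresses, probe target and timers are assumed values.

```text
# Added example, not from the thread. Assumed: wan2 = primary ISP (gateway
# 198.51.100.1), wan1 = backup (gateway 203.0.113.1), probe target 8.8.8.8.
# Problem state: equal distance on both default routes keeps both active, so
# the FortiGate picks a route per flow (the "some IPs go out WAN1" symptom).
config router static
    edit 1
        set gateway 198.51.100.1
        set device "wan2"
        set distance 10
    next
    edit 2
        set gateway 203.0.113.1
        set device "wan1"
        set distance 10
    next
end

# Fix: a higher distance on the backup route keeps it out of the routing
# table entirely until the primary default route disappears.
config router static
    edit 1
        set gateway 198.51.100.1
        set device "wan2"
        set distance 10
    next
    edit 2
        set gateway 203.0.113.1
        set device "wan1"
        set distance 20
    next
end

# Without a link monitor the primary route is only withdrawn when wan2's link
# goes physically down; probe through wan2 so a dead upstream pulls the route.
config system link-monitor
    edit "wan2-probe"
        set srcintf "wan2"
        set server "8.8.8.8"
        set gateway-ip 198.51.100.1
        set protocol ping
        set interval 5
        set failtime 3
        set recoverytime 3
        set update-static-route enable
    next
end

# Verify: only the wan2 default route should be listed while the probe passes.
get router info routing-table all
```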