Cybersecurity Forum


FredQin
New Contributor

SD WAN and NAT Problem

Hi All,

My FortiGate is a 200D, software version FGT_200D-v6-build0163. I have a problem. I used my backup firewall to take snapshots in order to illustrate my problem; our business is 24/7, so I can't make any change on the firewall that is running. Our office has two dedicated Internet lines. I want to use the primary link, and if the primary link fails, switch over to the backup line. For some reason, we don't use the interface IP as the NAT IP address.
I configured it to use our primary link.


We don't use the interface IP as the NAT IP.

After I finished the configuration, some of our computers went through the backup line and used the Internet IP 180.1.1.3.
I tried a policy route to send all hosts in 10.16.180.0/24 through the primary link, but some computers still went through the backup link.
Next, I deleted the policy route and changed the firewall policy as in the picture below.

All of our computers now go through the primary link. I tried disconnecting the primary link; after that all of our computers were disconnected from the Internet, and the firewall could not switch over to the backup line.

------------------------------
Fred [LastName] [Designation]
Network Engineer
[CompanyName]
[City] [State]
[Phone]
------------------------------
Accepted solution
rmoussa
Contributor

Dear,

I think your problem here is that you are using IP pools with SD-WAN. The FortiGate always chooses the first IP pool to get to the Internet, so the issue is the FortiGate trying to go out through wan2 with the IP pool of wan1.
If IP pools are a must in your configuration, you should switch to manual ECMP load balancing and not use SD-WAN.

Regards
------------------------------
Rony Moussa
Fortinet NSE Certified: Level 8
------------------------------
4 replies
FredQin

Hi Rony,

Thank you. I can't find ECMP load balancing in FortiOS 6.0. Should I downgrade the FortiOS version of our firewalls?

rmoussa

Hi,

It's configurable via the CLI only.

Advanced static routing example: ECMP failover and load balancing


Regards

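One way to lay out the manual-ECMP design recommended in the accepted answer and in the ECMP failover document linked above. This is an added example written for this page, not configuration from the thread or from Fortinet; the interface names (internal, wan1, wan2), the 203.0.113.0/24 and 198.51.100.0/24 addresses, and the pool, monitor and policy names are hypothetical placeholders. It leaves SD-WAN disabled, gives each line its own IP pool, and binds each pool to a firewall policy whose dstintf is that line's physical interface, so the source NAT address can only ever be the one belonging to the link the route lookup picked.

```fortios
# Added example, not from the thread: manual ECMP failover with one IP pool
# per link, SD-WAN disabled. Interface names, addresses and object names are
# hypothetical placeholders.

# 1. Two default routes with equal distance but different priority. Both stay
#    in the routing table; wan1 (lower priority value) carries traffic while it
#    is healthy, wan2 takes over as soon as route 1 is withdrawn.
config router static
    edit 1
        set gateway 203.0.113.1
        set device "wan1"
        set distance 10
        set priority 0
    next
    edit 2
        set gateway 198.51.100.1
        set device "wan2"
        set distance 10
        set priority 10
    next
end

# 2. Link monitors withdraw the static route of a failed link, so the routing
#    table decides the egress interface and no policy route is required.
config system link-monitor
    edit "mon-wan1"
        set srcintf "wan1"
        set server "203.0.113.1"
        set gateway-ip 203.0.113.1
        set protocol ping
        set failtime 5
        set recoverytime 5
        set update-static-route enable
    next
    edit "mon-wan2"
        set srcintf "wan2"
        set server "198.51.100.1"
        set gateway-ip 198.51.100.1
        set protocol ping
        set failtime 5
        set recoverytime 5
        set update-static-route enable
    next
end

# 3. One IP pool per link, holding the public address assigned to that line
#    (not the interface address, as in the original post).
config firewall ippool
    edit "pool-wan1"
        set type overload
        set startip 203.0.113.10
        set endip 203.0.113.10
    next
    edit "pool-wan2"
        set type overload
        set startip 198.51.100.10
        set endip 198.51.100.10
    next
end

# 4. One policy per physical WAN interface. The route lookup selects the egress
#    interface first and the policy is then matched on dstintf, so the pool in
#    use always belongs to the link the packet actually leaves on.
config firewall policy
    edit 1
        set name "lan-to-wan1"
        set srcintf "internal"
        set dstintf "wan1"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set nat enable
        set ippool enable
        set poolname "pool-wan1"
    next
    edit 2
        set name "lan-to-wan2"
        set srcintf "internal"
        set dstintf "wan2"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set nat enable
        set ippool enable
        set poolname "pool-wan2"
    next
end

# Check after unplugging wan1:
#   get router info routing-table all    (only the wan2 default route remains)
#   diagnose sys link-monitor status     (mon-wan1 no longer reports alive)
```

The two static routes share a distance, so both remain in the routing table; the lower priority value makes wan1 the active path and wan2 the standby, which is the primary/backup behaviour the original post asks for. Link monitor withdrawing the failed route (update-static-route) is what moves traffic over, matching what the poster later reports. In a real deployment, point each monitor's server at a host beyond the ISP gateway rather than at the gateway itself, otherwise an upstream outage behind a healthy first hop goes undetected.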
FredQin

Hi Rony,

Thank you. I tested link monitor; it solves my SD-WAN and NAT problem. Now I have a new problem. I am using a FortiGate 200E with firmware v6.0.1 build0131 (GA) to test. By default all traffic goes through port13. I use a policy route to force traffic from port1 to go through port14, but it doesn't work.

config system settings
    set inspection-mode flow
    set v4-ecmp-mode usage-based
end

config system interface
    edit "port1"
        set vdom "root"
        set ip 192.168.2.1 255.255.255.0
        set allowaccess ping https ssh http fgfm ftm
        set type physical
        set device-identification enable
        set role lan
        set snmp-index 5
    next
    edit "port13"
        set vdom "root"
        set ip 10.12.172.250 255.255.255.0
        set allowaccess ping
        set type physical
        set spillover-threshold 300
        set role wan
        set snmp-index 17
    next
    edit "port14"
        set vdom "root"
        set ip 10.12.168.250 255.255.255.0
        set type physical
        set spillover-threshold 200
        set role wan
        set snmp-index 18
    next
end

config router static
    edit 2
        set gateway 10.12.168.1
        set device "port14"
    next
    edit 3
        set gateway 10.12.172.1
        set device "port13"
    next
end

config router policy
    edit 2
        set input-device "port1"
        set src "192.168.2.0/255.255.255.0"
        set dstaddr "all"
        set gateway 10.12.168.1
        set output-device "port14"
    next
end