FortiGate Next Generation Firewall utilizes purpose-built security processors and threat intelligence security services from FortiGuard labs to deliver top-rated protection and high performance, including encrypted traffic.
The article describes different WAN scenarios and how to implement them into the FortiGate in a simple scenario. This concept can be adopted even when deploying more than 2 internet lines or routing several lines to different Internet lines.
1. PPPoE/DHCP connections have distance 5 by default. This setting can be changed under CLI: config system interface edit wan1 set mode pppoe/dhcp set distance 5 next end
2. Static connections have distance 10 by default.
3. Distance keeps the route active in the routing table (if it is set to a higher number than the other static routes, it will be deleted from the routing table).
get ro info ro dat S 10.72.0.0/22 [10/0] via 220.127.116.11, to_lab inactive S *> 0.0.0.0/0 [2/0] via 10.108.19.254, port1
* indicates it is active and learnt. No star means the route is inactive.
to_lab has a distance of 10 and priority 0.
port1 has a distance of 2 and priority 0.
4. Priority keeps the entry active in the routing table (lower priority means the route is preferred, higher priority means the route is not preferred).
get ro info ro dat S *> 0.0.0.0/0 [2/0] via 10.108.19.254, port1 *> [2/0] via 10.108.239.254, ppp0, [10/0]
Both routes are active and learnt because they both have same distance, but second entry has a priority of 10.
5. Policy routes can route traffic out independently of the routing table only if the gateway is defined. If the gateway is not defined it will rely on the existing routes in the routing table.
config router policy edit 1 set input-device "port4" set gateway 10.108.19.254 ----> gateway set next end
6. Policy routes only help route the traffic in a more specific way (source, destination, protocol) and they are applied prior to static routes when traffic matches.
I. "WAN Link Load Balancing"(only in v5.2) II. "Link Health Monitor"(v5.2) III. "ECMP Load Balancing"(v5.0)
I. Location in the GUI: System -> Network -> WAN Link Load Balancing.
Starting with v5.2 Internet links can be combined into a virtual interface which offers redundancy and load balancing for all links, called "WAN Link Load Balancing". This is when all the lines should be used in the same time and perform load balancing based on the following options:
a) Source IP based.
The FortiGate unit load balances sessions among ECMP routes based on the source IP address of the sessions to be load balanced. This is the default load balancing method. No configuration changes are required to support source IP load balancing.
b) Weighted Round Robin (also called weight-based).
The FortiGate unit load balances sessions among ECMP routes based on weights added to ECMP routes. More traffic is directed to routes with higher weights. After selecting weight-based, weights must be added to static routes.
The FortiGate unit distributes sessions among ECMP routes based on how busy the FortiGate interfaces added to the routes are. After selecting spill-over you add route Spillover Thresholds to interfaces added to ECMP routes. The FortiGate unit sends all ECMP-routed sessions to the lowest numbered interface until the bandwidth being processed by this interface reaches its spillover threshold. The FortiGate unit then spills additional sessions over to the next lowest numbered interface. The Spillover Thresholds range is 0-2097000 KBps.
d) Source-Destination IP based.
The FortiGate unit load balances sessions among ECMP routes based on both the source and destination IP addresses of the sessions to be load balanced. This is required particularly for L3 link aggregation hashing.
e) Measured-Volume based.
The FortiGate can actively measure the volume of traffic sent to each WAN link and distribute new sessions to balance the traffic volume to each link using a simple ratio calculation. This interface can be selected in Static route to create a route for Internet with dst 0.0.0.0/0.0.0.0, but also in the firewall policies to allow traffic from LAN -> outside.
II. Location in the GUI: System -> Router -> Static -> Settings.
This feature checks the capability of a WAN port to reach Internet by configuring "Health Check". An external ping server is mandatory to set. In case a WAN is unable to ping the external server, the FortiGate interprets this line is down and it fails over to the other one configured below/above. This features is also called "gateway detection".
III. Location in the GUI: System -> Router -> Static -> Settings.
This feature is identical in functionality as the one described above. The only difference is that:
1. Redundancy only:
- either different distance or priority of the WANs (lowest distance/priority will be the active line). - identical policies for both internet lines. - must configure "Link Health Monitor" or "ECMP Load Balancing".
2. Load sharing only:
- same distance and priority on both WANs. - identical policies for both WANs. - additional policy routes to route traffic based on protocol via certain Internet line.
3. Redundancy and load sharing:
- same distance and priority on both WANs - identical policies for both WANs - must configure "Link Health Monitor" or "ECMP Load Balancing" for v5.0 - in v5.2 with "WAN Link Load Balancing" configuration provides Redundancy and Load sharing. In terms of policies, only one policy is needed from lan to wan-load-balance.
4. No redundancy nor load sharing:
- in the scenario where lan1 has to be routed via WAN1 and lan2 via WAN2, both Internet lines must same distance and priority, policy routes must be in place (source lan1 via wan1 and lan2 via wan2) and policies from lan1 -> WAN1 and lan2 -> WAN2.