| The following steps outline instructions in order to set up a FortiGate with a pair of redundant GRE tunnels to Zscaler. In this example, the FortiGate is equipped with two ISPs on wan1 and wan2, and the objective is to have a GRE tunnel configured for both WAN ports.
- Configure the GRE tunnels on FortiGate using the following CLI commands:
config system gre-tunnel
edit "Zscaler-Primary"
set interface "wan1"
set remote-gw <Zscaler Host1>
set local-gw <wan1_IP_address>
next
edit "Zscaler-Secondary"
set interface "wan2"
set remote-gw <Zscaler Host2>
set local-gw <wan2_IP_address>
next
end
To find out about 'Zscaler Host1' and 'Zscaler Host2', and which tunnel they will be built on, see 'Locating the Hostnames and IP Addresses for ZIA Public Service Edges'.
- Configure the GRE tunnel interfaces:
config system interface
edit "Zscaler-Primary"
set ip <ip address in a /30 subnet provided by Zscaler> 255.255.255.255
set allowaccess ping
set type tunnel
set interface "wan1"
set remote-ip <x.x.x.x> 255.255.255.252
next
edit " Zscaler-Secondary"
set ip <ip address in a /30 subnet provided by Zscaler> 255.255.255.255
set allowaccess ping
set type tunnel
set interface "wan2"
set remote-ip <y.y.y.y> 255.255.255.252
next
end
- Configure the Zscaler side of the GRE tunnel by following the instructions in the Zscaler documentation.
- Verify the configuration by checking the routing table and firewall policies on FortiGate and ensuring that the GRE tunnel is up and passing traffic.
config router static
edit 1
set gateway x.x.x.x
set device "Zscaler-Primary"
set priority 10
next
edit 2
set gateway y.y.y.y
set device "Zscaler-Secondary"
set priority 20
next
end
config firewall policy
edit 5
set name "to_Zscaler1"
set srcintf "internal"
set dstintf "Zscaler-Primary"
set action accept
set srcaddr "all"
set dstaddr "all"
set schedule "always"
set service "HTTP" "HTTPS"
set nat enable
next
edit 6
set name "to_Zscaler2"
set srcintf "internal"
set dstintf "Zscaler-Secondary"
set action accept
set srcaddr "all"
set dstaddr "all"
set schedule "always"
set service "HTTP" "HTTPS"
set nat enable
next
end
- Configure a link monitor to detect link failures and remove the associated route(s) from the routing table. Refer to this article: Technical Tip: Link-Monitor Explained for more information.
config system link-monitor
edit "1"
set srcintf "Zscaler-Primary"
set server "8.8.8.8"
set protocol ping
next
edit "2"
set srcintf "Zscaler-Secondary"
set server "8.8.8.8"
set protocol ping
next
end
Make sure that snat-route-change is enabled under global configuration settings. Refer to this article: Technical Tip: Using 'SNAT-route-change' to update existing NAT session after routing change for more information.
config system global
set snat-route-change enable
end
To check the status of link-monitor, use the following CLI command:
diagnose sys link-monitor status
Troubleshooting steps:
- Verify ping to the remote tunnel IP is working:
execute ping-options source <IP_Address_Zscaler-Primary>
execute ping x.x.x.x
execute ping-options source <IP_Address_Zscaler-Secondary>
execute ping y.y.y.y
- Traceroute the traffic to see if it is using the GRE tunnel:
execute traceroute-options source <IP_Address_Internal_Interface>
execute traceroute 8.8.8.8
traceroute to 8.8.8.8 (8.8.8.8), 32 hops max, 3 probe packets per hop, 84 byte packets
1 z.z.z.z 80.270 ms 80.956 ms 81.066 ms (here z.z.z.z should be the IP in network of Zscaler Host1 or Zscaler Host2)
|
