FortiSASE
Patterson
Staff
Article Id 415557
Description

 

This article describes how to use the Failover sequence feature to connect to a different PoP for the IPsec instance.

 

Scope

 

FortiSASE.

 

Solution

 

In general, PoP selection is based on eDNS/DNS lookup; however, there can be scenarios in which a connection to the resolved IP of the PoP cannot be established due to network or service-related issues.

 

By using the Failover sequence, the user can connect to a different PoP. This feature needs to be enabled on the required Endpoint profile.

 

Configuration:

To get the URL of each PoP, navigate to Network -> Proxy configuration:

 

FO-URL1.png

 

The setting is under Endpoint management -> Endpoint Profile -> Profile (select the one associated with the users) -> Advanced setting -> Failover sequence (disabled by default).

 

By default, the TURBO URL will be listed. Select the (+) to add more gateway IPs/FQDNs. Connections are attempted in order, from top to bottom.

This sequence can be changed by manually rearranging the PoP sequence.

 

FO-Profile1.png

 

Once saved, the configuration is pushed to the end user's FortiClient, as shown below.

 

FO-Client1.png

 

Test:

The client connects to the Pune PoP by default.

 

FO-Client2.png

 

After a network issue is introduced to simulate the use case, a timeout notification for the Turbo URL is visible, and the user is automatically connected to the secondary gateway.

 

FO-Client3.png

 

The user is now connected to the Bangalore PoP.

 

FO-Client4.png