jtfinley
Contributor

Route out another location Internet

I have multiple locations (3), each having Internet. Each location is connected (dark fiber) at layer 2 and VLAN'd. I've taken a FortiGate port at each location and placed it in this layer 2 network. Each location can communicate with one another fine. My goal is to detect Internet failure & exit out another location for Internet. For the life of me, I cannot get this working. Using a PBR to isolate one PC for testing. Sniffing traffic doesn't show anything passing. The PBR GATEWAY is set to the IP of the next FortiGate.
Carl_Wallmark
Valued Contributor

Hi, Try this: Create 3 static routes (0.0.0.0/0.0.0.0) with the same metric but different priority on each FG. The first route points out to the Internet. The two others point to another FG. Create Dead Gateway Detection and ping something on the Internet, and the Internet through the two FGs. Also be sure to create firewall rules. This will remove the routes when the ping fails and redirect to the next FortiGate. I did this last week at a client, worked perfectly.

FCNSA, FCNSP
---
FortiGate 200A/B, 224B, 110C, 100A/D, 80C/CM/Voice, 60B/C/CX/D, 50B, 40C, 30B
FortiAnalyzer 100B, 100C
FortiMail 100,100C
FortiManager VM
FortiAuthenticator VM
FortiToken
FortiAP 220B/221B, 11C

emnoc
Esteemed Contributor III

I've taken another approach, using OSPF in our intra-domain. A default 0.0.0.0/0 is being redistributed by the edge router into the edge firewalls. The same edge firewalls pass this E1-type route internally. As soon as we lose the default (very likely in our ATT managed services), the traffic is redirected to the next-preference default route. Very transparent, no dead-gateway-detect or fall-back issues, and it provides multi-path access.

PCNSE 

NSE 

StrongSwan  

Carl_Wallmark
Valued Contributor

Nice! But how do you detect a failure outside your network?

FCNSA, FCNSP
---
FortiGate 200A/B, 224B, 110C, 100A/D, 80C/CM/Voice, 60B/C/CX/D, 50B, 40C, 30B
FortiAnalyzer 100B, 100C
FortiMail 100,100C
FortiManager VM
FortiAuthenticator VM
FortiToken
FortiAP 220B/221B, 11C

emnoc
Esteemed Contributor III

ATT drops the default when either interface is down, the IP-ICMP SLA fails, or the edge router or firewall fails. We have SNAT enabled on all interfaces (WAN uplink). When we have any ATT failures, which is like almost every week :( , our clients are redirected out one of the other 3 edge firewalls. Sometimes we don't even notice the redirect on failure.

PCNSE 

NSE 

StrongSwan  

ede_pfau
Esteemed Contributor III

If you already have a routing protocol active, emnoc's solution is nifty. But for smaller setups, redundant default routes plus DGD work just as well. You don't even have to give the default routes the same distance; if you don't, you won't see them in the R.T., but they will kick in if the current def. rt. fails. And to simplify the policy table, you can put all ports which lead to the Internet into a zone and only have one set of policies 'internal' -> 'WANzone'.

Ede

"Kernel panic: Aiee, killing interrupt handler!"
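The route-plus-monitor setup Carl_Wallmark and ede_pfau describe, written out as an added FortiOS CLI illustration (not configuration from any poster). It assumes wan1 is the local ISP uplink with gateway 203.0.113.1, port5 is the port on the inter-site layer 2 VLAN, and the three FortiGates sit at 10.10.10.1/.2/.3 on that VLAN, this unit being .1; the link-monitor syntax is the FortiOS 5.x/6.x form of the dead gateway detection the thread refers to.

```fortios
# Added example; names, addresses and the probe target are assumptions.
# Three default routes: same distance, different priority. The lowest
# priority value is used while its route exists; the others wait.
# (ede_pfau's variant: give routes 2 and 3 a higher distance instead,
# e.g. 20 - they then stay out of the routing table until route 1 is gone.)
config router static
    edit 1
        set dst 0.0.0.0 0.0.0.0
        set gateway 203.0.113.1      # local ISP
        set device "wan1"
        set distance 10
        set priority 0
    next
    edit 2
        set dst 0.0.0.0 0.0.0.0
        set gateway 10.10.10.2       # second site's FortiGate over the L2 VLAN
        set device "port5"
        set distance 10
        set priority 5
    next
    edit 3
        set dst 0.0.0.0 0.0.0.0
        set gateway 10.10.10.3       # third site's FortiGate over the L2 VLAN
        set device "port5"
        set distance 10
        set priority 10
    next
end
# Probe the Internet through wan1. When the probe fails, the static route
# on wan1 is withdrawn and traffic falls back to route 2 (then 3); when the
# probe recovers, route 1 returns and traffic moves back.
config system link-monitor
    edit "wan1-probe"
        set srcintf "wan1"
        set server "198.51.100.53"   # constructed; use a host you are allowed to ping
        set gateway-ip 203.0.113.1
        set protocol ping
        set failtime 5               # consecutive lost probes before failover
        set recoverytime 5           # consecutive good probes before restoring
        set update-static-route enable
        set status enable
    next
end
# Still needed on every unit: a policy internal -> port5 (local users leaving
# via another site) and one port5 -> wan1 with NAT enabled (transit traffic
# arriving from the other sites). Without the second one the failover route
# exists but, as jtfinley saw in the sniffer, nothing passes.
```

The `#` lines are annotations for the reader; FortiOS does not accept them, so strip them before pasting into a CLI session.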
jtfinley

And to simplify the policy table, you can put all ports which lead to the Internet into a zone and only have one set of policies 'internal' -> 'WANzone'.
I'm in favor of static routing to lessen complexity... Any idea why my PBR is not working, just to test?
Carl_Wallmark
Valued Contributor

Can you show us the PBR configuration and the firewall policies?

FCNSA, FCNSP
---
FortiGate 200A/B, 224B, 110C, 100A/D, 80C/CM/Voice, 60B/C/CX/D, 50B, 40C, 30B
FortiAnalyzer 100B, 100C
FortiMail 100,100C
FortiManager VM
FortiAuthenticator VM
FortiToken
FortiAP 220B/221B, 11C
