Fortinet Forum
Umesh
New Contributor II

How to configure a redundant link in a FortiGate firewall

Hi All,

Yesterday I set up a lab and tried to check whether the redundant link is working fine or not, but it is not working. If the primary link goes down, all the traffic is being dropped at the ISP end and is not moving towards the other ISP, which is TCL.

Let me tell you what I did in this lab on the FortiGate firewall.

1. Created one default route on the firewall: 0.0.0.0/0, gateway 192.168.99.1, metric 10.

2. Created a second default route on the firewall: 0.0.0.0/0, gateway 192.168.98.1, metric 11.

3. Created a separate policy for each ISP.

Then I tried to ping 8.8.8.8 from the LAN. It works, but whenever the primary link goes down it doesn't work.

Please see the diagram below, which will help you understand easily.

[Attached images: redundant link_1.jpg, down.JPG]

Could you please tell me why it is not working and what I should do if I want to have a redundant link in this lab?

Your response will be most beneficial for me. Thank you in advance from my side.

Thank you,

Umesh

2 REPLIES
seshuganesh
Staff

Hi Team,

Please try it this way: configure the first default route with admin distance 1 and priority 10, and the second default route with admin distance 1 and priority 11. So if the primary link fails, the secondary link comes into the picture.

You must have a firewall policy with both interfaces as the outgoing interface, so that when the traffic is going through the secondary link, it will still be allowed by the firewall policy.

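To make the route and policy layout from this reply concrete, here is an added example configuration in FortiOS CLI syntax. It was written for this page and was not posted by seshuganesh. The gateways are the ones from the question; the interface names (port1 and port2 facing the two ISPs, port3 facing the LAN) are assumed, as is a single-VDOM setup using the default "all" address and "ALL" service objects.

```text
# Two default routes with the SAME admin distance, so both are installed
# in the routing table. The lower priority value is preferred, so port1
# carries traffic while it is up and port2 takes over when it is not.
# (Interface names are assumed; gateways are from the question.)
config router static
    edit 1
        set dst 0.0.0.0/0
        set gateway 192.168.99.1
        set device "port1"
        set distance 1
        set priority 10
    next
    edit 2
        set dst 0.0.0.0/0
        set gateway 192.168.98.1
        set device "port2"
        set distance 1
        set priority 11
    next
end

# One outbound policy that lists BOTH WAN ports as destination interface.
# With a separate policy per ISP and no shared one, sessions that fail
# over to port2 can be dropped; a single policy covering both avoids that.
config firewall policy
    edit 1
        set name "LAN-to-Internet"
        set srcintf "port3"
        set dstintf "port1" "port2"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set nat enable
    next
end
```

After applying it, get router info routing-table all should list both default routes (same distance, different priority). If the second route had a higher distance instead, it would not be in the active routing table at all until the first route was withdrawn. Note that in FortiOS the lower priority number is the preferred one.
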
Toshi_Esumi
Esteemed Contributor II

I'm assuming you meant AD (admin distance) by metric, and that there is SNAT from the internal ports (port3, port10) to the external ports (port1, port2). I also assume you disconnected port1 from the switch.

Check your global config:

    set snat-route-change enable

Without enabling it, the SNAT session for your continuous ping never changes to the new outgoing interface.

But you had better configure link-monitor through port1 to ping something like 8.8.8.8 to detect the failure and remove the default route. Otherwise, it won't fail over when a problem occurs on the other side of the switch.

Toshi
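
An added example, written for this page and not part of Toshi's reply, showing the two settings that reply points at in FortiOS CLI syntax. The probe target 8.8.8.8 and the port1 gateway 192.168.99.1 come from the thread; the monitor name and the failtime/recoverytime values are assumptions.

```text
# Let existing SNAT sessions be re-evaluated when the route changes.
# Without this, the already-running ping keeps its session pinned to the
# dead port1 even though the routing table now points at port2.
config system global
    set snat-route-change enable
end

# Probe 8.8.8.8 out through port1 via its gateway and remove port1's
# default route when the probe fails. This covers faults upstream of the
# directly attached switch, which an interface-down event alone would
# never see. (Monitor name and fail/recovery counts are assumptions.)
config system link-monitor
    edit "isp1-check"
        set srcintf "port1"
        set server "8.8.8.8"
        set protocol ping
        set gateway-ip 192.168.99.1
        set failtime 5
        set recoverytime 5
        set update-static-route enable
    next
end
```

Check the probe with diagnose sys link-monitor status. While it is failing, the port1 default route disappears from get router info routing-table all and the port2 route carries the traffic; once recoverytime consecutive probes succeed, the route is put back. Pinning the probe to port1's gateway with gateway-ip keeps the health check on the link being tested instead of following whatever route is currently active.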