Hello,
I am switching from really old Watchguard firewalls to a new Fortigate platform across my company.
I have a question about recommendations for a 100D configuration.
In my past setup I ran two separate physical firewalls, one for LAN and the other for VoIP (using multiple ISPs with external IP blocks). Each firewall used the opposite ISP as its primary WAN1 link with failover to WAN2. Meaning LAN on FW1 used ISP1 as primary (with failover to ISP2) and VoIP on FW2 used ISP2 as primary (with failover to ISP1).
My goal is to replace the existing setup with the 100D for both LAN and VoIP (with an external VoIP hosted provider).
How would you recommend configuring the 100D to achieve this requirement?
Would it be best to separate the ports into two groups (ports 1-8 LAN and 9-16 VoIP) and isolate traffic from each other?
Could I then setup group1 to use WAN1 with failover to WAN2 and group2 to use WAN2 with failover to WAN1?
Which is the best way to separate the two port groups?
Would it be better to setup VDOMs in this scenario?
Thanks
In playing around with configuration options, I came up with this layout which might achieve my goal, but I would like to hear some feedback from the community.
Using FortiOS 5.4
I setup the FTG100D with 3 VDOMs (root, VDOM1 and VDOM2)
I then assigned 4 interfaces to each of VDOM1 and VDOM2.
Next I configured ISP1 and ISP2 to interface1 and interface2 on VDOM1.
Then I configured ISP2 and ISP1 to interface1 and interface2 on VDOM2.
(Basically setting up VDOM1 to use ISP1 as primary and VDOM2 to use ISP2 as primary.)
To set up failover, from what I understand (and I could be wrong), I used the WAN LLB configuration to link the two ISPs.
The WAN LLB is set up so the primary ISP (in a Volume Load Balancing Algorithm) has a weight of 9.5 (95%) and the secondary ISP a weight of 0.5 (5%).
The VDOM2 WAN LLB is set up as the reverse of VDOM1.
Does this sound overkill from a configuration stand point?
Is there a better way to have failover?
Should I use VLANs or something else to separate the networks?
Thanks
Overkill? Yes. No, make it hell yes.
Why can't you just use standard Weighted-LB or pure ECMP? Or a virtual-wan interface that combines the ISP1 and ISP2 WAN links into a seamless WAN link?
I think it's overkill, but draw a topology diagram and explain the inside LAN interfaces.
PCNSE
NSE
StrongSwan
My primary traffic goal is to give VoIP traffic the highest priority and keep it isolated from any LAN noise and service interruption due to LAN usage.
In the past I have just kept two separate physical firewalls (one for LAN and one for VoIP), with the LAN using ISP1 (failover to ISP2) and the VoIP firewall using ISP2 (failover to ISP1).
I'm new to combining NGFW and UTM services on one device and thus a little nervous about the configuration.
My understanding is the load balancing could potentially drop VoIP calls to our hosted VoIP provider if the routing changes during a SIP session.
If the traffic shapers can perform as advertised then I could use another option like Weighted-LB or a virtual WAN interface.
From a service standpoint, wouldn't it be best to keep the LAN traffic separated from the VoIP? I'm willing to try other configurations but would need some recommendations. Again, I think my end goal is to keep the two networks from interfering with each other: LAN uses ISP1 with failover to ISP2, VoIP uses ISP2 with failover to ISP1, and VoIP/SIP traffic is set to the highest priority. What would you recommend to achieve this goal?
Thanks again for your feedback!
Why not? A VDOM basically is a separate FGT instance. If you want it that way, go for it.
The only thing I'd change is the 5% in LLB - why not 100/0?
Don't forget to set up ping servers in the respective ISP networks, if available.
Is there another recommendation I should consider?
Thanks again for the input.
I thought I would give the groups another try...
Here is what I would like to do in FortiOS 5.4:
WAN1 = LAN traffic, with failover to WAN2
WAN2 = VoIP traffic, with failover to WAN1
All the documentation I can find is based on FortiOS 5.2 or lower.
Thanks
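The following is an added example and is not from any post in this thread or from Fortinet documentation. It shows one way to get the primary/failover behaviour the poster above asks for on FortiOS 5.4 without a load-balancing algorithm at all: per VDOM, two default routes with different administrative distance, plus link health monitors (the 5.4 replacement for the per-interface "ping server" the earlier reply mentions) that withdraw the primary route when its probe fails. Only one VDOM is shown; the other VDOM is the same with the two distances swapped so that ISP2 is primary there. The VDOM name "VDOM1", the interface names port1/port2, the addresses (taken from the documentation ranges 203.0.113.0/24 and 198.51.100.0/24), the monitor names and the timer values are all assumptions for illustration and need to be replaced with real values.

```text
# Added example, not from the original thread. All names and addresses are assumed.
# Interfaces are global objects in multi-VDOM mode; assign each ISP uplink to the VDOM.
config global
    config system interface
        edit "port1"
            set vdom "VDOM1"
            set alias "ISP1"
            set mode static
            set ip 203.0.113.10 255.255.255.0
            set allowaccess ping
        next
        edit "port2"
            set vdom "VDOM1"
            set alias "ISP2"
            set mode static
            set ip 198.51.100.10 255.255.255.0
            set allowaccess ping
        next
    end
end

config vdom
    edit VDOM1
        # Two default routes. Only the lower-distance route (ISP1) is installed;
        # the ISP2 route enters the routing table only when the ISP1 route is withdrawn.
        config router static
            edit 1
                set dst 0.0.0.0 0.0.0.0
                set gateway 203.0.113.1
                set device "port1"
                set distance 10
            next
            edit 2
                set dst 0.0.0.0 0.0.0.0
                set gateway 198.51.100.1
                set device "port2"
                set distance 20
            next
        end
        # Link health monitors probe a host inside each ISP's network (here the
        # ISP gateway itself; a host further into the ISP is a better signal).
        # update-static-route removes the static routes on the interface while
        # the probe is failing, which is what makes route 2 take over.
        config system link-monitor
            edit "isp1-check"
                set srcintf "port1"
                set server "203.0.113.1"
                set gateway-ip 203.0.113.1
                set protocol ping
                set interval 5
                set failtime 3
                set recoverytime 5
                set update-static-route enable
            next
            edit "isp2-check"
                set srcintf "port2"
                set server "198.51.100.1"
                set gateway-ip 198.51.100.1
                set protocol ping
                set interval 5
                set failtime 3
                set recoverytime 5
                set update-static-route enable
            next
        end
    next
end
```

Two caveats worth knowing before relying on this. First, failover here is a routing change, so it does exactly what the poster worried about: an established SIP call egressing ISP1 is re-routed out ISP2 with a different public source address, and the hosted provider will see it as a new session; the VDOM split limits the damage to the VoIP VDOM's own calls but does not prevent it. Second, with failtime 3 and interval 5 the primary route is pulled roughly 15 seconds after the ISP stops answering, and with recoverytime 5 it comes back about 25 seconds after it recovers, so a flapping ISP will flap the route; lengthen recoverytime if that becomes a problem.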