Dustin
New Contributor III

100D config recommendation

Hello,

I am switching from really old Watchguard firewalls to a new Fortigate platform across my company.

I have a question about recommendations for a 100D configuration.

In my past setup I ran two separate physical firewalls, one for LAN and the other for VoIP (using multiple ISPs with external IP blocks). Each firewall used opposite ISPs as primary WAN1 links with failover to WAN2. Meaning LAN on FW1 used ISP1 as primary (with failover to ISP2) and VoIP on FW2 used ISP2 as primary (with failover to ISP1).

My goal is to replace the existing setup with the 100D for both LAN and VoIP (with an external VoIP hosted provider).

How would you recommend configuring the 100D to achieve this requirement?

Would it be best to separate the ports into two groups (ports 1-8 LAN and 9-16 VoIP) and isolate traffic from each other?

Could I then set up group1 to use WAN1 with failover to WAN2 and group2 to use WAN2 with failover to WAN1?

Which is the best way to separate the two port groups?

Would it be better to set up VDOMs in this scenario?

Thanks

Dustin
New Contributor III

In playing around with configuration options, I came up with this layout which might achieve my goal, but I would like to hear some feedback from the community.

Using FortiOS 5.4

I set up the FTG100D with 3 VDOMs (root, VDOM1 and VDOM2).

I then assigned 4 interfaces to each of VDOM1 and VDOM2.

Next I configured ISP1 and ISP2 to interface1 and interface2 on VDOM1.

Then configured ISP2 and ISP1 to interface1 and interface2 on VDOM2.

(Basically setting up VDOM1 to use ISP1 as primary and VDOM2 to use ISP2 as primary.)

To set up failover, from what I understand (and I could be wrong), I used the WAN LLB configuration to link the two ISPs.

The WAN LLB is set up so the primary ISP (in a Volume Load Balancing Algorithm) has a weight of 9.5 (95%) and the secondary ISP a weight of 0.5 (5%).

VDOM2 WAN LLB is set up the reverse of VDOM1.

Does this sound overkill from a configuration standpoint?

Is there a better way to have failover?

Should I use VLANs or something else to separate the networks?

Thanks

emnoc
Esteemed Contributor III

Overkill ??????? ....yes, no make it hell yes.

 

Why can't you just use standard Weighted-LB or pure ECMP? or virtual-wan interface that combines ISP1 and ISP2 wan links into a seamless WAN link.

 

I think it's overkill, but draw a topo diagram and explain the inside LAN interfaces.

PCNSE 

NSE 

StrongSwan  

Dustin
New Contributor III

My primary traffic goal is to give VoIP traffic the highest priority and keep it isolated from any LAN noise and service interruption due to LAN usage.

In the past I have just kept two separate physical firewalls (one for LAN and one for VoIP) with the LAN using ISP1 (failover to ISP2) and the VoIP firewall using ISP2 (failover to ISP1).

I'm new to combining NGFW and UTM services on one device and thus a little nervous about the configuration.

My understanding is the load balancing could potentially drop VoIP calls to our hosted VoIP provider if the routing changes during a SIP session.

If the traffic shapers can perform as advertised then I could use another option like Weighted-LB or a virtual WAN interface.

From a service standpoint, wouldn't it be best to keep the LAN traffic separated from the VoIP? I'm willing to try other configurations but would need some recommendations. Again, I think my end goal is to keep the two networks from interfering with each other: LAN uses ISP1 with failover to ISP2, VoIP uses ISP2 with failover to ISP1, and VoIP/SIP traffic is set to the highest priority. What would you recommend to achieve this goal?

Thanks again for your feedback!

ede_pfau
Esteemed Contributor III

Why not? A VDOM basically is a separate FGT instance. If you want it that way, go for it.

The only thing I'd change is the 5% in LLB - why not 100/0?

Don't forget to set up ping servers in the respective ISP networks, if available.

Ede

"Kernel panic: Aiee, killing interrupt handler!"
Dustin
New Contributor III

Is there another recommendation I should consider?

Thanks again for the input.

Dustin
New Contributor III

I thought I would give the groups another try...

Here is what I would like to do in Fortigate OS 5.4:

WAN1 = LAN traffic and failover to WAN2
WAN2 = VoIP traffic and failover to WAN1

All the documentation I can find is based on Fortigate OS 5.2 or less.

Thanks
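The layout Dustin describes earlier in the thread (two VDOMs, each with both ISP links in a weighted WAN LLB, mirrored so that each VDOM prefers a different ISP), with the ping servers ede_pfau recommends and a high-priority shaper for the VoIP side, written out as FortiOS 5.4 CLI. This is an added example, not configuration from the thread or from Fortinet: the VDOM names, port assignments (port13/port14 and port15/port16 as the ISP handoffs, port1 and port9 as the inside ports), the RFC 5737 addresses and the probe hosts are all assumed placeholders.

```fortios
# Added example (not from the thread or Fortinet documentation).
# Assumed: VDOM names, port numbers, RFC 5737 placeholder addresses, probe hosts.
# VDOM1 = LAN (ISP1 primary, ISP2 backup); VDOM2 = VoIP (ISP2 primary, ISP1 backup).

# Create the VDOMs (top-level context on a multi-VDOM unit)
config vdom
    edit "VDOM1"
    next
    edit "VDOM2"
    next
end

# Hand each VDOM its own pair of ISP ports (each ISP delivers two handoffs)
config global
    config system interface
        edit "port13"
            set vdom "VDOM1"
            set ip 198.51.100.2 255.255.255.0   # ISP1 handoff, LAN VDOM
        next
        edit "port14"
            set vdom "VDOM1"
            set ip 203.0.113.2 255.255.255.0    # ISP2 handoff, LAN VDOM
        next
        edit "port15"
            set vdom "VDOM2"
            set ip 203.0.113.3 255.255.255.0    # ISP2 handoff, VoIP VDOM
        next
        edit "port16"
            set vdom "VDOM2"
            set ip 198.51.100.3 255.255.255.0   # ISP1 handoff, VoIP VDOM
        next
        # inside ports port1 (VDOM1) and port9 (VDOM2) are assigned the same way
    end
end

# LAN VDOM: weighted WAN LLB preferring ISP1, one ping probe per ISP
config vdom
    edit "VDOM1"
        config system virtual-wan-link
            set status enable
            set load-balance-mode weight-based
            config members
                edit 1
                    set interface "port13"
                    set gateway 198.51.100.1
                    set weight 95     # Dustin's 95/5 split; ede_pfau's 100/0 is a change to these two values
                next
                edit 2
                    set interface "port14"
                    set gateway 203.0.113.1
                    set weight 5
                next
            end
            config health-check
                edit "isp1-probe"
                    set server "198.51.100.53"   # placeholder host inside ISP1's network
                    set members 1                # a failed probe pulls member 1 out of the LLB
                next
                edit "isp2-probe"
                    set server "203.0.113.53"    # placeholder host inside ISP2's network
                    set members 2
                next
            end
        end
        config router static
            edit 1
                set virtual-wan-link enable      # default route via the LLB group
            next
        end
        config firewall policy
            edit 1
                set srcintf "port1"
                set dstintf "virtual-wan-link"
                set srcaddr "all"
                set dstaddr "all"
                set action accept
                set schedule "always"
                set service "ALL"
                set nat enable
            next
        end
    next
end

# VoIP VDOM: same LLB, static route and probes as above with port15 (ISP2) at
# weight 95 and port16 (ISP1) at weight 5; the only addition is the shaper below.
config vdom
    edit "VDOM2"
        config firewall shaper traffic-shaper
            edit "voip-high"
                set priority high
                set guaranteed-bandwidth 2048    # kbit/s, placeholder sizing
            next
        end
        config firewall policy
            edit 1
                set srcintf "port9"
                set dstintf "virtual-wan-link"
                set srcaddr "all"
                set dstaddr "all"
                set action accept
                set schedule "always"
                set service "ALL"
                set nat enable
                set traffic-shaper "voip-high"
                set traffic-shaper-reverse "voip-high"
            next
        end
    next
end
```

Two points worth checking before relying on this. First, the health check only stops new sessions from being sent to a link whose probe has failed; a SIP registration or a call already in progress that was NATed behind the failed ISP's address has to re-establish from the other ISP's address, which is the call-drop behaviour Dustin is worried about, and it happens on failover regardless of whether the weights are 95/5 or 100/0 (with 95/5, about one session in twenty uses the backup ISP even while the primary is healthy). Second, the two VDOMs are independent instances: each needs its own address in each ISP's block, and the shaper priority only orders traffic inside VDOM2, so if the LAN VDOM fails over onto ISP2 its traffic competes with VoIP on that circuit with no priority between the two VDOMs.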
