I have 2 buildings that are close enough to each other to be connected by an ethernet cable.
Both buildings have their own fortigate. One building is the police department, and for obvious reasons, they need redundant internet as failover in case the primary internet connection goes down. I called support to help me set up the other fortigate as a secondary internet connection, but they have (as yet) been unable to configure it correctly even though the tech was adamant that it was doable and spent over an hour remoted in with me configuring and testing.
Has anyone else had this scenario, and were they able to make it work? In my head, it doesn't seem like such a difficult task. Just set up a link monitor, give that monitor the 2nd port as the failover, then configure the port to talk to the other fortinet, then on the other side set up that port to pass all traffic directly to the WAN link. This is pretty much what we did, but we couldn't get it to work (well, HE couldn't get it to work, I sat by and just watched and took notes). He is calling back today after taking my configs and modeling in the lab, but if anyone has already done this, I'd love to know how you did it and what needed to be set up on both ends.
A few notes:
These fortigates are on different subnets; they do have a site-to-site VPN set up (but of course that will fail the minute the link goes down, as it's IP based).
I don't have any rules in place blocking any traffic between the two right now, and the tech set everything up with the two LAN ports having their own private subnet to talk to each other, which they do (i.e. ARP sees the other MAC on both sides, but they won't respond to ping).
that's all I can think of right now, if anyone has any answers or needs more info. just ask. I'm not a fortinet guru, but I'm relet
Hi @AmesIT,
So if WAN goes down, you want internet traffic to go through another FortiGate? Through a direct Ethernet connection? That should be a simple configuration. If it doesn't work, you need to collect a debug flow to see why. https://community.fortinet.com/t5/FortiGate/Troubleshooting-Tip-First-steps-to-troubleshoot-connecti...
Regards,
In my understanding, your connection is something like this.
Building B has the primary ISP and you want all traffic to fail over to FTT_Building_A when Building B's ISP goes down.
The configuration should consist of:
FGT A:
1. Firewall policy from Port2 going to WAN. Treat FGT_A Port2 as another LAN network.
FGT B:
** Follow the configuration stated in the guides below:
https://docs.fortinet.com/document/fortigate/7.4.3/administration-guide/360563/dual-internet-connect...
https://community.fortinet.com/t5/FortiGate/Technical-Tip-Detailed-Guide-on-dual-WAN-setup-for-targe...
1. Configure static default routes going to WAN and Port2. Port2 will be set with a higher priority.
*** Distance should be the same.
config router static
    edit 0
        set dst 0.0.0.0/0
        set priority 1
        set gateway <Gateway IP provided by ISP>
        set device "WAN"
    next
    edit 0
        set dst 0.0.0.0/0
        set gateway 192.168.2.1
        set priority 10
        set device "port2"
    next
end
Reference: https://community.fortinet.com/t5/FortiGate/Technical-Note-Routing-behavior-depending-on-distance-an...
2. Configure Link-Monitor. You should monitor the WAN interface.
3. Configure firewall policies. One for traffic from Building B LAN to WAN. Another firewall policy from Building B LAN to Port2.
4. Enable "snat-route-change"
config system global
    set snat-route-change enable
end
Reference: https://community.fortinet.com/t5/FortiGate/Troubleshooting-Tip-Routing-Changes-and-SNAT-snat-route-...
If failover is not successful even after this configuration, please follow the troubleshooting steps provided in the comment above by hbac.
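An added example (not from this thread or from Fortinet's guides) of the pieces the reply leaves to the linked documents: the link monitor on FGT B and the firewall policies on both sides, with FGT A's policy scoped to the link address instead of "all". Interface names, the probe target and 192.168.2.2 as FGT B's port2 address are assumptions.

```fortios
# ---- FGT B (Building B) ----
# Assumed names: "wan1" = ISP uplink, "port2" = cable to FGT A (192.168.2.0/24,
# FGT A = .1, FGT B = .2), "lan" = Building B LAN. Static routes and
# snat-route-change as in the reply above.
config system link-monitor
    edit "wan1-mon"
        set srcintf "wan1"
        set server "<ISP gateway or a reliable public IP>"
        set protocol ping
        set interval 1
        set failtime 5
        set recoverytime 5
        set update-static-route enable
    next
end
config firewall policy
    edit 0
        set name "lanB-to-port2-failover"
        set srcintf "lan"
        set dstintf "port2"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set nat enable
    next
end
# ---- FGT A (Building A) ----
# FGT B NATs to 192.168.2.2 on port2, so only that address needs to reach
# FGT A's WAN; scope the policy to it instead of "all".
config firewall address
    edit "FGT-B-link"
        set subnet 192.168.2.2 255.255.255.255
    next
end
config firewall policy
    edit 0
        set name "fgtB-link-to-wan1"
        set srcintf "port2"
        set dstintf "wan1"
        set srcaddr "FGT-B-link"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set nat enable
    next
end
```

With update-static-route enabled, a failed probe withdraws the wan1 default route so the port2 route (same distance, worse priority) takes over; check with `diagnose sys link-monitor status` and `get router info routing-table all`. The "ARP works but no ping" symptom in the original post is usually just `set allowaccess ping` missing on the port2 interface of one or both units.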
My network is the same, but I want LAN B to connect to LAN A (DMZ domain DC and Exchange Server 2019) only, no internet.
Copyright 2024 Fortinet, Inc. All Rights Reserved.