Hello,
I have an issue that is not so common, so I will first explain the scenario:
- It is a Fortigate 100E with firmware version 5.6.6
- We have 2 different ISP connected to WAN1 and WAN2
- There is a kind of load balance by content, just with policy routes
- SD-Wan is not configured
- There are rules for WAN1 and rules for WAN2
- There are static routes and policy routes for WAN1 and WAN2
Now, we need to add another 2 ISPs in different interfaces (example: Port2 and Port3)
We need everyone, as now, to keep using the current settings (without any change at all).
But we need to load balance between Port2 and Port3 just for some IPs (only some IPs should go out through Port2 or Port3).
If I create a SD-Wan, I have the following issues:
- I cannot create a static route because creating static routes for SD-WAN and non-SD-WAN interfaces is not allowed.
- I cannot create a policy route because it does not allow me to select the SD-WAN as the destination interface.
I could add another device to do the load balancing, but I would prefer to make it work with the current hardware.
Any idea?
Regards,
Damián
If you are not balancing multiple interfaces pseudo-randomly by pointing default routes to all of them, and instead are setting specific destination groups to go to specific interfaces, that's usually not called load balancing. It's just specific routing toward multiple internet interfaces. You can keep doing it the same way regardless of the number of interfaces.
But even with SD-WAN, you can do the same with default routes going to all member interfaces. Despite your statement, you can set specific (static) routes toward one of the SD-WAN member interfaces if you really want. But you can limit the member interfaces, like specifying only one, in the SD-WAN rule (GUI; in the CLI it's called "config service" under "config sys virtual-wan-link") to limit where to go for specific destinations, sources, protocols, etc., just like policy routes, while all other traffic can be "load-balanced".
As a matter of fact, an FTNT SE called those rules "policy routes" when he explained SD-WAN in a tech refresher seminar.
The hardest part is to remove all references to the member interfaces in the current config in order to form the SD-WAN interface. It's almost equivalent to configuring from scratch.
I think I got it.
This should be everything going through 1 SD-WAN with multiple WANs using SD-WAN rules, or through different interfaces using policy routes or static routes + firewall policies.
Thanks a lot
By the way, it's possible to go hybrid as well: some members in SD-WAN and others independent.
How can I do this if I cannot create routes?
The FortiGate does not allow me to create routes with the SD-WAN (static or policy).
For static routes, you might need to go to CLI and disable SD-WAN routing for the specific route.
config router static
    edit N
        set virtual-wan-link disable
    next
end
For general policies, you just need to allow it toward the SD-WAN. Then in the rule, you can specify the interface(s) in the preference. I hope this is the same with 5.6. Mine is 6.0.7. If not, you might need to upgrade yours. With 6.2, they added more visibility of the statistics on SD-WAN members in GUI.
I just checked mine and found "virtual-wan-link disable" was the default when you create a new static route in the CLI.
I recommend you play around only with the new ISP interfaces so that you can see what you can do and what you can't.
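As an added example (not code from the thread or from Fortinet), here is the hybrid layout toshiesumi describes in FortiOS 6.0-series CLI: WAN1/WAN2 keep their existing policy routes, only port2 and port3 become SD-WAN members, an SD-WAN rule limits one kind of traffic from the selected hosts to a single member, and a static route with virtual-wan-link disable bypasses SD-WAN for one prefix. The address object, interface names, prefixes and gateways are constructed placeholders, and the keywords should be checked against the 5.6 CLI reference before use.

```fortios
# Added example with constructed placeholder names, prefixes and gateways;
# keyword names follow the FortiOS 6.0-series CLI reference.
config firewall address
    edit "sdwan-hosts"
        set subnet 10.10.20.0 255.255.255.0
    next
end
config system virtual-wan-link
    set status enable
    # sessions not matched by a rule below are spread over both members by source IP
    set load-balance-mode source-ip-based
    config members
        edit 1
            set interface "port2"
            set gateway 203.0.113.1
        next
        edit 2
            set interface "port3"
            set gateway 198.51.100.1
        next
    end
    # the "policy route"-like rule: HTTPS from sdwan-hosts may only use member 1 (port2)
    config service
        edit 1
            set name "https-via-port2"
            set mode manual
            set src "sdwan-hosts"
            set dst "all"
            set protocol 6
            set start-port 443
            set end-port 443
            set priority-members 1
        next
    end
end
config router static
    # default route owned by SD-WAN; it covers both members
    edit 10
        set virtual-wan-link enable
    next
    # plain static route to one member that bypasses SD-WAN (the CLI-only setting above)
    edit 11
        set dst 192.0.2.0 255.255.255.0
        set gateway 198.51.100.1
        set device "port3"
        set virtual-wan-link disable
    next
end
```

A firewall policy from the LAN interface with srcaddr "sdwan-hosts" and dstintf "virtual-wan-link" (not port2 or port3) is still needed for the traffic to pass; lines starting with # are explanatory comments.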
toshiesumi wrote:
I just checked mine and found "virtual-wan-link disable" was the default when you create a new static route in the CLI.
I recommend you play around only with the new ISP interfaces so that you can see what you can do and what you can't.
Can you load balance two ISP circuits on a single device with an SD-WAN interface when each ISP gives you 4 addresses to use for resources? I have a remote site where I need to get 2 circuits installed for primary and backup.
Those additional IPs (say IPs from ISP1) wouldn't work well if you route packets sourced with those IPs toward the other ISP (ISP2), especially when ISP1's circuit is down, because the super subnet ISP1 owns, which includes those IPs, is advertised from ISP1 and eventually reaches ISP2 over the Internet. ISP2 would route returning traffic destined to those IPs toward ISP1, never back to your circuit.
In addition, when ISP1's circuit is still up but your SD-WAN decides to use the ISP2 circuit to send some specific traffic out, you then get the replies on ISP1's circuit. This is so-called "asymmetric routing", which the FGT will block.