I have three doubts that I would like some help with. Basically my problems boil down to: Routing, WAN LB and NAT.
1) ECMP in FortiOS 5.4 -> Apparently the ECMP Advanced Routing option has been removed from the GUI, and in its place is the option "WAN STATUS CHECK", which is used only for WanLB. Is that right? Is there any way to solve this via CLI by creating routes with equal cost - and using health check?
2) In other equipment (Cisco - Sonicwall) that I have worked with, I can create a "Probe" and put that probe on a static route, for example. This is useful when I have, for example, branch_A <-> VPN <-> FWL <-> SWC <-> MPLS <-> branch_A.
So I can monitor the MPLS link from branch_A, and in case MPLS drops, I reach it via VPN.
Can I resolve this with a static route and probe in FortiGate, or only with dynamic routing?
3) Output NAT in WanLB, with origin IP other than the WAN interface IP.
I need it so that when traffic goes out over WAN1, it uses an IP pool_A. When traffic goes out on WAN2, it uses a different IP pool (pool_B); for redundant MX (with a different IP address of the interface), for example.
1) OK... but it is bad. I have so many clients that use FortiGate for redundant links with MPLS (primary) and VPN (secondary). This option in the GUI is much easier to use.
2) If I use link monitor, the firewall will remove all routes from the interface, not only a branch_A router to the Switch Core. I really don't understand why FG does not use tracks/probes under static routes like Cisco, Sonicwall...
3) FortiGate support answered me that this is "possible". I am trying and it does not work... =(