TSC_JEFF
New Contributor II

Failover ISP

Hi,

 

I have a task to double-check a FortiGate's configuration; the device is a 60F. This device has 2 WAN/ISP links, obviously for failover in case the primary fails.

 

Recently, the primary did go down and all the users in the office didn't have an internet connection, so I was told by the onsite folks that the failover didn't kick in.

 

So I logged in to their FortiGate and the first thing I checked was the network interfaces.

 

These are just sample IPs:

WAN1: 76.22.33.44 /30 Static 

WAN2: 192.168.100.x /24 DHCP

Internal: 10.10.1.0 /24

 

The first thing I noticed is WAN2 which has a class C IP and instead of Static, it's set to DHCP/Dynamic. Not sure if this was set by their previous IT before we took them.

 

Below the 2 WAN/outside interfaces is an SD-WAN zone link which links both WAN1 and WAN2.

 

The next thing I checked was the static routes; both WAN1 and WAN2 have a default route:

WAN1: 0.0.0.0/0, gateway 76.22.33.43 (GW IP), Administrative Distance 10, Priority 1

WAN2: 0.0.0.0/0, Dynamic Gateway (192.168.100.1), Administrative Distance 20, Priority 1

 

I don't know if the reason WAN2 is on a class C IP is possibly that it's connected to something like a Cradlepoint/hotspot from Verizon or AT&T, etc.

 

I do see Admin Distance one is lower and one is higher but I might be missing something to check

I also see a policy from internal to SD-WAN link for Outbound

 

I did ping from source WAN1 and WAN2 and only WAN1 is working so not sure if this is enough to answer my question but kind of paranoid and maybe I still missed something to check

 

Thanks

Jeff

 

gfleming
Staff

An SD-WAN interface is step one. You also need to define health checks and rules.

 

What version of FortiOS are you running? Here are docs for 7.0. You would do well to review them:

 

https://docs.fortinet.com/document/fortigate/7.0.9/administration-guide/431448/sd-wan-overview

Answer back here if you have any further specific questions.

Cheers,
Graham
AMAK
New Contributor III

I am also in the same boat, but I need to have fail-over and load-balancing.

 

I couldn't identify which strategy to select for failover:

Should I select Best Quality or Lowest Cost (SLA)?

Julien87
Contributor II

Hi Amak,

What do you want for your usage?

Can you explain your need?

 

Best regards,

Julien
AMAK
New Contributor III

I need to have fail-over along with load balancing. On my main ISP we have 15MB, and on the secondary ISP we have 8MB speed. I need to have load-balancing when they are active, and fail-over when the main is down.

 

Julien87
Contributor II

OK, for the implicit rule you can use mode source-dest-ip-based (Source Destination IP),

and for your SD-WAN rules the mode load-balance to have round-robin between interfaces (maximize bandwidth).

 

https://docs.fortinet.com/document/fortigate/7.2.4/administration-guide/708464/maximize-bandwidth-sl... 

Julien
gfleming

All SD-WAN rules have failover built-in (as long as you have multiple interfaces selected in the rule). So if you want load balancing and failover you just use Maximize Bandwidth and that will load balance your traffic across links. If one link fails, it will inherently failover to the other one.

Cheers,
Graham
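
The pieces named in the replies above (health check, implicit-rule mode, and a Maximize Bandwidth rule with both members), put together as a FortiOS 7.0/7.2 CLI sketch. This is an added example, not configuration posted by anyone in the thread or taken from the Fortinet documentation. The interface names, member numbers, object names, SLA thresholds and the probe address 192.0.2.53 are assumptions; the gateway is the sample value from the original post.

```text
# Added example. Names, thresholds and the probe server are constructed placeholders.
config system sdwan
    set status enable
    # Implicit rule: hash on source + destination IP
    set load-balance-mode source-dest-ip-based
    config members
        edit 1
            set interface "wan1"
            set gateway 76.22.33.43
        next
        edit 2
            # DHCP interface: gateway is learned dynamically
            set interface "wan2"
        next
    end
    config health-check
        edit "Internet_Probe"
            # Replace with a reachable probe target beyond the ISP gateway
            set server "192.0.2.53"
            set protocol ping
            set members 1 2
            config sla
                edit 1
                    set latency-threshold 250
                    set jitter-threshold 50
                    set packetloss-threshold 5
                next
            end
        next
    end
    config service
        edit 1
            set name "Outbound_LB"
            # Maximize Bandwidth (SLA): balance across members that meet the SLA
            set mode load-balance
            set src "all"
            set dst "all"
            config sla
                edit "Internet_Probe"
                    set id 1
                next
            end
            set priority-members 1 2
        next
    end
end
```

After applying a configuration like this, `diagnose sys sdwan health-check` shows whether each member is passing the probe, and `get router info routing-table all` shows which default routes are actually installed.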