Hi,
I have a task to double check a Fortigate's configuration, the device is a 60F. This device has 2 WAN/ISP and obviously for failover in case the primary fails.
Recently, the primary did went down and all the users in the office didn't have internet connection, so was told by the onsite folks that the failover didn't kick in.
So I login to their Fortigate and the first thing I've check are the Network interfaces.
these are just sample IP's
WAN1: 76.22.33.44 /30 Static
WAN2: 192.168.100.x /24 DHCP
Internal: 10.10.1.0 /24
The first thing I noticed is WAN2 which has a class C IP and instead of Static, it's set to DHCP/Dynamic. Not sure if this was set by their previous IT before we took them.
Below the 2 WAN/Outside interfaces is an SD-WAN Zone link which links both WAN1 and WAN2
The next thing I check are the Static Routes both WAN1 and WAN2 have a default routes
WAN1: 0.0.0.0/0
76.22.33.43(GW IP)
Administrative Distance 10
Priority 1
WAN2: 0.0.0.0/0
Dynamic Gateway (192.168.100.1)
Administrative Distance 20
Priority 1
I don't know if the reason WAN2 is on class C ip is possibly it's connected to like a Cradlepoint/hotpspot from Verizon or AT&T or etc.
I do see Admin Distance one is lower and one is higher but I might be missing something to check
I also see a policy from internal to SD-WAN link for Outbound
I did ping from source WAN1 and WAN2 and only WAN1 is working so not sure if this is enough to answer my question but kind of paranoid and maybe I still missed something to check
Thanks
Jeff
Nominating a forum post submits a request to create a new Knowledge Article based on the forum post topic. Please ensure your nomination includes a solution within the reply.
AN SD-WAN interface is step one. You also need to define health checks and rules.
What version of FortiOS are you running? Here are docs for 7.0. You would do well to review them:
https://docs.fortinet.com/document/fortigate/7.0.9/administration-guide/431448/sd-wan-overview
Answer back here if you have any further specific questions.
I am also in the same boat, but I need to have fail-over and load-balancing.
I couldn't identify which strategy to select for Failover:
Should I select Best Quality or Lowert Cost (SLA)
Hi Amak,
What do you want for your usage?
Can you explain your need?
Best regards,
I need to have fail-over along with load balancing, my main ISP we have 15MB, and the secondary ISP we have 8MB speed. I need to have load-balancing when they are active, and fail-over when the Main is down.
Ok, for the implicit rule you can use mode source-dest-ip-based (Source Destination IP )
and for you sdwan rules the mode load-balance to have roundrobin beetween interface (maximize bandwith).
All SD-WAN rules have failover built-in (as long as you have multiple interfaces selected in the rule). So if you want load balancing and failover you just use Maximize Bandwidth and that will load balance your traffic across links. If one link fails, it will inherently failover to the other one.
Select Forum Responses to become Knowledge Articles!
Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.
User | Count |
---|---|
1502 | |
1013 | |
749 | |
443 | |
209 |
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Copyright 2024 Fortinet, Inc. All Rights Reserved.