- Forums
- Knowledge Base
- Customer Service
- FortiGate
- FortiClient
- FortiAP
- FortiAnalyzer
- FortiADC
- FortiAuthenticator
- FortiBridge
- FortiCache
- FortiCarrier
- FortiCASB
- FortiConnect
- FortiConverter
- FortiCNP
- FortiDAST
- FortiDDoS
- FortiDB
- FortiDNS
- FortiDeceptor
- FortiDevSec
- FortiDirector
- FortiEDR
- FortiExtender
- FortiGate Cloud
- FortiGuard
- FortiHypervisor
- FortiInsight
- FortiIsolator
- FortiMail
- FortiManager
- FortiMonitor
- FortiNAC
- FortiNAC-F
- FortiNDR (on-premise)
- FortiNDRCloud
- FortiPAM
- FortiPortal
- FortiProxy
- FortiRecon
- FortiRecorder
- FortiSandbox
- FortiSASE
- FortiScan
- FortiSIEM
- FortiSOAR
- FortiSwitch
- FortiTester
- FortiToken
- FortiVoice
- FortiWAN
- FortiWeb
- Wireless Controller
- RMA Information and Announcements
- FortiCloud Products
- ZTNA
- 4D Documents
- Customer Service
- Community Groups
- Blogs
Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
- Fortinet Community
- Forums
- Support Forum
- Failover WAN service
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark
- Subscribe
- Mute
- Printer Friendly Page
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Failover WAN service
Hello,
I'm using OS 5.4 on a 100D and the documentation / video support is somewhat vague when it comes to the WAN LLB configuration.
What I am trying to achieve is basically setup a failover WAN connection, WAN1 as primary and WAN2 as secondary.
It appears I can only use weighted options. So, in theory, I'll set WAN1 to 100% weight and WAN2 to 0% guessing that if WAN1 goes down WAN2 will take over.
Now the caveat, let's say I wanted to send specific traffic (VoIP) in/out WAN2 only, what would be the best solution?
Which "Load Balancing Algorithm" would be the best choice (Volume, Sessions, Spillover, Source-DestinationIP or SourceIP)?
Is the WAN LLB also aware if the WAN2 interface is down to failover to WAN1?
I have tired configuring with WAN LLB Rule to send a source address going to a destination address out the WAN2 interface and tried configuring a Policy route with the same but doesn't seem to work. When I have the above configurations set traceroute still shows traffic going out the WAN1 interface.
I have WAN1 and WAN2 configured to 2 separate ISPs
There are Static routes for each WAN interface
The WAN LLB is set to Volume with WAN1@100% and WAN2@0%
WAN LLB Rule is configured to send traffic from Source Address X to Destination Address Y and Any Protocol out WAN2 interface.
Finally, I do have some Policy Objects that basically repeat the WAN LLB Rule but selects the wan-load-balance interface as the Outgoing Interface.
Any suggestions?
Labels:
- Labels:
-
5.4
3 REPLIES 3
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hello
I was stuck with the same config. If you set the weight to 0 for any wan interface,, fortigate turns down that wan interface. Even the VIP created for that interface does not work.
Work around would be to give minimum weight to that interface. For eg. 100 to wan1 and 1 to Wan2.
Solution : Change the priority for wan2 interface from cli
config system virtual-wan-link
config members
edit wan2(no.)
set priority 20
end
end
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thank you so much for the suggestion.
I'm going to give it a try later today.
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
For such cases, I haven't used any specific load-balancing method but just that the routing table has 0.0.0.0/0 twice, for primary isp interface distance 10 priority 10, for secondary distance 10 priority 20 -- in the case where I want to use both at the same time. And then, if the second ISP is not acting as backup for the first, I can use policy routes to send specific traffic through specific interface, or use the other interface eg for (some) ipsec tunnels. But if one isp internet goes down, then it depends on policy route details and other configuration if continue working or not.
For the rest of the configuration, let's say outgoing internet, I have zone called untrust and both isp's interfaces are members of that zone.
Related Posts
- SD-WAN Rule Best quality with Packet... 75 Views
- Connection from VLAN to VIP does... 218 Views
- FortiGate diag log test question 112 Views
- Internet Service Database Policy Placement 92 Views
- Captive portal issue - fails to... 184 Views
Labels
-
FortiGate
6,717 -
FortiClient
1,337 -
5.2
801 -
5.4
639 -
FortiManager
578 -
FortiAnalyzer
422 -
6.0
416 -
5.6
362 -
FortiSwitch
345 -
FortiAP
342 -
FortiClient EMS
273 -
FortiMail
261 -
6.2
251 -
FortiAuthenticator v5.5
234 -
5.0
196 -
FortiWeb
159 -
6.4
128 -
FortiNAC
110 -
FortiGuard
106 -
FortiSIEM
92 -
FortiGateCloud
87 -
FortiCloud Products
85 -
IPsec
82 -
FortiToken
73 -
Customer Service
70 -
SSL-VPN
67 -
4.0MR3
64 -
Wireless Controller
61 -
FortiProxy
46 -
FortiADC
44 -
FortiEDR
41 -
Fortivoice
41 -
FortiGate v5.4
34 -
FortiDNS
34 -
FortiExtender
33 -
FortiSandbox
31 -
FortiSwitch v6.4
30 -
Firewall policy
30 -
SD-WAN
30 -
High Availability
24 -
FortiConnect
24 -
FortiAuthenticator
22 -
VLAN
22 -
FortiWAN
22 -
FortiConverter
21 -
ZTNA
20 -
FortiPortal
18 -
FortiSwitch v6.2
16 -
FortiGate v5.2
16 -
Certificate
16 -
FortiMonitor
14 -
SAML
14 -
Interface
14 -
BGP
13 -
DNS
13 -
FortiGate v5.0
13 -
FortiDDoS
13 -
Logging
13 -
LDAP
12 -
Routing
12 -
FortiCASB
12 -
VDOM
12 -
fortilink
11 -
RADIUS
10 -
Virtual IP
10 -
FortiRecorder
10 -
FortiWeb v5.0
9 -
Authentication
9 -
FortiManager v5.0
9 -
NAT
9 -
4.0MR2
9 -
SSID
8 -
SSL SSH inspection
8 -
Traffic shaping
8 -
SSO
8 -
Application control
8 -
RMA Information and Announcements
7 -
FortiSOAR
7 -
FortiAnalyzer v5.0
7 -
FortiGate v4.0 MR3
7 -
Admin
7 -
4.0
7 -
IP address management - IPAM
7 -
Security profile
6 -
FortiBridge
6 -
Fortigate Cloud
6 -
SNMP
6 -
Proxy policy
5 -
Traffic shaping policy
5 -
FortiAP profile
5 -
Web application firewall profile
5 -
Web profile
5 -
FortiTester
5 -
FortiManager v4.0
5 -
Static route
5 -
FortiDirector
4 -
IPS signature
4 -
Packet capture
4 -
Antivirus profile
4 -
Automation
4 -
WAN optimization
4 -
DNS Filter
4 -
FortiCarrier
4 -
FortiCache
4 -
OSPF
4 -
3.6
4 -
FortiScan
4 -
Port policy
4 -
FortiToken Cloud
3 -
DoS policy
3 -
Email filter profile
3 -
Intrusion prevention
3 -
FortiDB
3 -
trunk
3 -
FortiDeceptor
2 -
System settings
2 -
FortiInsight
2 -
NAC policy
2 -
Fortinet Engage Partner Program
2 -
Traffic shaping profile
2 -
FortiPAM
2 -
VoIP profile
2 -
FortiAI
2 -
FortiHypervisor
2 -
Netflow
2 -
Protocol option
2 -
4.0MR1
1 -
Users
1 -
TACACS
1 -
Replacement messages
1 -
Subscription Renewal Policy
1 -
Schedule
1 -
FortiCWP
1 -
FortiNDR
1 -
SDN connector
1 -
Application signature
1 -
Authentication rule and scheme
1 -
FortiManager-VM
1 -
Web rating
1 -
Internet Service Database
1 -
Fabric connector
1 -
Multicast routing
1 -
Explicit proxy
1 -
Zone
1
Broad. Integrated. Automated.
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Security Research
Company
News & Articles
Copyright 2024 Fortinet, Inc. All Rights Reserved.