Support Forum
capricorn80
New Contributor II

FortiGate Backup WAN and policy route

Hi!

I am in the process of configuring backup as shown in the link below.

https://cookbook.fortinet.com/redundant-internet-basic-failover-56/

Most of the traffic is going out via WAN1, but I have a policy route as well that says all traffic going to destinations X, Y, Z should go out via WAN2, and it works fine.

I was reading the help site -> https://help.fortinet.com/fos50hlp/56/Content/FortiOS/fortigate-networking/Interfaces/Dual%20Interne...

and it's mentioned that when the second link is configured as failover, then it will not route or respond to any traffic. Does this mean that if I configure my Dual WAN then my policy routing will stop working?

"When you have dual WAN interfaces that are configured to provide failover, you might not be able to connect to the backup WAN interface because the FortiGate unit may not route traffic (even responses) out of the backup interface. The FortiGate unit performs a reverse path lookup to prevent spoofed traffic. If an entry cannot be found in the routing table that sends the return traffic out the same interface, the incoming traffic is dropped."

Toshi_Esumi
Esteemed Contributor III

I need to test, or you can do it yourself in a maintenance window, to tell the exact behavior for each fail-over case with a policy route. But the general idea is "policy route sticks" regardless of the circuit status. If you want to route to wan2 for specific destinations, not any other parameters, you should just use static routes.

As in the doc, link-monitor can remove static routes when the wan2 connection goes down, but not any policy routes. So when the wan2 connection goes down, those policy route destinations wouldn't fail over to wan1.

The note in the doc means the packets would be dropped if a connection is initiated from outside and comes in on wan2, but the routing decision tells it that the returning packet should go out to wan1, so-called asymmetric routing. Setting the same distance routes to both wan1 and wan2 but with different "priority" would mitigate the situation. If you have dial-up VPNs coming in to this FGT you should consider the option.
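The following is an added example, not configuration from either poster, showing the two points made in the reply in FortiOS 5.6-style CLI: two default routes with the same distance but different priority (so both stay in the routing table and reverse-path lookup succeeds on wan2), a destination-specific static route used in place of the policy route, and a link monitor on wan2 that withdraws wan2's static routes when the probe fails. All addresses are constructed placeholders (RFC 5737 documentation ranges): 203.0.113.1 for the wan1 gateway, 198.51.100.1 for the wan2 gateway, and 192.0.2.0/24 standing in for the "X, Y, Z" destinations.

```text
# Added example (not from the thread). Constructed values:
#   wan1 gateway 203.0.113.1, wan2 gateway 198.51.100.1,
#   192.0.2.0/24 stands in for destinations X, Y, Z.

# 1. Two default routes, same distance, different priority.
#    Both remain in the routing table, so a reply to traffic that
#    arrived on wan2 has a matching route out wan2 (RPF check passes).
#    The lower priority value (wan1) is preferred for outbound traffic.
config router static
    edit 1
        set dst 0.0.0.0 0.0.0.0
        set gateway 203.0.113.1
        set device "wan1"
        set distance 10
        set priority 5
    next
    edit 2
        set dst 0.0.0.0 0.0.0.0
        set gateway 198.51.100.1
        set device "wan2"
        set distance 10
        set priority 10
    next
    # 2. Destination-specific static route instead of a policy route.
    #    It is more specific than the defaults, so it wins while wan2
    #    is up; unlike a policy route, link-monitor can withdraw it.
    edit 3
        set dst 192.0.2.0 255.255.255.0
        set gateway 198.51.100.1
        set device "wan2"
        set distance 10
    next
end

# 3. Link monitor on wan2. When the ping probe fails, the static routes
#    on wan2 are removed, and 192.0.2.0/24 falls back to the wan1
#    default route. A policy route would not be removed this way.
config system link-monitor
    edit "wan2-monitor"
        set srcintf "wan2"
        set server "198.51.100.1"
        set protocol ping
        set gateway-ip 198.51.100.1
        set interval 5
        set failtime 5
        set recoverytime 5
        set update-static-route enable
    next
end

# Checks: both default routes should be listed while wan2 is up,
# and the wan2 entries should disappear after a failover.
#   get router info routing-table all
# Any remaining policy routes are listed with:
#   diagnose firewall proute list
```

Test a failover in a maintenance window, as the reply suggests: pull the wan2 probe target (or the link) and confirm with `get router info routing-table all` that the wan2 default and the 192.0.2.0/24 route are withdrawn and traffic to that prefix now leaves via wan1. If an existing policy route to those destinations is left in place, it keeps steering traffic to wan2 during the outage, which is the behavior the reply warns about.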
