Hi!
I am in the process of configuring backup as shown in the link below.
https://cookbook.fortinet.com/redundant-internet-basic-failover-56/
Most of the traffic is going out via WAN1, but I have a policy route as well that says that all the traffic going to destinations X, Y, Z should go out via WAN2, and it works fine.
I was reading help site -> https://help.fortinet.com/fos50hlp/56/Content/FortiOS/fortigate-networking/Interfaces/Dual%20Interne...
and it is mentioned that when the second link is configured as failover then it will not route or respond to any traffic. Does this mean that if I configure my Dual WAN then my policy routing will stop working?
"When you have dual WAN interfaces that are configured to provide failover, you might not be able to connect to the backup WAN interface because the FortiGate unit may not route traffic (even responses) out of the backup interface. The FortiGate unit performs a reverse path lookup to prevent spoofed traffic. If an entry cannot be found in the routing table that sends the return traffic out the same interface, the incoming traffic is dropped."
I need to test, or you can do it yourself in a maintenance window, to tell the exact behavior for each fail-over case with a policy route. But the general idea is that a "policy route sticks" regardless of the circuit status. If you want to route to wan2 for specific destinations, and not for any other parameters, you should just use static routes.
As in the doc, link-monitor can remove static routes when the wan2 connection goes down, but not any policy routes. So when the wan2 connection goes down, those policy route destinations wouldn't fail over to wan1.
The note in the doc means the packets would be dropped if they are initiated from outside and come in on wan2, but the routing decision says the returning packet should go out via wan1, the so-called asymmetric routing. Setting routes with the same distance to both wan1 and wan2 but with different "priority" would mitigate the situation. If you have dial-up VPNs coming in to this FGT you should consider that option.
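The configuration the answer above describes, written out as an added example (not taken from the original thread or from Fortinet's cookbook): two default routes with the same distance so both stay active in the routing table (which is what the reverse-path check needs for replies out of wan2), a lower priority value on wan1 so normal outbound traffic prefers it, a static route for one specific destination via wan2 in place of the policy route, and a link-monitor on wan2 that withdraws the wan2 static routes when the link fails. Interface names, gateway addresses (RFC 5737 documentation ranges) and the destination prefix are constructed placeholders and must be replaced with your own values.

```fortios
# Added example, FortiOS 5.6 CLI syntax. All addresses below are constructed placeholders.
config router static
    # Default route via wan1: lower priority value = preferred when distances are equal
    edit 1
        set gateway 203.0.113.1
        set device "wan1"
        set distance 10
        set priority 5
    next
    # Default route via wan2: same distance keeps it in the routing table,
    # so return traffic for sessions arriving on wan2 passes the reverse-path check
    edit 2
        set gateway 198.51.100.1
        set device "wan2"
        set distance 10
        set priority 10
    next
    # Specific destination that should leave via wan2 (replaces the policy route).
    # Being more specific it wins over both defaults while wan2 is up, and it
    # disappears with the other wan2 routes when the link-monitor below fails.
    edit 3
        set dst 192.0.2.0 255.255.255.0
        set gateway 198.51.100.1
        set device "wan2"
        set distance 10
    next
end

config system link-monitor
    # Probes the wan2 next hop; on failure, static routes on wan2 are removed
    # and the 192.0.2.0/24 traffic falls back to the wan1 default route.
    edit "wan2-monitor"
        set srcintf "wan2"
        set server "198.51.100.1"
        set gateway-ip 198.51.100.1
        set update-static-route enable
    next
end
```

After applying this, `get router info routing-table all` should list both default routes (the wan2 one with the higher priority value) and the /24 via wan2; pulling the wan2 cable during a maintenance window should remove the wan2 entries and leave only the wan1 default, which is the failover behaviour the policy route could not give you.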