Greetings,
We moved the firmware to 5.0.10 from 5.0 and then to 5.2.2. Internet wasn't working on 5.2.2, hence we downgraded back to 5.0.10. All seems to work fine except that the internet is very slow. We have a 100 Mb connection, however we are hardly getting even 1 Mb.
We have two WAN lines: wan1 is a leased line for email traffic and wan2 (ADSL) is for internet. The FortiGate is connected to an ASA, and from the ASA via a switch to the internet network.
Any advice on what needs to be checked is highly appreciated.
I have tried connecting a laptop directly to the line and the speed is OK. I also ran a diag deviceinfo command on wan2 for the ADSL and didn't see any packet errors in the output.
I checked the routing policy. It seems the FortiGate is taking only a single route, and that is to the leased line only. The ADSL is not being used at all. How can I detect the ADSL route on the firewall and set the distance and priority?
Good to see someone using diag debug flow.
For starters can we get the following outputs?
get router policy
get router info kernel
get router info routing-table all
But basically you can set the route priority of two like routes via the CLI:
    config router static
        edit 1
            set device wan1
            set gateway 111.111.111.11
            set dst 10.0.0.0 24
            set priority 10
        next
        edit 2
            set device wan2
            set gateway 111.111.111.11
            set dst 10.0.0.0 24
            set priority 15
    end
The latter would not be active in the route table. The get router kernel will quickly show the priorities:
    get router info kernel | grep -v prio=0
Thanks and has been corrected
PCNSE
NSE
StrongSwan
You've got to set the distance parameter on both routes equal, e.g. to 10.
This way, both default routes will show up in the Routing Monitor and thus be usable.
For the ADSL line (wan2) I assume that wan2 is configured for PPPoE. Then the distance (and priority) parameters are set in the interface setup, not with the routes.
You can always check both distance and priority in the Routing Monitor (enable the Priority column to show in the Column setup). Of course, if the route is not active you cannot see and compare it.
Next, set the priority of the preferred WAN line lower than on the less preferred line ("priority" in Fortinet speak means "cost"). Thus, all traffic will prefer only one default route.
Now with wan2 having a lower priority there will be no traffic using wan1 voluntarily. That's OK. To force traffic out one interface even in contradiction to static routes you need to create a Policy Route for this traffic. In your case, email traffic is using special "well known" ports on TCP (for POP3, IMAP, SMTP, POP3S, IMAPS, SMTPS). Get these and configure Policy Routes specifying this traffic to leave on wan1.
That's all.
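The steps above, put together as one FortiOS CLI configuration. This is an added example, not code from any poster in this thread; the gateway addresses, the LAN interface name "internal" and the FortiOS 5.x syntax are assumptions.

```text
# Added example, not from any post in this thread. Assumed: gateway addresses,
# LAN interface name "internal", FortiOS 5.x CLI.
# Both default routes get the same distance so both stay installed; the lower
# priority value wins, so wan2 (ADSL) carries general internet traffic.
config router static
    edit 1
        set dst 0.0.0.0 0.0.0.0
        set device "wan1"
        set gateway 203.0.113.1
        set distance 10
        set priority 10
    next
    edit 2
        set dst 0.0.0.0 0.0.0.0
        set device "wan2"
        set gateway 198.51.100.1
        set distance 10
        set priority 5
    next
end
# If wan2 is PPPoE the default route comes from the interface; set the
# values there and drop the wan2 entry above.
config system interface
    edit "wan2"
        set distance 10
        set priority 5
    next
end
# Policy routes win over the static routes, so mail traffic leaves on wan1.
# Protocol 6 is TCP; ports: SMTP 25, POP3 110, IMAP 143, SMTPS 465,
# IMAPS 993, POP3S 995.
config router policy
    edit 1
        set input-device "internal"
        set protocol 6
        set start-port 25
        set end-port 25
        set output-device "wan1"
        set gateway 203.0.113.1
    next
    edit 2
        set input-device "internal"
        set protocol 6
        set start-port 110
        set end-port 110
        set output-device "wan1"
        set gateway 203.0.113.1
    next
    edit 3
        set input-device "internal"
        set protocol 6
        set start-port 143
        set end-port 143
        set output-device "wan1"
        set gateway 203.0.113.1
    next
    edit 4
        set input-device "internal"
        set protocol 6
        set start-port 465
        set end-port 465
        set output-device "wan1"
        set gateway 203.0.113.1
    next
    edit 5
        set input-device "internal"
        set protocol 6
        set start-port 993
        set end-port 993
        set output-device "wan1"
        set gateway 203.0.113.1
    next
    edit 6
        set input-device "internal"
        set protocol 6
        set start-port 995
        set end-port 995
        set output-device "wan1"
        set gateway 203.0.113.1
    next
end
# Check the result: both default routes with equal distance, differing priority.
get router info routing-table all
get router info kernel | grep -v prio=0
get router policy
```

The policy routes match on destination port only; if the mail server's address is known, adding a `set dst` line to each entry narrows them so that unrelated traffic on those ports is not pulled onto wan1. After applying, the routing table output should list both 0.0.0.0/0 entries; if only one appears, the distances still differ.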
Hi, the traffic is going through wan1 and wan2 is not being utilized at all. I did a diag debug flow and packet sniffer to confirm. How can I rectify this? This is what I did:
Unplugged wan1; the wan2 static route gets automatically added and shows a distance of 0, 0. When I plug wan1 back in, the distance is 1 and the priority is 0. How can I make the distance the same for both, change wan2 to a lower priority and wan1 to a higher one, and have the policy-based route used?
All internet traffic gets NATed to x.x.44.249 and should go to wan2; that's the policy route. Everything else should go to wan1. However, it is not working.
No technical complaints with the substance of your post, emnoc - just a literary nag pointing out a typo:
you mean 'next' instead of 'end' to modify sequential route entries.
Aside from that, follow what emnoc says! (that's always good advice)
Good to see someone using diag debug flow.
For starters can we get the following outputs?
get router policy
get router info kernel
get router info routing-table all
But basically you can set the route priority of two like routes via the CLI:
    config router static
        edit 1
            set device wan1
            set gateway 111.111.111.11
            set dst 10.0.0.0 24
            set priority 10
        end
        edit 2
            set device wan2
            set gateway 111.111.111.11
            set dst 10.0.0.0 24
            set priority 15
    end
The latter would not be active in the route table. The get router kernel will quickly show the priorities:
    get router info kernel | grep -v prio=0
Regards, Chris McMullan Fortinet Ottawa
Copyright 2024 Fortinet, Inc. All Rights Reserved.