- Forums
- Knowledge Base
- Customer Service
- FortiGate
- FortiClient
- FortiAP
- FortiAnalyzer
- FortiADC
- FortiAuthenticator
- FortiBridge
- FortiCache
- FortiCarrier
- FortiCASB
- FortiConnect
- FortiConverter
- FortiCNP
- FortiDAST
- FortiDDoS
- FortiDB
- FortiDNS
- FortiDeceptor
- FortiDevSec
- FortiDirector
- FortiEDR
- FortiExtender
- FortiGate Cloud
- FortiGuard
- FortiHypervisor
- FortiInsight
- FortiIsolator
- FortiMail
- FortiManager
- FortiMonitor
- FortiNAC
- FortiNAC-F
- FortiNDR (on-premise)
- FortiNDRCloud
- FortiPAM
- FortiPortal
- FortiProxy
- FortiRecon
- FortiRecorder
- FortiSandbox
- FortiSASE
- FortiScan
- FortiSIEM
- FortiSOAR
- FortiSwitch
- FortiTester
- FortiToken
- FortiVoice
- FortiWAN
- FortiWeb
- Wireless Controller
- RMA Information and Announcements
- FortiCloud Products
- ZTNA
- 4D Documents
- Customer Service
- Community Groups
- Blogs
Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
- Fortinet Community
- Forums
- Support Forum
- Fortigate and WAN interfaces
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark
- Subscribe
- Mute
- Printer Friendly Page
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Fortigate and WAN interfaces
hello,
I have questions regarding SD-WAN Config.
I have two WAN interface from two different ISP (ISP1 (as main, subnet 176.x.x.x) and ISP2 (as backup, 96.x.x.x subnet). They are combined in SDWAN, ant there is SLA which check if ISP1 is OK, if not switch to ISP2.
Question 1
When ISP1 is down, all incomming connections to our services will be down quickly, or sessions must expire to allow new sessions to be up again using ISP2 ?? If yes, how long it takes in default ?
From ISP1 we bought IP public pool (88.x.x.x), and this pool is regitered in RIPE for us, and our partners can use these IPs to access to our services in DMZ, but when ISP1 is down, no possible for our partners to connect.
Question 2.
If his pool is registerd for us shouldn't be possible to connect from outside by ISP2 to our resoures???
Thanks
Solved! Go to Solution.
Labels:
- Labels:
-
FortiGate
1 Solution
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
SD-WAN (Software-Defined Wide Area Network) is a great technology for managing multiple WAN connections, providing path selection, and ensuring application performance. Let's answer your questions:
Question 1: When the primary WAN link (ISP1) goes down, the SD-WAN solution will detect the failure (usually very quickly, within seconds) and will switch over to the secondary WAN link (ISP2) based on the SLA you've configured. Existing sessions may be dropped or interrupted depending on how the SD-WAN solution handles failover, but new sessions will begin utilizing ISP2. How long this takes in default varies by vendor and specific SD-WAN solution, but it's typically in the range of seconds.
However, the challenge here is for incoming connections, especially when DNS or other mechanisms are pointing to your public IP address pool from ISP1. Even if SD-WAN switches the outbound traffic to ISP2, incoming traffic still tries to reach you via ISP1 unless there are some changes in DNS or routing to accommodate the new path.
Question 2: Just because an IP pool (e.g., 88.x.x.x) is registered for you in RIPE doesn't mean it's automatically routable via ISP2. The routing of that IP pool on the global internet depends on BGP advertisements. When you work with ISP1, they advertise your IP range to the rest of the internet. If ISP1 goes down, those BGP advertisements will be withdrawn, and the IP range becomes unreachable.
To make the 88.x.x.x pool reachable via ISP2 when ISP1 is down, you'd need a few things:
- BGP Setup with Both ISPs: You'll need to set up BGP peering with both ISPs and have the capability to advertise the 88.x.x.x range to both ISPs.
- ASN: If you don't already have one, you'd need your Autonomous System Number (ASN). With your ASN, you can announce your IP space via BGP to both ISPs.
- BGP Configuration: You'd need to design and configure BGP in such a way that ISP1 is the preferred path for the 88.x.x.x range, and ISP2 is the backup. This can be achieved using BGP attributes like AS path prepending, MED (Multi Exit Discriminator), etc.
- ISP Agreement: Both ISPs must agree to allow you to advertise the IP space. Not all ISPs will allow you to advertise IP space that isn't directly allocated by them.
If you don't have BGP and these mechanisms in place, then even if ISP1 goes down, the internet will still try to route traffic destined for the 88.x.x.x range via ISP1, and it will be unreachable.
It's a bit complex but achievable with the right setup. If you're looking to implement this, consider consulting with a network professional familiar with BGP and multi-homing setups.
Siddhanth Poojary
2 REPLIES 2
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
SD-WAN (Software-Defined Wide Area Network) is a great technology for managing multiple WAN connections, providing path selection, and ensuring application performance. Let's answer your questions:
Question 1: When the primary WAN link (ISP1) goes down, the SD-WAN solution will detect the failure (usually very quickly, within seconds) and will switch over to the secondary WAN link (ISP2) based on the SLA you've configured. Existing sessions may be dropped or interrupted depending on how the SD-WAN solution handles failover, but new sessions will begin utilizing ISP2. How long this takes in default varies by vendor and specific SD-WAN solution, but it's typically in the range of seconds.
However, the challenge here is for incoming connections, especially when DNS or other mechanisms are pointing to your public IP address pool from ISP1. Even if SD-WAN switches the outbound traffic to ISP2, incoming traffic still tries to reach you via ISP1 unless there are some changes in DNS or routing to accommodate the new path.
Question 2: Just because an IP pool (e.g., 88.x.x.x) is registered for you in RIPE doesn't mean it's automatically routable via ISP2. The routing of that IP pool on the global internet depends on BGP advertisements. When you work with ISP1, they advertise your IP range to the rest of the internet. If ISP1 goes down, those BGP advertisements will be withdrawn, and the IP range becomes unreachable.
To make the 88.x.x.x pool reachable via ISP2 when ISP1 is down, you'd need a few things:
- BGP Setup with Both ISPs: You'll need to set up BGP peering with both ISPs and have the capability to advertise the 88.x.x.x range to both ISPs.
- ASN: If you don't already have one, you'd need your Autonomous System Number (ASN). With your ASN, you can announce your IP space via BGP to both ISPs.
- BGP Configuration: You'd need to design and configure BGP in such a way that ISP1 is the preferred path for the 88.x.x.x range, and ISP2 is the backup. This can be achieved using BGP attributes like AS path prepending, MED (Multi Exit Discriminator), etc.
- ISP Agreement: Both ISPs must agree to allow you to advertise the IP space. Not all ISPs will allow you to advertise IP space that isn't directly allocated by them.
If you don't have BGP and these mechanisms in place, then even if ISP1 goes down, the internet will still try to route traffic destined for the 88.x.x.x range via ISP1, and it will be unreachable.
It's a bit complex but achievable with the right setup. If you're looking to implement this, consider consulting with a network professional familiar with BGP and multi-homing setups.
Siddhanth Poojary
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Related Posts
- Fortigate send UDP 8014 packets on... 41 Views
- Buy second hand Fortigate 8xE 110 Views
- FG 60F fails to proceed CoA... 121 Views
- L2 vpn over Internet with Fortigate... 85 Views
- FortiNAC not responding to PA connections 177 Views
Labels
-
FortiGate
6,566 -
FortiClient
1,308 -
5.2
801 -
5.4
639 -
FortiManager
566 -
6.0
416 -
FortiAnalyzer
415 -
5.6
362 -
FortiSwitch
336 -
FortiAP
336 -
FortiClient EMS
267 -
6.2
251 -
FortiMail
243 -
FortiAuthenticator v5.5
234 -
5.0
196 -
FortiWeb
151 -
6.4
128 -
FortiNAC
108 -
FortiGuard
102 -
FortiSIEM
89 -
FortiGateCloud
87 -
FortiCloud Products
84 -
IPsec
73 -
FortiToken
71 -
Customer Service
70 -
4.0MR3
64 -
SSL-VPN
61 -
Wireless Controller
58 -
FortiProxy
45 -
FortiADC
43 -
Fortivoice
41 -
FortiEDR
39 -
FortiGate v5.4
34 -
FortiDNS
34 -
FortiExtender
32 -
FortiSandbox
31 -
FortiSwitch v6.4
28 -
SD-WAN
25 -
Firewall policy
24 -
FortiConnect
24 -
FortiWAN
22 -
VLAN
21 -
FortiConverter
21 -
High Availability
20 -
FortiPortal
18 -
ZTNA
16 -
FortiSwitch v6.2
16 -
FortiGate v5.2
16 -
FortiAuthenticator
15 -
FortiMonitor
14 -
Certificate
14 -
DNS
13 -
FortiDDoS
13 -
SAML
12 -
BGP
12 -
FortiGate v5.0
12 -
Routing
12 -
Interface
12 -
FortiCASB
12 -
Logging
11 -
LDAP
10 -
Virtual IP
10 -
FortiRecorder
10 -
VDOM
10 -
FortiWeb v5.0
9 -
FortiManager v5.0
9 -
NAT
9 -
4.0MR2
9 -
RADIUS
8 -
Traffic shaping
8 -
SSID
7 -
RMA Information and Announcements
7 -
FortiSOAR
7 -
SSL SSH inspection
7 -
fortilink
7 -
FortiAnalyzer v5.0
7 -
FortiGate v4.0 MR3
7 -
Admin
7 -
IP address management - IPAM
7 -
4.0
7 -
Security profile
6 -
Authentication
6 -
FortiBridge
6 -
Fortigate Cloud
6 -
SSO
6 -
Traffic shaping policy
5 -
SNMP
5 -
Application control
5 -
FortiManager v4.0
5 -
Static route
5 -
FortiDirector
4 -
Proxy policy
4 -
packet capture
4 -
WAN optimization
4 -
Web application firewall profile
4 -
Automation
4 -
DNS Filter
4 -
FortiTester
4 -
FortiCarrier
4 -
FortiCache
4 -
OSPF
4 -
3.6
4 -
Port policy
4 -
FortiScan
4 -
IPS signature
3 -
FortiToken Cloud
3 -
FortiAP profile
3 -
Web profile
3 -
DoS policy
3 -
Intrusion prevention
3 -
FortiDB
3 -
FortiDeceptor
2 -
FortiInsight
2 -
NAC policy
2 -
Antivirus profile
2 -
VoIP profile
2 -
Traffic shaping profile
2 -
FortiPAM
2 -
FortiAI
2 -
FortiHypervisor
2 -
Netflow
2 -
trunk
2 -
Fortinet Engage Partner Program
2 -
4.0MR1
1 -
TACACS
1 -
Users
1 -
Schedule
1 -
SDN connector
1 -
Subscription Renewal Policy
1 -
FortiCWP
1 -
FortiNDR
1 -
Application signature
1 -
Authentication rule and scheme
1 -
Web rating
1 -
FortiManager-VM
1 -
Email filter profile
1 -
Multicast routing
1 -
Internet Service Database
1 -
Zone
1 -
Explicit proxy
1 -
Protocol option
1 -
System settings
1
Broad. Integrated. Automated.
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Security Research
Company
News & Articles
Copyright 2024 Fortinet, Inc. All Rights Reserved.