Unlock Exclusive Benefits
Join Our Community Today!
Join our community and post in the forum to earn your exclusive Holiday badge! Become a member today!
LOGIN/REGISTER
CONTINUE AS A GUEST
- Support Forum
- Knowledge Base
- Customer Service
- Internal Article Nominations
- FortiGate
- FortiClient
- FortiAP
- FortiAnalyzer
- FortiADC
- FortiAuthenticator
- FortiBridge
- FortiCache
- FortiCarrier
- FortiCASB
- FortiConnect
- FortiConverter
- FortiCNP
- FortiDAST
- FortiDDoS
- FortiDB
- FortiDNS
- FortiDLP
- FortiDevSec
- FortiDeceptor
- FortiDirector
- FortiEDR
- FortiExtender
- FortiGate Cloud
- FortiHypervisor
- FortiGuard
- FortiInsight
- FortiIsolator
- FortiMail
- FortiMonitor
- FortiManager
- FortiNAC
- FortiNAC-F
- FortiNDR (on-premise)
- FortiNDRCloud
- FortiPAM
- FortiPhish
- FortiPortal
- FortiProxy
- FortiRecon
- FortiRecorder
- FortiSRA
- FortiSandbox
- FortiSASE
- FortiScan
- FortiSIEM
- FortiSOAR
- FortiSwitch
- FortiTester
- FortiToken
- FortiVoice
- FortiWAN
- FortiWeb
- FortiAppSec Cloud
- Lacework
- Wireless Controller
- RMA Information and Announcements
- FortiCloud Products
- ZTNA
- 4D Documents
- Customer Service
- Community Groups
- Blogs
Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
- Fortinet Community
- Support Forum
- Having problem splitting traffic.
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark
- Subscribe
- Mute
- Printer Friendly Page
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Having problem splitting traffic.
I have FG100D with 2 running ISP.
Task 1:
I would like to split the smtp traffic going out from wan1 and internet traffic going out on wan2. How should I split it.
Task 2 (if possible):
If task 1 is working I would like to do fail-over. Example like if wan1 ISP down it fail-over to wan2 including smtp traffic and if wan2 ISP down it fail-over to wan1 including internet traffic.
Is the above tasks possible to do?
Nominate a Forum Post for Knowledge Article Creation
Nominating a forum post submits a request to create a new Knowledge Article based on the forum post topic. Please ensure your nomination includes a solution within the reply.
9 REPLIES 9
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi
task #1 is simple with PBR ( policy based routing )
config router policy
edit 1
set src 1.1.1.1 255.255.255.255
set protocol 25
set gateway 192.168.1.1
set output-device " wan1"
next
end
the src would be your SMTP server and the next-hop gateway and interface need to be defined
Task#2 is also simple
You have host of option, but installing a 2nd route called a floating route would be the best option. Then use a next-hop gateway detect ( aka ping server )
config router static
edit 1
set device " wan2"
set gateway 192.168.2.1
set priority 50
next
edit 2
set device " wan2"
set gateway 192.168.2.1
set priority 100
next
You should follow the kb on fail-over , redundant ISP, , ECMP & ping-server.
http://docs-legacy.fortinet.com/cb/html/FOS_Cookbook/Install_advanced/cb_install-dual-internet.html
You will find most topics have been discussed with design scenarios. The kb on fortinet site are useful but the search method can be frustrating. Always review the KB and DOCs. They also started throwing up howto videos.
I hope this helps & enjoy your time on this forum.
PCNSE
NSE
StrongSwan
PCNSE
NSE
StrongSwan
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
@emnoc:
edit 2 should be " wan1" , the second default route to the second WAN interface.
And regarding failover: all true for static routing but...not for PBR. Policy routes won' t obey the routing metrics, they are always followed before routing table lookup. That' s where the FortiOS PBR has it' s limitations: if your PBR points SMTP traffic to WAN1 and WAN1 fails, SMTP traffic will go to Nirvana.
(Hopefully, you prove me wrong.)
Ede Kernel panic: Aiee, killing interrupt handler!
Ede Kernel panic: Aiee, killing interrupt handler!
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I also think the PBR will not work for the failover process.
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Dead Gateway Detection would remove the policy route. You don' t need to specify a gateway for the PBR as this can be taken from the routing table (for the matching PBR egress interface).
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I have a question close to this...
We have a Fortinet in an MPLS cloud, with VOIP phones leaving the Fortinet and terminating in the MPLS, and a secondary ISP attached to WAN2.
If the internet at the head of the MPLS goes down, but the MPLS itself stays up, and I am pinging an external IP, the failover will happen to WAN2, but will the failover allow the VOIP phones to continue to function across WAN1, or will it stop all traffic?
We are a little stuck getting failover to occur for just their internet traffic, but leave all the traffic needing to go into the MPLS to stay running across WAN1.
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
The failover will prevent wan1 to route any traffic if the ping server is dead.
We have two different interfaces with different addressing behind the same ISP, maybe you could think about it. We are able to manage failover for different interfaces also with both linked to the same provider.
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
ECMP with DPD will work this out. DPD is meant to protect against logical failures (the interface may be physically up, but cannot process traffic). following articles may provide more details with examples:
http://kb.fortinet.com/kb/viewContent.do?externalId=100137
Mohammad
Mohammad Al-Zard
Mohammad Al-Zard
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Let me ask :
do you have 2 ISP with two different pools if public IP ?
if you talk about smtp traffic - do you mean outgoing traffic or incoming ?
If you have your own smtp server and 2 different public IP you can set 2 MX records in DNS.
Dominik Weglarz, IT System Engineer
Dominik Weglarz, IT System Engineer
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Yes, it' s possible. Since you have 2 ISPs, I imagine you received 2 independent public IP pools/addresses.
You BGP advertise one prefix via ISP1 and the other one via ISP2.
Both BGP neighbors will advertise the default gateway to your FGT with ECMP (Equal Cost Multiple Path) applied and same distance, so you have to make sure different priority settings are applied on them.
Whichever default has the lowest value in the priority field will be used as the primary route.
You can then create a policy to force SMTP via ISP2 only even though the different priority will be used for everything else, e.g
config router policy
edit 1
set input-device " LAN_port1"
set protocol 6
set start-port 25
set end-port 25
set output-device " WAN2"
next
end
That may create asymmetric routing and the firewall will drop the response due to RPF (reverse past forwarding) check and with error " reverse path check fail, drop" , but it' s just a guess, because the source IP of the packets are coming from will be the one that' s advertised via ISP2, the response should go back the same way.
You can configure the firewall though to enable asymmetric routing if that happens, but be aware that by doing this you are reducing the security level of your firewall since spoofed packets can now more easily traverse the firewall.
Unfortunately the solution still won' t help during failover, you will manually have to change the policy routes to point at the working ISP, since you are forcing SMTP traffic through the secondary route.
The DNS MX should have 2 records, 1 for the preferred IP via ISP2 and the 2nd points at the secondary IP via ISP2, so that should take care of the automatic failover.
What I would suggest is to stage and test it first to make sure it behaves as you expect it.
Also you may want to look at the new " virtual WAN" interface feature in FortiOS 5.2
It helps with some of the config to reduce the number of policies, etc. but the failover still need to be manually taken care of.
Using a virtual WAN link for redundant Internet connections
http://docs.fortinet.com/d/fortigate-using-a-virtual-wan-link-for-redundant-internet-connections
Announcements
Select Forum Responses to become Knowledge Articles!
Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.
Labels
-
FortiGate
8,720 -
FortiClient
1,768 -
5.2
801 -
FortiManager
732 -
5.4
639 -
FortiAnalyzer
560 -
FortiSwitch
476 -
FortiAP
473 -
FortiClient EMS
435 -
6.0
416 -
5.6
362 -
FortiMail
319 -
6.2
251 -
SSL-VPN
246 -
FortiAuthenticator v5.5
234 -
IPsec
210 -
Fortiweb
205 -
5.0
196 -
FortiNAC
190 -
FortiGuard
139 -
6.4
128 -
SD-WAN
115 -
FortiAuthenticator
104 -
FortiGateCloud
102 -
FortiSIEM
99 -
FortiCloud Products
97 -
FortiToken
92 -
Firewall policy
83 -
Customer Service
80 -
Wireless Controller
79 -
4.0MR3
64 -
FortiProxy
60 -
High Availability
56 -
FortiADC
54 -
Fortivoice
53 -
FortiEDR
52 -
vlan
51 -
ZTNA
49 -
Routing
47 -
FortiExtender
45 -
FortiSandbox
44 -
DNS
43 -
FortiDNS
42 -
LDAP
41 -
BGP
40 -
Authentication
38 -
FortiGate v5.4
35 -
SAML
35 -
NAT
35 -
Certificate
35 -
FortiSwitch v6.4
34 -
RADIUS
34 -
SSO
33 -
Interface
31 -
FortiConnect
30 -
VDOM
30 -
FortiLink
29 -
FortiWAN
27 -
Web profile
27 -
Application control
26 -
FortiConverter
25 -
Logging
25 -
Virtual IP
25 -
FortiGate v5.2
24 -
SSL SSH inspection
23 -
FortiPAM
22 -
Fortigate Cloud
20 -
FortiSwitch v6.2
19 -
FortiPortal
19 -
FortiMonitor
18 -
Traffic shaping
17 -
FortiGate-VM
16 -
WAN optimization
16 -
FortiDDoS
15 -
OSPF
15 -
SSID
15 -
Automation
15 -
FortiGate v5.0
14 -
FortiSoar
14 -
Static route
14 -
System settings
14 -
Web application firewall profile
14 -
IP address management - IPAM
14 -
SNMP
13 -
FortiCASB
12 -
Admin
12 -
FortiManager v5.0
11 -
FortiRecorder
11 -
Security profile
11 -
FortiManager v4.0
10 -
FortiBridge
10 -
IPS signature
10 -
FortiAP profile
10 -
Proxy policy
10 -
4.0MR2
9 -
FortiGate v4.0 MR3
9 -
FortiWeb v5.0
9 -
Traffic shaping policy
9 -
Intrusion prevention
9 -
FortiDeceptor
8 -
RMA Information and Announcements
8 -
Port policy
8 -
4.0
7 -
FortiAnalyzer v5.0
7 -
FortiCache
7 -
DNS filter
7 -
Antivirus profile
7 -
Fabric connector
7 -
Fortinet Engage Partner Program
7 -
FortiToken Cloud
6 -
Explicit proxy
6 -
trunk
6 -
Packet capture
6 -
Traffic shaping profile
6 -
Web rating
6 -
API
5 -
FortiTester
5 -
Users
5 -
Email filter profile
5 -
3.6
4 -
FortiCarrier
4 -
FortiScan
4 -
FortiDirector
4 -
Internet service database
4 -
Application signature
4 -
Authentication rule and scheme
4 -
DLP sensor
4 -
Netflow
4 -
Replacement messages
4 -
Cloud Management Security
4 -
FortiDB
3 -
FortiHypervisor
3 -
FortiNDR
3 -
NAC policy
3 -
DLP Dictionary
3 -
DLP profile
3 -
DoS policy
3 -
Protocol option
3 -
TACACS
3 -
SDN connector
3 -
Service
3 -
VoIP profile
3 -
Multicast routing
3 -
FortiInsight
2 -
FortiAI
2 -
Kerberos
2 -
Schedule
2 -
Multicast policy
2 -
Zone
2 -
Vulnerability Management
2 -
4.0MR1
1 -
FortiManager-VM
1 -
FortiCWP
1 -
Subscription Renewal Policy
1 -
Video Filter
1 -
ICAP profile
1
Top Kudoed Authors
| User | Count |
|---|---|
| 1720 | |
| 1093 | |
| 752 | |
| 447 | |
| 234 |
Broad. Integrated. Automated.
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Security Research
Company
News & Articles
Copyright 2024 Fortinet, Inc. All Rights Reserved.