Hello Everyone,
We have a FortiGate 140D with OS 5.6. We are currently depending on the WAN1 port to access the internet, which is a microwave link. I have a new 4G device, which I would like to connect to FortiGate WAN2 but use it only for Windows update downloads. I tried to connect the 4G link to the WAN2 port, then suddenly all internet was disconnected from the users! How can I use WAN2 only for software updates? Even if it's down, I don't want this traffic to go to WAN1.
Best Regards,
Alzaiem
This is a surprisingly complex topic. Here's a KB article I put together for our internal staff on the subject that explains this from a conceptual standpoint:
Setting up Fortinet FortiGate firewalls for dual-WAN scenarios with >=2 Internet connections
General strategy for setup:
1. Static default route for each WAN interface
   - same distance for each route
   - different priority for each route (lower priority wins)
2. Link health monitor for each route.
3. Policy route for traffic that should use the secondary interface (the one with the higher priority)
Routes specify where to send traffic.
This will generally be an interface (wan1, wan2, lan, etc) or a VPN tunnel to a remote site.
The VPN appears as a virtual interface just like an internet connection.
Routing Notes:
Each policy route is inspected. As soon as one matches it wins and traffic goes that way.
Note: If you need certain traffic to skip the priority routes (for example, forcing certain IPs to use the primary route even though there's a policy route to send that subnet via the secondary route), you can put an entry HIGHER in the list of policy routes for those IP(s) that says "stop policy routing".
Policies specify what is done to the traffic as it passes this interface:
- Check if traffic is allowed to pass by source address, destination address, or port
DIRECTION of traffic from the fortigate's perspective is important to understand:
In general, keep in mind that with the FortiGate we are always thinking of traffic in terms of where the traffic first originated (ie which machine asked for the traffic).
When an end user is watching a YouTube video, that is controlled by a policy from LAN to WAN. The FortiGate catches the outbound request for the traffic from the user and automatically associates all the inbound traffic from WAN to LAN with that original session.
When someone on the Internet connects to the Exchange server, this is controlled by a policy from WAN to LAN. The FortiGate catches the inbound request from WAN to LAN and automatically allows returning traffic from the server back to the internet client.
Servers that also initiate traffic to the internet and need to use a specific public IP address (like email servers sending SMTP messages out) also need to be set up like clients, so they will also have their own LAN to WAN policy rule with a dedicated IP address (using an IP Pool).
Jeff Roback
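A FortiOS CLI rendering of the three steps in the post above, added here as an illustration and not taken from Jeff's post or from Fortinet documentation. The gateways 203.0.113.1 (wan1) and 198.51.100.1 (wan2), the LAN interface "internal", the 192.168.10.0/24 subnet sent via wan2 and the excepted host 192.168.10.5 are all constructed; policy routes match on addresses, so this example steers a subnet rather than Windows update traffic specifically.

```fortios
# Step 1: one default route per WAN, same distance, different priority;
# the lower priority value wins, so wan1 (microwave) stays the normal exit
config router static
    edit 1
        set gateway 203.0.113.1
        set device "wan1"
        set distance 10
        set priority 5
    next
    edit 2
        set gateway 198.51.100.1
        set device "wan2"
        set distance 10
        set priority 10
    next
end
# Step 2: a link monitor per WAN; when its probes fail, the static route
# for that interface is withdrawn so the other default route takes over
config system link-monitor
    edit "mon-wan1"
        set srcintf "wan1"
        set server "203.0.113.1"
        set gateway-ip 203.0.113.1
        set update-static-route enable
    next
    edit "mon-wan2"
        set srcintf "wan2"
        set server "198.51.100.1"
        set gateway-ip 198.51.100.1
        set update-static-route enable
    next
end
# Step 3: policy routes are checked top-down and the first match wins,
# so the "stop policy routing" exception must sit above the wan2 rule
config router policy
    edit 1
        set input-device "internal"
        set src "192.168.10.5/255.255.255.255"
        set action deny
    next
    edit 2
        set input-device "internal"
        set src "192.168.10.0/255.255.255.0"
        set output-device "wan2"
        set gateway 198.51.100.1
    next
end
```

Once wan2 is unreachable the policy route is skipped and the subnet falls back to the wan1 default route, so the question's "never via WAN1" requirement still needs a separate firewall policy denying that subnet out of wan1.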
You can use SD-WAN and SD-WAN rules with the "Microsoft-MS.Update" internet service.
More details for SD-WAN: http://cookbook.fortinet....net-basic-failover-56/
Thank you S1nDr3am, Loic for the advice. I will go through it and see what happens.
Best Regards,
Alzaiem
Yeah, that is the way to do it without using SD-WAN :)
If you could use sdwan it is much easier:
- enable sdwan and add all wan to it.
- create some sdwan rule for ms update (like written before)
- create a second rule for all other traffic (needed because the rest would match the load balancer rule without it and that would cause it to use both WANs - you don't need it if you do not mind other traffic using wan2 too and only want to force MS update to use only wan2)
- create a policy for traffic to the internet that has sdwan as destination interface
- create a default route with sdwan as interface
Optionally: create some health check on sd-wan to have failover if one link is gone.
Then MS update will use wan2 as long as it works and fail over to wan1 if wan2 is gone or offline.
--
"It is a mistake to think you can solve any major problems just with potatoes." - Douglas Adams
Thank you S1nDr3am for the advice. I will go through it and see what happens.
Best Regards,
Alzaiem