Unlock Exclusive Benefits
Join Our Community Today!
Join our community and post in the forum to earn your exclusive Autumn 2024 badge! Become a member today!
LOGIN/REGISTER
CONTINUE AS A GUEST
- Forums
- Knowledge Base
- Customer Service
- Internal Article Nominations
- FortiGate
- FortiClient
- FortiAP
- FortiAnalyzer
- FortiADC
- FortiAuthenticator
- FortiBridge
- FortiCache
- FortiCarrier
- FortiCASB
- FortiConnect
- FortiConverter
- FortiCNP
- FortiDAST
- FortiDDoS
- FortiDB
- FortiDNS
- FortiDLP
- FortiDevSec
- FortiDeceptor
- FortiDirector
- FortiEDR
- FortiExtender
- FortiGate Cloud
- FortiHypervisor
- FortiGuard
- FortiInsight
- FortiIsolator
- FortiMail
- FortiMonitor
- FortiManager
- FortiNAC
- FortiNAC-F
- FortiNDR (on-premise)
- FortiNDRCloud
- FortiPAM
- FortiPhish
- FortiPortal
- FortiProxy
- FortiRecon
- FortiRecorder
- FortiSRA
- FortiSandbox
- FortiSASE
- FortiScan
- FortiSIEM
- FortiSOAR
- FortiSwitch
- FortiTester
- FortiToken
- FortiVoice
- FortiWAN
- FortiWeb
- FortiWebCloud
- Lacework
- Wireless Controller
- RMA Information and Announcements
- FortiCloud Products
- ZTNA
- 4D Documents
- Customer Service
- Community Groups
- Blogs
Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
- Fortinet Community
- Forums
- Support Forum
- RE: ISP Health and OSPF default advertisement
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark
- Subscribe
- Mute
- Printer Friendly Page
Not applicable
Created on 01-20-2011 12:24 PM
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
ISP Health and OSPF default advertisement
Hi All,
I come from Cisco background and trying to implement something similar to IP SLA and infleunce the outcome of the same to stop propagation of default route to the core switches.
Here is the set up. We have an existing Juniper SSG140 firewall, that runs OSPF with two L3 switches, so each switch learns the default route from the firewall. We have two ISPs on the firewall with IP Tracking ( similar to Cisci IP SLA) running.
Now we want to add a new firewall, so that we have some hardware redundancy as well as ISP circuits redundancy as well. This new firewall will be Fortigate 400A or similar and will terminate a new ISP connection.
So each of the firewall will be running ospf thru the LAN side interface and advertise the default route to the two Core L3 switches, with Juniper being having a higher matric / cost, so that switches will prefer the default route coming in from new Fortigate and thus normally internet bound traffic will be routed thru Fortigate.
I noticed there is a feature under interface, to specify a server IP address that can be on the internet ( something like openDNS, or Google DNS) and if that stops pinging, firewall will shut down that interface. can I implement the same feature on port 1 (LAN, trusted side) so that when ISP circuit is down, port 1 will get isolated (unless the address I specify has to be reachable thru the port 1), and thus core switches will stop receiving the ospf route thru fortigate and switchover the traffic to Juniper?
Or is there another way to achieve this failover?
Also I was looking for Cisco DNS Doctoring type of feature and looks like dnstranslation is it. But I am a bit confused as to what should be exact code to achieve? Assume inside webserver is 192.168.10.25 and mapped address on public side is 64.128.32.25. The public FQDN is webserver.test.com and windows FQDN is webserver.test.local. Because of windows domain name to be test.local, I can not simply add a local Host (A) record in internal domain controller/DNS and hence name resolution for webserver.test.com goes out and comes back as 64.128.32.25. That will make all traffic to always be looped thru firewall.
Appreciate in advance for your support.
Nominate a Forum Post for Knowledge Article Creation
Nominating a forum post submits a request to create a new Knowledge Article based on the forum post topic. Please ensure your nomination includes a solution within the reply.
7 REPLIES 7
Not applicable
Created on 01-20-2011 03:41 PM
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I do find that Fortigate supports VRRP, and so does the Juniper SSG. I can then use VRRP between the two firewalls, making Fortigate the active gateway, so hardware failure on Fortigate can be mitigated by automatic switchover to Juniper via VRRP.
Juniper has a feature to Track IP address thru an interface to trigger VRRP failover. Looks like I can do the same with Fortigate also.
Under Fortigate High Availability Handbook, VRRP Chapter, Optional Configuration settings on page 265, there is an option, Monitor the route to a destination IP address using the vrdst option. But I am not sure if this will work, since we will have a static default route in firewall pointing to ISP router, so the router to any destination IP address will still get covered by the static default route, which will thus not go down.
Please help.
Not applicable
Created on 01-21-2011 07:35 PM
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Can someone please clarify this option please?
Monitor the route to a destination IP address using the vrdst option
Thanks
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I have a similar setup to what you are thinking of.
Fortigate has a link to ISP1, and links to our two core routers. It advertises default information originate with the default metric.
Backup Fortigate has a link to ISP2, and links to our two core routers. It advertises default information originate with a high metric (so that its route does NOT get installed into the route table on the core routers)
Both Fortigates are configured with ping testing on their WAN (ISP facing) interfaces to ping the next hop router. If the next hop router stops responding to pings, the Fortigate will stop advertising default information originate, and the core routers will reroute traffic to the backup link. Once pings to the next hop router start replying again, the Fortigate will re-advertise default information originate, and traffic will flow through the main link again.
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I personally don' t think that VRRP and OSPF mesh well for what you are planning on doing. Let OSPF decide when there is a hardware failure. The last thing that you need is for one router to be the VRRP master, and the other one have the default route installed on it.
By either using physical links or tuned OSPF timers, you can detect link failure in a matter of seconds. I personally use the default timers and intermediate switches because I prefer operational flexibility, and don' t mind if the Internet is down for a minute before rerouting traffic.
Not applicable
Created on 02-15-2011 07:03 AM
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thanks so much. I did set up ospf between Juniper SSG and Fortigate 400-A last Friday using OSPF. All is working fine since then.
I was exploring using either of VRRP or OSPF and not both. Fortinet L3 support confirmed that VRRP implementation is buggy and will only be fixed in upcoming MR3. So I instead was able to set up OSPF only.
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
make sure to test your ping check on the Fortigate. I ping the next hop on my Fortigates, so as it stands I can' t detect upstream issues right on the FGT device.
When I have upstream issues I currently either trust the provider' s BGP to figure it out quickly or stop default information originate manually.
If you get the ping check to work properly by pinging something on the Internet (8.8.8.8 maybe?) let me know.
Not applicable
Created on 02-15-2011 08:24 AM
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Yes, I am doing 4.2.2.2 for ping check and I have tested, it works flawless. Had the ISP remove the static route on their POP router that points our Public subnet, to their CPE router at our site, for a minute. So we are good for actual issues beyond the next hop.
Thanks again.
Announcements
Select Forum Responses to become Knowledge Articles!
Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.
Related Posts
- FortiAP-231G intermittently goes offline. 158 Views
- SDWAN (with two ISP) 359 Views
- How to achieve zero packet loss... 508 Views
- Fortimanager: Verify state: install OK/verify... 645 Views
- Fortigate Firewall BGP received routes not... 1986 Views
Labels
-
FortiGate
8,421 -
FortiClient
1,701 -
5.2
801 -
FortiManager
708 -
5.4
639 -
FortiAnalyzer
541 -
FortiSwitch
456 -
FortiAP
454 -
6.0
416 -
FortiClient EMS
403 -
5.6
362 -
FortiMail
308 -
6.2
251 -
FortiAuthenticator v5.5
234 -
SSL-VPN
210 -
FortiWeb
197 -
5.0
196 -
IPsec
183 -
FortiNAC
174 -
FortiGuard
134 -
6.4
128 -
SD-WAN
109 -
FortiGateCloud
100 -
FortiSIEM
98 -
FortiCloud Products
95 -
FortiToken
89 -
FortiAuthenticator
83 -
Customer Service
77 -
Wireless Controller
76 -
Firewall policy
69 -
4.0MR3
64 -
FortiProxy
59 -
FortiADC
53 -
Fortivoice
52 -
High Availability
51 -
FortiEDR
50 -
vlan
47 -
ZTNA
46 -
FortiSandbox
43 -
FortiExtender
43 -
FortiDNS
42 -
Routing
39 -
DNS
38 -
LDAP
38 -
BGP
37 -
FortiGate v5.4
35 -
FortiSwitch v6.4
34 -
SAML
32 -
Certificate
32 -
Authentication
31 -
Interface
31 -
SSO
30 -
NAT
30 -
RADIUS
29 -
FortiConnect
27 -
FortiLink
26 -
FortiWAN
25 -
FortiConverter
25 -
Application control
25 -
FortiGate v5.2
24 -
VDOM
24 -
Logging
24 -
Web profile
23 -
Virtual IP
22 -
FortiPAM
21 -
Fortigate Cloud
19 -
FortiSwitch v6.2
18 -
FortiPortal
18 -
FortiMonitor
18 -
SSL SSH inspection
18 -
Traffic shaping
17 -
FortiDDoS
15 -
OSPF
15 -
WAN optimization
15 -
FortiGate v5.0
14 -
IP address management - IPAM
14 -
FortiSOAR
13 -
SSID
13 -
Static route
13 -
System settings
13 -
FortiCASB
12 -
snmp
12 -
Automation
12 -
Admin
12 -
Web application firewall profile
12 -
FortiManager v5.0
11 -
FortiManager v4.0
10 -
FortiRecorder
10 -
IPS signature
10 -
4.0MR2
9 -
FortiGate v4.0 MR3
9 -
FortiWeb v5.0
9 -
FortiBridge
9 -
FortiAP profile
9 -
Proxy policy
9 -
RMA Information and Announcements
8 -
Security profile
8 -
Traffic shaping policy
8 -
Port policy
8 -
4.0
7 -
FortiDeceptor
7 -
FortiAnalyzer v5.0
7 -
FortiCache
7 -
Fabric connector
7 -
Intrusion prevention
7 -
Explicit proxy
6 -
DNS filter
6 -
trunk
6 -
Packet capture
6 -
Antivirus profile
6 -
FortiCarrier
5 -
FortiToken Cloud
5 -
FortiTester
5 -
Users
5 -
Traffic shaping profile
5 -
Email filter profile
5 -
Web rating
5 -
Fortinet Engage Partner Program
5 -
3.6
4 -
FortiScan
4 -
FortiDirector
4 -
Internet service database
4 -
Application signature
4 -
DLP sensor
4 -
Netflow
4 -
Replacement messages
4 -
FortiDB
3 -
FortiHypervisor
3 -
API
3 -
FortiNDR
3 -
NAC policy
3 -
DLP Dictionary
3 -
DLP profile
3 -
DoS policy
3 -
VoIP profile
3 -
Multicast routing
3 -
Cloud Management Security
3 -
FortiInsight
2 -
FortiAI
2 -
Kerberos
2 -
Authentication rule and scheme
2 -
Protocol option
2 -
TACACS
2 -
Schedule
2 -
SDN connector
2 -
Service
2 -
Zone
2 -
4.0MR1
1 -
FortiManager-VM
1 -
FortiCWP
1 -
Subscription Renewal Policy
1 -
Video Filter
1 -
Multicast policy
1 -
Vulnerability Management
1
Top Kudoed Authors
| User | Count |
|---|---|
| 1643 | |
| 1069 | |
| 751 | |
| 443 | |
| 210 |
Broad. Integrated. Automated.
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Security Research
Company
News & Articles
Copyright 2024 Fortinet, Inc. All Rights Reserved.