Not applicable

Problem with failover from WAN1 to WAN2

I have a fortigate 60 with a cable connection on WAN 1 and a backup DSL connection on WAN 2. When WAN 1 is down (as happened this week), the failover to WAN 2 is not working. Tech support provided me with some instructions on creating a firewall policy for routing all traffic from WAN 1 to WAN 2. However, I can't seem to get this working. Does the WAN 1 to WAN 2 route belong in the firewall? At this point, I have four VPN policies followed by an all traffic policy from internal to both WAN 1 and WAN 2, as well as the WAN1 to WAN 2 route defined. On my first attempt at this config, I actually had the cable (primary service) connected to WAN 2 and the dsl (backup) connected to WAN 1. All works okay until I attempt to bring up the cable connection at which point I lose all connectivity. Based on the fact that all of the examples have the primary service connected to WAN 1, I have rebuilt my configuration accordingly. Can someone help me understand what needs to be done to get the failover working? Thanks.
5 REPLIES
Not applicable

GeeWHIZ, have a look at this article: http://kc.forticare.com/default.asp?id=376&Lang=1 I am no expert by any means, but I was eventually able to get my FortiGate 60 work correctly in failover mode (actually failover & load sharing mode). I believe the trick you are looking for is that you need to have two static routes defined (one for WAN1, another for WAN2) and two firewall policies (allow everything from internal to WAN1 and everything from internal to WAN2). My two static routes are defined as:
0.0.0.0/0.0.0.0 10.231.135.73 wan2 10
0.0.0.0/0.0.0.0 172.16.2.85 wan1 10
where the IPs are naturally IPs assigned to me by my two internet providers. It may not be the best setup (as I said, I am no expert), but it does work for me. If you want failover only and no load sharing, then change one of the distances (tens in the example above) to something lower - the route with the lower distance will then be considered the primary one (the other taking over only if the primary one goes down). Oh... One More Thing™: to detect if a line is available or not, you have to set up Ping Servers, too. Go to System > Network > Interface and for both WAN1 and WAN2, enter (and enable) a correct Ping Server (use IP addresses of "gateways" your internet providers gave you). I am using 2.80, so things may be slightly different under 3.00, but three things should still be needed: two static routes, two basic firewall policies, and Ping Server entries.
Not applicable

Vondrack: Thanks for the reply. I have read this article several times in the last few days and still seem to be missing a key piece of information. I can now get two connections established, but can't get the failover working. I have confirmed the 0.0.0.0/0.0.0.0 gateway-id routes for both WAN 1 (distance=10) and WAN 2 (distance=20). If I pull the plug on the WAN 1 connection and ping an external site, I get "Destination net unreachable" followed by "no reply". I have confirmed via the Monitor that the static route for WAN 2 is being loaded when WAN 1 dies and the WAN 1 route is being reloaded when the connection is reestablished. However, the failover never happens. The docs mention a firewall policy to permit the routing of the traffic, but I can't seem to get this working. Can someone provide me information on creating a firewall policy with WAN 1 as the source and WAN 2 as the destination? Thanks.
Fireshield
New Contributor

You need to have the distance on both routes identical. Once they are the same metric, then you need to go into the CLI and set a priority on them. To do this, follow these steps:
sh router static        (to get the route numbers)
conf router static
  edit X                (WAN1 default route number)
    set priority 1
  next
  edit Y                (WAN2 default route number)
    set priority 2
  next
end
Once you have the routes correct, then you just need to have your policies to allow traffic both directions and make sure you have the ping server set up as mentioned above.
FCSE > FCNSP 2.8 > FCNSP 3.0 (Former) FCT
bradhdds
New Contributor

GeeWHIZ... First... don't rely on the doc in the Knowledge Center... it's misleading and not entirely accurate... I've spoken with my SE and he's looking at it. vondrack's set up is the same as mine, except, I only use this for failover so my static routes look like this:
Primary Internet connection: 0.0.0.0/0.0.0.0 216.141.111.1 WAN1 10
Failover Internet connection: 0.0.0.0/0.0.0.0 67.37.15.73 WAN2 11
Make sure you set up Ping Servers for each interface. I don't recommend the gateway addresses though. I would use an address that is farther down the Information Superhighway like a DNS server or something that you know is always going to be up. And make sure that both interfaces are set to "Up". I couldn't get failover to work until I brought WAN2 "Up"! Configure your policies. If you want all traffic to go out over the failover connection, duplicate your Internal-to-WAN1 policies for Internal-to-WAN2. If not, you can specify traffic. For example... I use my failover for credit card processing... so if WAN1 goes down, I only allow the traffic over the failover for credit card transactions. When the primary connection comes back up, the traffic returns to normal based on my policies. Those are the three most important pieces... Ping servers, Routes, Policies. For troubleshooting, I used traceroute and checkip.dyndns.org to verify that the failover was working. You can change your Ping Server options too. In 3.0 build 319, it's on the Options tab in the Network section. Change the Dead Gateway Detection values. I have the Detection Interval set to 4 seconds and the Fail-over Detection set to 4 lost consecutive pings. I hope that helps.
FCNSP 300 FGTs 2 FMG 2 FLG
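To make the interplay of route distance, priority, ping servers and policies described in vondrack's, Fireshield's and bradhdds' replies concrete, here is an added Python model (not FortiGate code and not from any poster) of how the unit picks the egress interface for a new session and then requires a matching internal-to-WAN policy; the gateway addresses are the ones quoted above, everything else (names, scenarios) is constructed.

```python
from dataclasses import dataclass

@dataclass
class StaticRoute:
    device: str        # outgoing interface, e.g. "wan1"
    gateway: str       # next hop supplied by the ISP
    distance: int      # only routes with the lowest distance are installed
    priority: int = 0  # tie-breaker among equal-distance routes (lower wins)

@dataclass
class Policy:
    srcintf: str
    dstintf: str
    action: str = "accept"

def active_routes(routes, ping_ok):
    """Default routes left in the table after dead-gateway detection: routes whose
    ping server failed are withdrawn, then only the lowest distance is installed
    (equal distances are all installed, i.e. load sharing), ordered by priority."""
    alive = [r for r in routes if ping_ok.get(r.device, False)]
    if not alive:
        return []
    best = min(r.distance for r in alive)
    return sorted((r for r in alive if r.distance == best), key=lambda r: r.priority)

def forward(routes, policies, ping_ok, srcintf="internal"):
    """Interface a new session from srcintf leaves on, or why it is dropped."""
    installed = active_routes(routes, ping_ok)
    if not installed:
        return "dropped: no default route"
    dev = installed[0].device
    if not any(p.srcintf == srcintf and p.dstintf == dev and p.action == "accept"
               for p in policies):
        return f"dropped: no {srcintf}->{dev} policy"
    return dev

# Constructed scenarios; the gateway addresses are the ones quoted in the thread.
FAILOVER_ROUTES = [StaticRoute("wan1", "172.16.2.85", 10),
                   StaticRoute("wan2", "10.231.135.73", 20)]
SHARED_ROUTES = [StaticRoute("wan1", "172.16.2.85", 10, priority=1),
                 StaticRoute("wan2", "10.231.135.73", 10, priority=2)]
BOTH_POLICIES = [Policy("internal", "wan1"), Policy("internal", "wan2")]
WAN1_ONLY = [Policy("internal", "wan1")]

if __name__ == "__main__":
    for ping in ({"wan1": True, "wan2": True}, {"wan1": False, "wan2": True}):
        print(ping, forward(FAILOVER_ROUTES, BOTH_POLICIES, ping),
              forward(FAILOVER_ROUTES, WAN1_ONLY, ping))
```

The WAN1_ONLY case reproduces the original poster's symptom: the WAN2 route does get installed when WAN1 dies, but without an internal-to-WAN2 policy the session is still dropped.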
BBoysza
New Contributor III

Brad is the best.
Ben McFortiGate - Over 200 deployed. FCNSP Direct FortiNet FTP Link