- Forums
- Knowledge Base
- Customer Service
- FortiGate
- FortiClient
- FortiAP
- FortiAnalyzer
- FortiADC
- FortiAuthenticator
- FortiBridge
- FortiCache
- FortiCarrier
- FortiCASB
- FortiConnect
- FortiConverter
- FortiCNP
- FortiDAST
- FortiDDoS
- FortiDB
- FortiDNS
- FortiDeceptor
- FortiDevSec
- FortiDirector
- FortiEDR
- FortiExtender
- FortiGate Cloud
- FortiGuard
- FortiHypervisor
- FortiInsight
- FortiIsolator
- FortiMail
- FortiManager
- FortiMonitor
- FortiNAC
- FortiNAC-F
- FortiNDR (on-premise)
- FortiNDRCloud
- FortiPAM
- FortiPortal
- FortiProxy
- FortiRecon
- FortiRecorder
- FortiSandbox
- FortiSASE
- FortiScan
- FortiSIEM
- FortiSOAR
- FortiSwitch
- FortiTester
- FortiToken
- FortiVoice
- FortiWAN
- FortiWeb
- Wireless Controller
- RMA Information and Announcements
- FortiCloud Products
- ZTNA
- 4D Documents
- Customer Service
- Community Groups
- Blogs
Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
- Fortinet Community
- Forums
- Support Forum
- Questions regarding two ISP's in one device
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark
- Subscribe
- Mute
- Printer Friendly Page
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Questions regarding two ISP's in one device
Hello!
I have some questions regarding this topics, maybe someone has solved these already? I want to use both ISP's at the same time (not that one is sleeping and inactive when the other one works) so that I can create backup tunnels and manage the firewall on both external addresses, and I configure link-monitor for switchover. Sometimes two ISP's are vlanned (I configure them so), sometimes they are in physically separate ports. Both interfaces, whether virtual or physical, belong to untrust zone which I use in policies. Routing has been done so that two default routes have equal distance but different priority -- I want that for usual traffic out always the primary will be chosen.
1. The test whether the connection works at all.
Well, I can make a port forward or backup tunnel and test it this way, but this is not any quick test. I have found that my usual approach doesn't work and that is that for ping-source I will set primary or backup external address and then ping something out. It works like that only sometimes! I mean, the ping out doesn't work for backup interface, but backup tunnel with headquarter works when I take down the primary tunnel, eg changing IP-address on the other side temporarily or something like that. In cases where pinging out doesn't work, I also can't manage Fortigate on the backup ISP's external address, but in cases where pinging out works, I can manage it. These two behaviours are somehow connected but how? I haven't noticed that it depends on software version or device model.
My tests and comparisons today confused me even more. Because when I pinged out, I watched "diag sniffer packet" output in another window and there it showed that in both cases -- where the ping actually worked and where it didn't -- the primary ISP's interface name was used!
Am I doing something wrong? I see that failovers actually work and tunnels also fail over, I've performed many tests in different environments, but just that initial test that I want to do when the connection is being set up by backup ISP, I don't yet know how exactly.
2. Is it correct that to ping (or tcp-echo or udp-echo) different servers in link-monitor configuration, then to use more than one server, the IP-addresses have to be separated by a _white space_? Or perhaps a comma? I don't want to test this in live systems and unfortunately the cli-reference assumes I know this.
3. If I add a third ISP into the configuration, how should link-monitor be configured then? Or if I want to monitor two other interfaces and use failover between those, independently of ISP interface failovers?
Labels:
- Labels:
-
5.2
1 REPLY 1
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
For 2., I finally got a chance to test this with a device on my table and the separation symbol is white space indeed. For example,
config system link-monitor edit "gwdetect-1" set server "<next-hop-address-by-traceroute>" "8.8.8.8" "<ISP-DNS-server>" next end
and similarly for the other one. (By the way, I entered them in another order, but Fortigate changed it so can it be that the order is not important?) I also found this from Handbook 5.2, page 1397.
But for the other one, I thought -- why should I have it similarly? Should I have any IP's at all because for example, the recoverytime parameter shows time when to go back to the first ISP. Why should I ping anything at all using backup ISP? I want to get back to the primary asap anyway and this will happen when ping succeeds through primary ISP. Is there any internal logic that may require having this? Or I am doing it just wrong?
Also, where could tcp-echo or udp-echo be useful? Are they usable in the same arp domain only? I tested tcp-echo and I got a switchover to backup ISP after the time that was set with timeout parameter.
Does anybody know how to traceroute out using the backup ISP's interface from the Fortigate device? So far I know only workarounds for this, eg using some internal server behind the Fortigate, or CLI-enabled switch, and create some special NAT policy or policy route for that.
I want to know the details :) I found some information in the FortiOS Handbook 5.2, page 2192, but that was not what I want to achieve.
Related Posts
- Question about Fortigate license 9 Views
- Dysfunctional "Monitor Wifi Login Failures", Widget 46 Views
- FortiNAC - Profiling Static IP Devices 88 Views
- Sandbox API Login: return values? 59 Views
- Remote VPN Issue 96 Views
Labels
-
FortiGate
6,494 -
FortiClient
1,297 -
5.2
801 -
5.4
639 -
FortiManager
563 -
6.0
416 -
FortiAnalyzer
413 -
5.6
362 -
FortiSwitch
331 -
FortiAP
331 -
FortiClient EMS
260 -
6.2
251 -
FortiMail
239 -
FortiAuthenticator v5.5
234 -
5.0
196 -
FortiWeb
149 -
6.4
128 -
FortiNAC
104 -
FortiGuard
102 -
FortiGateCloud
87 -
FortiSIEM
86 -
FortiCloud Products
82 -
IPsec
70 -
FortiToken
69 -
Customer Service
69 -
4.0MR3
64 -
SSL-VPN
58 -
Wireless Controller
58 -
FortiProxy
44 -
FortiADC
42 -
Fortivoice
41 -
FortiEDR
39 -
FortiGate v5.4
34 -
FortiDNS
34 -
FortiExtender
31 -
FortiSandbox
31 -
FortiSwitch v6.4
28 -
FortiConnect
23 -
SD-WAN
23 -
FortiWAN
22 -
Firewall policy
22 -
FortiConverter
21 -
High Availability
20 -
VLAN
19 -
FortiPortal
18 -
ZTNA
16 -
FortiSwitch v6.2
16 -
FortiGate v5.2
16 -
FortiMonitor
14 -
Certificate
14 -
DNS
13 -
FortiDDoS
13 -
SAML
12 -
BGP
12 -
Routing
12 -
FortiCASB
12 -
Interface
11 -
Logging
11 -
FortiGate v5.0
10 -
FortiRecorder
10 -
VDOM
10 -
FortiWeb v5.0
9 -
LDAP
9 -
FortiManager v5.0
9 -
4.0MR2
9 -
RADIUS
8 -
Traffic shaping
8 -
Virtual IP
8 -
FortiAuthenticator
8 -
RMA Information and Announcements
7 -
FortiSOAR
7 -
fortilink
7 -
FortiAnalyzer v5.0
7 -
NAT
7 -
FortiGate v4.0 MR3
7 -
Admin
7 -
4.0
7 -
SSID
6 -
SSL SSH inspection
6 -
Authentication
6 -
Fortigate Cloud
6 -
IP address management - IPAM
6 -
Security profile
5 -
Traffic shaping policy
5 -
FortiBridge
5 -
SNMP
5 -
SSO
5 -
Application control
5 -
FortiManager v4.0
5 -
Static route
5 -
FortiDirector
4 -
WAN optimization
4 -
Web application firewall profile
4 -
DNS Filter
4 -
FortiTester
4 -
FortiCarrier
4 -
FortiCache
4 -
OSPF
4 -
3.6
4 -
FortiScan
4 -
Proxy policy
4 -
IPS signature
3 -
packet capture
3 -
FortiToken Cloud
3 -
Intrusion prevention
3 -
Automation
3 -
DoS policy
3 -
Port policy
3 -
FortiDB
3 -
FortiDeceptor
2 -
FortiInsight
2 -
VoIP profile
2 -
Antivirus profile
2 -
Web profile
2 -
Traffic shaping profile
2 -
FortiAP profile
2 -
FortiAI
2 -
FortiHypervisor
2 -
Netflow
2 -
Fortinet Engage Partner Program
2 -
trunk
2 -
SDN connector
1 -
4.0MR1
1 -
NAC policy
1 -
Users
1 -
Subscription Renewal Policy
1 -
FortiCWP
1 -
FortiNDR
1 -
Web rating
1 -
FortiPAM
1 -
Application signature
1 -
Multicast routing
1 -
Authentication rule and scheme
1 -
Zone
1 -
FortiManager-VM
1 -
Internet Service Database
1 -
System settings
1 -
Explicit proxy
1 -
TACACS
1
Broad. Integrated. Automated.
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Security Research
Company
News & Articles
Copyright 2024 Fortinet, Inc. All Rights Reserved.