Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
Cruz2019
New Contributor

VIPs with multiple WANs or external IPs

Hello to all the community. I hope you can help me or guide me with what I intend to do, or tell me if it is possible with my FortiGate 300E or if I need any additional software or hardware. My situation is the following:

Create a VIP to publish a web server:
Name: "MY WEB SERVER"
Interface: WAN 1
Type: Static NAT
External IP address/range: 187.210.xx.xxx
Mapped IP address/range: 172.16.xx.xx

That way it works perfectly, and all external requests are made through WAN 1. The problem I have very frequently is that WAN 1 goes down constantly. I already have another ISP, "WAN 2". What I intend is to add my WAN 2 to this same web server so that when my WAN 1 fails, "MY WEB SERVER" stays online via WAN 2 until WAN 1 is re-established.

And if this is not possible with my FortiGate, what options do I have to achieve more availability in external connections to my web server?

Thank you

lobstercreed
Valued Contributor

You haven't told us whether you own your own IP address space. Assuming you don't, that's going to be the main challenge you have to figure out. You can set up another VIP for WAN 2 just fine and point it to the same internal IP, but if you have a web server at web.xyz.com and it resolves (DNS) to 187.210.xx.xxx for an internet user, how are they going to suddenly go to the IP address of your secondary WAN?

 

You could try round-robin DNS or some other more robust ways to do that (not something I have experience with, but I know it can be done with the right DNS infrastructure).  There's still no way it will be seamless for a given user who was connected via WAN 1 when it went down unless you own your own address space and can advertise via BGP.

Cruz2019

I have a group of public addresses that my ISP gives me, on both WAN 1 and WAN 2. The main objective is to have something similar to SD-WAN but for incoming connections to my web server. It had occurred to me to create 2 VIPs with the same internal IP address and only change the external IP address to that of my second ISP, but I don't know if the failover really works and whether my web server would always be available unless both of my 2 ISPs fail.
emnoc
Esteemed Contributor III

RR DNS and/or F5-GTM or similar is what you want if you need a transparent failover. You could build some auto-event script that could disable the VIP and remove the DNS FQDN, but that has nothing to do with FortiOS per se.

 

If you do a script you could push out changes to the DNS db.zone file and even remove the VIP from a vipgrp if you so desire.

e.g.:

 

config firewall vipgrp
    edit "web-server_groupo128"
        set uuid f27ca5f6-7875-51eb-74a4-63cc50cf6169
        set comments "web-ops IT core"
        set member VIP1290 VIP1892
    next
end

 

Our DNS server has an RR-DNS FQDN pointing to the VIP1290 and VIP1892 external IPs. So if our monitor finds problems with ISP2, we send a call to our DNS server API and delete that IP address from the A record set. We have various triggers, like high latency and packet loss, that we use to determine whether DNS updates are sent to delete an A record entry.

 

Example with a low TTL of 15 seconds:

 

www.example.com.        15    IN    A    192.0.2.1     ; ( isp1 wan1 VIP1290 public-address )
                        15    IN    A    192.0.2.22    ; ( isp2 wan2 VIP1892 public-address )

 

So if pings to ISP2 are bad, we delete that entry from our db.zone file.

 

We haven't gotten around to removing a VIP from a vipgrp via the FortiOS API, but that could optionally be done as well, for example if you want to do maintenance.

 

I believe other DNS suppliers like GoDaddy also have the means to do the same thing by sending DNS updates via an API call. We went the above route since the price of an F5-GTM was a little outside of the budget. BTW, an F5-GTM does all of the same internally from application health checks.

 

Just my 2 cents opinion.

 

Now that I think about it, if you're hosting the zone on the FortiGate you might be able to do the same thing and remove|add the A record via API calls..... I might look into that if I get bored.

 

Ken Felix

 

PCNSE 

NSE 

StrongSwan  

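The monitor-driven A record removal described in the post above, as an added example that is not the poster's or Fortinet's code: it scores each WAN's public address on latency and packet loss and renders the A records that should remain in db.zone with the 15-second TTL. The thresholds, the Sample type and the addresses are constructed assumptions; pushing the rendered records to the DNS server is left to whatever API that server exposes.

```python
from dataclasses import dataclass

FQDN = "www.example.com."
TTL = 15  # seconds; low so resolvers drop a removed address quickly

# One A record per WAN, keyed by the VIP's public address (constructed values).
WAN_RECORDS = {
    "192.0.2.1": "isp1 wan1 VIP1290 public-address",
    "192.0.2.22": "isp2 wan2 VIP1892 public-address",
}

# Trip points for the monitor (constructed; tune to the link's normal behaviour).
MAX_LATENCY_MS = 150.0
MAX_LOSS_PCT = 10.0


@dataclass(frozen=True)
class Sample:
    """One monitor run against a public address: mean RTT and probe loss."""
    ip: str
    latency_ms: float
    loss_pct: float


def is_healthy(s: Sample) -> bool:
    """Healthy only if both latency and loss stay at or under their trip points."""
    return s.latency_ms <= MAX_LATENCY_MS and s.loss_pct <= MAX_LOSS_PCT


def select_records(samples: list[Sample]) -> list[str]:
    """Return the public IPs that stay in the A record set, in zone order.
    An unsampled address is unknown and kept. If every link fails, nothing is
    removed: an empty name helps nobody, and the fault is then more likely the
    monitor or a shared upstream than both ISPs at once."""
    bad = {s.ip for s in samples if not is_healthy(s)}
    keep = [ip for ip in WAN_RECORDS if ip not in bad]
    return keep if keep else list(WAN_RECORDS)


def render_zone(ips: list[str]) -> str:
    """Render the surviving records as db.zone lines (';' starts a zone comment)."""
    return "\n".join(f"{FQDN}\t{TTL}\tIN\tA\t{ip}\t; {WAN_RECORDS[ip]}" for ip in ips)


if __name__ == "__main__":
    # Constructed monitor run: ISP1 is fine, ISP2 is dropping a third of its probes.
    run = [Sample("192.0.2.1", 18.0, 0.0), Sample("192.0.2.22", 40.0, 35.0)]
    print(render_zone(select_records(run)))
```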