I have 2 Fortigate 601E. X1 has our private IP range and X2 has our public IP range.
Each of these is connected to 2 separate ISPs. So I cannot run full HA. I run vrrp on X1 and X2 interfaces.
I have put the vrrp of both X1 and X2 in the same group. This way if X1 fails over, X2 will fail over as well.
I run full BGP with each ISP and announce my public IP.
I prepend the inbound via Fortigate2 to make sure that all the internet traffic comes to Fortigate1. Outbound traffic will take Fortigate1 because of VRRP.
Now the question,
1. When X1/X2 fails over, I want to failover the incoming traffic from the internet to ISP2 on Fortigate 2. Otherwise, the incoming traffic will hit Fortigate1 and get blackholed. Outbound traffic won't have an issue because of vrrp.
2. What is the best design to accommodate a situation where Fortigate1 reboots and comes back in 2-3 minutes? (Should I keep Fortigate2 as master even when Fortigate1 comes up? This again will cause an issue with BGP failover, as internet routing for my public IP will take some time to failover to Fortigate2.)
3. What is the best design to accommodate the situation where the master ISP goes down?
4. Do you run iBGP between the FortiGates over my own private subnet or my own public subnet?
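The inbound steering described in the post above (AS-path prepend on Fortigate2's session to ISP2, while Fortigate1 announces the /24 unprepended to ISP1) as an added FortiOS CLI example; it is not configuration from the thread, and own AS 64496, public prefix 203.0.113.0/24, ISP2 router 192.0.2.1 in AS 64500 and router-id 192.0.2.2 are constructed placeholders.

```fortios
# Constructed example for Fortigate2 (the ISP2 side), not from the thread.
# Placeholders: own AS 64496, own /24 203.0.113.0/24, ISP2 router 192.0.2.1 (AS 64500).
# The prefix-list plus the match in the outbound route-map mean only the own /24
# is ever announced; anything else falls through to the route-map's implicit deny.
config router prefix-list
    edit "own-public-24"
        config rule
            edit 1
                set prefix 203.0.113.0 255.255.255.0
            next
        end
    next
end
config router route-map
    edit "isp2-out-prepend"
        config rule
            edit 1
                set match-ip-address "own-public-24"
                set set-aspath "64496 64496 64496"
            next
        end
    next
end
config router bgp
    set as 64496
    set router-id 192.0.2.2
    config neighbor
        edit "192.0.2.1"
            set remote-as 64500
            set route-map-out "isp2-out-prepend"
        next
    end
    config network
        edit 1
            set prefix 203.0.113.0 255.255.255.0
        next
    end
end
```

With three prepends the path via ISP2 is longer than the unprepended path via ISP1, so the internet prefers Fortigate1 until ISP1 withdraws the route; how quickly that withdrawal propagates is the convergence delay the second question in the post refers to.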
Your rather complicated design is not quite easy to answer with the little information you have.
I try to answer your questions:
1. This is only possible with a RIPE IP-Range and Dual-Homed BGP. Do you have a RIPE-Range?
2. In your situation, I always try to wire both ISPs to both FortiGates. Either directly from the ISP router to both firewalls or via a switch stack and VLANs. This way I can simply use an active-passive cluster or, if there are two datacenters, two A-P clusters with session sync in between.
3. See point 2
4. What is your idea behind iBGP?
- Have you found a solution? Then give your helper a "Like" and mark the solution.
I hope the attached diagram represents the infra better.
In short, I own my own /24 public subnet and my own ASN. This is a very small site for us. So getting another router on the edge is not worth spending the money on.
1. This is only possible with RIPE IP-Range and Dual-Homed BGP. Do you have a RIPE-Range? -> Yes, I own a RIPE-provided public IP and ASN. -> Not all the ISPs will give you 2 links (if that is what you meant by dual-homed).
2. In your situation, I always try to wire both ISPs to both FortiGates. Either directly from the ISP router to both firewalls or via a switch stack and VLANs. This way I can simply use an active-passive cluster or if there are two data centers, two A-P clusters with session sync in between. -> This is the ideal design if I can spend money on another pair of switches. Unfortunately, the location is not too big to spend money on 2 additional switches.
4. What is your idea behind iBGP?
-> If the outbound traffic can reach a location faster via ISP2.
I agree with @scan888. The problem OP has is that the 600E series has only two 10G ports. If both LAN and WAN sides need to be 10G, adding the 2nd WAN to each unit is not possible. Need a higher model.
iBGP is for when the LAN side is on FGT1 while the WAN side is on FGT2: outgoing traffic comes in on FGT1 and is then routed to FGT2 over an interconnect between them to go out to the WAN from FGT2. But FGT2 sees the return route directly through the LAN because of VRRP and drops the traffic with "return path check fail".