Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
kknuckles
New Contributor

WAN Failover Best Practice - New Failover Connection

I have a FG200D and we are getting ready to receive a new Cradlepoint 3G/4G router for failover of the main office only. The plan is to connect it to WAN2. My question is this: Would it be better to use WAN LLB and set a sky high priority like 99 for WAN1 and 1 for WAN2, or would it be better to use two static routes and weight them accordingly?

 

I mainly want to make sure WAN2 isn't going to be used unless WAN1 is absolutely down. I don't mind a small amount of traffic for the health check, but we are only allotted so much data per month on the failover service without overage charges.

 

I've seen multiple posts about this and read multiple articles, but couldn't really determine the best method from those. I've only known FortiOS 5.4, which apparently isn't the favorite for this setup since most of the failover documentation still references 5.2.

 

Opinions and thoughts welcomed and thanks in advance.

 

Kevin

Thank you for your time,

 

Kevin W. Knuckles

4 Solutions
neonbit
Valued Contributor

The default dead peer detection for the IPSEC tunnels is to send a packet every 20 seconds, and if 3 of them fail then it will deem it dead, i.e. your IPSEC will stay up for 60 seconds. You can change the dpd parameters (via cli) if you want it to fail over faster. The below config will make it fail over in 9 seconds.

 

config vpn ipsec phase1-interface
    edit <vpn name>
        set dpd-retrycount 3
        set dpd-retryinterval 3
    next
end


btp

Sure - but why not use the policy route approach that lies in the SDWAN logic?

-- Bjørn Tore

btp

Sure - «SD-WAN» in Fortinet World is an acronym for path selection. Not really SD-WAN, imho..

-- Bjørn Tore

SecurityPlus

Does SD-WAN in FortiOS version 6.4 offer the option to do what in prior versions of FortiOS required config system link-monitor?

 

We have situations that we want all traffic to go out the WAN1 link unless the primary WAN link fails, has high packet loss, or high ping time.

btp

That’s the main idea with Fortinet’s SD-WAN offering - path selection. We use this to use one of two fibers - and mobile backup if the sh*t hits the fan.. for many spokes.

-- Bjørn Tore

SecurityPlus

So can all your traffic be made to use the fiber connections when they are working and only use the mobile backup (cellular) connection during outages?

btp

Indeed. If you like I can show you some configs - but there are plenty both cookbooks and docs.

-- Bjørn Tore

sw2090

could you show some config?

 

I cannot achieve that goal with sd-wan.

 

The easiest way would be to not have the failover link participate in sd-wan. However Fortinet chose to block that way because you would need a second default route for that and FortiOS does not allow this when you use sd-wan.

This also would require a second internet policy but I would be ok with that.

 

If I use sd-wan I can only choose between doing loadbalancing and have it use the fallback link if all others are unusable, or no loadbalancing but only least cost or something like that which can stuff up my wan links and then thus use the failover. In this case one would have to create sd-wan rules but in sd-wan rules you do not have the loadbalancing algorithms like volume or spill over (as the explicit rule has them) available.

 

 

So is there any way to have a group of WANs do sd-wan for internet and if that ain't available (and only then) failover to another wan?

 

-- 

"It is a mistake to think you can solve any major problems just with potatoes." - Douglas Adams

btp

I use 4 interfaces - IPSEC-1 and 2, and 4G-1 and 2. IPSEC-1 primary, IPSEC-2 secondary etc.

config system virtual-wan-link
    set status enable
    config members
        edit 1
            set interface "4G-1"
            set cost 50 ## not sure if needed
        next
        edit 2
            set interface "4G-2"
            set cost 50 ## not sure if needed
        next
        edit 3
            set interface "IPSEC-1"
        next
        edit 4
            set interface "IPSEC-2"
        next
    end
    config health-check
        edit "HUB"
            set server "172.18.50.1" ## the IP I want to check against
            set interval 5000
            set failtime 4
            set recoverytime 4
            set members 3 4 ## keeps ping-check away from 4G-interfaces
        next
    end
    config service
        edit 1
            set name "Failover"
            set mode priority
            set dst "all"
            set src "all"
            set health-check "HUB"
            set priority-members 3 4 1 2 ## the priority list
        next
    end
end

 

In my firewall policies I use the whole SD-WAN as src/dst;

 

config firewall policy
    edit 1
        set srcintf "virtual-wan-link"  ## strangely enough not autocompleted.. 
        set dstintf "internal"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set logtraffic all
        set fsso disable
    next

..etc

-- Bjørn Tore
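
The health-check and priority-mode service in the config above, as an added Python simulation (my own illustration, not Fortinet code and not from any poster here). It assumes the semantics the config implies: `failtime` and `recoverytime` are consecutive probe rounds, members not listed in the health-check are never marked down, and a `priority` service egresses on the first alive member in `priority-members` order. The probe outcomes are constructed to show IPSEC-1 dying, IPSEC-2 dying later and then recovering, so you can see when traffic lands on 4G-1 and that 4G-2 is never touched. The same consecutive-failure arithmetic (`detect_seconds`) also reproduces neonbit's 9-second DPD figure from earlier in the thread.

```python
"""Simulate FortiOS SD-WAN priority-mode failover with health-check hysteresis.

Added illustration; assumed semantics, not an official Fortinet model.
"""

# Values taken from the config posted above
INTERVAL_MS = 5000
FAILTIME = 4
RECOVERYTIME = 4
MEMBERS = {1: "4G-1", 2: "4G-2", 3: "IPSEC-1", 4: "IPSEC-2"}
HEALTH_MEMBERS = (3, 4)          # "set members 3 4": only the IPsec links are probed
PRIORITY_MEMBERS = (3, 4, 1, 2)  # "set priority-members 3 4 1 2"


def detect_seconds(interval_ms, consecutive_failures):
    """Worst-case time to declare a link dead: probes are sent every
    interval_ms and the link is marked down after consecutive_failures misses.
    Works for health-check (interval/failtime) and DPD (retryinterval/retrycount)."""
    return interval_ms * consecutive_failures / 1000


class SdwanSimulator:
    """Tracks alive/dead state per member with failtime/recoverytime hysteresis
    and picks the egress member the way a priority-mode service would."""

    def __init__(self, members, health_members, failtime, recoverytime, priority_members):
        self.members = members
        self.health_members = set(health_members)
        self.failtime = failtime
        self.recoverytime = recoverytime
        self.priority_members = priority_members
        self.alive = {m: True for m in members}       # unmonitored members stay alive
        self.fail_streak = {m: 0 for m in members}
        self.ok_streak = {m: 0 for m in members}

    def probe(self, results):
        """One health-check round. results: member id -> True if the probe got a reply.
        Members outside the health-check are ignored, so they can never go down."""
        for m in self.health_members:
            if results.get(m, False):
                self.ok_streak[m] += 1
                self.fail_streak[m] = 0
                if not self.alive[m] and self.ok_streak[m] >= self.recoverytime:
                    self.alive[m] = True
            else:
                self.fail_streak[m] += 1
                self.ok_streak[m] = 0
                if self.alive[m] and self.fail_streak[m] >= self.failtime:
                    self.alive[m] = False

    def select(self):
        """Priority mode: first alive member in priority-members order."""
        for m in self.priority_members:
            if self.alive[m]:
                return self.members[m]
        return None


def run_scenario():
    """Constructed scenario: IPSEC-1 stops answering from round 2 onward,
    IPSEC-2 fails during rounds 10-15 and answers again from round 16.
    Returns a list of (seconds_elapsed, selected_member) per round."""
    sim = SdwanSimulator(MEMBERS, HEALTH_MEMBERS, FAILTIME, RECOVERYTIME, PRIORITY_MEMBERS)
    timeline = []
    for r in range(24):
        results = {3: r < 2, 4: r < 10 or r >= 16}   # constructed probe replies
        sim.probe(results)
        timeline.append((r * INTERVAL_MS // 1000, sim.select()))
    return timeline


if __name__ == "__main__":
    print("health-check detection:", detect_seconds(INTERVAL_MS, FAILTIME), "s")
    print("DPD with retryinterval 3 / retrycount 3:", detect_seconds(3000, 3), "s")
    for seconds, member in run_scenario():
        print(f"t={seconds:3d}s  egress={member}")
```

With these numbers the failover to IPSEC-2 happens 20 s after IPSEC-1 stops answering, 4G-1 is only used during the window where both IPsec members are marked down, and traffic moves back to IPSEC-2 once it has answered four probes in a row. Shortening `interval` or `failtime` trades faster detection for more probe traffic on the monitored links, which is why keeping the 4G members out of the health-check matters for a metered backup.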

fcb
Contributor

This has been something of confusion for me on SDWAN - you wrote below the srcintf is "virtual-wan-link" and dstintf is "internal" - I would have expected those to be turned around (Internal -> Virtual-Wan-Link) but coming inbound like you show, how does a VIP come into play with SDWAN and connections from the outside world to inside? Both interfaces are defined in the

 

config firewall policy
    edit 1
        set srcintf "virtual-wan-link"  ## strangely enough not autocompleted.. 
        set dstintf "internal"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set logtraffic all
        set fsso disable
    next


Here is mine as it sits for a NAT that we have coming into a web server - It's just odd to me that we define the actual interface on the VIP but when creating the rule it's SDWAN or Virtual-WAN-Link - Why? Is there any advantage there?

config firewall policy
    edit 170
        set name "sdwan-isp1>test.https"
        set uuid 911efb1a-e1f8-51ea-c42b-8c75aadf33bd
        set srcintf "virtual-wan-link"
        set dstintf "int.dmz.ems"
        set srcaddr "geo.united.states"
        set dstaddr "vip.sdwan-isp1.smtp"
        set action accept
        set schedule "always"
        set service "HTTPS"
        set fsso disable
    next
end

 

 

               