Hello all,
I am seeking some advice. I have two different clients with dual WAN setups and I believe that I am running the redundancy incorrectly. I have essentially the same question for both setups so I will just describe one.
I have 2 Fortigate 40Cs set up in HA with WAN1 running off of a DSL connection and WAN2 going through our VOIP internet connection (also DSL, but separate from the main connection). I have the priority and distance set higher for WAN2 and everything seemed to work well, although I must admit I didn't really believe that the setup was complete. The failover from WAN1 to WAN2 works perfectly if the WAN1 modem is powered down or physically disconnected from WAN1. In this case all traffic is routed through WAN2. When WAN1 comes back up everything routes through WAN1 again.
The issue I ran into which I'm sure most of you probably already see is that if the internet for WAN1 died, without the device going down or being removed (ie, if I were to unplug the phone cable from the DSL modem but leave the modem on and connected to WAN1) the firewall wouldn't fail over to WAN2.
Obviously I need to implement some form of ping test via the Fortigate to accomplish what I need. My issue is that it seems to me that to do this I need to implement a link health monitor, which necessarily requires WAN link load balancing (running 5.2.7 right now, btw). But I think there should be an easier way, and that's where you come in! It looks like in order to set up WAN link load balancing I would essentially have to start over with all of the policies on these devices. Plus, I don't really want the load balancing feature. In my research (and a bit from memory, as I have been working with Fortigates on and off for quite a few years) I recall that something like this was at one point much easier with the gwdetect command. But that is no longer available?
What I am really hoping someone will tell me is that there are some commands that will run a ping test via WAN1 that will bring the interface down when it fails. That would solve my problems.
Thanks in advance for your assistance!
- Mike Page
For your case, you may just set up link-monitor.
As before, it is called Ping server detect. With link-monitor, when the server detect fails, the routes on "wan1" will be deleted and traffic will go to "wan2".
It supports 4 protocols: Ping/tcp-echo/udp-echo/http
#####
config system link-monitor
    edit "1"
        set srcintf "wan1"
        set server "www.google.com"
        set gateway-ip 172.18.5.1
    next
end

dia sys link-monitor status
Link Monitor: 1 Status: die
Create time: Thu Jul 14 10:27:56 2016
Source interface: port9 (20)
Gateway: 172.18.5.1
Interval: 5, Timeout 1
Fail times: 2/5
Send times: 2
Peer: www.google.com(172.217.1.196) protocol: ping, state: die
Latency(recent/average): 0.00/0.00 ms Jitter: 0.00
Recovery times(0/5)
Continuous sending times after the first recovery time 0
Packet sent: 0 Packet received: 0
Excellent. Thanks for the quick reply. I figured it had to be something relatively simple.
I have added that in and will test it this weekend. I will update the thread with the results.
Don't forget to duplicate the policies from LAN to the other (fail-over) WAN port. You will need 2 default routes as well, the failover one with higher priority (FortiOS: "priority" == "cost").
+1 to what EDE said.
I have switched to using zones to help assist with issues like that when dealing with multiple outbound interfaces for policy like this.
Mike Pruett
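As an added example (not configuration from the thread or from Fortinet), here is how the pieces the replies above describe fit together on one box: the wan1 link-monitor, two default routes with wan2 as the failover, and a copy of the LAN-to-wan1 policy for wan2. The 172.18.5.1 gateway and www.google.com target are the ones quoted in the thread; the wan2 gateway, interface names, policy and route IDs are assumed placeholders.

```fortios
# Added example, not the thread's own config. 5.2-style CLI syntax assumed.
# 192.0.2.1, "internal", route/policy IDs are placeholders; adjust to suit.

# 1. Two default routes with the same distance so both stay in the routing
#    table; wan2 gets the higher priority value so wan1 wins while its route
#    exists. When link-monitor declares wan1 dead it withdraws the wan1
#    route and the wan2 route takes over; on recovery wan1 comes back.
config router static
    edit 1
        set gateway 172.18.5.1
        set device "wan1"
        set distance 10
        set priority 0
    next
    edit 2
        set gateway 192.0.2.1
        set device "wan2"
        set distance 10
        set priority 10
    next
end

# 2. Link monitor on wan1. gateway-ip must be wan1's own next hop so the
#    probe leaves via wan1 and not via the still-healthy wan2 route.
#    failtime 5 at a 5 s interval means roughly 25 s before failover; pick a
#    probe target that is reliably reachable, or a dead target fails wan1.
config system link-monitor
    edit "wan1-probe"
        set srcintf "wan1"
        set server "www.google.com"
        set gateway-ip 172.18.5.1
        set protocol ping
        set interval 5
        set timeout 1
        set failtime 5
        set recoverytime 5
    next
end

# 3. Mirror of the existing LAN-to-wan1 policy with dstintf wan2. Without it
#    traffic has a route after failover but no matching policy and is dropped.
config firewall policy
    edit 11
        set srcintf "internal"
        set dstintf "wan2"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set nat enable
    next
end
```

After applying it, `diagnose sys link-monitor status` should show the probe with state `alive` and `get router info routing-table all` should list only the wan1 default route as active until the probe fails.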
Thanks to Jeff and everyone else for your assistance.
The commands Jeff recommended were exactly what I was looking for. I tested this past weekend by disconnecting the phone cable going to the DSL modem, leaving the modem up, and the firewall failed properly to WAN2. WAN1 then came back up automatically when the phone cable was plugged back in.
Thanks!