I have a problem configuring something inside the Fortigate 100E (FortiOS 5.4)
We have 7 internet lines at our office and I want to bring a solution of load balancing + failover, with the following behaviour:
4 lines -> Internet
3 lines -> VoIP
I want the firewall to use exclusively those lines for that purpose, but I want both groups to be load balanced between the lines inside each group, I mean, one load balancer with 4 lines only for internet and another load balancer with 3 lines for VoIP only. I also want that if all the lines from one group go down, the other group lines are used.
Is that possible? Because once I configure the load balancer it does not allow me to configure a second load balancer.
Thanks.
I would suggest updating to 6.0.5 or even 6.2 (though that's a bit new IMO). They've made a lot of changes and improvements to LLB, now called SD-WAN.
But, yes you will only have the one SD-WAN interface, and then create SLA/SD-WAN rules to push traffic out specific interfaces.
I'd wait with 6.2.0 in the production network, especially for High Availability Networks.
You can try with 5.6.9 or 6.0.5 or even 6.2.0 when you can accept some risk. SD-WAN features are different in every version, including configuration, etc. You can wait for 6.2.1 which should be released soon and there will be couple of new features as well.
I think you can achieve what you need without SD-WAN, only with ECMP + PBR. SD-WAN gives you the ability to set an SLA, which can be useful for VoIP.
should be possible ;)
put 4 lines into WLLB/SD-WAN and set that up to do some load balancing and a connectivity test.
Make a Policy for internet traffic via WLLB/SD-WAN interface plus default route over it.
This gives you load balancing and failover since the connectivity test detects a dead line and will take it out as long as it is dead.
Make Policies for your (voip) traffic and a 2nd and 3rd default route for the other lines with different priorities!
Make sure those policies are BEFORE the other internet policy (because FGT is first come first serve) and make one for every traffic and internet line here!
Then traffic that hits those policies will primarily go over the 2nd default route and not over SD-WAN. If that is down it will use the one with the next higher priority. We do that e.g. for IPSec tunnel redundancy here.
Unfortunately you cannot have a 2nd WLLB/SD-WAN Interface on your FGT.
--
"It is a mistake to think you can solve any major problems just with potatoes." - Douglas Adams
Thank you for the answer!
I was very worried because this is the second time I work with Fortigate, but my first experience was quite surprising because in the company I was working in they had a Fortigate 100C with FortiOS 5.2 and we had 3 lines, 1 FTTH, 1 cable and 1 DSL, and the configuration I could accomplish by using load balancing was:
1 FTTH -> Internet
1 Cable -> VoIP
1 DSL -> Backup
When either FTTH or Cable went down, the firewall redirected the traffic to the Backup line.
But with the changes of 5.4, I find it a real mess to accomplish the same, because when I do the load balancing and I prioritize the group of lines to go to Internet and the other to go to VoIP, the firewall sometimes does not care and pushes the traffic of VoIP over internet lines and the opposite, because I can see deskphones using those lines.
Again, thanks, I will try it in the classic way, but I have to wait till the weekend because in the office I'm working in there are no stop hours, only weekends :)
I could configure everything successfully.
I accomplished the following:
1st ECMP -> Distance 10 Priority 0 (3x Internet lines + 1x VoIP line)
2nd ECMP -> Distance 10 Priority 10 (2x Internet lines + 1x VoIP line)
I used Policy Routes to force the traffic of the VoIP line in each ECMP to go to the desired interface. I put the 1st ECMP VoIP line rule first, then the 2nd ECMP VoIP line rule, both without gateway defined (0.0.0.0), because after reading the fortinet documentation that's how Policy Routes work in order to be able to go through the subsequent ones in case Static Routes are deleted due to links being down.
I made the tests, taking out the fiber cables from one line and then putting them back again, and it worked flawlessly. The PBX communications changed in a matter of a few seconds from one to the other and back to the first one.
Also, for this to work, I had to configure the link-monitor through the CLI, because in 5.4+ there is no option to do that through the GUI. Although I only configured the parameters srcintf and server. Do I have to add more parameters? Because I saw interval / timeout / failtime / recoverytime / update-cascade-interface / update-static-route parameters that may come in handy if set up correctly.
Thank you so much for the help!
Edit 1: I saw most of the parameters of the link-monitor have defaults set. Those defaults are quite OK, so I think there's nothing more to configure around here. The only thing which I doubt whether to enable or disable is the update-cascade-interface. I don't know what impact turning it off would have.
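The ECMP + policy-route + link-monitor layout worked out in the post above, which also realises the priority-based backup default routes suggested in the earlier reply, as an added FortiOS CLI example that is not from this thread or from Fortinet. Interface names (wan1/wan2 internet, wan5/wan6 VoIP, internal LAN), the gateway addresses and the VoIP subnet 10.0.20.0/24 are assumed placeholders; the example shows one internet and one VoIP line per group rather than all seven.

```fortios
# Added example, not from the thread. Distance 10 and priority 0 are the
# FortiOS defaults; group 2 differs only by priority 10, so its routes are
# installed but not used until every priority-0 route has been withdrawn.
config router static
    edit 1
        set gateway 203.0.113.1
        set device "wan1"
    next
    edit 2
        set gateway 203.0.113.17
        set device "wan5"
    next
    edit 3
        set gateway 203.0.113.33
        set device "wan2"
        set priority 10
    next
    edit 4
        set gateway 203.0.113.49
        set device "wan6"
        set priority 10
    next
end
# VoIP subnet pinned to the VoIP line of each group. With gateway 0.0.0.0 a
# rule only matches while a static route via its output device still exists,
# so withdrawing wan5's route lets the lookup fall through to the wan6 rule.
config router policy
    edit 1
        set input-device "internal"
        set src 10.0.20.0/255.255.255.0
        set output-device "wan5"
        set gateway 0.0.0.0
    next
    edit 2
        set input-device "internal"
        set src 10.0.20.0/255.255.255.0
        set output-device "wan6"
        set gateway 0.0.0.0
    next
end
# Link monitor for the group-1 VoIP line: probe every 5 s, withdraw the static
# route after 5 misses and restore it after 5 replies (one entry per WAN line).
config system link-monitor
    edit "wan5-mon"
        set srcintf "wan5"
        set server "198.51.100.10"
        set interval 5
        set timeout 1
        set failtime 5
        set recoverytime 5
        set update-static-route enable
    next
end
```

Each WAN line needs its own link-monitor entry, otherwise only the monitored line's route is ever withdrawn and the policy-route fall-through does not happen for the others.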