Unlock Exclusive Benefits
Join Our Community Today!
Join our community and post in the forum to earn your exclusive Autumn 2024 badge! Become a member today!
LOGIN/REGISTER
CONTINUE AS A GUEST
- Forums
- Knowledge Base
- Customer Service
- Internal Article Nominations
- FortiGate
- FortiClient
- FortiAP
- FortiAnalyzer
- FortiADC
- FortiBridge
- FortiAuthenticator
- FortiCache
- FortiCarrier
- FortiConnect
- FortiCASB
- FortiConverter
- FortiCNP
- FortiDAST
- FortiDB
- FortiDDoS
- FortiDNS
- FortiDeceptor
- FortiDevSec
- FortiDirector
- FortiEDR
- FortiExtender
- FortiGate Cloud
- FortiHypervisor
- FortiGuard
- FortiInsight
- FortiIsolator
- FortiMail
- FortiMonitor
- FortiManager
- FortiNAC
- FortiNAC-F
- FortiNDR (on-premise)
- FortiNDRCloud
- FortiPAM
- FortiPhish
- FortiPortal
- FortiProxy
- FortiRecorder
- FortiRecon
- FortiSandbox
- FortiScan
- FortiSASE
- FortiSIEM
- FortiSOAR
- FortiSwitch
- FortiTester
- FortiToken
- FortiWAN
- FortiVoice
- FortiWeb
- FortiWebCloud
- Lacework
- RMA Information and Announcements
- Wireless Controller
- FortiCloud Products
- ZTNA
- 4D Documents
- Customer Service
- Community Groups
- Blogs
Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
- Fortinet Community
- Forums
- Support Forum
- RE: Zones - members not available as src or dest ...
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark
- Subscribe
- Mute
- Printer Friendly Page
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Zones - members not available as src or dest interface
Hi
I have configured a zone with two IPSec tunnels as its member.
Both tunnels route traffic to the same remote FTG, one via an expensive link and the other via ADSL.
I would like to apply different traffic prioritisation profiles to traffic in each tunnel for one type of traffic. But, it seems that since creating the zone I can not use either member of the zone as a destination interface in a firewall policy.
Is there a way around this? I do not want to duplicate all my rules - Zones are a good solution for this.
Thanks
--
riaan
Fortigate 80c - 4.0 MR2 patch 7
-- riaan Fortigate 80c - 4.0 MR2 patch 7
Nominate a Forum Post for Knowledge Article Creation
Nominating a forum post submits a request to create a new Knowledge Article based on the forum post topic. Please ensure your nomination includes a solution within the reply.
- « Previous
-
- 1
- 2
- Next »
16 REPLIES 16
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Maybe you' ve overlooked the priorisation you can achieve by using different weights (distance/priority) on the static routes to the VPNs.
If one of the routes has a smaller distance or a lower priority then it will be preferred over the other. This is the classical failover scenario with 2 outbound interfaces (only normally you' d use it on WAN ports, not VPN ports). As Bob has pointed out, even if both VPN interfaces are members of a zone you can still set their priority independently in the Interface setup.
Of course you should additionally configure both interfaces for Dead Gateway Detection at the interface level, i.e. set ping targets. This way, if an interface fails (the tunnel goes down) the static route to it will quickly be removed from the routing table so that traffic won' t be sent to Nirwana.
Ede Kernel panic: Aiee, killing interrupt handler!
Ede Kernel panic: Aiee, killing interrupt handler!
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
The problem with using static routes is that my requirement is for inter-branch traffic. So, there are two static routes between CPT and JNB - one via the " BL" VPN and the other via the " DSL" VPN. The DSL VPN has a a higher weight than the BL VPN.
Are you saying I could have a route for 192.168.10.0/24 via both VPN interfaces and specific routes for 192.168.10.100/24 with different weights - where 192.168.10.100 is a VOIP PBX which I want to handle differently depending on which VPN is my default route between the branches?
How does this allow me to prioritise RDP traffic over SIP traffic when we are on the failover VPN between the branches?
PS - BL is a MPLS network between the two branches the DSL link is highly contended and inexpensive.
--
riaan
Fortigate 80c - 4.0 MR2 patch 7
-- riaan Fortigate 80c - 4.0 MR2 patch 7
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Just a quick note to say thanks for all the responses so far.
--
riaan
Fortigate 80c - 4.0 MR2 patch 7
-- riaan Fortigate 80c - 4.0 MR2 patch 7
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Now, this is 2 pairs of shoes: preference of a (less costly) route over a backup route, and prioritisation of one service over others.
The first goal can be achieved with routes which have different weights. Of course you can specify a host route (in your case 192.168.10.100/32). If placed before the general route for that subnet it will be followed if traffic to that destination is to be routed.
The means to achieve traffic prioritisation is the traffic shaper option available in firewall policies. TS places services into 3 QoS categories (low/medium/high). You separate the services by defining specific policies. Then you are able to assign TS to them, with different QoS classes.
The FortiOS implementation is not very sophisticated IMHO but it works. As this is a tricky subject I recommend the FortiOS Handbook (and maybe the Cookbook also) for further reading.
Ede Kernel panic: Aiee, killing interrupt handler!
Ede Kernel panic: Aiee, killing interrupt handler!
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
riaanb,
Have you considered setting an outbound bandwidth on each VPN' s respective interface? The " outbandwidth" parameter will define an absolute max rate for the Fortigate to use. Then, within your firewall policies, set the priority as either high, medium, or low and these priorities will be honored when congestion begins (thanks to the outbandwidth parameter). Without outbandwidth, Fortigate probably won' t experience congestion because its physical link speed to the DSL modem or MPLS is 100mbps or higher. As long as the Fortigate physical interfaces don' t experience congestion, they' ll pass the traffic immediately to the next device where it will either be transmitted or buffered. Your MPLS may have its own traffic prioritization capabilities and the DSL modem may offer something too but since the traffic has already been encrypted by the Fortigate, it may be hard to take advantage of those shaping options.
Don' t forget to inspect the default priority that' s used unless explicitly defined. Some releases defaulted to HIGH whereas I think 4.3 defaults to MEDIUM. I tend to set the default traffic to LOW so that I can selectively enable other traffic to be medium or high.
config system global
set tos-based-priority low
end
Using the above technique with specific " outbandwidth" parameters for each of your VPN interfaces, you might still be able to use zones as long you' re not concerned with an interface-specific bandwidth rate for each policy. High/Medium/Low should be honored as congestion occurs. Don' t forget to set " outbandwidth" somewhat below the true outbound speed so that traffic doesn' t build up in the DSL modem' s buffers, thus creating latency.
Additionally, you may want to consider the " monitor-phase1" parameter for your DSL vpn phase1 interface. This tells the Fortigate to only activate the secondary tunnel if the primary tunnel has failed and -- this is the best part IMHO -- it automatically tears down the backup tunnel when the primary is restored. Otherwise, if both are active simultaneously, you may find that the slower DSL tunnel is used more than you think. Sessions don' t " fail back" to the primary unless the backup link dies. It' s quite possible that others may disagree with the use of " monitor-phase1" but it' s been very useful and reliable in my experience.
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
A good explanation around the subject " traffic shaping" , where Traffic Shaper, ToS, " outbandwidth" all belong to. To really take advantage of it I still recommend reading up the relevant documentation to get a picture of how these details work together.
The " monitor-phase1" parameter was introduced when interface-based VPNs came up (IMHO) and it' s the way to go for failover tunnels.
Consider the case when streams of traffic go across a tunnel like a prolonged RDP session, or SNMP: the routing engine will only take a decision when the first packet of a session has to be routed. Once in the routing table, no more lookups are done (for efficiency).
Say the FGT already uses a backup VPN tunnel. If in the meantime the primary tunnel comes up again a ' better' route is entered into the routing table, but existing sessions still will follow the old path across the backup tunnel. This will only change when either the session times out or the backup path goes down.
With the " monitor-phase1" parameter set the state of the monitored tunnel is checked periodically and the tunnel is torn down if the primary is up again.
Ede Kernel panic: Aiee, killing interrupt handler!
Ede Kernel panic: Aiee, killing interrupt handler!
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thanks for the great tips Ede and Nothingel.
I have defined outbandwidth - but I suspect that this is something that is easy to miss, not much is made of it in the documentation, it is treated as an optional step.
Nothingel, the devices on my LAN does not use TOS to set priority thus I have not changed anything from the default regarding that. Does this affect Fortigate' s High/Medium/Low prioritisation? I thought it was an either or situation - either use TOS or use H/M/L in firewall policies.
Thanks for the tip re: monitor_phase1. I have implemented this now.
--
riaan
Fortigate 80c - 4.0 MR2 patch 7
--
riaan
Fortigate 80c - 4.0 MR2 patch 7
-- riaan Fortigate 80c - 4.0 MR2 patch 7
- « Previous
-
- 1
- 2
- Next »
Announcements
Select Forum Responses to become Knowledge Articles!
Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.
Related Posts
- Fortigate VM Double NAT issue in... 100 Views
- Help to create a handler with... 128 Views
- FTG dhcp server 257 Views
- FortiNAC Registration Portal Bypassed When Using... 145 Views
- How to Drop known external traffic... 148 Views
Labels
-
FortiGate
8,080 -
FortiClient
1,622 -
5.2
801 -
FortiManager
682 -
5.4
639 -
FortiAnalyzer
518 -
FortiAP
427 -
FortiSwitch
426 -
6.0
416 -
FortiClient EMS
365 -
5.6
362 -
FortiMail
301 -
6.2
251 -
FortiAuthenticator v5.5
234 -
5.0
196 -
FortiWeb
189 -
SSL-VPN
178 -
FortiNAC
163 -
IPsec
154 -
6.4
128 -
FortiGuard
125 -
FortiGateCloud
98 -
FortiSIEM
94 -
FortiCloud Products
94 -
SD-WAN
89 -
FortiToken
86 -
Customer Service
74 -
Wireless Controller
74 -
FortiAuthenticator
70 -
4.0MR3
64 -
Firewall policy
58 -
FortiProxy
53 -
FortiEDR
50 -
Fortivoice
49 -
FortiADC
49 -
FortiExtender
43 -
VLAN
42 -
FortiDNS
41 -
High Availability
41 -
FortiSandbox
39 -
ZTNA
37 -
FortiGate v5.4
35 -
Routing
35 -
LDAP
34 -
FortiSwitch v6.4
33 -
DNS
33 -
BGP
32 -
SAML
31 -
Certificate
30 -
Interface
29 -
SSO
27 -
NAT
27 -
FortiConnect
26 -
FortiConverter
25 -
Authentication
25 -
FortiWAN
24 -
RADIUS
24 -
FortiLink
24 -
FortiGate v5.2
23 -
VDOM
23 -
Application control
21 -
Web profile
21 -
Virtual IP
20 -
FortiSwitch v6.2
18 -
FortiPortal
18 -
Fortigate Cloud
18 -
Logging
18 -
Traffic shaping
17 -
FortiMonitor
16 -
FortiPAM
16 -
FortiDDoS
15 -
FortiGate v5.0
14 -
SSL SSH inspection
14 -
OSPF
13 -
FortiCASB
12 -
SSID
12 -
Admin
12 -
IP address management - IPAM
12 -
FortiManager v5.0
11 -
Automation
11 -
Static route
11 -
WAN optimization
11 -
Web application firewall profile
11 -
FortiSOAR
10 -
FortiRecorder
10 -
SNMP
10 -
4.0MR2
9 -
FortiGate v4.0 MR3
9 -
FortiWeb v5.0
9 -
FortiAP profile
9 -
System settings
9 -
FortiManager v4.0
8 -
FortiBridge
8 -
RMA Information and Announcements
8 -
IPS signature
8 -
Proxy policy
8 -
4.0
7 -
FortiAnalyzer v5.0
7 -
Security profile
7 -
Traffic shaping policy
7 -
Port policy
7 -
FortiCache
6 -
DNS filter
6 -
trunk
6 -
Packet capture
6 -
Intrusion prevention
6 -
FortiCarrier
5 -
FortiToken Cloud
5 -
FortiTester
5 -
Users
5 -
Fabric connector
5 -
Fortinet Engage Partner Program
5 -
3.6
4 -
FortiDeceptor
4 -
FortiScan
4 -
FortiDirector
4 -
Internet service database
4 -
Antivirus profile
4 -
Traffic shaping profile
4 -
Application signature
4 -
DLP sensor
4 -
Email filter profile
4 -
Netflow
4 -
Web rating
4 -
FortiDB
3 -
FortiHypervisor
3 -
Explicit proxy
3 -
NAC policy
3 -
DLP Dictionary
3 -
DLP profile
3 -
DoS policy
3 -
Replacement messages
3 -
VoIP profile
3 -
Multicast routing
3 -
FortiInsight
2 -
FortiAI
2 -
API
2 -
FortiNDR
2 -
Authentication rule and scheme
2 -
Protocol option
2 -
Schedule
2 -
Service
2 -
Zone
2 -
Cloud Management Security
2 -
4.0MR1
1 -
FortiManager-VM
1 -
FortiCWP
1 -
Kerberos
1 -
Subscription Renewal Policy
1 -
Video Filter
1 -
TACACS
1 -
SDN connector
1 -
Multicast policy
1
Top Kudoed Authors
| User | Count |
|---|---|
| 1517 | |
| 1013 | |
| 749 | |
| 443 | |
| 209 |
Broad. Integrated. Automated.
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Security Research
Company
News & Articles
Copyright 2024 Fortinet, Inc. All Rights Reserved.