wsal
New Contributor II

Dynamic IP pool change - SNAT for two ISPs

Hi. I have a puzzle.

I received public addressing from the new operator, ISP2. So far I have had one network (I have my own AS in BGP).

I wanted to use the addresses from the new operator to access the Internet. Everything works, but I see that this implementation has its drawbacks when that link stops working:

[diagram: isp.jpg]

Above is a diagram of roughly what it looks like.

So:

I have a FortiGate that receives a default gateway from the edge router.

I redistribute my public SNAT IP addresses into OSPF as static routes, adding each /32 prefix as a blackhole route; it works fine.

Because I receive the default gateway from the edge router, I decided to also connect the new operator, ISP2, to the edge routers. I will distribute the addressing in OSPF as above for the old connection, and on the edge router I will do PBR: if the source IP is from ISP2, set the next hop to ISP2.

I did that and it works OK.

I.e., I have an IP pool, e.g. 190.10.10.10, on the FortiGate in the FortiGate - edge router connection, and I have an IP policy with a route map: if the source is 190.10.10.0/24, then set the next hop to ISP2. And it works.

However, if ISP2 has a failure, I MUST MANUALLY CHANGE the IP pool in the Internet policy to ISP1's.

I have a workaround, but the question is: can it be automated?

I looked at SD-WAN; I use it in my warehouse where I have 2 ISPs, but somehow I don't feel that it works well with OSPF, and it doesn't change which IP pool is used for SNAT.

I use many IP pools because practically every VLAN goes to the Internet with its own public address.

Can I create some IP SLA so that, if my ISP connection address does not respond, the catch-all policy with ISP1's IP pool is enabled?
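One way to automate the pool swap without SD-WAN, as an added example that is not the poster's configuration and not a Fortinet-provided script: a link-monitor probe sourced from the ISP2 pool address (so the edge router's PBR carries the probe out via ISP2, and the probe fails when ISP2 fails even though the FortiGate's own uplink to the edge router stays up), plus two automation stitches that rewrite the policy's `poolname` when the monitor goes down and comes back. All names, the policy ID, the ISP1 pool address, the edge-router gateway, the probe target and the two event log IDs are assumptions made for the example; the 190.10.10.10 pool address is the one from the post. Check the link-monitor log IDs against the Log Reference for the firmware in use before relying on them.

```text
# Assumed for the example: pool names ISP1-POOL/ISP2-POOL, policy ID 10,
# interface names vlan10/to-edge, edge router 10.0.0.1, probe target
# 203.0.113.1, ISP1 address 198.51.100.10, link-monitor log IDs 22922 (down)
# and 22923 (up). Verify the log IDs in your firmware's Log Reference.

config firewall ippool
    edit "ISP1-POOL"
        set type overload
        set startip 198.51.100.10
        set endip 198.51.100.10
    next
    edit "ISP2-POOL"
        set type overload
        set startip 190.10.10.10
        set endip 190.10.10.10
    next
end

# Internet policy for one VLAN; normally SNATs to the ISP2 pool.
config firewall policy
    edit 10
        set name "VLAN10-Internet"
        set srcintf "vlan10"
        set dstintf "to-edge"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set nat enable
        set ippool enable
        set poolname "ISP2-POOL"
    next
end

# Probe sourced from the ISP2 pool address: the edge router's PBR sends it
# out via ISP2, so it tests the ISP2 path rather than the link to the edge.
# update-static-route is disabled because the default route comes from OSPF
# and must not be touched when the probe fails.
config system link-monitor
    edit "ISP2-PATH"
        set srcintf "to-edge"
        set server "203.0.113.1"
        set gateway-ip 10.0.0.1
        set source-ip 190.10.10.10
        set protocol ping
        set interval 1000
        set failtime 5
        set recoverytime 5
        set update-static-route disable
    next
end

# CLI scripts that swap the pool on policy 10. Newlines are shown literally
# as in a saved configuration; in an interactive session type %0a instead.
config system automation-action
    edit "SNAT-to-ISP1"
        set action-type cli-script
        set script "config firewall policy
edit 10
set poolname \"ISP1-POOL\"
next
end"
    next
    edit "SNAT-to-ISP2"
        set action-type cli-script
        set script "config firewall policy
edit 10
set poolname \"ISP2-POOL\"
next
end"
    next
end

config system automation-trigger
    edit "ISP2-PATH-down"
        set event-type event-log
        set logid 22922
    next
    edit "ISP2-PATH-up"
        set event-type event-log
        set logid 22923
    next
end

config system automation-stitch
    edit "ISP2-down-SNAT-to-ISP1"
        set trigger "ISP2-PATH-down"
        config actions
            edit 1
                set action "SNAT-to-ISP1"
            next
        end
    next
    edit "ISP2-up-SNAT-to-ISP2"
        set trigger "ISP2-PATH-up"
        config actions
            edit 1
                set action "SNAT-to-ISP2"
            next
        end
    next
end
```

Two caveats for this approach. The event-log trigger fires for any link monitor that emits that log ID, so with several monitors the action must either be scoped to the right one (a log-field filter on the trigger, where the firmware supports it, or a script that checks the monitor name) or be harmless when fired for another monitor. And only new sessions pick up the changed pool; sessions already established keep their existing SNAT binding until they end or are cleared, so a failover is not instantaneous for long-lived flows. With one policy per VLAN, each policy needs its own `set poolname` line in the two scripts, but a single monitor and a single pair of stitches still suffice, since all the ISP2 pools share the same path.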
