Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
oliverlag
New Contributor

pbr and ip sla / track for failover

Hi,

I would like to know if it's possible to track some reachability via a specific interface on Forti OS and based on this result make some action on a policy based route.

What I need is very similar to ip sla + track + route-map + policy based route on Cisco.

What I need to reach is this:

http://kb.fortinet.com/kb/microsites/search.do?cmd=displayKC&docType=kc&externalId=FD31240&sliceId=1...

but I need to make sure that if WAN2 goes down I can make the mail traffic go out on WAN1 ignoring PBR

Thanks

Jeff_FTNT
Staff

You may try using "link-monitor" to update static routes/shutdown interface

http://docs-legacy.fortin...fig_system.23.041.html

oliverlag

Jeff_FTNT wrote:

You may try using "link-monitor" to update static routes/shutdown interface

http://docs-legacy.fortin...fig_system.23.041.html

Hi Jeff.. that is something I know and it works well with routing, but from my test it doesn't work with policy route.

Do you have different experience? Or any other idea?

Thanks

Jeff_FTNT
Staff

You may try to bind two interfaces (to ISP) into one "virtual-wan-link", config "service" to force SMTP with policy routes and load balancing.

######

config system virtual-wan-link
    set status enable
    set load-balance-quality-mode jitter-based
    config members
        edit 1
            set interface "port15"
            set gateway 1.1.1.1
            set detect-server "1.1.1.1"
        next
        edit 2
            set interface "port16"
            set gateway 2.2.2.2
            set detect-server "2.2.2.2"
        next
    end
    config service
        edit "smtp"
            set member 1
            set protocol 6
            set start-port 25
            set end-port 25
            set dst "all"
            set src "all"
        next
        edit "default"
            set member 2
            set dst "all"
            set src "all"
        next
    end
end

######

 

Thanks.

oliverlag

Jeff_FTNT wrote:

You may try to bind two interfaces (to ISP) into one "virtual-wan-link", config "service" to force SMTP with policy routes and load balancing.

Thanks Jeff.. I thought the same as workaround but I would miss the granularity on using a specific interface for a specific service, but yes, it works, so it's a good workaround.

Btw, I asked support and I got this answer.

From my experience this was not working with previous releases but it looks it works now. I will test it in my lab:

######

The Dead Gateway Detection (4.3 & 5.0) or Link Health Monitor (5.2) allows the FortiGate unit to ping a gateway at regular intervals to ensure it is online and working. When the gateway is not accessible, that interface is marked as down. This feature is similar to Cisco's IP SLA feature.

Policy routing takes precedence over the IP routing table. Should the link via "wan2" fail, then SMTP traffic will not match the policy route configured and will be forwarded out "wan1", if "wan1" is the only default gateway at that time. In that case, the VIP configured for the SMTP server should have the External Interface set to Any, instead of a specific interface (i.e. "wan2"), in order to support this failover.

The problem with this scenario is that traffic sourced from the SMTP server will have a different IP than the one expected, when it is forwarded out "wan1" ("wan2" has already failed). Nevertheless, I believe that if you use an IP Pool in the (failover) matching firewall policy to translate the internal IP of the SMTP server to the external IP expected by the DNS server, this should allow the failover. The other SMTP failover solution is suggested on the KB article you mentioned.

######
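The failover path the support answer describes, written out as an added FortiOS 5.2-style CLI example (not from this thread or from Fortinet's documentation). The interface names, the mail server 10.0.0.25, the documentation-range addresses 203.0.113.x, the object names, and a pair of default routes already present on wan1 and wan2 are all assumptions.

```fortios
# Link health monitor on wan2: when the gateway stops answering pings, wan2 is
# marked down and its static route is withdrawn, so the policy route below no
# longer matches and SMTP follows the remaining wan1 default route.
config system link-monitor
    edit "wan2-health"
        set srcintf "wan2"
        set server "203.0.113.1"
        set gateway-ip 203.0.113.1
        set protocol ping
        set interval 5
        set failtime 3
        set update-static-route enable
    next
end
# Policy route: SMTP (tcp/25) from the mail server normally leaves via wan2.
config router policy
    edit 1
        set input-device "internal"
        set src "10.0.0.25/255.255.255.255"
        set protocol 6
        set start-port 25
        set end-port 25
        set gateway 203.0.113.1
        set output-device "wan2"
    next
end
# VIP bound to "any" instead of "wan2" so inbound SMTP is still matched after failover.
config firewall vip
    edit "smtp-vip"
        set extip 203.0.113.25
        set extintf "any"
        set portforward enable
        set mappedip "10.0.0.25"
        set extport 25
        set mappedport 25
    next
end
# IP pool referenced by the internal->wan1 failover policy (set ippool enable /
# set poolname "smtp-snat") so outbound mail keeps the source address that the
# DNS records expect.
config firewall ippool
    edit "smtp-snat"
        set startip 203.0.113.25
        set endip 203.0.113.25
    next
end
```

Whether the wan1 provider actually forwards packets sourced from a wan2 address is the caveat the support answer raises; verify it with the ISP before relying on the pool for failover.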

Hossein_Oliabak

Has anyone found a solution other than using SD-WAN?
