Hi,
I would like to know if it's possible to track reachability via a specific interface on FortiOS and, based on this result, take some action on a policy-based route.
What I need is very similar to ip sla + track + route-map + policy-based route on Cisco.
What I need to reach is this:
but I need to make sure that if WAN2 goes down I can make the mail traffic go out on WAN1, ignoring PBR.
Thanks
You may try using "link-monitor" to update static routes / shut down the interface.
Jeff_FTNT wrote: You may try using "link-monitor" to update static routes / shut down the interface.
http://docs-legacy.fortin...fig_system.23.041.html
Hi Jeff, that is something I know, and it works well with routing, but from my test it doesn't work with policy routes.
Do you have a different experience? Or any other idea?
Thanks
You may try to bind the two interfaces (to the ISPs) into one "virtual-wan-link" and configure a "service" to force SMTP with policy routes and load balancing.
######
config system virtual-wan-link
    set status enable
    set load-balance-quality-mode jitter-based
    config members
        edit 1
            set interface "port15"
            set gateway 1.1.1.1
            set detect-server "1.1.1.1"
        next
        edit 2
            set interface "port16"
            set gateway 2.2.2.2
            set detect-server "2.2.2.2"
        next
    end
    config service
        # SMTP (TCP/25) is pinned to member 1
        edit "smtp"
            set member 1
            set protocol 6
            set start-port 25
            set end-port 25
            set dst "all"
            set src "all"
        next
        # everything else goes to member 2
        edit "default"
            set member 2
            set dst "all"
            set src "all"
        next
    end
end
###
Thanks.
Jeff_FTNT wrote: You may try to bind the two interfaces (to the ISPs) into one "virtual-wan-link" and configure a "service" to force SMTP with policy routes and load balancing.
Thanks Jeff. I thought the same as a workaround, but I would miss the granularity of using a specific interface for a specific service. Still, yes, it works, so it's a good workaround.
Btw, I asked support and I got this answer.
From my experience this was not working with previous releases, but it looks like it works now. I will test it in my lab:
######
The Dead Gateway Detection (4.3 & 5.0) or Link Health Monitor (5.2) allows the FortiGate unit to ping a gateway at regular intervals to ensure it is online and working. When the gateway is not accessible, that interface is marked as down. This feature is similar to Cisco's IP SLA feature. Policy routing takes precedence over the IP routing table. Should the link via "wan2" fail, then SMTP traffic will not match the policy route configured and will be forwarded out "wan1", if "wan1" is the only default gateway at that time. In that case, the VIP configured for the SMTP server should have the External Interface set to Any, instead of a specific interface (i.e. "wan2"), in order to support this failover. The problem with this scenario is that traffic sourced from the SMTP server will have a different IP than the one expected when it is forwarded out "wan1" ("wan2" has already failed). Nevertheless, I believe that if you use an IP Pool in the (failover) matching firewall policy to translate the internal IP of the SMTP server to the external IP expected by the DNS server, this should allow the failover. The other SMTP failover solution is suggested in the KB article you mentioned.
######
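Added example, not from the thread or from Fortinet documentation: a constructed FortiOS CLI configuration putting together the two pieces discussed above, Jeff_FTNT's link-monitor suggestion and the support answer's policy route + VIP with External Interface "any" + IP pool on the failover policy. Interface names (internal, wan1, wan2), object names, and all addresses (RFC 5737 documentation ranges) are assumptions. The thread itself disagrees on whether a policy route is bypassed once the link monitor marks wan2 down (the original poster saw it fail on earlier releases, support says it works now), so the failover path should be confirmed in a lab on the release in use.

```text
# --- Assumed topology (constructed for this example) ---
# internal: 192.168.1.0/24, mail server 192.168.1.10
# wan1: 198.51.100.2/24, gateway 198.51.100.1, public SMTP IP 198.51.100.25
# wan2: 203.0.113.2/24, gateway 203.0.113.1, public SMTP IP 203.0.113.25 (primary)

# Link health monitor on wan2: ping the ISP gateway; when it fails,
# withdraw the static route(s) using wan2 and mark the interface down.
config system link-monitor
    edit "mon-wan2"
        set srcintf "wan2"
        set server "203.0.113.1"
        set protocol ping
        set interval 5
        set failtime 3
        set recoverytime 5
        set update-cascade-interface enable
        set update-static-route enable
        set status enable
    next
end

# Equal-distance default routes; wan2's route disappears while mon-wan2 is down.
config router static
    edit 1
        set dst 0.0.0.0 0.0.0.0
        set gateway 198.51.100.1
        set device "wan1"
        set distance 10
    next
    edit 2
        set dst 0.0.0.0 0.0.0.0
        set gateway 203.0.113.1
        set device "wan2"
        set distance 10
    next
end

# Policy route: outbound SMTP from the mail server is steered to wan2.
# Per the support answer, this entry stops matching once wan2 is down and
# the traffic falls back to the routing table (wan1 only at that point).
config router policy
    edit 1
        set input-device "internal"
        set src "192.168.1.10/255.255.255.255"
        set dst "0.0.0.0/0.0.0.0"
        set protocol 6
        set start-port 25
        set end-port 25
        set gateway 203.0.113.1
        set output-device "wan2"
    next
end

config firewall address
    edit "smtp-server"
        set subnet 192.168.1.10 255.255.255.255
    next
end

# Inbound VIP with External Interface "any" so it keeps working on either WAN.
config firewall vip
    edit "smtp-vip"
        set extip 203.0.113.25
        set extintf "any"
        set mappedip "192.168.1.10"
    next
end

# IP pool holding the address the remote side expects when mail leaves via wan1.
config firewall ippool
    edit "smtp-wan1-pool"
        set startip 198.51.100.25
        set endip 198.51.100.25
    next
end

# Outbound policies. Policy 10 is the normal path; policy 11 is the failover
# path and source-NATs the server to the pool address instead of wan1's own IP.
config firewall policy
    edit 10
        set srcintf "internal"
        set dstintf "wan2"
        set srcaddr "smtp-server"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "SMTP"
        set nat enable
    next
    edit 11
        set srcintf "internal"
        set dstintf "wan1"
        set srcaddr "smtp-server"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "SMTP"
        set nat enable
        set ippool enable
        set poolname "smtp-wan1-pool"
    next
end
```

Apply the sections in the order shown, since the firewall policy references the address and IP pool objects. Pulling the wan2 cable (or blocking ICMP to 203.0.113.1 upstream) and watching `get router info routing-table all` and the policy-route hit counters is the quickest way to see whether SMTP actually moves to wan1 on a given release.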
Has anyone found a solution other than using SD-WAN?