Hi
I have wan1 as my primary interface. I want to add a check that will set the interface down if there's any problem with it reaching the internet. In that case I want wan2 to be the primary one.
How do I configure a check that will set wan1 in admin down?
thanks
It's CLI only beyond 5.2:

    config system link-monitor
        edit 1
            set srcintf wan1
            set server 8.8.8.8
        next
    end

The server can be 8.8.8.8 or whatever you want to constantly ping.
If it fails it removes the route, so your wan2 route will become the default. There are other values to define if you want, but I believe the above is the minimum to get it working.
gateway-ip is the gateway of the ISP, right? Is it required for link-monitor, or can it stay on 0.0.0.0 since I already have the gateway defined on the static route?
nordik24 wrote: Hi
I have wan1 as my primary interface. I want to add a check that will set the interface down if there's any problem with it reaching the internet. In that case I want wan2 to be the primary one.
How do I configure a check that will set wan1 in admin down?
thanks
You can take a look at the SD-WAN feature, which offers health-check and load-balance between your two WAN links.
thanks for the clarification
Probably the easiest way is to use the built-in load balancer (wan-link-load-balance, WLLB).
Set some ping check for availability (in 5.4 or greater this can all be done in the web interface, not sure about older versions though).
You could set WLLB to do volume based balancing with 100% of traffic on wan1 and none on wan2. This will then route all traffic to the internet via wan1 except if the ping check reports wan1 down. In this very case WLLB will automatically use wan2 instead.
This works fine here on over 16 FortiGates.
It however will not affect VPN tunnels. If you want VPN fallback you will have to have redundant tunnels on each WAN and at least priority-based routing. This is how I do this here with our IPsec tunnels. There is one for every LAN from every FGT to our FGT and priority-based routing for the subnets going over those.
If one WAN on one side is then down, that tunnel will drop and it will switch to the second route over the second tunnel within a second.
--
"It is a mistake to think you can solve any major problems just with potatoes." - Douglas Adams
Bumping this thread for some clarification. Not using SD-WAN or WLLB, just dual ISP with individual static routes and priority to enforce primary and backup. Setup is identical to this https://cookbook.fortinet.com/redundant-internet-basic-failover-56/ but I didn't proceed on item no. 4, wondering if there is a non-CLI way of doing this since I'm on new firmware. FortiGate 301E v5.6.4 build1575 (GA)
Had an outage on primary today and secondary didn't kick in, so I'm assuming this is the missing piece? During my testing I physically unplugged the primary and the backup kicked in.
Yes, you need a link-monitor for it to work properly.
When I check "config system link-monitor" settings it is empty, is that normal? Do I need to supply every single line for the wan interface in the link monitor properties? Thanks.
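Added example, not written by any poster in this thread and not Fortinet's own configuration: a link-monitor entry for the dual-ISP static-route setup discussed above, with the failure and recovery thresholds spelled out instead of left implicit. The entry name `wan1-probe`, the gateway address 192.0.2.1 (a documentation placeholder for the wan1 ISP gateway) and the threshold values are assumptions to adapt.

```fortios
# Constructed example: names, gateway address and thresholds are placeholders.
config system link-monitor
    edit "wan1-probe"
        # Interface whose upstream reachability is being tested
        set srcintf "wan1"
        # Probe target, as in the accepted answer
        set server "8.8.8.8"
        set protocol ping
        # Placeholder for the wan1 ISP next hop
        set gateway-ip 192.0.2.1
        # Consecutive lost probes before the link is declared dead
        set failtime 5
        # Consecutive successful probes before it is declared alive again
        set recoverytime 5
        # Withdraw static routes through wan1 while the link is dead,
        # so the lower-priority wan2 default route takes over
        set update-static-route enable
        set status enable
    next
end
```

After applying it, `diagnose sys link-monitor status` reports the probe state, and `get router info routing-table all` shows which default route is currently installed.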