I'm testing 5.4GA on a 500D (I like the new UI so far and it seems stable but I have yet to put it under load). I'm trying to determine the pros/cons of using the WAN LLB feature (Interfaces...WAN LLB) vs creating a "Redundant" interface composed of two physical ones directly from the Interfaces menu. Docs focus on and mention how to use the WAN LLB and its various modes but make no mention of the "Redundant" option via the Interface menu. Anyone have experience with that?
Right now our production 500D is running 5.2.3 and we use a single WAN connection with VIPs to map external IPs to internal hosts/services. I've set up my Fortinets this way for years and it works great.
I now have a 1Gbps primary and 100Mbps backup connection as of today. I'd like to set them both up so that failover is somewhat automatic or at least only requires me to log in and flip a switch in the event of an outage. WAN interfaces would be comprised of a Redundant or WAN LLB interface so I don't need multiple rules for each ISP. I have not explored yet how multiple WAN IPs impact setting up a VIP (or if that is even possible). Do you end up with two external IPs mapping to one internal? I understand that I would need to update DNS in the event of an outage for any Internet clients to be able to resolve the backup IPs. The goal is not to load balance, only to have the 100Mb connection available so an outage of the primary would be recoverable by simply enabling that interface and updating some DNS records.
Next step would be BGP I assume but I'm not at that level yet.
Depending on exactly how you want things to work, and what version of FortiOS you're using...
If you want the 100Mbps link to be used only if the 1000Mbps link fails:

- Set the distance value on the route to the gateway on your 100Mbps link to be a higher number than the distance value on the route to the gateway on the 1000Mbps link.
- Set the distance value the same on both routes and adjust the priority field on the 100Mbps link to be a higher value than the priority on the route to the 1000Mbps gateway.
If you want to be able to sometimes use the 100Mbps link for selected traffic e.g. guest WiFi access, whilst letting everything else go out the 1000Mbps link, you will need to configure the distance and priority values on both routes to be the same, then use a policy route to selectively route the WiFi traffic out the 100Mbps link interface.
Make sure you have dead gateway detection enabled.
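As an added illustration of the answer above (this is not configuration posted in the thread), here is how the higher-distance backup route, dead gateway detection and the optional policy route look in the FortiOS 5.4 CLI. Interface names, the guest subnet and the gateway addresses are assumed placeholders; the `src` policy-route syntax is the 5.4 form.

```fortios
# Static default routes: the 100Mbps route gets a higher distance, so it is
# installed only while the 1Gbps route is withdrawn by link-monitor.
config router static
    edit 1
        set device "wan1"            # assumed: 1Gbps ISP interface
        set gateway 203.0.113.1      # constructed gateway address
        set distance 10
    next
    edit 2
        set device "wan2"            # assumed: 100Mbps ISP interface
        set gateway 198.51.100.1     # constructed gateway address
        set distance 20              # higher than wan1 -> backup only
    next
end

# Dead gateway detection: ping the primary gateway and pull its static
# route on failure (update-static-route), so the wan2 route takes over.
config system link-monitor
    edit "wan1-monitor"
        set srcintf "wan1"
        set server "203.0.113.1"
        set protocol ping
        set gateway-ip 203.0.113.1
        set interval 5
        set failtime 3
        set recoverytime 5
        set update-static-route enable
    next
end

# Optional: if both routes are instead given equal distance and priority, a
# policy route pins guest WiFi traffic (constructed subnet) to the 100Mbps link.
config router policy
    edit 1
        set input-device "guest-wifi"            # assumed interface name
        set src "192.168.50.0/255.255.255.0"     # constructed guest subnet
        set output-device "wan2"
        set gateway 198.51.100.1
    next
end
```

With the higher-distance variant the wan2 route only appears in `get router info routing-table all` after the monitor marks wan1 dead, which is the simplest way to verify the failover before relying on it.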
From trial and error: using 2 routes with the same distance and a higher priority on the secondary link results in slight loss when failing over, and no loss at all when failing back. When using a higher distance and the same priority on the secondary link, there was slight loss failing over, and slight loss again when failing back.