Sorry, new to FortiGate and trying to work out a problem.
I have a situation: two external WANs, both with different IP scopes. I have a requirement that if our primary link drops, the public IPs of the primary WAN must still be accessible via WAN2 and then through the firewall to the primary WAN interface. We have public-facing servers that use NAT, and all of the public IPs for them are on the primary WAN. But of course if the primary drops, none of these are accessible even though external traffic can still get to WAN2.
How about accessing those servers via an FQDN like serverA.yourdomain.com, where the DNS record contains A records for both of your WAN IP addresses?
So the servers will be accessible via two different VIP settings, and one of the IPs will work eventually.
You are probably not going to be able to affect the routing of your public IPs and how they are reachable from the public internet, unless you have some sort of dynamic routing with your ISPs, i.e. things like BGP / AS etc.
In that case, explore BGP and dynamic routing, so the subnets assigned to you (your AS - Autonomous System) will always be reachable via dynamically changing routes based on some pre-set metrics. It might be somehow doable if both WAN connections are from one provider (I doubt that), so that the provider might be willing and able to make some static routes with priorities and maybe health checks like ping servers. Something similar to SD-WAN. But I'm not sure.
If those WAN connections are from different providers, then I do not see many other options here besides some dynamic routing, and so some form of BGP.
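The "two VIPs, one server" approach above, written out as FortiOS CLI. This is an added example, not configuration posted by anyone in this thread. The interface names (wan1, wan2, internal), the VIP and policy names, the policy IDs, the HTTPS service and the use of 126.96.36.199 as a spare address in the WAN2 scope are all assumptions for illustration; the server addresses 22.214.171.124 and 10.10.10.10 are the ones used later in the thread.

```text
# Two VIPs that both translate to the same internal server.
# Each VIP is bound to the WAN interface whose public scope it belongs to.
config firewall vip
    edit "serverA-wan1"
        set extip 22.214.171.124       # public IP in the WAN1 scope (assumed)
        set extintf "wan1"             # interface name assumed
        set mappedip "10.10.10.10"     # the real server
    next
    edit "serverA-wan2"
        set extip 126.96.36.199        # spare public IP in the WAN2 scope (assumed)
        set extintf "wan2"             # interface name assumed
        set mappedip "10.10.10.10"     # same server behind both VIPs
    next
end

# One inbound policy per WAN interface. Without the wan2 policy the second
# A record resolves but the connection is dropped at the firewall.
config firewall policy
    edit 10
        set name "inbound-serverA-wan1"
        set srcintf "wan1"
        set dstintf "internal"         # LAN interface name assumed
        set srcaddr "all"
        set dstaddr "serverA-wan1"
        set action accept
        set schedule "always"
        set service "HTTPS"            # restrict to the service actually exposed
        set logtraffic all
    next
    edit 11
        set name "inbound-serverA-wan2"
        set srcintf "wan2"
        set dstintf "internal"
        set srcaddr "all"
        set dstaddr "serverA-wan2"
        set action accept
        set schedule "always"
        set service "HTTPS"
        set logtraffic all
    next
end
```

Then publish two A records for serverA.yourdomain.com, 22.214.171.124 and 126.96.36.199, with a short TTL so clients move to the surviving address quickly. To test without waiting for an outage, connect to 126.96.36.199 from outside while WAN1 is still up and run "diagnose sys session list" on the FortiGate: the session should show the wan2 VIP and the reply leaving through wan2, not wan1. If the reply is routed out wan1 instead, the second VIP is not usable during a failover and that needs fixing first.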
Both links from the same provider and they are prepared to run BGP for us.
If I have a server with public IP 22.214.171.124 on WAN1 and private IP 10.10.10.10, I still need to be able to route traffic from our WAN2 circuit (let's say 126.96.36.199) to the public IP of the said server and then to its NATed address 10.10.10.10.
I was wondering if we should have a rule allowing traffic from the WAN2 interface to WAN1 interface.
As Tom points out, it's up to your ISP side whether the route toward your /24 can be failed over to your secondary circuit. Generally they can't, especially when those /24 and /30 are bound to the interfaces on the ISP side. If the primary has a /30 on the interface on both the ISP and your FGT ends, and the /24 is routed through that interface, then yes, you can fail it over to the secondary with BGP.
We can get the ISP to fail over to the backup circuit using BGP etc. However I still have various public addresses I need to be accessible. The moment the circuit fails over these are no longer accessible.
The only way I can think of achieving this is if there is a route within the FortiGate itself so that traffic can pass from the backup interface and 'see' the public IPs on the primary interface, and hence get translated via NAT to the real IPs of the servers internally.
I hope this makes sense.
I am considering one of Tom's ideas: if I can change the secondary to a /24 and have multiple FQDNs, one address on the primary and one on the secondary.
If your primary WAN interface has 188.8.131.52/24 configured, then when the circuit goes down that directly-connected route disappears from the routing table. Check with "get router info routing-table all" when you unplug the cable from WAN.