Connecting a FortiGate unit to two ISPs for redundant Internet

http://docs-legacy.fortinet.com/cb/html/FOS_Cookbook/Install_advan...
Author: Mariah Barrett
10-02-2015 15:19

Problem

Create a backup Internet connection with your FortiGate unit, so that if the primary Internet connection fails, some or all traffic automatically switches to the backup Internet connection, and when the primary Internet connection is restored, traffic automatically switches back to it.

Solution

Watch the video: http://docs.fortinet.com/cb-inst2.html

This solution describes how to improve the reliability of a network’s connection to the Internet by using two Internet connections to two different ISPs. In this solution, the primary ISP is connected to wan1 with a static IP and the backup ISP is connected to wan2 using DHCP.

To allow the internal network to use wan1 to connect to the Internet, add internal to wan1 security policies. Add duplicate internal to wan2 security policies so that the internal network can also use wan2 to connect to the Internet.

You can reduce the amount of traffic carried while the wan2 interface is operating by adding fewer security policies for connections to the wan2 interface. You could also use techniques such as traffic shaping to limit the amount of traffic processed by the wan2 interface, add security policies that include FortiGuard web filtering or other web filtering techniques to block popular but less important websites, or use application control to limit the applications that can be used while traffic is using the wan2 interface.

Configuring the primary Internet connection to use wan1

1. Connect the FortiGate wan1 interface to your primary ISP-supplied equipment. Connect the internal network to the internal interface.

2. From a PC on the internal network, log in to the FortiGate web-based manager using admin and no password.

3. Go to System > Network > Interface, edit the wan1 interface and change the following settings:

   Addressing mode    Manual
   IP/Netmask         172.20.120.14/255.255.255.0

4. Edit the internal interface and change the following settings:

   Addressing mode    Manual
   IP/Netmask         192.168.1.99/255.255.255.0

5. Go to Router > Static > Static Route and select Create New to add the following default route:

   Destination IP/Mask    0.0.0.0/0.0.0.0
   Device                 wan1
   Gateway                172.20.120.2

6. Go to System > Network > DNS and add primary and secondary DNS servers.

7. Go to Policy > Policy > Policy and select Create New to add the following security policy, which allows users on the private network to access the Internet through the wan1 interface.

   Some FortiGate models include this security policy in the default configuration. If you have one of these models, this step has already been done for you.

   Source Interface/Zone         internal
   Source Address                All
   Destination Interface/Zone    wan1
   Destination Address           All
   Schedule                      always
   Service                       ANY
   Action                        ACCEPT

8. Select Enable NAT and Use Destination Interface Address.

9. Select OK to save the security policy.

Adding the backup Internet connection using wan2

1. Connect the wan2 interface to your backup ISP-supplied equipment.

2. Log in to the web-based manager.

3. Go to System > Network > Interface and edit the wan2 interface.

4. Set the Addressing Mode to DHCP and select Retrieve Default Gateway from server. Clear the checkbox for Override internal DNS.

5. Select OK to save the changes.

   If everything is connected correctly, the wan2 interface should acquire an IP address from the ISP’s DHCP server. This can take a few minutes; you can select the Status link to refresh the display. Eventually, an Obtained IP/Netmask should appear. If the ISP’s DHCP server supplies DNS server IP addresses and a default gateway, they should also appear.

   Make sure Retrieve Default Gateway from server is selected so that a default route is added to the routing table. Normally in a dual Internet configuration you would not select Override internal DNS, because you would not want the FortiGate unit to use the backup ISP’s DNS servers.

6. Go to Policy > Policy > Policy and select Create New to add the following security policy, which allows users on the private network to access the Internet through the wan2 interface.

   Source Interface/Zone         internal
   Source Address                All
   Destination Interface/Zone    wan2
   Destination Address           All
   Schedule                      always
   Service                       ANY
   Action                        ACCEPT

7. Select Enable NAT and Use Destination Interface Address.

8. Select OK to save the security policy.

Set the wan1 default route as the primary default route and add ping servers for wan1 and wan2

As a result of this configuration, the FortiGate unit has two default routes, one that directs traffic to wan1 and one that directs traffic to wan2. The default route to wan2 is obtained from the backup ISP’s DHCP server. The ping servers verify the ability of the wan1 and wan2 interfaces to connect to the Internet. Because the wan2 default route is acquired from the ISP using DHCP, the distance of the wan2 default route must be changed by editing the wan2 interface.

1. Go to Router > Static > Static Route, edit the wan1 default route, select Advanced and set the Distance to 10. The distance may already be set to 10, in which case you do not have to change it.

2. Go to the System > Network > Interface list. Edit the wan2 interface and set the distance to 20 (or any number higher than 10).

3. To confirm which default route is now actually being used by the FortiGate unit, go to Router > Monitor > Routing Monitor to view the current FortiGate routing table. Routes that are not active do not appear in the routing monitor. In this example, only one static route should appear: the wan1 default route, with a distance of 10. Connected routes for the connected interfaces should also appear.

   If you edit the wan2 interface and set the distance to a lower value (say 5), the wan1 default route is removed from the routing monitor and replaced with the wan2 default route, because the wan2 route now has the lower distance. You can also have both default routes appear in the routing monitor by setting their distances to the same value (say 10). When both routes have the same distance, this is known as equal cost multipath (ECMP) routing: both default routes are used and sessions are load balanced between them. For an example, see “Distributing sessions between dual redundant Internet connections with usage-based ECMP”.

4. Go to Router > Static > Settings, select Create New and add the wan1 ping server:

   Interface                  wan1
   Ping Server                172.20.120.2
   Detect Protocol            ICMP Ping
   Ping Interval (seconds)    5
   Failover Threshold         5

5. Select Create New and add the wan2 ping server. The wan2 ping server is optional for this configuration; however, adding it means the FortiGate unit records event log messages when the wan2 ping server can’t reach its destination.

   Interface                  wan2
   Ping Server                10.41.101.100
   Detect Protocol            ICMP Ping
   Ping Interval (seconds)    5
   Failover Threshold         5

Results

If the wan1 ping server can connect to its ping server IP address, the routing monitor appears as shown above with a default route to the wan1 interface. All traffic to the Internet uses the wan1 interface and the internal to wan1 security policy. You can verify this by viewing the routing monitor and by going to Policy > Policy > Policy and viewing the Count column for the internal to wan1 and internal to wan2 policies while connecting to the Internet. The internal to wan1 policy count should increase, while the internal to wan2 count should not.

If you change the network so that the wan1 ping server cannot connect to its ping server IP address (for example, by physically disconnecting the cable from the wan1 interface), the default route should change to the wan2 interface (called default route failover).

An event log message similar to the following should also be recorded:

   2011-08-24 10:16:39 log_id=0100020001 type=event subtype=system pri=critical vd=root interface="wan1" status=down msg="Ping peer: (172.20.120.14->172.20.120.2 ping-down)"

With the wan2 link active, attempt to connect to the Internet from the internal network. If you can connect, this confirms that the dual Internet connection configuration is correct. View the security policy Count column for the internal to wan2 policy. The count should be increasing, indicating that this policy is accepting traffic.

When you restore the wan1 interface’s connection, the ping server should detect that network traffic is restored and the routing table should revert to including the wan1 default route. Sessions that were established using the internal to wan2 security policy continue to use this policy and the wan2 interface until they are terminated; all new sessions use the internal to wan1 security policy.

Outgoing sessions and their responses that are in progress during a failover have to be restarted after the failover, since responses to traffic sent out on one interface will not come back on another. During a failover, incoming sessions received by a firewall VIP security policy from the wan1 interface before the failover may be sent out the wan2 interface after the failover. Outbound sessions initiated by the server and sent out the VIP security policy have their source IP address modified according to the interface that sends the session to the Internet. If the wan1 link fails, outgoing VIP sessions automatically fail over to wan2. The source address of these sessions depends on the address defined in the firewall VIP.

If you can browse the web from the internal network, your configuration is successful. If you cannot, try the steps described in “Troubleshooting NAT/Route mode installations” to find the problem.
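The ping-down event log message quoted in the Results section is the signal an operator should watch for: once it appears, the unit is routing through the backup ISP and every outbound session that was on wan1 has been dropped, and the matching ping-up message is the cue that traffic has moved back. The following is an added example, not Fortinet code: it parses FortiGate-style key=value event-log lines, keeps only the ping-peer state changes, and reports the last known state of each interface together with the list of transitions. The only real line is the one quoted above; the other three sample lines, the wan2 source address 10.41.101.5, the admin-event log_id placeholder and the reuse of the quoted log_id on constructed ping lines are made up for the example and are not device output.

```python
"""Parse FortiGate-style event-log lines and summarise ping-server transitions.

Added example, not Fortinet code. The log format follows the single line
quoted in the cookbook; all other sample lines are constructed for the test.
"""
import re
from datetime import datetime

# key=value fields; a value is either "double quoted" (may contain spaces) or bare.
_KV = re.compile(r'(\w+)=("([^"]*)"|\S+)')
# The ping-server message body: (src->dst ping-up|ping-down)
_PEER = re.compile(r'\((?P<src>[\d.]+)->(?P<dst>[\d.]+) ping-(?P<state>up|down)\)')


def parse_event(line):
    """Split one log line into a dict: 'timestamp' plus every key=value field."""
    date, time, rest = line.split(" ", 2)
    fields = {"timestamp": datetime.strptime(f"{date} {time}", "%Y-%m-%d %H:%M:%S")}
    for m in _KV.finditer(rest):
        key, raw, quoted = m.group(1), m.group(2), m.group(3)
        fields[key] = quoted if quoted is not None else raw
    return fields


def ping_events(lines):
    """Yield (timestamp, interface, state, peer) for ping-server events only."""
    for line in lines:
        ev = parse_event(line)
        if ev.get("type") != "event" or "status" not in ev:
            continue
        m = _PEER.search(ev.get("msg", ""))
        if not m:
            continue
        yield ev["timestamp"], ev.get("interface", "?"), m.group("state"), m.group("dst")


def failover_summary(lines):
    """Return (last state per interface, list of state transitions).

    A transition is recorded only when an interface's ping state actually
    changes, so repeated ping-down messages for the same link do not flood
    the report. Each transition is (timestamp, interface, state, peer IP).
    """
    state = {}
    transitions = []
    for ts, ifname, st, peer in ping_events(lines):
        if state.get(ifname) != st:
            transitions.append((ts.isoformat(sep=" "), ifname, st, peer))
        state[ifname] = st
    return state, transitions


SAMPLE_LOG = [
    # Real line quoted in the cookbook.
    '2011-08-24 10:16:39 log_id=0100020001 type=event subtype=system pri=critical '
    'vd=root interface="wan1" status=down msg="Ping peer: (172.20.120.14->172.20.120.2 ping-down)"',
    # Constructed: unrelated admin event that the filter must ignore (log_id is a placeholder).
    '2011-08-24 10:17:02 log_id=0000000000 type=event subtype=admin pri=information '
    'vd=root user="admin" msg="Administrator admin logged in from 192.168.1.10"',
    # Constructed: wan2 ping server unreachable too (10.41.101.5 is an assumed wan2 address;
    # log_id copied from the quoted line, real ids differ per event).
    '2011-08-24 10:20:11 log_id=0100020001 type=event subtype=system pri=critical '
    'vd=root interface="wan2" status=down msg="Ping peer: (10.41.101.5->10.41.101.100 ping-down)"',
    # Constructed: wan1 recovers.
    '2011-08-24 10:25:40 log_id=0100020001 type=event subtype=system pri=notice '
    'vd=root interface="wan1" status=up msg="Ping peer: (172.20.120.14->172.20.120.2 ping-up)"',
]

if __name__ == "__main__":
    last, changes = failover_summary(SAMPLE_LOG)
    for ts, ifname, st, peer in changes:
        print(f"{ts}  {ifname}: ping {st} (peer {peer})")
    print("current state:", last)
```

Feeding the unit's event log through failover_summary gives the same picture as the routing monitor, but from the log side: the wan1 down/up pair marks a failover and a failback, and a wan2 down while wan1 is also down means the unit has no usable default route at all.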

Changing this redundant Internet configuration to use ECMP

The basic redundant Internet connection scenario described in this section should be successful for many networks. However, to potentially improve default route failover performance and to reduce the number of failovers for incoming connections when the primary ISP fails and reconnects, you could implement Equal Cost Multipath (ECMP) routing.

You could implement a basic ECMP configuration of this redundant Internet connection scenario by setting the distances for both default routes to the same value and setting the priority of the default route to the primary ISP to a lower value than the priority of the default route to the backup ISP. The route with the lowest priority value is considered the best route. Use the following steps to modify the configuration. Because the wan2 default route is acquired from the ISP using DHCP, the priority of the wan2 default route must be changed by editing the wan2 interface from the CLI.

1. Go to Router > Static > Static Route and edit the wan1 default route.

2. Select Advanced and set the Distance to 10 and the Priority to 5.

3. Enter the following CLI command to edit the distance and priority of the wan2 default route:

   config system interface
       edit wan2
           set distance 10
           set priority 20
       end

Since the wan1 default route has the lowest priority value, it is considered the best route and all traffic heading from the private network to the Internet uses the wan1 interface.

When two different distances are used on the wan1 and wan2 default routes, traffic originating from the Internet can only be responded to by the interface with the default route with the lowest distance metric (wan1). If a user from the Internet has established a connection to the internal network through the wan1 interface, the user would lose their connection if the wan1 connection to the Internet fails. After a brief interruption the user would automatically reconnect through the wan2 interface. When the wan1 Internet connection comes back, the user’s connection would be interrupted a second time, because it would have to switch back to the wan1 interface since the wan2 interface would no longer be able to process traffic.

When ECMP is implemented, both interfaces are able to respond to traffic initiated from the Internet, as the routing is based on the session tables. The user would still lose their connection when the wan1 Internet connection fails, but after connecting through the wan2 interface the user’s connection would be able to continue on the wan2 interface after the wan1 connection was restored, resulting in only a single interruption. A number of ECMP scenarios are available. For another, see “Distributing sessions between dual redundant Internet connections with usage-based ECMP”.
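The route-selection rules this page relies on (a route is withdrawn when its interface's ping server fails; only routes sharing the lowest administrative distance are installed; among installed routes with equal distance the lowest priority value is preferred) decide both the distance-based failover in the earlier section and the ECMP variant here. The following added example, which is not Fortinet code and was not verified against a device, models those rules and walks each variant through "both up", "wan1 down" and "wan1 restored" so the difference in inbound handling is visible. Interface names, gateway and distance/priority values are the cookbook's; the wan2 gateway string is a placeholder for the DHCP-supplied address, and can_reply_on simplifies session-based routing to "the interface has an installed default route".

```python
"""Model of FortiGate default-route selection with distance, priority and ping servers.

Added example, not Fortinet code. It encodes the behaviour the cookbook
describes and reports which interface new outbound sessions use and which
interfaces can answer inbound traffic in each link state.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class DefaultRoute:
    device: str
    gateway: str
    distance: int
    priority: int = 0  # lower value is preferred among equal-distance routes


def installed_routes(routes, link_up):
    """Routes that appear in the routing monitor.

    link_up maps interface name -> whether its ping server is reachable.
    Routes on a down interface are withdrawn; of the rest, only those with
    the lowest distance are installed, so unequal distances give strict
    failover and equal distances give ECMP.
    """
    candidates = [r for r in routes if link_up.get(r.device, True)]
    if not candidates:
        return []
    best = min(r.distance for r in candidates)
    return [r for r in candidates if r.distance == best]


def best_route(routes, link_up):
    """Route used for new outbound sessions: lowest priority value among installed routes."""
    installed = installed_routes(routes, link_up)
    return min(installed, key=lambda r: r.priority) if installed else None


def can_reply_on(routes, link_up, device):
    """Simplification: inbound traffic arriving on `device` can be answered
    only if that interface currently has an installed default route."""
    return any(r.device == device for r in installed_routes(routes, link_up))


# Cookbook values: distance-based failover (wan1 = 10, wan2 = 20, set on the wan2 interface).
FAILOVER = [
    DefaultRoute("wan1", "172.20.120.2", distance=10),
    DefaultRoute("wan2", "obtained-via-DHCP", distance=20),   # placeholder gateway
]
# ECMP variant from this section: equal distance, wan1 priority 5, wan2 priority 20.
ECMP = [
    DefaultRoute("wan1", "172.20.120.2", distance=10, priority=5),
    DefaultRoute("wan2", "obtained-via-DHCP", distance=10, priority=20),
]

STATES = [
    ("both up", {"wan1": True, "wan2": True}),
    ("wan1 down", {"wan1": False, "wan2": True}),
    ("wan1 restored", {"wan1": True, "wan2": True}),
]


def scenario(routes):
    """For each link state return (label, interface for new sessions,
    sorted list of interfaces that can answer inbound traffic)."""
    report = []
    for label, state in STATES:
        chosen = best_route(routes, state)
        answering = sorted(d for d in ("wan1", "wan2") if can_reply_on(routes, state, d))
        report.append((label, chosen.device if chosen else None, answering))
    return report


if __name__ == "__main__":
    for name, routes in (("distance failover", FAILOVER), ("ECMP", ECMP)):
        print(name)
        for label, outbound, answering in scenario(routes):
            print(f"  {label:14s} new sessions -> {outbound}; inbound answered on {answering}")
```

The two reports show the point of this section: with unequal distances only wan1 can answer inbound traffic once it is restored, so a connection that moved to wan2 is interrupted a second time, whereas under ECMP wan2 keeps an installed route after wan1 returns and that connection can stay where it is.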
