Monday, January 19, 2015

Dead Gateway detect fortigate

In a multiple ISP uplink and w/static routes, you need a means to control how to "swack" ( telco lingo for switching ) to the 2nd ISP2 when the main ISP1 is down. Gateway detect is the means for  this.

Take a look at this simple diagram;






So we want ISP1 to be our primary and ISP2 to be in play if ISP#1 is down. Here's one way to  manipulated with static routes

config router static
   config router static
    edit 10

        set device "wan1"
        set gateway 1.1.1.1

        set priority  90
    next
    edit 11


        set device "wan1"
        set gateway 2.2.2.1

        set priority 100 
    next


NOTE: Any routes other than blackhole routes on a fortigate can have the priority set. The lower value is preferred if you have 2 matching routes.

So now we can set the dead gateway detect

config router gwdetect
    edit "wan1"
        set failtime 100
        set interval 30
            set server "1.1.1.1"            
        set source-ip 1.1.1.2
    next
end


NOTE:you will adjust the interval and failtime values to suit your needs and to encompass any flapping. You can be aggressive or less-aggressive in your interval and failtime

So if 1.1.1.1 ( ISP1  )  becomes unreachable  ( link down, excessive packet loss, etc......) , the stand-by floating route at  2.2.2.1 with a priority of  100 will populate the  fortigate router information base.

You can validate  gwdetect via  the follow show cmd

 get router info gwdetect

wan1:
    proto ping, interval 30, failtimes 100, state up
    1.1.1.1 (1.1.1.2 ): state (up)



You can use protocols similar to juniperSRX probe or cisco IP SLA ( icmp/udp/tcp ) and you don't have to use the next-hop as the target, it could be a device 1-2-3 or more hops aways.


NOTE: please ensure you have the correct policies for traffic allowance outbound for the 2nd ISP#2 link.


Ken Felix
NSE ( Network Security Expert) and Route/Switching Engineer.
kfelix  -----a----t---- socpuppets ---dot---com

    ^     ^
=(  *  * )=
        o 
       /  \

1 comment:

  1. Have you determined how to configure this in Fortigate 5.4? I have tried various settings, but it seems that I can only do load balancing vs active / standby failover.

    ReplyDelete