With multiple ISP uplinks and static routes, you need a way to control how to "swack" (telco lingo for switch) to the second ISP (ISP2) when the main ISP (ISP1) is down. On a FortiGate, gateway detection (gwdetect) is the means for this.
Take a look at this simple diagram:
So we want ISP1 to be our primary and ISP2 to come into play only when ISP1 is down. Here's one way to do it with static routes: two default routes with the same administrative distance, where ISP1's route carries the lower (preferred) priority value.
config router static
    edit 10
        set device "wan1"
        set gateway 1.1.1.1
        set priority 90
    next
    edit 11
        set device "wan2"
        set gateway 2.2.2.1
        set priority 100
    next
end
NOTE: Any route other than a blackhole route on a FortiGate can have a priority set. When two routes to the same destination have the same administrative distance, the one with the lower priority value is preferred.
So now we can set up dead gateway detection on the primary interface:
config router gwdetect
    edit "wan1"
        set failtime 100
        set interval 30
        set server "1.1.1.1"
        set source-ip 1.1.1.2
    next
end
NOTE: adjust the interval and failtime values to suit your needs and to ride through any flapping. The interval is the number of seconds between probes and failtime is the number of consecutive failed probes before the gateway is declared dead, so the worst-case time to notice a hard failure is roughly interval multiplied by failtime. You can be aggressive or conservative with both values.
So if 1.1.1.1 (ISP1) becomes unreachable (link down, excessive packet loss, etc.), the FortiGate withdraws the routes that use wan1, and the standby floating route via 2.2.2.1 with priority 100 takes over forwarding in the FortiGate routing information base. When the probe succeeds again, the priority-90 route returns and traffic moves back to ISP1.
You can validate gwdetect with the following show command:
get router info gwdetect
wan1:
proto ping, interval 30, failtimes 100, state up
1.1.1.1 (1.1.1.2 ): state (up)
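To make the route-selection rule and the detection timing concrete, here is an added example (not code from the original post or from Fortinet): it parses output in the format of the get router info gwdetect command shown above (constructed samples, one with the probe up and one with it down), withdraws the routes on any interface gwdetect reports as down, and picks the route that carries traffic by lowest distance and then lowest priority value. It assumes FortiOS 5.0/5.2 CLI semantics (interval in seconds, failtime a count of consecutive failed probes), a default static-route distance of 10, and that the second ISP interface is named wan2.

```python
"""Model of FortiGate static-route failover driven by gwdetect.

Added example, not code from the original post. Assumptions: interval is in
seconds and failtime is a count of consecutive failed probes (FortiOS 5.0/5.2
CLI semantics); a gwdetect 'down' state withdraws the routes on that
interface; the second WAN interface is named wan2.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass(frozen=True)
class StaticRoute:
    seq: int            # 'edit <seq>' under config router static
    device: str         # egress interface
    gateway: str        # next hop
    distance: int = 10  # FortiOS default administrative distance for static routes
    priority: int = 0   # lower value wins among routes with equal distance


# Constructed: the two default routes from the post, floating route on wan2 (assumed name)
ROUTES: List[StaticRoute] = [
    StaticRoute(10, "wan1", "1.1.1.1", priority=90),
    StaticRoute(11, "wan2", "2.2.2.1", priority=100),
]

# Constructed samples in the format of 'get router info gwdetect'
GWDETECT_UP = """wan1:
    proto ping, interval 30, failtimes 100, state up
    1.1.1.1 (1.1.1.2 ): state (up)
"""
GWDETECT_DOWN = """wan1:
    proto ping, interval 30, failtimes 100, state down
    1.1.1.1 (1.1.1.2 ): state (down)
"""

_IFACE = re.compile(r"^(\S+):$")
_STATUS = re.compile(r"proto (\w+), interval (\d+), failtimes (\d+), state (\w+)")


@dataclass(frozen=True)
class GwDetect:
    proto: str
    interval: int   # seconds between probes
    failtimes: int  # consecutive failures before the interface is declared down
    state: str      # "up" or "down"

    def worst_case_detect_seconds(self) -> int:
        """Roughly how long a hard failure goes unnoticed: one probe per interval, failtimes in a row."""
        return self.interval * self.failtimes


def parse_gwdetect(text: str) -> Dict[str, GwDetect]:
    """Parse 'get router info gwdetect' output into {interface: GwDetect}."""
    result: Dict[str, GwDetect] = {}
    iface: Optional[str] = None
    for raw in text.splitlines():
        line = raw.strip()
        m = _IFACE.match(line)
        if m:
            iface = m.group(1)
            continue
        m = _STATUS.search(line)
        if m and iface:
            result[iface] = GwDetect(m.group(1), int(m.group(2)), int(m.group(3)), m.group(4))
    return result


def active_route(routes: List[StaticRoute], gw: Dict[str, GwDetect]) -> Optional[StaticRoute]:
    """Route used for forwarding: routes on an interface gwdetect reports down are
    withdrawn; among the rest, lowest distance wins, then lowest priority value.
    Interfaces with no gwdetect entry are treated as up."""
    usable = [r for r in routes if r.device not in gw or gw[r.device].state == "up"]
    if not usable:
        return None
    return min(usable, key=lambda r: (r.distance, r.priority))


if __name__ == "__main__":
    for label, sample in (("ISP1 up", GWDETECT_UP), ("ISP1 down", GWDETECT_DOWN)):
        chosen = active_route(ROUTES, parse_gwdetect(sample))
        print(f"{label}: forwarding via {chosen.device} -> {chosen.gateway} (priority {chosen.priority})")
    detect = parse_gwdetect(GWDETECT_UP)["wan1"].worst_case_detect_seconds()
    print(f"worst-case detection with interval 30 / failtime 100: {detect} s")
```

Running it shows ISP1 carrying traffic while the probe is up and the wan2 route taking over once wan1 is reported down. The timing helper also makes the caveat visible: with the values from the post (interval 30, failtime 100) a dead gateway can go unnoticed for about 3000 seconds, so tune both values to the outage you are willing to tolerate rather than only to suppress flapping.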
The probe works much like a Juniper SRX RPM probe or Cisco IP SLA (ICMP, UDP or TCP), and the target does not have to be the next hop; it can be a device one, two, three or more hops away. Pick a target that reliably represents the ISP path, because the loss of that one target is what triggers the failover.
NOTE: make sure you have firewall policies allowing outbound traffic from your internal interfaces to the ISP2 link (with NAT where needed), otherwise traffic will be dropped after the failover.
Ken Felix
NSE ( Network Security Expert) and Route/Switching Engineer.
kfelix -----a----t---- socpuppets ---dot---com
^ ^
=( * * )=
o
/ \
Have you determined how to configure this in Fortigate 5.4? I have tried various settings, but it seems that I can only do load balancing vs active / standby failover.