The following example demonstrates how to configure a basic failover with redundant Internet setup.
The goal of this recipe is to achieve failover, where the primary ISP is used 100% of the time, and the secondary ISP is used only if the primary goes down. In this example, the primary ISP uses the WAN1 interface and the secondary ISP uses the WAN2 interface.
For a redundant Internet recipe that uses the new SD-WAN feature in FortiOS 5.6, click here.
1. Connecting your ISPs to the FortiGate

Connect your ISP devices to your FortiGate so that the ISP you wish to use for most traffic is connected to WAN1 and the other connects to WAN2.
2. Creating redundant firewall policies

Go to Policy & Objects > IPv4 and create a firewall policy that allows traffic from your internal network out through your primary ISP (WAN1). Set Incoming Interface to the interface of your internal network and set Outgoing Interface to the Internet-facing interface of the primary ISP. Enable NAT and apply Security Profiles as required. Enable Log Allowed Traffic for All Sessions so that you can verify the results later.

Go to Policy & Objects > IPv4 and create a second firewall policy that allows traffic from your internal network out through your secondary ISP (WAN2). Repeat the steps listed above, with Outgoing Interface set to the WAN2 interface.
3. Creating redundant routes

Go to Network > Static Routes and create a static route for each ISP. The primary ISP's route should have a higher priority (a smaller Priority value) than the secondary ISP's route. Create a new static route for the primary ISP and set Gateway IP to the ISP gateway address on the WAN1 interface's subnet. Set Interface to the WAN1 interface.

Under Advanced Options, set Priority to a low number (5 in this example). The route with the smaller value has the higher priority, so this route will be preferred over the route you configure next for your secondary (backup) ISP.

Create a static route for the secondary ISP. Set Gateway IP to the ISP gateway address on the WAN2 interface's subnet and set Interface to wan2. Under Advanced Options, set Priority to a higher number (10 in this example). Make sure this value is larger than the one on the previous route so that this route has the lower priority.

Make sure both static routes are set to an equal Distance. In this example, Distance is left at the default of 10 on both routes. If the distances differed, only the route with the lower distance would be installed; keeping them equal ensures that both default routes remain in the routing table, with Priority deciding which one carries traffic.
4. Configuring the link-monitor

You can use the CLI to configure the link-monitor. Go to Dashboard > CLI and enter the following commands to configure the link monitor for the WAN1 interface:

    config system link-monitor
        edit wan1
            set name wan1
            set server 8.8.4.4
            set protocol ping
            set gateway-ip 172.25.176.1
            set interval 5
            set timeout 1
            set failtime 5
            set recoverytime 5
            set update-cascade-interface enable
            set update-static-route enable
            set status enable
    end

Set server to a reliable IP address that the FortiGate will ping through the WAN1 interface to test its Internet connection. In this example, the Google public DNS address 8.8.4.4 is used (the other Google IPv4 address, 8.8.8.8, is commonly used for other ping tests). The gateway-ip is the same gateway IP address configured for the WAN1 route in Step 3. With update-static-route enabled, the static route on the monitored interface is removed from the routing table once the monitor declares the link down, and restored once it recovers.

Configure the link monitor for the WAN2 interface in the same way, using the WAN2 gateway address from Step 3:

    config system link-monitor
        edit wan2
            set name wan2
            set server 8.8.4.4
            set protocol ping
            set gateway-ip 192.168.13.1
            set interval 5
            set timeout 1
            set failtime 5
            set recoverytime 5
            set update-cascade-interface enable
            set update-static-route enable
            set status enable
    end
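The failover behaviour that Steps 3 and 4 produce, as an added simulation that is not part of the original recipe and not FortiOS code: it replays a sequence of ping results against the link-monitor settings (interval 5, failtime 5, recoverytime 5) and the two static routes (distance 10, priority 5 and 10), assuming a simplified model in which one probe is sent every interval seconds and the 1-second timeout is folded into that interval. In this model the wan1 route is withdrawn on the fifth missed probe (25 seconds in) and restored after five consecutive replies, and traffic follows the lowest-priority route left in the table; it also shows why Step 3 asks for equal distances.

```python
# Constructed model (not FortiOS code) of this recipe's failover: a ping every
# `interval` s; dead after `failtime` misses, alive after `recoverytime` replies.

class LinkMonitor:
    def __init__(self, interval=5, failtime=5, recoverytime=5):
        self.interval, self.failtime, self.recoverytime = interval, failtime, recoverytime
        self.alive, self.fails, self.oks = True, 0, 0

    def probe(self, replied):
        """Feed one ping result; return True when the link changes state."""
        if replied:
            self.fails, self.oks = 0, self.oks + 1
            if not self.alive and self.oks >= self.recoverytime:
                self.alive, self.oks = True, 0
                return True
        else:
            self.oks, self.fails = 0, self.fails + 1
            if self.alive and self.fails >= self.failtime:
                self.alive, self.fails = False, 0
                return True
        return False

def routing_table(routes, monitors):
    """Routes still installed: alive interfaces only (update-static-route
    withdraws a dead link's route), and only the lowest distance among them."""
    alive = [r for r in routes if monitors[r["intf"]].alive]
    best = min((r["distance"] for r in alive), default=None)
    return [r for r in alive if r["distance"] == best]

def egress(routes, monitors):
    """Interface carrying traffic: the installed route with the lowest priority value."""
    table = routing_table(routes, monitors)
    return min(table, key=lambda r: r["priority"])["intf"] if table else None

ROUTES = [  # Step 3: equal distance (10), wan1 preferred by its lower priority
    {"intf": "wan1", "gw": "172.25.176.1", "distance": 10, "priority": 5},
    {"intf": "wan2", "gw": "192.168.13.1", "distance": 10, "priority": 10},
]

def simulate(missed_probes, routes=ROUTES):
    """wan1 misses `missed_probes` pings in a row, then answers again. Returns
    (seconds until wan1 is withdrawn, seconds until it is back, egress meanwhile)."""
    mon = {"wan1": LinkMonitor(), "wan2": LinkMonitor()}
    withdrawn = restored = during = None
    for n, ok in enumerate([False] * missed_probes + [True] * 20, start=1):
        if mon["wan1"].probe(ok):  # state changed on this probe
            if mon["wan1"].alive:
                restored = n * mon["wan1"].interval
            else:
                withdrawn, during = n * mon["wan1"].interval, egress(routes, mon)
    return withdrawn, restored, during
```

A short outage of fewer than failtime missed probes never triggers failover, which is the trade-off the failtime and interval values set between detection speed and flapping.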
5. Results

To test failover of the redundant Internet configuration, you must simulate a failed Internet connection.

First, verify that users still have Internet access by navigating to Policy & Objects > IPv4 Policy. Right-click on the primary Internet access policy and select Show in FortiView to verify where traffic is flowing.
Physically disconnect the Ethernet cable from the Internet side of the ISP modem or device to simulate a failure. Then make sure that all traffic automatically goes through the WAN2 port until WAN1 is available again.

Go to Log & Report > System Events to confirm that the Link Monitor has changed state and that the static route for your primary ISP has been removed.

Go to Monitor > Routing Monitor to view the static routes in the routing table.

When the primary ISP connection is active, you will see an active route for both WAN1 and WAN2.

When the primary ISP connection fails, only the default route for WAN2 will appear.

Enter the following CLI command to view the routing table:

    get router info routing-table all

When the primary ISP connection is active, you will see an asterisk, *, next to the routes for both WAN1 and WAN2, showing both as active.

When the primary ISP connection fails, the route for WAN1 is automatically removed from the routing table.

Reconnect the cable when you have verified successful failover; you should find that traffic flows through only the primary ISP again.
For further reading, check out Dual Internet connections in the FortiOS 5.6 Handbook. Also check out more on the system link monitor CLI commands.
The post Basic failover with redundant Internet appeared first on Fortinet Cookbook.