Saturday, January 12, 2013

Fortigate : Configuring Dual Internet Links (Design Considerations)

Description: There are two separate considerations when using two Internet uplinks: Link Redundancy and Load Sharing. These two features can be combined or implemented separately.

  Scenario   Link Redundancy   Load Sharing
  1          Yes               No
  2          No                Yes
  3          Yes               Yes

Components:
  • All FortiOS
Steps or Commands: Please also check the related article:
Technical Note : Configuring link redundancy - traffic load-balancing - ECMP (Equal Cost Multiple Path) - Dual Internet or WAN scenario

In each scenario, you must configure the appropriate firewall policies between the interfaces in question to allow the traffic - this document focuses on the routing issues.

Design Scenario #1: Link Redundancy (only)

If Internet access is no longer available on one link, you want traffic to make use of the other link.
  1. Routing
    You need one default route for each interface. Indicate which route is preferable by specifying the distance - the lower distance route is declared active and placed in the routing table.

  2. Determining whether link is down (ping servers)
    Define the ping server - this is a device that will respond to ping, thereby indicating whether that link is up. It is usually recommended that you use the next hop / gateway device as your ping server.

    Define the ping server under System>Network>Edit Interface.

  3. Firewall policies
    You must define duplicate firewall policies to ensure that after traffic fails over, it is permitted through the firewall. For example, Internal>WAN1 & Internal>WAN2.

Design Scenario #2: Load Sharing (only)

You want to make use of both Internet links simultaneously but do not have any requirements for failing traffic over in the event of link failure.
What is the minimum needed as far as routing is concerned?
  • one default route for the primary link
  • direct other traffic over the other link using specific static routes
For more information, see the article Load sharing between two WAN interfaces.

Design Scenario #3: Link Redundancy and Load Sharing

While both links are available, you want to distribute the Internet traffic over both links. In the event that a link fails, send all traffic over the active link.
Use default routes with equal distance
This is similar to scenario #1, except that both default routes must have equal distance. The end result is that both routes remain in the active routing table and can be viewed in the Routing Monitor (see GUI). The presence of both routes is needed to satisfy the reverse path lookup (anti-spoofing feature).
Set the distance:
  • when defining the static route
    or
  • for interfaces acquiring their IP dynamically (DHCP or PPPoE), you can set the distance on the interface under System>Network>Interface and configure the following:
    • check "retrieve gateway" (adds default route automatically)
    • enter value in distance field
To guarantee that 1 link is always preferred:
Use a default policy route to indicate which interface is the preferred interface for accessing the Internet.
** Warning -- Configure this with care! **
If a policy route matches traffic, this policy route overrides all entries in the routing table including connected routes. Consequently, you may need to add specific policy routes that override these default policy routes. The policy routing table will be read top to bottom.
To redirect traffic over the secondary link:
To make use of the secondary link, you need to use policy routes to direct some of the traffic onto it rather than onto the primary link.
When defining the policy route, it is best to only define the outgoing interface and leave the gateway blank. Leaving the gateway field blank ensures that the policy route will not be active when the link is down (it is affected by the ping server status).
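The following FortiOS CLI configuration is an added example, not part of the original article, showing scenario #3 end to end: two equal-distance default routes, a ping server on each WAN link, and a policy route that selects the secondary link by outgoing interface only. Interface names (wan1, wan2, internal), all IP addresses and the HTTPS match are constructed assumptions; the link-monitor syntax applies to FortiOS 5.2 and later, older builds set gwdetect/detectserver on the interface instead.

```fortios
# Two default routes with equal distance (scenario #3): both stay in the routing table.
# For scenario #1 (redundancy only) give the backup route a higher distance instead.
# Gateway and LAN addresses are constructed sample values.
config router static
    edit 1
        set dst 0.0.0.0 0.0.0.0
        set gateway 203.0.113.1
        set device "wan1"
        set distance 10
    next
    edit 2
        set dst 0.0.0.0 0.0.0.0
        set gateway 198.51.100.1
        set device "wan2"
        set distance 10
    next
end

# Ping server per WAN link, using the next-hop gateway as the target, as the
# article recommends. update-static-route removes the default route of a link
# whose ping server stops answering, so failover happens in the routing table.
config system link-monitor
    edit "mon-wan1"
        set srcintf "wan1"
        set server "203.0.113.1"
        set gateway-ip 203.0.113.1
        set update-static-route enable
    next
    edit "mon-wan2"
        set srcintf "wan2"
        set server "198.51.100.1"
        set gateway-ip 198.51.100.1
        set update-static-route enable
    next
end

# Policy route sending HTTPS from the LAN out wan2. Only output-device is set;
# gateway is deliberately left unset so the entry is skipped while wan2 is down.
config router policy
    edit 1
        set input-device "internal"
        set src "192.168.1.0/255.255.255.0"
        set dst "0.0.0.0/0.0.0.0"
        set protocol 6
        set start-port 443
        set end-port 443
        set output-device "wan2"
    next
end
```

After applying it, confirm both default routes are present with `get router info routing-table all`; if only one appears, the distances differ or one ping server is failing.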

Special Cases

1. Monitoring both WAN interfaces simultaneously.
If you need to be able to ping both WAN interfaces in order to demonstrate that the links are up, you will need to set the distance on both default routes to be the same.
Note: this is the same requirement as for Design Scenario #3.
2. Routing of traffic directed at VIPs.
Sessions associated with VIPs are handled in a special way.
Case Scenario #1 (VIP on non-default interface): Let us say that you have a FortiGate-60, and the default gateway is pointing to WAN 1 but you have a VIP on WAN 2 that points to the web server in the DMZ.
In this case, you do not need to create an additional static route or policy route for this VIP because a route cache entry is made which tells the FortiGate unit which interface it should use on the return path.
Case Scenario #2 (Redundancy VIPs):
If you have redundant VIPs defined on each of the WAN interfaces (WAN1 and WAN2 in the case of a FortiGate-60):
  1. inbound sessions will be handled as discussed in case scenario #1
  2. outbound sessions (initiated by the server) will have the server IP modified according to one of the 2 VIPs -- which VIP is selected depends on which interface has the preferred default route
Conclusion (redundant VIPs): make sure a policy route directs the server traffic out the desired interface.
