Redundant Internet with basic failover

The following example demonstrates how to configure a redundant Internet setup with basic failover.

The goal of this recipe is to achieve failover, where the primary ISP is used 100% of the time, and the secondary ISP is used only if the primary goes down. In this example, the primary ISP uses the WAN1 interface and the secondary ISP uses the WAN2 interface.

For a redundant Internet recipe that uses the new SD-WAN feature in FortiOS 5.6, click here.

1. Connecting your ISPs to the FortiGate

Connect your ISP devices to your FortiGate so that the ISP you want to use for most traffic is connected to WAN1 and the other is connected to WAN2.

This shows a FortiGate with both the WAN1 and WAN2 ports active.

2. Creating redundant firewall policies

Go to Policy & Objects > IPv4 and create a firewall policy that allows traffic from your primary ISP (WAN1) to your internal network.

Set Incoming Interface to the interface of your internal network and set Outgoing Interface to the Internet-facing interface of the primary ISP.

Enable NAT and apply Security Profiles, as required.

Enable Log Allowed Traffic for All Sessions so that you can verify the results later.

Go to Policy & Objects > IPv4 and create a firewall policy that allows traffic from your secondary ISP (WAN2) to your internal network.

Repeat the steps listed above.

3. Creating redundant routes

Go to Network > Static Routes and create a static route for each ISP. The primary ISP should have a higher route priority than the secondary ISP.

Create a new static route for the primary ISP, and set Gateway IP to the ISP gateway address on the WAN1 interface's subnet.

Set Interface to the WAN1 interface.

Under Advanced Options, set the Priority to a low number (in this example, 5). The route with the smaller value has the higher priority, so this route will be preferred over the route you will configure for the secondary (backup) ISP.

Create a static route for the secondary ISP.

Set Gateway IP to the ISP gateway address on the WAN2 interface's subnet.

Set Interface to the WAN2 interface.

Under Advanced Options, set the Priority to a higher number (in this example, 10). The value must be larger than the one on the primary route so that this route has the lower priority.

Make sure both static routes are set to an equal distance. In this example, the Distance is set to the default of 10 on both routes. This ensures that both default routes will remain in the routing table.

4. Configuring the link monitor

You can use the CLI to configure the link monitor. Go to Dashboard > CLI and enter the following commands to configure the link monitor for the WAN1 interface:

config system link-monitor
    edit wan1
        set srcintf wan1
        set server 8.8.4.4
        set protocol ping
        set gateway-ip 172.25.176.1
        set interval 5
        set timeout 1
        set failtime 5
        set recoverytime 5
        set update-cascade-interface enable
        set update-static-route enable
        set status enable
    next
end

Set server to a reliable IP address that is reachable only through the Internet, so that the ping tests the WAN1 path end to end. In this example, the Google public DNS address 8.8.4.4 is used (the other Google address, 8.8.8.8, is commonly used for other ping tests).

The srcintf setting binds the monitor to the WAN1 interface, and gateway-ip is the same gateway IP address configured for that interface in Step 3.

Configure the link monitor for the WAN2 interface:

config system link-monitor
    edit wan2
        set srcintf wan2
        set server 8.8.4.4
        set protocol ping
        set gateway-ip 192.168.13.1
        set interval 5
        set timeout 1
        set failtime 5
        set recoverytime 5
        set update-cascade-interface enable
        set update-static-route enable
        set status enable
    next
end
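The following is an added example, not part of the Fortinet recipe: a small Python model of how the Step 3 static routes (equal distance, priority 5 versus 10) and the Step 4 link monitor settings (failtime, recoverytime, update-static-route) combine to produce failover and failback. The class and function names are assumptions made for illustration; the FortiGate does not expose this logic as an API.

```python
from dataclasses import dataclass


@dataclass
class StaticRoute:
    # Mirrors the Step 3 settings: equal distance, WAN1 priority 5, WAN2 priority 10
    device: str
    gateway: str
    distance: int = 10
    priority: int = 5
    installed: bool = True  # False once the link monitor withdraws the route


@dataclass
class LinkMonitor:
    # Hypothetical model of "config system link-monitor" with update-static-route enabled
    route: StaticRoute
    failtime: int = 5       # consecutive lost probes before the route is withdrawn
    recoverytime: int = 5   # consecutive answered probes before it is restored
    fails: int = 0
    successes: int = 0
    def probe(self, reply_received: bool) -> None:
        if reply_received:
            self.fails, self.successes = 0, self.successes + 1
            if not self.route.installed and self.successes >= self.recoverytime:
                self.route.installed = True
        else:
            self.successes, self.fails = 0, self.fails + 1
            if self.route.installed and self.fails >= self.failtime:
                self.route.installed = False


def active_default_route(routes):
    # FortiGate picks the lowest distance first, then the lowest priority value
    candidates = [r for r in routes if r.installed]
    if not candidates:
        return None
    return min(candidates, key=lambda r: (r.distance, r.priority)).device


def simulate(wan1_probe_results, failtime=5, recoverytime=5):
    # Feed a sequence of WAN1 ping outcomes; return the egress chosen after each probe
    wan1 = StaticRoute("wan1", "172.25.176.1", priority=5)
    wan2 = StaticRoute("wan2", "192.168.13.1", priority=10)
    monitor = LinkMonitor(wan1, failtime=failtime, recoverytime=recoverytime)
    chosen = []
    for reply in wan1_probe_results:
        monitor.probe(reply)
        chosen.append(active_default_route([wan1, wan2]))
    return chosen
```

With interval 5 and failtime 5, five consecutive lost probes (about 25 seconds) are needed before WAN1 is withdrawn; a single answered probe in between resets the count, which is why brief packet loss does not flap the routes.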

5. Results

To test failover of the redundant Internet configuration, you must simulate a failed Internet connection.

First, verify that users still have Internet access by navigating to Policy & Objects > IPv4 Policy. Right-click on the primary Internet access policy and select Show in FortiView to verify where traffic is flowing.

Physically disconnect the Ethernet cable from the Internet side of the ISP modem or device to simulate failover. Then, make sure that all traffic automatically goes through the WAN2 port, until WAN1 is available again. 

Go to Log & Report > System Events to confirm that the Link Monitor has changed state and that the static route for your primary ISP has been removed.

Go to Monitor > Routing Monitor to view the static routes in the routing table.

When the primary ISP connection is active, you will see an active route for both WAN1 and WAN2.

When the primary ISP connection fails, only the default route for WAN2 appears.

Enter the following CLI command to view the routing table:

get router info routing-table all 

When the primary ISP connection is active, the WAN1 default route is marked with an asterisk (*) as the selected route, and the routes for both WAN1 and WAN2 appear as active.

When the primary ISP connection fails, the route for WAN1 is automatically removed from the routing table.

Reconnect the cable when you have verified successful failover and you should find that traffic only flows through the primary ISP again.
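As an added example (not part of the Fortinet recipe), the check in this step can be automated by parsing the output of get router info routing-table all and classifying the failover state. The two routing-table samples below are constructed to match the Step 3 routes and the shape of FortiOS output described above; exact formatting on a given firmware release may differ, and the function names are illustrative.

```python
import re

# Constructed sample: both routes installed, WAN1 (priority 5) selected with "*"
PRIMARY_UP = """\
S*      0.0.0.0/0 [10/0] via 172.25.176.1, wan1, [5/0]
S       0.0.0.0/0 [10/0] via 192.168.13.1, wan2, [10/0]
C       172.25.176.0/24 is directly connected, wan1
C       192.168.13.0/24 is directly connected, wan2
"""

# Constructed sample: the link monitor has withdrawn the WAN1 route
PRIMARY_DOWN = """\
S*      0.0.0.0/0 [10/0] via 192.168.13.1, wan2, [10/0]
C       192.168.13.0/24 is directly connected, wan2
"""

ROUTE_RE = re.compile(
    r"^(?P<code>[A-Z])(?P<sel>\*?)\s+(?P<prefix>\S+)\s+\[(?P<dist>\d+)/\d+\]"
    r"\s+via\s+(?P<gw>\S+),\s+(?P<intf>\w+)(?:,\s+\[(?P<prio>\d+)/\d+\])?"
)


def default_routes(table: str):
    """(interface, gateway, distance, priority, selected) for every 0.0.0.0/0 entry."""
    found = []
    for line in table.splitlines():
        m = ROUTE_RE.match(line)
        if m and m.group("prefix") == "0.0.0.0/0":
            found.append((m.group("intf"), m.group("gw"), int(m.group("dist")),
                          int(m.group("prio") or 0), m.group("sel") == "*"))
    return found


def active_egress(table: str):
    """Interface of the selected (*) default route, or None if there is none."""
    for intf, _gw, _dist, _prio, selected in default_routes(table):
        if selected:
            return intf
    return None


def failover_state(table: str) -> str:
    """Classify the table as Step 5 does: primary up, failed over, or no Internet."""
    intfs = {r[0] for r in default_routes(table)}
    active = active_egress(table)
    if active == "wan1" and "wan2" in intfs:
        return "primary-up"
    if active == "wan2" and "wan1" not in intfs:
        return "failed-over"
    return "no-default-route" if active is None else "unexpected"
```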

For further reading, check out Dual Internet connections in the FortiOS 5.6 Handbook. Also check out more on the system link monitor CLI commands.

Fortinet Technical Documentation

Contact Fortinet Technical Documentation at techdoc@fortinet.com.