Hi all,
I've got two different sites connected to each other over two WAN links. Both ends have a Fortigate firewall. At present, one of the links is disabled as redundant; however, I need to start using the other link and perform some sort of load-balancing over the two paths.
It has been suggested to me to use the 'Zone' feature by combining the two WAN interfaces on BOTH firewalls into a zone. Since this is a live environment, with a large number of policies set up on both sides, there is limited time to perform the change. There is also OSPF running on the interfaces.
What are the things I need to consider before going ahead with this change? Has anyone done a similar activity before? Please share your advice / experience.
Cheers!
It would have been nice to have provided the firmware version running on the fgts as there are three "main" versions of Fortigate firmware in use -- load-balancing WAN connections is setup slightly differently under each.
Ideally, you would want to set up load-balancing from the beginning and then create your firewall policies (and everything else). But since you already have firewall policies in place, your best bet is to load an unencrypted backup config into a text editor and do the following (assuming 4.3 or 5.0):
    config system zone
        edit "Load_Balance"
            set interface "WAN interface1" "WAN interface2"
        next
    end
(Note: before loading the revised config, make sure you have some sort of backup plan in case you have made a mistake in editing the config, like having a console/rollover cable on hand or a management/stand-alone port configured that you can connect to.)
Depending on the type of load-balancing you want, you will need to set up the distance on each interface, including checking/unchecking the override internal DNS option; under ECMP Load Balancing Method, choose type desired and set up Dead Gateway Detection. Check the routing monitor to see if 0/0 routes are up to both WAN interfaces (Depending on load-balancing method though). Perform testing -- pull out each of the WAN cables (one at a time) to see how well the fgt acts -- adjust DGD accordingly.
I have done the above on firmware 4.3 and 5.0 -- none of our fgts are on 5.2 so have no experience with setting up load-balancing on that firmware, but I do understand the built-in WAN load-balancer is quite nice.
From my own experience, I had no real problems load-balancing with WAN connections from the same ISP -- some slight problems when WAN links are from different ISPs though (but I'm thinking it is mainly due to one of the ISP WAN links being so unreliable). The other issue is DNS resolution if using different ISPs -- had to use either a local DNS server (that is pointing to a public DNS) or a public DNS directly (like Google's) -- likewise with internal client stations.
NSE4/FMG-VM64/FortiAnalyzer-VM/6.0 (FWF30E/FW92D/FGT200D/FGT101E/FGT81E)/ FAP220B/221C
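The "edit the backup config" step in the reply above is safer as a targeted rewrite than as a blanket search/replace: once wan1/wan2 are members of a zone, firewall policies may only reference the zone, but static routes, OSPF and the interface table must keep the physical interface names. The following is an added example (my own, not Fortinet's or the poster's) that inserts the zone block and repoints only policy srcintf/dstintf lines, reporting every other reference for manual review; the config excerpt and interface names are constructed.

```python
import re
# Constructed excerpt of an unencrypted FortiOS backup (made-up names, not a real device).
SAMPLE_CONFIG = """\
config system interface
    edit "wan1"
    next
end
config router static
    edit 1
        set device "wan1"
    next
end
config firewall policy
    edit 1
        set srcintf "internal"
        set dstintf "wan1"
    next
    edit 2
        set srcintf "wan1" "wan2"
        set dstintf "internal"
    next
end
"""
SET_INTF = re.compile(r'^(\s*set (?:srcintf|dstintf)) (.+)$')

def rezone_policies(cfg, zone, members):
    # Insert the zone block before the policy table and repoint only firewall-policy
    # srcintf/dstintf lines to it. Returns (new_cfg, rewritten, leftovers); leftovers are
    # non-policy lines that still name a member (static routes, OSPF, the interface table).
    members, out, stack, rewritten, leftovers = set(members), [], [], 0, []
    names = " ".join(f'"{m}"' for m in sorted(members))
    for line in cfg.splitlines():
        s = line.strip()
        if s.startswith("config "):
            if s == "config firewall policy" and not stack:
                out.append(f'config system zone\n    edit "{zone}"\n        set interface {names}\n    next\nend')
            stack.append(s[7:])
        elif s == "end":
            stack.pop()
        m = SET_INTF.match(line)
        if m and stack and stack[-1] == "firewall policy":
            found = re.findall(r'"([^"]*)"', m.group(2))
            if members & set(found):  # "wan1" "wan2" collapses to a single zone reference
                new = dict.fromkeys(zone if n in members else n for n in found)
                line = m.group(1) + " " + " ".join(f'"{n}"' for n in new)
                rewritten += 1
        elif not s.startswith("edit ") and any(f'"{n}"' in s for n in members):
            leftovers.append(s)
        out.append(line)
    return "\n".join(out) + "\n", rewritten, leftovers
```

Run it against a real backup and diff the output against the original before loading it, then walk through the leftovers list by hand.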
Hi Dave,
I really appreciate your response.
I'm running OS 4.0 MR3 Patch 15 on both firewalls. Both firewalls have a redundant pair (slave). I do not have physical access to the firewalls. They both have multiple VDOMs, so I will maintain management/console access even if the config goes bad. The firewall policies have been in place for over a year now; the redundant link was added much more recently, hence the requirement to bundle them.
Would the steps you suggested work on 4.0 MR3? Also, when I search/replace all occurrences of WAN1 to Load-Balance, is that catering for updating the policies? Also, would it be a good idea to create the Zone on the GUI? In fact, would the whole thing be easier on the GUI or CLI?
For ECMP, I'm not too familiar with its implementation. Do you have any recommendations or any documentation I can refer to for this?
Thanks in advance.