- Forums
- Knowledge Base
- Customer Service
- FortiGate
- FortiClient
- FortiAP
- FortiAnalyzer
- FortiADC
- FortiAuthenticator
- FortiBridge
- FortiCache
- FortiCarrier
- FortiCASB
- FortiConnect
- FortiConverter
- FortiCNP
- FortiDAST
- FortiDDoS
- FortiDB
- FortiDNS
- FortiDeceptor
- FortiDevSec
- FortiDirector
- FortiEDR
- FortiExtender
- FortiGate Cloud
- FortiGuard
- FortiHypervisor
- FortiInsight
- FortiIsolator
- FortiMail
- FortiManager
- FortiMonitor
- FortiNAC
- FortiNAC-F
- FortiNDR (on-premise)
- FortiNDRCloud
- FortiPAM
- FortiPortal
- FortiProxy
- FortiRecon
- FortiRecorder
- FortiSandbox
- FortiSASE
- FortiScan
- FortiSIEM
- FortiSOAR
- FortiSwitch
- FortiTester
- FortiToken
- FortiVoice
- FortiWAN
- FortiWeb
- Wireless Controller
- RMA Information and Announcements
- FortiCloud Products
- ZTNA
- 4D Documents
- Customer Service
- Community Groups
- Blogs
Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
- Fortinet Community
- Forums
- Support Forum
- Load-balancing by combining redundant WAN interfac...
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark
- Subscribe
- Mute
- Printer Friendly Page
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Load-balancing by combining redundant WAN interface to form a Zone
Hi all,
I've got two different sites connected to each other over twos WAN link. Both ends have a Fortigate firewall. At present, one of the link is disabled as redundant; however, I need to start using the other link and perform some sort of load-balancing over the two paths.
I've been suggested to use the 'Zone' feature by combining the two WAN interfaces on BOTH firewalls into a zone. Since this is a live environment, with a large number of policies set up on both sides, there is limited time to perform the change. There is also OSPF running on the interfaces.
What are the things I need to consider before going ahead with this change? Has anyone done a similar activity before? Please share your advice / experience.
Cheers!
2 REPLIES 2
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
It would have been nice to have provided the firmware version running on the fgts as there are three "main" versions of Fortigate firmware in use -- load-balancing WAN connections is setup slightly differently under each.
Ideally, you would want to set up load-balancing from the beginning and then create your firewall policies (and everything else). But since you already have firewall policies in place, your best bet is to load an unencrypted backup config into a text editor and do the following (assuming 4.3 or 5.0):
[ul]
config system zone
edit "Load_Balance"
set interface "WAN interface1" "WAN interface2"
next
end
[ul](Note before loading the revised config, make sure you have some sort of backup plan in case you have made a mistake in editing the config, like have a console/rollover cable on hand or a management/stand alone port configured that you can connect to.)
Depending on the type of load-balancing you want, you will need to set up the distance on each interface, including checking/unchecking the override internal DNS option; under ECMP Load Balancing Method, choose type desired and set up Dead Gateway Detection. Check the routing monitor to see if 0/0 routes are up to both WAN interfaces (Depending on load-balancing method though). Perform testing -- pull out each of the WAN cables (one at a time) to see how well the fgt acts -- adjust DGD accordingly.
I have done the above on firmware 4.3 and 5.0 -- none of our fgts are on 5.2 so have no experience with setting up load-balancing on that firmware, but I do understand the built-in WAN load-balancer is quite nice.
From my own experience, I had no real problems load-balancing with WAN connections from the same ISP -- some slight problems when WAN links are from different ISPs though (but I'm thinking it is mainly due to one of the ISP WAN links being so unreliable). Other issue is DNS resolution if using different ISPs -- had to use either a local DNS server (that is pointing to a public DNS) or a public DNS directly (like googles) -- likewise with internal client stations.
NSE4/FMG-VM64/FortiAnalyzer-VM/6.0 (FWF30E/FW92D/FGT200D/FGT101E/FGT81E)/ FAP220B/221C
NSE4/FMG-VM64/FortiAnalyzer-VM/6.0
(FWF30E/FW92D/FGT200D/FGT101E/FGT81E)/ FAP220B/221C
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi Dave,
I really appreciate your response.
I'm running OS 4.0 MR3 Patch 15 on both firewalls. Both firewalls have a redundant pair (slave). I do not have physical access to the firewalls. They both have multiple VDOMs so I will maintain management/console access even if the config goes bad. The firewall policies have been in place for over a year now, the redundant link was added much recently, hence the requirement to bundle them.
Would the steps you suggested work on 4.0 MR3? Also, when I search/replace all occurrences of WAN1 to Load-Balance, is that catering for updating the policies? Also, would it be a good idea to create the Zone on the GUI? In fact, would the whole thing be easier on the GUI or CLI?
For ECMP, I'm not too familiar with its implementation. Do you have any recommendations or any documentation I can refer to for this?
Thanks in advance.
Related Posts
Labels
-
FortiGate
6,459 -
FortiClient
1,290 -
5.2
801 -
5.4
639 -
FortiManager
562 -
6.0
416 -
FortiAnalyzer
411 -
5.6
362 -
FortiSwitch
331 -
FortiAP
327 -
FortiClient EMS
259 -
6.2
251 -
FortiMail
239 -
FortiAuthenticator v5.5
234 -
5.0
196 -
FortiWeb
148 -
6.4
128 -
FortiNAC
103 -
FortiGuard
102 -
FortiGateCloud
86 -
FortiSIEM
85 -
FortiCloud Products
82 -
FortiToken
69 -
Customer Service
69 -
IPsec
68 -
4.0MR3
64 -
Wireless Controller
58 -
SSL-VPN
54 -
FortiProxy
44 -
FortiADC
42 -
Fortivoice
41 -
FortiEDR
38 -
FortiGate v5.4
34 -
FortiDNS
34 -
FortiExtender
31 -
FortiSandbox
30 -
FortiSwitch v6.4
28 -
FortiConnect
23 -
SD-WAN
23 -
FortiWAN
22 -
High Availability
21 -
FortiConverter
21 -
Firewall policy
20 -
VLAN
18 -
FortiPortal
17 -
ZTNA
16 -
FortiSwitch v6.2
16 -
FortiGate v5.2
16 -
FortiMonitor
14 -
Certificate
14 -
FortiDDoS
13 -
Routing
12 -
FortiCASB
12 -
SAML
11 -
BGP
11 -
DNS
11 -
Interface
11 -
FortiGate v5.0
10 -
FortiRecorder
10 -
VDOM
10 -
FortiWeb v5.0
9 -
LDAP
9 -
FortiManager v5.0
9 -
4.0MR2
9 -
Logging
9 -
RADIUS
8 -
Traffic shaping
8 -
Virtual IP
8 -
RMA Information and Announcements
7 -
FortiSOAR
7 -
fortilink
7 -
FortiAnalyzer v5.0
7 -
NAT
7 -
FortiAuthenticator
7 -
Admin
7 -
FortiGate v4.0 MR3
7 -
4.0
7 -
Fortigate Cloud
6 -
IP address management - IPAM
6 -
SSID
5 -
Security profile
5 -
Traffic shaping policy
5 -
Authentication
5 -
FortiBridge
5 -
SNMP
5 -
SSO
5 -
Application control
5 -
Static route
5 -
FortiManager v4.0
5 -
FortiDirector
4 -
SSL SSH inspection
4 -
WAN optimization
4 -
Web application firewall profile
4 -
DNS Filter
4 -
FortiTester
4 -
FortiCarrier
4 -
FortiCache
4 -
OSPF
4 -
3.6
4 -
FortiScan
4 -
Proxy policy
4 -
packet capture
3 -
FortiToken Cloud
3 -
Automation
3 -
Intrusion prevention
3 -
DoS policy
3 -
Port policy
3 -
FortiDB
3 -
IPS signature
3 -
FortiDeceptor
2 -
FortiInsight
2 -
Antivirus profile
2 -
VoIP profile
2 -
Traffic shaping profile
2 -
Web profile
2 -
FortiAP profile
2 -
FortiAI
2 -
FortiHypervisor
2 -
Netflow
2 -
trunk
2 -
NAC policy
1 -
SDN connector
1 -
4.0MR1
1 -
Users
1 -
Subscription Renewal Policy
1 -
FortiCWP
1 -
FortiNDR
1 -
Web rating
1 -
Application signature
1 -
Authentication rule and scheme
1 -
Multicast routing
1 -
Zone
1 -
FortiManager-VM
1 -
Fabric connector
1 -
Internet Service Database
1 -
Fortinet Engage Partner Program
1 -
System settings
1 -
Explicit proxy
1 -
TACACS
1
Broad. Integrated. Automated.
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Security Research
Company
News & Articles
Copyright 2024 Fortinet, Inc. All Rights Reserved.