Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
slpassos
New Contributor

ECMP - Probe Routing - NAT with WanLB FortiOS 5.4

I have three doubts that I would like some help with. Basically my problems boil down to: Routing, WAN LB and NAT.

 

1) ECMP in FortiOS 5.4 -> Apparently the ECMP Advanced Routing option has been removed from the GUI, and in its place is the option "WAN STATUS CHECK", which is used only for WanLB. Is that right? Is there any way to solve this via CLI by creating routes with equal cost and using a health check?

 

2) In other equipment (Cisco - Sonicwall) that I have worked with, I can create a "Probe" and put that probe on a static route, for example. This is useful when I have, for example, branch_A <-> VPN <-> FWL <-> SWC <-> MPLS <-> branch_A. So I can monitor the MPLS link from branch_A, and in case MPLS drops, I reach it via VPN. Can I resolve this with a static route and probe in Fortigate, or only with dynamic routing?

 

3) Output NAT in WanLB, with origin IP other than the WAN interface IP. I need it so that when traffic goes out over WAN1, it uses IP pool_A. When traffic goes out on WAN2, it uses a different IP pool (pool_B); for redundant MX (with a different IP address from the interface), for example.

 

Many thanks.

yashcparmar
New Contributor

Hi,

 

1) Yes, the ECMP Advanced Routing option has been removed from the GUI. You can configure link monitoring from the CLI:

config system link-monitor
    edit "GW1"
        set srcintf 'wan1'
        set protocol ping
        set gateway-ip 0.0.0.0
        set status enable
    next
    edit "GW2"
        set srcintf 'wan2'
        set protocol ping
        set gateway-ip 0.0.0.0
        set status enable
    next
end

If you want to use, for example, Weighted Load Balance, you can set a weight per interface:

config system interface
    edit "wan1"
        set weight 60
    next
    edit "wan2"
        set weight 40
    next
end

 

Same can be done for other load balancing methods.

 

2) You can achieve this using config system link-monitor as shown in option 1).

 

3) If you are using WAN Link Load Balance from the GUI, this requirement is not possible.

Though you can use solution 1) to achieve your requirement.

 

slpassos

yashcparmar wrote:

 

Hello and thanks,

 

1) OK... but it is bad. I have so many clients that use Fortigate for a redundant link with MPLS (primary) and VPN (secondary). This option on the GUI is much easier to use.

 

2) If I use link monitor, the firewall will remove all routes from the interface, not only a branch_A route to the Switch Core. I really don't understand why FG does not use tracks/probes under static routes like Cisco, SonicWall...

 

3) Fortigate support answered me that this is "possible". I am trying and it does not work... =(

 

yashcparmar
New Contributor

Hi,

 

3) Fortigate support answered me that this is "possible".

 

If they have provided any solution or any KB then please share if possible.

slpassos

yashcparmar wrote:

Hi,

 

3) Fortigate support answered me that this is "possible".

 

If they have provided any solution or any KB then please share if possible.

Well,

 

I tried and it didn't work, then I replied to Fortigate support and they came back informing me that they had made a mistake.

It's really not possible. =/

 

Thanks

MikePruett
Valued Contributor

Set up ECMP through the CLI and you are on the way. Most of it can even be scripted to make things easier.

Mike Pruett Fortinet GURU | Fortinet Training Videos
tmazowski
New Contributor

There is one other piece to this:

FORTIGATE# config sys settings

FORTIGATE (settings) # set v4-ecmp-mode
source-ip-based         Select next hop based on source IP.
weight-based            Select next hop based on weight.
usage-based             Select next hop based on usage.
source-dest-ip-based    Select next hop based on both source and destination IPs.
zeki893
New Contributor II

 

For 3) Can't you set up the NAT pool in the firewall policy with the outgoing interface, in combination with policy routing?

 

2) @slpassos, I agree. For 5.4 I don't know why they would remove the link-monitor from the GUI. It's such a useful feature.
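Putting the thread's two answers together, here is an added example (not posted by anyone in the thread and not a Fortinet document) of the CLI-only ECMP setup from yashcparmar's reply combined with the per-interface NAT pool that zeki893 suggests for point 3. The interface names, gateway addresses and pool addresses (RFC 5737 ranges) are constructed assumptions; both static routes keep the default distance and priority so that they are ECMP candidates, and the link-monitor entries shown earlier in the thread remove a route from that set when its probe fails.

```fortios
# Added example, not from the thread; addresses are constructed (RFC 5737).
config router static
    edit 1
        set gateway 203.0.113.1
        set device "wan1"
    next
    edit 2
        set gateway 198.51.100.1
        set device "wan2"
    next
end
config firewall ippool
    edit "pool_A"
        set startip 203.0.113.10
        set endip 203.0.113.10
    next
    edit "pool_B"
        set startip 198.51.100.10
        set endip 198.51.100.10
    next
end
# One policy per outgoing interface, each with its own pool, so the SNAT address follows the interface the ECMP route selects.
config firewall policy
    edit 1
        set srcintf "internal"
        set dstintf "wan1"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set nat enable
        set ippool enable
        set poolname "pool_A"
    next
    edit 2
        set srcintf "internal"
        set dstintf "wan2"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set nat enable
        set ippool enable
        set poolname "pool_B"
    next
end
```

Because policy lookup happens after the route lookup, a session hashed onto wan2 matches policy 2 and leaves with the pool_B address, which is what the WAN LLB GUI cannot express; verify with `get router info routing-table all` that both default routes are installed and with `diagnose sys session list` that the NAT address matches the egress interface.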
