Hot!WAN Failover Best Practice - New Failover Connection

Author
kknuckles
New Member
  • Total Posts : 7
  • Scores: 0
  • Reward points: 0
  • Joined: 2016/02/29 15:56:02
  • Location: Pearl, MS
  • Status: offline
2017/03/20 12:47:51 (permalink) 5.4
0

WAN Failover Best Practice - New Failover Connection

I have a FG200D and we are getting ready to receive a new Cradlepoint 3G/4G router for failover of the main office only. The plan is to connect it to WAN2. My question is this: Would it be better to use WAN LLB and set a sky high priority like 99 for WAN1 and 1 for WAN2, or would it be better to use two static routes and weight them accordingly?
 
I mainly want to make sure WAN2 isn't going to be used unless WAN1 is absolutely down. I don't mind a small amount of traffic for health check but we are only allotted so much data per month on the fail over service without overage charges.
 
I've seen multiple posts about this and read multiple articles, but couldn't really determine the best method from those. I've only known FortiOS 5.4, which apparently isn't the favorite for this setup since most of the failover documentation still references 5.2.
 
Opinions and thoughts welcomed and thanks in advance.
 
Kevin
#1

6 Replies Related Threads

    MikePruett
    Platinum Member
    • Total Posts : 581
    • Scores: 8
    • Reward points: 0
    • Joined: 2014/01/08 19:39:40
    • Location: Montgomery, Al
    • Status: offline
    Re: WAN Failover Best Practice - New Failover Connection 2017/03/20 13:14:01 (permalink)
    0
    I, personally, would do this.
     
    create a zone titled OUTSIDE
     
    place primary internet provider and secondary internet provider in there.
     
    Create two default routes, one to the primary and one to the secondary. Make the secondary have a slightly higher "priority" which in FortiOS just means cost.
     
    Configure link health monitoring through CLI for each connection. If primary WAN fails the configured number of times then it will yank the route and use the backup line.
     
    below is how to configure the link monitor
     
    config system link-monitor
    edit "wan1fail"
    set srcintf "wan1"
    set server "8.8.8.8"
    set interval 3
    set failtime 10
    set recoverytime 10
    set update-cascade-interface disable
    set protocol ping
    next
    end

    Mike Pruett
    Fortinet GURU
    #2
    kknuckles
    New Member
    • Total Posts : 7
    • Scores: 0
    • Reward points: 0
    • Joined: 2016/02/29 15:56:02
    • Location: Pearl, MS
    • Status: offline
    Re: WAN Failover Best Practice - New Failover Connection 2017/03/20 14:02:49 (permalink)
    0
    Thanks Mike!
    #3
    phowardmhm
    New Member
    • Total Posts : 8
    • Scores: 0
    • Reward points: 0
    • Joined: 2015/01/19 13:10:11
    • Status: offline
    Re: WAN Failover Best Practice - New Failover Connection 2017/05/01 16:20:52 (permalink)
    0
    I will be doing the same setup as described, any thoughts or ideas are appreciated.  Thanks,

    Pat
    #4
    wcbenyip
    Gold Member
    • Total Posts : 394
    • Scores: 4
    • Reward points: 0
    • Joined: 2004/12/27 23:02:51
    • Location: HKSARG
    • Status: offline
    Re: WAN Failover Best Practice - New Failover Connection 2017/05/01 21:00:21 (permalink)
    0
    Sounds this is a good method for WAN load balancing... but another trouble point is, you have to configure 2 complete set of policies for each interface going thru WAN1 and WAN2. That means, once you need to modify any policy from one of your huge no. of policies, you have to do it twice... and whenever need to create a new policy, you have to duplicate it for 2 WAN port.
     
    I set the WAN LB with this same method, it's really painful. Just thought does there another way to make it more precise or simple? Double no. of policies and making a complex policy screen are really not a best practice.... and it's not the normal WAN LOAD BALANCING in the market...

    Protect yourself~ http://www.secunia.com
    MBCS CEH FCNSA
    #5
    Maxim Vanichkin
    New Member
    • Total Posts : 18
    • Scores: 0
    • Reward points: 0
    • Joined: 2015/11/05 07:59:48
    • Status: offline
    Re: WAN Failover Best Practice - New Failover Connection 2017/05/01 21:13:56 (permalink)
    0
    For exemple, ZyWALLs have "trunks" - 2,3,4... interfaces there (active, passive) - very easy! In your policies and routes you use only configured trunks - very convinent. Do FGs have such functionality?
    #6
    fl0at0xff
    Bronze Member
    • Total Posts : 25
    • Scores: 0
    • Reward points: 0
    • Joined: 2016/08/23 00:13:56
    • Status: offline
    Re: WAN Failover Best Practice - New Failover Connection 2017/05/01 21:41:30 (permalink)
    0
    Hello,
     
    i'm not expert of DUAL wan but if I understand correctly, you simply want to do a WAN Failover and not a Load balancing right ? If yes, I suggest you to use only static. Here my guide lines:
    1. Configure default static route (wan1/wan2 with same distance but wan1 with lowest priority)
    2. Create link-monitor using CLI for each WAN. (config sys link-monitor) (-> set update-static-route disable)
    3. If you use IPSec, create your second IPSec that will use wan2. In CLI, don't forget to set the parameter "set monitor <gw_ip_wan1> that tell that this backup VPN IPSec must monitor the first one
    4. Add static route for your new IPsec (IPsec tunnel 2 with same distance than primary but higher priority)
    5. If you have not created a ZONE for WAN1 et WAN2, you must dupplicate all your policies/VIP for wan2
    6. If you have SSL/VPN, don't forget to add wan2 on listening interface for SSL/VPN configuration
    7. In case of IPsec, don't forget to configure the remote peer too.
     
    You can test your link monitor using the command diagnose sys link-monitor status all
     
    Hope this will help you.
     
    BR 
     
    #7
    Jump to:
    © 2017 APG vNext Commercial Version 5.5