Fortigate SD-WAN with FGCP HA

Author: grindelwaldus
Posted: 2019/02/07 02:08:57 (tagged 6.0)

Hi guys.
I have a pair of VM-based Fortigates (VM00) configured to work in a topology described here: https://cookbook.fortinet.com/sd-wan-with-fgcp-ha-expert-60/
I'm a bit confused by one thing however. That's what the article says about testing failover scenarios:

"To test failover of the redundant Internet configuration, you must simulate a failed Internet connection to one of the ports. You can do so by disconnecting power from the wan1 switch or otherwise disconnecting the wan1 interfaces of both FortiGates from ISP 1."

Specifically I'm confused by "disconnecting the wan1 interfaces of both FortiGates from ISP 1". This scenario works fine, but what if, for instance, WAN1 of only the first Fortigate fails?
As I understand, the "monitor interfaces" feature will save me in a scenario like this. I'm not, however, able to test this because I'm doing all of this inside a virtualized environment (EVE-NG), so I can't emulate a physical interface failure. Can someone confirm this feature is acceptable in such a scenario?
Also, "monitor interfaces" is only for physical link failures. Is there any way to prevent traffic blackholing in case my link is up, but the GW is not reachable? I was thinking of Remote Link Failover: https://help.fortinet.com/fos50hlp/54/Content/FortiOS/fortigate-high-availability-52/HA_failoverRemoteLink.htm but I encountered some problems during the configuration so I'm not really sure this feature is acceptable for my scenario.
post edited by grindelwaldus - 2019/02/07 02:19:56

Reply by grindelwaldus, 2019/02/21 02:47:54
OK, so to answer my question: you just need to configure two SD-WAN Performance SLA rules, one for the first ISP, one for the second, and it will work like a charm. Ping checks are only performed from the current active HA member. So no matter what kind of failure you have (an ISP WAN link failure, or only the WAN1 port failure of your active HA member), with a Performance SLA rule your active HA member will switch to WAN2 in such a scenario.
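What the two-Performance-SLA setup from the reply above looks like in FortiOS 6.0 CLI terms, as an added illustration that is not taken from the post or from the cookbook article. The interface names wan1/wan2, the gateway addresses (RFC 5737 documentation ranges) and the probe targets are assumed placeholders; each health check is bound to exactly one SD-WAN member so that a failed probe on one ISP only marks that member down.

```fortios
# Added example, not from the original post. Assumed values: wan1/wan2 port
# names, 203.0.113.1 / 198.51.100.1 as the ISP gateways, and one ping target
# reachable through each ISP. Replace them with your own.
config system virtual-wan-link
    set status enable
    config members
        edit 1
            set interface "wan1"
            set gateway 203.0.113.1
        next
        edit 2
            set interface "wan2"
            set gateway 198.51.100.1
        next
    end
    # One Performance SLA (health-check) per ISP. "set members" limits each
    # probe to its own member, so a dead ISP 1 path marks member 1 down and
    # leaves member 2 untouched. failtime/recoverytime are consecutive probe
    # results before the state flips, which damps flapping.
    config health-check
        edit "isp1-sla"
            set server "203.0.113.10"
            set protocol ping
            set failtime 5
            set recoverytime 5
            set members 1
        next
        edit "isp2-sla"
            set server "198.51.100.10"
            set protocol ping
            set failtime 5
            set recoverytime 5
            set members 2
        next
    end
end
```

Because the probes are sourced from the active HA member only, this covers both the case the cookbook tests (ISP 1 down for the whole cluster) and the case asked about in the first post (only the active unit's wan1 losing its gateway): in either case the probe through member 1 fails, member 1 is marked down, and SD-WAN routes via wan2 without an HA failover. Pointing the probe at something past the ISP gateway rather than at the gateway itself is what catches the "link up, upstream dead" blackhole case. The live probe state can be inspected on the active unit with `diagnose sys virtual-wan-link health-check`, which is the check to run before trusting the failover in a lab where you cannot pull a physical cable.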