Fortinet FortiGate firewalls offer multiple Internet support with flexibility in how the different Internet connections are utilized.
There are 2 different ways to configure a multi WAN setup on the firewall which is determined by what is required for the Internet connections.
The first way to configure a multi WAN is for a redundant scenario in which the secondary Internet connection is only used when the primary goes down. In this scenario the secondary Internet’s static route (gateway) would have a higher metric than the primary so that it is not active when the primary is up. In order to configure a multi WAN setup for Internet redundancy a few steps must be performed which are listed below.
1. Configure the interface to be used for the secondary Internet connection (i.e. Ip address, netmask, administrative access options, etc.)
2. Configure the static route for the secondary Internet’s gateway with a metric that is higher than the primary Internet connection. If the secondary Internet is not a manual connection (i.e. DHCP or PPPoE) you will need to set the metric/distance within the interface settings.
3. Create dead gateway detection entries. These are required when using multiple Internet connections in order for the firewall to know what Internet connections are up/available. The setup for the dead gateway detection is quite simple; add an upstream IP address to be pinged by the FortiGate which will tell the firewall if the connection is up or down. – **see tip below.
4. Configure/copy all the required firewall rules that are needed for the secondary Internet connection, if the primary is WAN1 and the secondary is WAN2 then most or all of the firewall rules for WAN1 will need to be recreated for WAN2 in order to allow traffic when the WAN2 Internet connection is active.
The second type of mutli WAN setup is having both Internet connections active at the same time in order to utilize both connections simultaneously and still have redundancy.
When using both Internet connections at the same time a ECMP (Equal Cost Multi-Path) load balancing method must be selected. The options are “Source IP based” “Weighted load balance” or “Spillover”.
“Source IP based” is the default load balance method which works by using a round robin method based on source IP addresses. The first outgoing session is routed out of the WAN1 while the second outgoing session from a different source IP address is routed out of the WAN2 Internet connection, then the next connection with a different source IP is routed out the WAN1 and so on for all new connections with different source IP’s.
“Weighted load balance” is used to control which Internet connection will be used more based on weights. For example if WAN1 has a weight of 10 and WAN2 has a weight of 20 then WAN2 would get more sessions as it has the higher value.
“Spillover” is used to control outgoing traffic based on bandwidth usage. For example if WAN1 has been configured with a spillover threshold of 5 Mbit then it will handle all traffic until the bandwidth usage hits 5 Mbit then it will start sending new sessions out of the WAN2 connection until the WAN1 bandwidth usages goes below 5 Mbit then it will send connections out the WAN1 again.
1. Configure the interface to be used for the secondary Internet connection (i.e. IP address, netmask, administrative access options, etc.)
2. Configure the static route for the secondary Internet’s gateway with a metric that is the same as the primary Internet connection. If the secondary Internet is not a manual connection (i.e. DHCP or PPPoE) you will need to set the metric/distance within the interface settings.
Tip – Using priority within the static route will tell the FortiGate which connection has higher priority when the distance/metric are the same. Use the default value of 0 for the priority of the connection you wish to be the primary and a higher priority for the secondary connection. The lower priority primary connection will be used when the FortiGate is not sure which default gateway to use for an outbound connection.
3. Create dead gateway detection entries. These are required when using multiple Internet connections in order for the firewall to know what Internet connections are up/available. The setup for the dead gateway detection is quite simple; add an upstream IP address to be pinged by the FortiGate which will tell the firewall if the connection is up or down. – **see tip below.
4. Configure/copy all the required firewall rules that are needed for the secondary Internet connection, if the primary is WAN1 and the secondary is WAN2 then most or all of the firewall rules for WAN1 will need to be recreated for WAN2 in order to allow traffic when the WAN2 Internet connection is active.
Tip - To force outgoing traffic through one of the Internet connections regardless of what equal cost load balancing method is being used is accomplished by using policy routes.
Policy routes are very powerful and are checked even before the active route table so any mistakes made can disrupt traffic flows. Basically how they work is by matching all of the configured values within the policy route which can be source IP/network, destination IP/network, protocol, etc. then if a match is made the FortiGate checks for a firewall policy that will allow the traffic. Also if there were policy routes for WAN2 and WAN2 is currently down, then the FortiGate does not try to make any matches for policy routes going out WAN2.
**Tip – When creating dead gateway detection entries, ensure that the ping server IP being used is not the default gateway as default gateway routers are usually directly connected to the FortiGate and the FortiGate will think the connection is always up even if the Internet connection is actually down. This happens because the FortiGate is pinging a local device and not an upstream device through the Internet connection.
No comments:
Post a Comment