Configuring ISP failover using SD WAN

Captions
Hello everyone. In this video I'm going to show you how to configure ISP failover using SD-WAN. As you can see, I have two ISPs that I've actually configured here, ISP1 and ISP2, and you can see there's some traffic going on, upload and download.

I'm going to show you what I've done. Basically, what I've done is to make sure that my ISP1 and my ISP2 interfaces are configured. Your IP address will definitely be different from my IP address. In my case this is what I'm using for my WAN IP and my LAN IP, I mean, sorry, my WAN2 IP; this is the one I'm using. Then I created a zone whereby both of them are included in the zone. On the SD-WAN, this is the zone that I have, which is called the outside zone; I'm going to show you how to create that. I created an SD-WAN rule to choose which interface I prefer and based on which criteria, and I actually work with the performance SLA. There are different default performance SLAs, but I created these two SLAs, and I'm using this ISP1 as my preferred SLA. That doesn't mean that it is the best of the two links that I have; in fact my ISP2 is actually better in terms of latency than my ISP1, but in terms of jitter, as you can see here, my ISP1 is way better than that. It basically depends on your preference, whichever one you want to use.

Then of course we're going to also create the static route, using any destination, using the zone interface that we created. After that we're going to create a policy. This is the policy that I have; we're going to create a policy, which is this particular one here, which allows LAN traffic to the internet. We're going to enable NAT, and that's basically all we're going to do.

So I'm going to show you how to create that. I'm going to remove all this configuration and make it a clean device, and then I'm going to show you how to set up your SD-WAN. If you already have this configured before, there are things that you need to
do. Let's say you already have LAN configured and you want to configure SD-WAN; there are certain things you could do. I'm going to go through these steps. I'm going to remove my policy, and the next thing I'm going to do is to remove my static route, and next I'm going to go to my SD-WAN. Oh, I have a performance SLA, actually; I'm going to remove my performance SLA. The other performance SLA is in my rules here, so I'm going to remove that rule and go back to performance SLA. After that I'm going to go back to zones, and I'm going to remove the ISP interfaces from the zones. Notice that this has to be done in sequential order, because sometimes when they are being referenced it's not going to allow you to remove them. Notice I can't remove this, simply because I already have that created as a zone. This is a zone, so I'm going to have to remove the zone as well. So I'm going to go back to interfaces here and go to the zone here. I'm going to remove... okay, that's just an icon. So here I can actually delete that zone. Give me a minute.

One other thing I need to point out is that I cannot delete this zone; it basically gives an error. What I noticed was that it's still being used by one of my policies, so this policy here is using that particular zone. I'm just going to remove that; I'm probably just going to switch it over to this temporarily, and then I'm going to remove that later. So now I can go back to that SD-WAN zone. Now that zone, that's easy, which basically deletes it also from there, so you can delete it from here, from SD-WAN.

That's how it is when it comes to referencing. You might actually look at your references: if you see here, there are two things that are referencing this one, and this one has zero references. Zero means I can basically delete this one; if we have two things, I'm going to have to remove those two things that are referencing it before I can
actually remove the interface. That's basically what this referencing means.

Now the next thing I'm going to do, or the first thing I'm going to do, is to set up my SD-WAN. To set up my SD-WAN, you have SD-WAN member and SD-WAN zone. I'm going to create a zone. You can call this zone "outside zone" or whatever kind of zone you want; I'm going to use "outside" in my own case. Now you can see I can't really add a member. You may be wondering why I can't add a member: it's because the first thing I need to do is to create the members. So I've already created the zone but I can't add a member, so I'm going to come back here and create the SD-WAN member.

So here, the first member I'm going to have is my ISP1. I'm going to leave the rest of the settings the same, but I'm going to choose the SD-WAN zone it belongs to, the outside zone, or I can just leave it the default way first. I'm going to show you either way, so I'm going to leave it this way and click OK. One thing you notice is that the interface I created is automatically under this. So let's create a new member, and I say ISP1, I mean ISP2, and then I make that a member of outside. What you see is that that one will actually come under outside. But what I want to do is to make both my ISP1 and my ISP2 a member of outside, so I'm just going to go back to this outside zone here, add the ISP1 as a member, and then click close. Notice that that one's actually gone from here, so it's no longer under the virtual-wan-link. So I have both ISP interfaces created here as members.

The next thing I'm going to do is to create a static route. Before I create the static route, I just need to quickly show you: the moment I create the outside zone, notice I have the outside zone created here, and you can see the two members there. I'm going to create a static route; this will allow traffic from your LAN over to your internet. Here I'm saying any; this 0.0.0.0/0.0.0.0 basically means any. And the interface I want it to go
through this time around is going to be the outside zone. I'm not going to choose any of the ISPs, because now they've been bonded together into a single zone, so I'm going to choose the outside zone, and that's all I need to do here for the static route. So you have the static route; this basically allows the traffic from the LAN over to the WAN, but you also need a policy to actually do that. Policies are very important, because without the policy you basically have an implicit deny for any traffic.

So here I'm going to create a new policy. I'm going to say "LAN to internet". The incoming interface is basically any traffic coming from my LAN, and where they're going to, they're going to my WAN, which is my outside zone. The source will be my LAN IP. In this case here, if you notice, this interface is on my LAN, which is port 3, which is actually my port 3 address here; yours might be different. So I'm just going to choose 9.3, which is basically specific, so anything coming from this particular address here but going anywhere. Next I'm going to say any service: whether we're trying to browse or trying to download, whatever kind of protocol you're trying to use over the internet should be allowed. So here you can see everything should be accepted. I'm going to enable NAT. If you do have the security profile licenses, you can turn them on, set all of these on or some of these on. In my case I'm just going to leave it off for now because, I don't know, I'm using the trial version, the trial period, so these licenses are now available for me to use. I'm going to turn on all sessions, and I'm going to make sure that the policy is enabled. I'm going to click OK.

What I've done basically is to create a firewall policy that will allow traffic from my LAN to go to the WAN. So right now any traffic from my LAN can actually go to the WAN. Okay, let me quickly show you a diagram of
what I'm doing. As you can see here, I have ISP1, I have ISP2, I then have my FortiGate firewall here, and this is my LAN. The LAN can be any kind of network you have; I just made something this simple. What I'm trying to say here is my ISP1 and my ISP2 will actually be failing over, so in case this is no longer a viable link, it will use the ISP2 to get to the internet. So all this traffic in the LAN here can use ISP1 or ISP2, or even use both of them, to go out to the internet, depending on how I want to set the performance policy or the SD-WAN rules. So basically this is all you have here, and I'm going to leave it like this. This is basically the diagram; this is what we're working on. The policy that I just created now is to allow all these devices here to go out through the WAN. Because we're using the outside zone, both of these ISPs here are included, so all this traffic can go to any of these interfaces here. That's basically what I'm going to try to show.

Now the next thing: earlier I actually disabled this particular policy, so I'm just going to switch it back, so that my traffic capturing is actually working for whatever policy I configure on this for now. Next, as you can see here, there's no traffic here; it's because nothing is going out. So next I'm going to go back to my SD-WAN. As you can see, it shows that most of the traffic I'm having is going through my port 1. I haven't configured any performance SLA. This is basically using bandwidth. The volume of bytes received is mainly on port 1, with less volume on port 2, and for sessions I've got more active sessions on port 1. This basically will be changing based on whichever link; this is essentially trying to balance
this over. So if I go to my PC, for example, let me open a terminal, and then let's just say traceroute, let's say google.com, three sets, okay. Right now my PC is going through a different interface. I'm going to reroute my traffic to go through this firewall; right now it's going through a different firewall. Give me a moment to reroute the traffic to go through this firewall.

Okay, I did change my default gateway from m.10 to 17.103, which basically means I'm now using the FortiGate as my default gateway on my PC. So my PC is now able to go to the internet using 57.10, which happens to be my WAN2 interface, which is actually here, 37 hours, because my WAN1, my ISP1, is 67. So it is going through the 57, what's it called, ISP2. If you look at the SD-WAN here, you will notice that most of the bandwidth is now going through port 2, as compared to earlier where most of it was going through port 1. When you look at the volume, I would say I still have more volume of traffic going through port 1, but when you look at the sessions, we have more sessions on... and if we look at this now, you can see that we have more traffic on ISP2 than we have on ISP1. If I run the traceroute again, what you will notice is that it's still going through the 57.10. Let's give it a moment to run that. Let me try that again; I probably just messed it up. Okay, it's running now. Now you can see that it's actually going through 57.

So what I'm going to do is create a performance SLA, and I'm going to create an SD-WAN rule that will move the traffic from WAN2 over to WAN1. First I'm going to do the performance SLA. There are default performance SLAs: we could use AWS to test, we can use Default DNS, which is Google DNS and all that kind of DNS, because I think this is a 40
minute, so you could use Gmail to test, or you could use Google to test, and we could use Office 365 to test as well. If you click on edit here you can just specify the member, so you can say, okay, I want, what's it called, ISP1 to participate; you could even use both of them if you want. But I prefer to create my own, what's it called, SLA.

So I'm going to create an SLA. I'm going to say ISP1 SLA. I'm going to use ping; notice that they have DNS, and you can use HTTP. I'm going to put it in active mode. I'm going to be pinging 4.2.2.2, or I could just be pinging 8.8 or 8.8, or I could ping a different DNS. So I'm just going to ping 4.2.2.2, and I'm going to set my participant to be my ISP1. Then I'm going to set my target SLA: the latency. We can set the latency to whatever kind of latency you want; I can say I want my latency to be three milliseconds. My jitter: you could set your jitter; I can say I don't want the jitter to be more than one millisecond, but I do not want any packet loss, so zero packet loss. I can set the check interval; it will be checking at a 500 millisecond interval. What I have here is "failures before inactive": how many times do you want it to time out before the link is marked inactive? I can say I want it to time out three times; it could be three, five, seven times, whatever I want, or three times. And then when does it restore the link? It will restore the link after five checks. So this is how to create the SLA, and this is the first SLA we've created.

I'm going to create a new SLA. I want to use ping, and I'm going to be pinging OpenDNS. I want to specify ISP2. I'm going to set that there. For this one I can just say, okay, I want this one to have a higher latency: my latency should be 10, my threshold, and my jitter threshold will be five, but this is still zero packet loss. I also don't want more than three
failed times, and I'm going to click OK there. So you can see I have an SLA for ISP1, the ISP1 SLA, and I have the ISP2 SLA, and these are basically the results. Let me go back there; notice that we have good results now.

Now I'm going to create an SD-WAN rule, because by default you have an implicit design. So we're going to create an SD-WAN rule for the preferred ISP. Because I prefer ISP1, I say ISP1 is my preferred link. I'm going to use all as the source address, I'm also going to use all as the destination address, and the service is basically going to be any. Then I'm going to be using best quality as my strategy for selection; it's basically going to be using the member with the best quality. You could use maximum bandwidth, you could use low cost, and so on. The next thing I'm going to do is select the interface preference: I basically want my ISP1 to be my preferred interface. Next I'm going to choose the measured SLA. Notice we have DNS and all the default ones, but I created the ISP1 SLA, and this is what I'm going to be using to measure. The quality criteria I'm using is latency, basically if the latency goes below this particular milliseconds; that's basically what I have there. I'm going to click OK.

So in this case what I've done here is to switch my preferred link over to ISP1. What you will notice here is that traffic will begin to change from this yellow, which is towards my ISP2, over to port 1 over time, and the same thing with sessions as well. So let's see if we can create some more traffic. Basically all I'm doing is creating some traffic on my network, and what you will see is that you'll be having more traffic on, what's it called, the primary ISP link. As you can see, you can see the area of the circle we have here,
compared to what we had earlier. So I'll just push more traffic over to ISP1, and then we'll go to the volume, which has also changed; we'll go to the sessions and that's also changed, because we basically switched over our preferred link from ISP1 to ISP2. Now let me show you this. Remember when we did that first part earlier, it was going through 57, but when we did the SD-WAN rule, notice it's now going through 67. So right now it is going through 67, which is my ISP1.

Now how would you know if this link is failing over correctly? You could disable the ISP1 and then see if the traffic goes over to ISP2. Let me run a ping, and I'm going to go to my interfaces. I'm going to disable my WAN1, and I'm going to open the ping back up. Notice it's still pinging; it looks as if it's going to fail, but the ping still continues despite the fact that ISP1 is disabled. If I disable my ISP2, the link is actually going to fail. So let me break this and then do that traceroute again. Notice it's going to switch automatically over to 57. I'm waiting for that to come up. Watch this: notice that it switched automatically to 57.

Now I'm going to break this, turn my ping back on, and enable port 1 again. As you can still see, it's still going on; editing by clicking basically breaks away. Now the ping is still going on. If I go back and do my traceroute, what you will notice, watch this, notice it's still on 57. I'm going to give it time; it's going to take some minutes. Currently it's still using the secondary link. What I will do is just give it a moment, and you'll see automatically it will switch over back, because of the SLA setting, which says it's going to switch over back. So I'm going to try it again. This basically checks every 500 milliseconds, so I have to wait for those checks to actually go through. Notice that it automatically switched over back to 67.
Now it took a while, but because of the performance SLA that we have, let me show you what we have here, it says that it will check at 500 milliseconds. So basically it's going to say, okay, let me wait 500 milliseconds before I check if the link has been restored. It's going to check the link five times to see five successes. So once it does the five-times check, any time after this is basically more like a wait time, and then after it takes five seconds, other than five times, it's like, okay, now I'm good, now the link can take over as a primary link. So automatically, you notice, the link actually came back online as a primary link. Let me break that and then try that again. Oh, sorry, so this is still going to be the primary link. So this is basically how this works.

What I'm going to do next is go back to my SD-WAN. As you can still see, on this you actually have more of the traffic on ISP1; on bandwidth you have more on ISP1; on volume in this case you have more on ISP2. Let's try and increase this. You can see this is what we have, so let's try and create more traffic again. I'm going to refresh this, and I'm going to refresh this as well. Notice that, and notice that this has changed.

What I want to do at this point, before I do anything, is show you that right now I'm still going through my ISP1. So if I disable ISP2, ISP1 will still be working; if I disable ISP1, ISP2 would take over. So if I come back here, let me go back to my ping, then I disable ISP1. Notice my ping is still going on. But if I disable ISP2, watch this, notice that both of them have failed. Then let's say I re-enable my ISP1, and let's disable ISP1 again, and let's enable ISP2. As you can see, traffic is going to ISP2. How do we confirm that? If we do the traceroute again, you will see the traffic is growing
and going through ISP2. Notice that. And when it comes back online, like when ISP1 comes back online, the traffic will go through ISP1. Now let me quickly run some traffic over this, run some speed tests. Now if I go back to my SD-WAN and go over to my outside zone, you basically will see traffic over this. I'm waiting for traffic to actually go over that link. Let me see. Okay, good, we have traffic going over there. Let me try to refresh that page. There's nothing going through ISP1 at the moment; it's basically disabled. Notice ISP2 is what we have the traffic on, and that's the same thing with sessions. For volume and sessions, everything is basically ISP2.

So if we turn ISP1 back online, it will basically take a while before ISP1 takes over from ISP2. Let me break this, because it's still pinging. When ISP1 comes back online, which it currently is, it's still going to take about 500 milliseconds to actually check, because it checks every 500 milliseconds, and after that it will then check for five successes, which is basically pinging and seeing five replies without any one breaking. Once that happens it will then switch over to ISP1. So let's see if it switches over to ISP1 now. Let's move some traffic onto ISP1. Let's go back to our SD-WAN. One thing you'll notice here, as you can still see, is that ISP2 still has more traffic than ISP1, but over time you will notice that ISP1 is basically going to take over. Notice this again: ISP1 is taking a while on bandwidth, and sessions are increasing more. Let's do this speed test again. While that one is running, let's check again. Notice in bandwidth we have more of ISP1, and volume is still increasing. Notice this is increasing more, and sessions are increasing more. You can check here as well, when you see that traffic is
basically moving over this. So when you go to your policy, you basically will see all the traffic that has actually been moving over the WAN interface. You can see we've actually pulled about 17 gigs of traffic already.

So basically this is how you can configure SD-WAN for failover on your FortiGate firewall. Please put in the likes and the comments if you want to learn more about SD-WAN. This is basically just failover; there are more things that SD-WAN does apart from just failover, other things that you can use SD-WAN for. So SD-WAN is not just strictly for failover; you can use it to determine which path should be used when it comes to which application is more preferred. For your, what's it called, application that uses real-time traffic, do you want to use your ISP2 over your ISP1? That's more in-depth SD-WAN, but for now this is basically using SD-WAN as a failover link.

Thank you for watching. Please do like, subscribe and share this video. If this video has been helpful to you, please share it with others; I would like to increase my subscriber list on this channel. Thank you.
Info
Channel: Techy-World
Views: 1,930
Keywords: dual wan, dual isp, dual isp failover, dual wan failover, fortinet tutorial, dual isp failover fortigate
Id: cHRCMPXepfw
Length: 30min 40sec (1840 seconds)
Published: Wed Jun 21 2023