FortiGate: Simple WAN Fail-Over

Captions
My hair's down. So if you guys are like me, chances are you're working from home, which means you're, you know, at your house with a single internet connection, and just like me you're going to inevitably hit a snag where your primary internet fails. I had that happen yesterday. You know what good a firewall engineer and an IT professional is when their internet's down? I was basically knocked down a few pegs to, uh, conference call junkie. Anyways, while I was down and out and a little bit frustrated, I decided to do some research on previous videos that I've done and what they covered, as well as, you know, how to tackle this issue, and much to my surprise I realized that pretty much the only video I have revolving around multiple WANs and failover is a video that specifically talks about a FortiGate cluster, an HA cluster, communicating with multiple ISPs, and I didn't even do a step-by-step on that one. So I figured I'd do you a solid and do a basic "I have a single FortiGate, but I have two ISPs and one of them I only want to use for failover." Keeping it simple, keeping it sweet, this is how you set up a FortiGate device so that WAN1 will be your primary and WAN2 will be your failover in the event that WAN1 fails.

Now, before we jump in, there's one thing I want to make sure you know, and that is this isn't for when the interface is physically down. This isn't a hard down. This is for situations where your interface is up, WAN1 is showing green on the FortiGate. Like, let's say you're internal to the FortiGate and you decide to log into it, and when you log in you see the network interface is up. Well, you know, usually in situations like that, if it's DHCP or whatever and you have equal routes, etc. etc., it'll at least pull the route because of the interface, but if that interface is up it's going to keep it there, right? So the link monitor is going to test the interface as well, and in the event that it can't reach the server you define, that's when you'll get the actual failover that you desire.

So let's jump right in. I'm going to go ahead and start off by saying this is on a FortiWiFi 61E. It does not have a secondary internet connection; this is specifically so we can go through the actual process as far as the CLI goes. I also want to make mention that this is on 6.4.0. Do not install it, don't install it on a production unit, I'm warning you. It's GA with Fortinet; I usually say it stands for "generally ass." It's going to be buggy, right? Last thing you want to do is be the little tech guy on the phones, you know, the guinea pig. But I digress. Anyways, so I'm going to log in to my FortiWiFi here, which is sitting on the counter behind me, you know, living its best life. It's helping me make videos to help give people some level of comfort whenever they first dive into these things, right?

So you look at my interfaces. If you already have a firewall that's in place you might not have zones, which means your policy probably looks like LAN to WAN1, LAN to DMZ, etc. etc. I like to keep my interfaces configured using zones; it helps keep things simple from a policy standpoint. If there's an outside interface, WAN1, WAN2, I assign it to the outside zone. If it's an inside interface, LAN, Wi-Fi, whatever, I install it, or, you know, place it within the inside zone. There's a DMZ VLAN, bad line, I don't even know where that came from, there's a DMZ VLAN, DMZ zone, etc. That way, if you have a situation where you need to add multiple interfaces, or maybe you're porting over your policy set to a new device, or what if your physical arrangement changes, you're kind of screwed into having to redo all those policies, right? Well, not so much for this, because it's just inside to outside, outside to inside, inside to DMZ, etc. Fortinet did come out with a way of giving a role to an interface, you know, you can say it's a DMZ or a LAN or whatever, but to quote Lord of War, "I prefer my way." So, whatever. I have an outside zone that has both WAN1 and WAN2, and then I have my inside zone that has my data VLAN. So, groovy, we have what we need.

So from there we jump in. You configure this on the CLI. This is not SD-WAN, this is not, you know, Fortinet's "insert special effects here," which is what marketing's been nonstop about, right? This is WAN link failover: the primary WAN serves all functionality, and if it buggers up, let's jump on over to WAN2, right? So first things first is we go to config system link-monitor. Link monitor is all you need: config system link-monitor. And then from there you can do a get. I don't have any installed yet. Since my primary internet link is the one I'm wanting to monitor, I'm going to edit, and then I'm going to title this thing wan1. Keep it simple, as I like to do with all of my firewall configurations. Keep it simple; that way, if you step off a cliff or you need to hire new help or whatever, any engineer can really jump in here and kind of, you know, make heads and tails of what's what. So edit wan1. That creates the link monitor titled wan1, and this is where we have our list of information, and we can actually set it.

So we're sitting here: name, wan1; it's monitoring the wan1 interface. Address mode: you have two options here, you can do IPv4 or you can do IPv6. Stick with me; most of you probably will. If you're in a situation where you do IPv6, more power to you. Most of the U.S. is fairly lagging behind from a network architecture standpoint with their actual implementation of it, not to mention the engineers themselves just don't get it yet. Source interface: this is the interface you wish to test from. If I'm wanting to watch the connectivity of WAN1, my source interface is going to be WAN1. You know, if you're on a FortiGate and your WAN1 connection is port1, then your source interface will be port1. Server: this is what you wish to actually test connectivity to. I almost always use Google; it very seldom has any kind of issues, very reliable, and your pings aren't going to concern them, they get hit with tons of traffic all the time. Protocol is ping, because I'm using the ping protocol to test connectivity. You do have other options there, like TCP echo, UDP echo, HTTP GET, and TWAMP, so, you know, echo link monitors, HTTP, it's just changing the way it's testing the connectivity, right?

So we have our source interface, we have our server set. Now we need to look at things like our interval, our timeout, our recovery. Interval is how many milliseconds between tests; it's going to test every 500 milliseconds out of the box. This device, whenever you set up a link monitor, is going to go "hey, you there? hey, you there? hey, you there?" It's going to keep doing it and keep doing it. The probe timeout is how long it's going to wait on that probe to come back before it considers it lost, which means every 500 milliseconds it's going to send a test, and if it doesn't get a response to that test within 500 milliseconds, that was a failure. And then fail time and recovery time, these two options right here: fail time is how many times in a row a probe needs to fail in order for it to pull the route, which is referenced here, update cascade interface, update static route, you know, pull the information related to that interface if it fails enough times. Recovery time is the same exact thing; it's going to be successful five times in a row, in succession, not "oh, I worked here, didn't work there, worked two times, didn't work there," not a crappy line. Five in a row, and once it hits five in a row of successful connection attempts, it'll reinstall that route. Status is enabled, HA priority is 1. So, you know, that's how you do it; that's pretty much your interface, right?

So you can go to next, and then you can do a get, and you see it there: wan1 is the one I created. And then you do a show; you can actually see the parameters that were configured. I keep it very, very simple. Gateway IP and source IP: it'll use whatever is set for that interface if you leave it on quad zero, but if you wanted it to take another path or do something else, you have that capability. I like this a lot from the standpoint that it does a very good job of making sure, if the interface is physically up but it's still experiencing connectivity issues, you're okay, right? So that's good. And then you come in here and you look under Logging and Reporting, under Events, System Events, up here in the top right: "Link monitor initial state is alive, using protocol ping." And if I were to, you know, pull that out and make it to where it couldn't get to 8.8.8.8 on my upstream firewall, you would see it get pulled down accordingly.

So that is how you do link monitoring. There are a few things to consider. One, you need to have two upstream connections to whatever you're trying to test link monitoring to. Two, it doesn't have to be limited to WAN. If you have multiple paths to anything, you can use this. So if you have multiple internal paths, let's say your firewall is on a /30 between it and switch 1 and it has another /30 between it and switch 2, so you have a redundant path there, you can use it there as well. So you've got a lot of flexibility in that regard. Number two, it's going to use the device and the route that has priority. So if you have two routes that have an administrative distance of 10 but one has a priority of 20, the one with the lower priority is going to get preference. Priority on a FortiGate is like cost on a Cisco device. So usually in situations like this you want WAN1 and WAN2 to have the same AD, administrative distance, and WAN2 to have a higher priority; that way it doesn't give preference, or, you know, no, that's pretty much what you want to do, right? And same thing for anything that has multiple routes. Anything a FortiGate does, FortiOS follows RFC to 18, so anything FortiOS does is going to follow the RFC; it's going to follow the route table to note which path to take. So just pay attention to that and you're on your way.

That's a simple layout on how to make it where, if your primary internet has an issue, it'll pull that route and start using your secondary. Obviously this isn't going to be the most useful situation for organizations that have public IP space and they're looking at, you know, self-hosting servers. When you get to that point, just go ahead and order you an IP block and start doing BGP. So, I mean, if you want to do it right, do it right, right? Otherwise you have to deal with multiple VIPs and multiple MX records and A records and all that stuff to get your stuff jiving the way you want it to, and that's just a pain in the butt.

So that's how you do it. If you have any questions, hit them up in the comments below; I'll be more than happy to answer them. If I did a poor job elaborating on anything, just let me know and I will, you know, make edits and add to it. So if you have questions, hit me up, more than happy to answer them. Otherwise, you guys have a great day, and you let me know if you need anything. Thank you.
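The fail-time/recovery-time counting and the distance-then-priority route choice described in the captions are easy to get wrong in your head (a single lost probe during recovery restarts the whole streak, and a route that is still installed but has a higher priority never carries traffic while the lower-priority one exists). The model below is an added example written for this page, not Fortinet code and not the video's own configuration: the LinkMonitor and StaticRoute classes are hypothetical simulations whose field names mirror the link-monitor options the video names (interval, probe timeout, fail time, recovery time), and every probe result is constructed.

```python
"""Simulation of a FortiGate-style link monitor plus static-route selection.

Hypothetical model written for this page; it is not FortiOS code. Probe
results in run_scenario() are constructed. Defaults follow the values the
video mentions: 500 ms interval, 500 ms probe timeout, 5 fails / 5 recovers.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple


@dataclass
class LinkMonitor:
    """Withdraws the monitored route after `failtime` consecutive failures and
    reinstalls it after `recoverytime` consecutive successes. Any single
    opposite result resets the streak, so a flapping line does not recover."""
    name: str
    interval_ms: int = 500        # time between probes
    probe_timeout_ms: int = 500   # reply later than this counts as lost
    failtime: int = 5             # consecutive failures before route is pulled
    recoverytime: int = 5         # consecutive successes before route returns
    route_installed: bool = True
    fail_streak: int = 0
    ok_streak: int = 0
    elapsed_ms: int = 0
    events: List[Tuple[int, str]] = field(default_factory=list)

    def probe(self, reply_ms: Optional[int]) -> bool:
        """Feed one probe result: round-trip time in ms, or None for no reply.
        Returns whether the route is installed after this probe."""
        self.elapsed_ms += self.interval_ms
        success = reply_ms is not None and reply_ms <= self.probe_timeout_ms
        if success:
            self.ok_streak += 1
            self.fail_streak = 0
        else:
            self.fail_streak += 1
            self.ok_streak = 0

        if self.route_installed and self.fail_streak >= self.failtime:
            self.route_installed = False
            self.events.append((self.elapsed_ms, f"{self.name}: route withdrawn"))
        elif not self.route_installed and self.ok_streak >= self.recoverytime:
            self.route_installed = True
            self.events.append((self.elapsed_ms, f"{self.name}: route reinstalled"))
        return self.route_installed


@dataclass(frozen=True)
class StaticRoute:
    device: str
    distance: int   # administrative distance: lower wins first
    priority: int   # tie-breaker among equal distance: lower wins


def select_route(routes: List[StaticRoute], installed: Dict[str, bool]) -> Optional[StaticRoute]:
    """Pick the active default route: lowest distance, then lowest priority,
    considering only routes the link monitor still has installed."""
    candidates = [r for r in routes if installed.get(r.device, True)]
    if not candidates:
        return None
    return min(candidates, key=lambda r: (r.distance, r.priority))


def run_scenario() -> List[str]:
    """Drive wan1 through healthy probes, an outage, one flap, then recovery."""
    mon = LinkMonitor("wan1")
    routes = [StaticRoute("wan1", 10, 0), StaticRoute("wan2", 10, 20)]
    # constructed replies in ms; None = lost, 900 = late (> probe timeout)
    probes = [20, 25, None, 900, None, None, None, None,
              None, 30, 30, None, 30, 30, 30, 30, 30, 30]
    log = []
    for rtt in probes:
        mon.probe(rtt)
        active = select_route(routes, {"wan1": mon.route_installed})
        name = active.device if active else "none"
        log.append(f"t={mon.elapsed_ms:5d}ms wan1_installed={mon.route_installed} active={name}")
    return log + [f"t={t}ms {e}" for t, e in mon.events]


if __name__ == "__main__":
    print("\n".join(run_scenario()))
```

Running it shows the route withdrawn 3.5 s into the outage (five 500 ms probes after the first loss) and not reinstalled until 8.5 s, because the single lost probe at t=6000 ms resets the recovery streak. In the FortiOS CLI the same knobs are `set interval`, `set probe-timeout`, `set failtime` and `set recoverytime` under `config system link-monitor`, and the tie-breaker is `set priority` on each entry under `config router static`; keep both default routes at the same distance so the secondary stays in the routing table but is only used once the primary's route is pulled.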
Info
Channel: Fortinet Guru
Views: 44,668
Id: unsQ7qB2_5M
Length: 13min 12sec (792 seconds)
Published: Tue Apr 21 2020