I needed this a year ago. I tried to use this setup to keep things simple when adding a Fortiextender, rather than using sdwan, but cookbook and support said I needed static gateways to enter in the monitor settings...guess I should have tried! Thanks!
When they eliminated ECMP failover in the GUI in v5.4 and I called support to find out how to do this, their tech had me so confused I stayed on v5.2 for another couple of years. I won't even mention how they wanted me to set it up with SD-WAN. Keep up the great work!
Can you do an update on how to set up site-to-site VPNs with WAN failover?
Thank you for the priority setting and administrative distance advice at the end of the video; that was very helpful. I was trying to figure that out before seeing your video.
Too true, a very simple and great approach to WAN failover.
The next level up I gather is to implement SD-WAN, as it gives more granularity with performance metrics, so that e.g. voice paths traverse links with the lowest latency and jitter.
That is correct. SD-WAN adds the capability to easily route traffic over certain links, etc.
Thanks to Mike's tutorials I've configured a pair of 80Es in HA, and I'm also using SD-WAN for link monitoring! But before having HA I was using link monitor too.
Yeah. I like the SD WAN features. Link monitors hold a spot near and dear to my heart.
@@FortinetGuru Could you create a vid on SD WAN features, to explain SLA a bit?
BR!
Simple easy to follow instructions. I now have failover setup! Thanks for the help!
You mention using Zones for the outside interfaces, why not use SDWAN?
Finally getting round to sorting out our firewalls, it's a mess :(
Two external interfaces, one with a /24 and the other a /30. I am wondering how traffic will behave when it has come in via the backup connection (will have to get the ISPs to do BGP). We have lots of public services which have public IPs from the primary WAN but not WAN2. Can traffic pass from WAN2 to WAN1? Or will zoning sort this out, with one IP scope for the zone rather than individual interfaces having IPs?
It's a live system 24/7 so can't play too much.
When this video was made SDWAN wasn’t as mature on Fortinet. (In my opinion). It has come a long ways since then.
The only thing you will fight with the firewall sharing a /24 out both links is asynchronous routing. Can’t always guarantee an isp is going to return traffic the path you sent it out.
Receive a default route from both and send it, IMO.
@@FortinetGuru heh, thanks for getting back. Concerning the path traffic may return on, is there any way it can access/see the ip scope on WAN1 say if the traffic comes from WAN2? Policy all/all between the WAN links ?
Hope that makes sense.
More importantly I hope you are doing well.
Chris.
Thank you, great explanation. Subscribed.
Awesome video, really helped me out. I just have one question: how does it know which route to pull? Will it just pull any route based on the interface?
Does this only work if the primary interface shows "up"? Reason for the question: could you set up wan1 and wan2 where wan1 is a metered connection (after 300 GB the cost goes up)? In this setup, could we pull the plug physically on wan1, have wan2 engage, and then re-engage wan1 when the next billing cycle rolls through? This is in a rural area and there are literally only 2 options for internet (excluding satellite).
Hi, I have a setup where 2 100Fs are running in A-A mode and one ISP link terminates on each firewall. Please suggest how to achieve failover in case of link failure or ISP failure.
Hi,
Great video.
For the backup interface, should the firewall policies be set exactly the same (of course using the backup IP/interface)?
It would. Using zones prevents the need for duplicate policies however.
Hello Guru, I have a question for you about ISP failover.
So my question is: if a system is connected with two ISPs (ISP1 and ISP2), with a firewall attached between the switch and the ISPs, and ISP1 goes down, how will ISP2 automatically take the load without being configured like ISP1?
What is that term called?
I'm new to FortiGate, but I wanted to know how to change the settings for failover. Scenario: the WAN 1 ISP is being taken out and we want WAN 2 to be the primary link. However, we want to configure the failover so that WAN 2 is primary and WAN 1 is the failover only if WAN 2 goes down. I want to test it and make sure it's working before cutting off the current ISP WAN 1 link, so when we bring in another ISP it will be easier to configure the failover. Is this something easy to do?
Hi, did you manage to do this? Did you just use AD and priority? I take it you had static routes?
Thanks for this great video sir. Question for ya--can WAN failover still be accomplished if using 2 fortigates in a high availability configuration?
Yes. With 900 different ways to skin the cat depending on your use-case or need.
you are soooooo underrated
You had wan1 and wan2 in a zone, that helps with the policies, can you tell how to create the zone when the individual interfaces are already in use by policies?
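The zone setup the video uses (and that the two comments above ask about: one policy instead of duplicated per-interface policies, and how to get there when wan1/wan2 are already referenced by policies) looks like this on the CLI. This is an added example, not the video's own config or any commenter's. The zone name, policy name and the "internal" interface are assumed; wan1/wan2 follow the video. Two practical points: the FortiGate refuses to add an interface to a zone while a firewall policy still references that interface directly, so the existing wan1/wan2 policies have to be re-pointed at the zone or deleted first (a maintenance-window job on a 24/7 box), and the member interfaces keep their own IP addresses, since a zone is only a grouping for policy purposes.

```fortios
# Added example, not from the video or the comments: a zone holding both WAN
# interfaces so a single policy serves either path. "WAN-Zone", "LAN-to-Internet"
# and "internal" are assumed names; wan1/wan2 follow the video.
config system zone
    edit "WAN-Zone"
        set interface "wan1" "wan2"
        set intrazone deny               # no wan1<->wan2 hairpin forwarding inside the zone
    next
end

config firewall policy
    edit 10
        set name "LAN-to-Internet"
        set srcintf "internal"
        set dstintf "WAN-Zone"           # matches whichever member interface the routing table picks
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set nat enable                   # SNAT to the egress interface's own address
        set logtraffic all
    next
end
```

Because `set nat enable` sources traffic from whichever interface is chosen, a failover to wan2 changes the public source address; anything on the far side that whitelists the wan1 block will break unless you own the block and announce it over both links with BGP, which is the point made later in this thread.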
Hi Guru, I am using a FortiGate and I have 2 WAN connections (WAN1 and WAN2). When I configure "config sys link-monitor" and then "set srcintf wan2", it gives me the error "value parse error before 'WAN2'". I cannot see wan2/wan1 when I type ? after "set srcintf"... why is that?
Great video as usual :) thank you.
We have an ip block /24 and you mention setting up BGP as a preference. Why is this? (If its a stupid question feel free to slap me down).
We have two connections, a 10 Gb (whoop whoop) and a 1 Gb, and currently both are set to static, and we're going to use AD to pump everything out the 10 Gb. I was looking at your suggestion of link monitor till you mentioned BGP. We have statics also set for our internal. All our servers have IPs on the /24 external range (NAT of course).
Note: our 1 Gb backup connection is using a /30.
BGP is wonderful because if you have public-facing resources you don't have to do any weird DNS failovers. You present your inbound and outbound traffic as the same subnet space, so if you have vendors that require IP whitelisting you can provide them a single one instead of multiples from other providers. It also gives you the ability to have IPsec tunnels auto-failover to other links if the primary fails (because they are tied to a loopback address that is tied to the /24 that is being broadcast out of multiple links).
Thank you sir! Great video
Great video. Do you have any videos in regards to fortimanager and how policy packages can be simplified using zones?
I don’t yet but I can make some.
Fortinet Guru that would be awesome. I really need a way to manage the webfiltering in a consistent manner at like 50 different sites. Mixed bag of fortigates as well but they all run 6.0. If I could create consistency with the policies that would be awesome as well. Thanks for everything you do👍
You can also use the link-monitor to monitor sites (from the point of view of the remote site); using SNMP you can view latency, jitter, etc.
    config system link-monitor
        # The posted snippet omits "set srcintf", which most FortiOS releases
        # require on each entry; add the interface each probe should egress from.
        edit "Outlook_HTTP"
            set server "outlook.com"
            set protocol http
            set interval 10
            set update-cascade-interface disable   # do not take other interfaces down on failure
            set update-static-route disable        # monitor only; leave the routing table alone
        next
        edit "TER-INET_Ping"
            set server "8.8.8.8" "1.0.0.1"         # default protocol is ping
            set update-cascade-interface disable
            set update-static-route disable
        next
        edit "DC6_Ping"
            set server "internal.fqdn.local"
            set source-ip 10.1.0.1                 # probe from this address so the DC sees a known source
            set interval 10
            set update-cascade-interface disable
            set update-static-route disable
        next
    end
First, War Eagle! But I'm in the opposite situation. We're mostly remote and have a very reliable primary connection, so I want to remove my secondary. Our Fortigate is configured (was set up by a consultant) with failover via this method. Based on your video, I can see both the WAN1 and WAN2 monitor. What should I do to remove these and remove failover? I can see that I can disable them with the status option, but can I delete them?
War Eagle!
You can skin the cat however you see fit. WAN1 and WAN2 failover monitors are nice if you are using specific links for specific items. If you are just wanting to force all traffic out WAN1 and only utilize WAN2 during a failover solution then you only need WAN1 to be monitored. Either that or start diving into the world of SD-WAN on the Fortinet device and utilize SLA's and such.
Followed your guide. It's working as you describe, but what happens when your primary link gets back online again? My setup just remained on the secondary after the primary was back online. Please advise.
I have this exact same issue, how do I get it to go back to my wan1?
@@JohanBosman1 I tested again in GNS3 and it worked as described in the video, not sure what mistake I made originally
@@guillaumebesner2331 I managed to fix the problem by adding 2 static routes, one for wan1 and one for wan2, keeping the same administrative distance but changing the priority for wan1 to 2 and the priority for wan2 to 5, and it is now working as intended.
Great video, thank you! I had a question though: it seems that unless I change the AD of the interfaces so that the backup is higher, both default routes are in the routing table (although showing the configured priority). If I change the AD then the secondary connection only enters the routing table when the monitor goes down. Is it ok to have both default routes in the table with different priorities?
Absolutely. You want them both in the table so they can both respond to traffic that comes into them. The priority is what gives one preference for outbound traffic
@@FortinetGuru Ah! awesome explanation, I get it. And also the reason why I'll be able to connect to the mgmt on the backup link should I need to. tvm!!
What happens if you configure 2 link monitors for the same interface, for example "8.8.8.8" and "1.1.1.1", and "8.8.8.8" is down but "1.1.1.1" is still up? Does the FortiGate switch to the secondary interface, or because "1.1.1.1" is still up doesn't it switch? Thank you, great video!
You would set two servers on a single link monitor
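Putting the last two threads together (equal distance with different priority so both default routes stay in the table, and two probe targets on a single monitor so one dead resolver does not trigger a failover), the complete config looks like this. This is an added example, not the video's config or anything a commenter posted. The gateway addresses are placeholders from the documentation ranges, the probe targets are an assumed choice (the ISP's own resolvers are a reasonable alternative), and wan1/wan2 follow the video. Only wan1 is monitored, matching the approach described earlier in the thread: wan2 is pure backup and needs no monitor of its own.

```fortios
# Added example for this thread (not the video's config or any commenter's): two
# default routes with equal distance and different priority, plus one link monitor
# on wan1 probing two targets. Gateways are assumed placeholders; wan1/wan2 follow the video.
config router static
    edit 1
        set dst 0.0.0.0/0
        set device "wan1"
        set gateway 203.0.113.1          # assumed ISP1 next hop
        set distance 10
        set priority 5                   # lower value is preferred for egress
    next
    edit 2
        set dst 0.0.0.0/0
        set device "wan2"
        set gateway 198.51.100.1         # assumed ISP2 next hop
        set distance 10                  # equal distance keeps both routes active in the table
        set priority 20                  # carries egress only while route 1 is withdrawn
    next
end

config system link-monitor
    edit "wan1-monitor"
        set srcintf "wan1"
        set server "8.8.8.8" "1.1.1.1"    # assumed probe targets; the monitor fails only when both stop answering
        set protocol ping
        set gateway-ip 203.0.113.1        # assumed ISP1 next hop, same as route 1
        set interval 5                    # seconds on 6.x; 7.x expresses this in milliseconds
        set failtime 5                    # consecutive failures before the link is marked down
        set recoverytime 5                # consecutive successes before it is marked up again
        set update-cascade-interface disable
        set update-static-route enable    # withdraw wan1's static routes on failure, restore on recovery
    next
end
```

While wan1 is down, only route 2 is in the table, so everything egresses wan2 and the wan2 address still answers inbound (including management). When the probes recover, route 1 returns with the lower priority value and new sessions move back to wan1, which is the failback the earlier comment was missing without the priority split. Existing NAT sessions stay pinned to wan2 until they expire unless `set snat-route-change enable` is set under `config system global`, which tells the FortiGate to re-evaluate them on a route change. The "down only when every server fails" behaviour for multiple servers is the default mode on the releases this thread covers; on newer releases that add a `server-config` option, confirm the mode against the CLI reference for your build.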
So these steps can also be done on a FortiGate F60, right?
Pretty much any model of FortiGate that has multiple paths to the internet.
Can you please send me a configuration running 2 ISP with web server configuration. Thanks in advance.
Hi Mike, good video and very interesting information. If I create an outside zone with two WAN interfaces, can I assign a different IP to each interface in the zone?
You mentioned that we should not install 6.4 - I recently received an RMA, and the tech recommended 6.4 (I was previously running 6.0). Is 6.4 stable yet? The tech claimed it was more stable than 6.2?
6.4.6 is nice. At the release of this video 6.4 was still in the early patch phases.
Thanks for the video. I have a failover with 3 mobile hotspot routers, with a base GB plan at each router, so when I finish my GB the download speed is lower than 1 Mbps (still having access to the internet). Is there a way to shut down a WAN interface when the ISP reduces the internet speed?
Mike, you configured live monitor only for wan1, what about wan2, do you have to do it?
I only configure it for wan1 because wan2 is the backup. I only want it to take over if wan1 fails. Otherwise, it’s non-existent to me
Awesome thanks
Is this the correct way to make 2 WANs work at the same time? I have created a list of addresses on the FortiGate, created a group where I put them all, then created the policy to make all of this group go out via wan2; the others will go on wan1. I've made another IPv4 policy underneath with all/all and wan1, but it doesn't work. What am I doing wrong?
Not sure I am 100% following what you are saying. I group my WAN by zone so I can utilize single policy to flow traffic to each interface (if they are serving the same purpose)
Thanks a lot
Hi, I am a private person. Is there a Fortinet product you can recommend that I can use for my 2 ISPs? There are only 4 computers max with ethernet and a number of mobile devices via wifi.
Of course this should not be a business solution, only provide a redundant internet connection.
#sendhelpPLZ :-) thanks
A 40F or a 60F would suffice
So where is the part where you fail over to WAN 2?
The SLA fails and yanks the route of the interface experiencing issues.
You are damn good 😊
Great - Fortinet WAN Failover Demystified
It is not difficult but if you have never done something before it can feel daunting. Glad this helps.
All code you get is GA unless you're on special build code.
This is true. .0 GA is the first one though. Always issues for people that use the deeper features.
Ok! Geesh! 2:44 =)
you are probably better off pinging your isp dns server
It's so annoying when you know so much about this that you seem bored telling us. I usually take it as a sign the presenter knows what he is talking about.
Thanks!!