In an office or branch location that relies on internet access for productivity, it’s obviously typical to see a primary and secondary internet connection from two separate providers. In IPv4 world if you are not using your own IP space and BGP peering with the upstream providers, then automatic failover when the primary connection goes down becomes a concern. In a simple active/passive two ISP to one router (dual homed) setup, the router/firewall will have two static default routes for each provider. Each route will have a weight or metric determining which one is more preferred. Active/Active connections is an option, especially now with the rise of SD-WAN solutions, but often times a simple active/passive is what’s needed. In Fortinet world the metric for active/passive is Distance. The lower the Distance the more preferred the route.

In the image above the primary ISP route will be used due to the distance value of 1. But how does the firewall know when the Primary ISP is having issues and needs to stop sending internet bound traffic that way? With this configuration by itself, the only way the firewall will remove the default route to our primary ISP is if the interface on the device itself goes down. As most network operators know, it’s very common for a physical interface on a router/firewall to stay up, but the modem or somewhere upstream is actually not working. What we really need to do for this situation is setup what Fortinet calls a Link Monitor (previously called Dead Gateway Detection).

The function of the Link Monitor is to take an interface and continuously try and call out to an IP address up stream. ‘Call out’ to an IP address means ping, tcp/udp echo, or http query. But the general idea for this scenario is if the Fortigate can access something upstream then the internet connection must be alive and well. If after the specified link monitor failure attempts occurs, then the firewall will either shut down the Primary ISP interface or simply update the routing table. In the configuration example below the firewall is set to ping 8.8.8.8 out the Primary ISP interface.

SETTINGS OF IMPORTANCE:

set interval 2 = Time in seconds between sending link health check packets. Set to 2 seconds.

set failtime 5 = Number of times a health check can fail.

set recoverytime 10 = Number of times health check must succeed to verify connection is back up.

set update-static-route enable = Removes static route from routing table if link monitor fails.

In our dual homed example the Fortigate sends a ping to 8.8.8.8 out WAN1 connected to the Primary ISP every 2 seconds. If the ping fails to reach 8.8.8.8 five times in a row then the default static route is removed from the firewall routing table and the secondary default static route takes over. Once the ping succeeds over the Primary ISP interface 10 times, the default static route is added back.

The configuration above is what I’ve used in the past successfully which differs from the Fortinet Link Monitor defaults. With the default settings I’ve had issues with flapping between connections. Every situation is different but the configuration above for internet connections is what I’ve had the best luck with. The Link Monitor feature is what Cisco world calls an IP SLA.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s