Failover Routing – Fortigates – Dead Peer Gateway Style

Redundancy is a necessary factor of networking and an important part of high availability. There are different forms, and failover routing is one of them. Using the dead peer gateway method is one way to ensure traffic fails over from one interface to another. It is a simple concept and there are a few knowledge base articles on how to do it. I am writing this article because in my experience, following the KB articles provided by Fortigate, the 2009 and 2014 versions, I ran into issues. I am here to make things as concise as possible.
Setting up failover routing requires the link monitor to be configured, along with ensuring that traffic will flow in the same manner as it does over the primary link. That means firewall rules must allow the traffic through both the primary and secondary ports. Routes must also be in place for both ports, but with different distances so that the secondary route is in use ONLY when the primary one has gone down. In the end it is a rather simple thing, but I will document it step by step and explain.

If port2 goes down, traffic will fail over to port3, and vice versa. This requires monitoring of the interface, proper routing, and firewall policies.

·         Site A is on Port 2 (192.168.22.0/24)
·         Site B is on Port 3 (192.168.24.0/24)

Set the link monitor


When creating the link monitor, use a gateway to check that will




The gateway must be the gateway IP of the interface specified.

Adjust the static routes

Static routes must be adjusted for each network that should fail over. The same destination network must be defined on both port 2 and port 3, but with different administrative distances. The route with the lower distance (10 rather than 15) takes precedence, so traffic uses it while that link is up; when the link monitor declares the gateway dead, that route is withdrawn and the higher-distance route on the other port takes over.
config router static
    edit 2
        set dst 192.168.24.0 255.255.255.0
        set gateway 10.10.102.2
        set distance 10
        set weight 0
        set priority 0
        set device "port3"
        set comment ''
        set blackhole disable
        set dynamic-gateway disable
        set virtual-wan-link disable
    next
    edit 12
        set dst 192.168.24.0 255.255.255.0
        set gateway 10.10.101.2
        set distance 15
        set weight 0
        set priority 0
        set device "port2"
        set comment ''
        set blackhole disable
        set dynamic-gateway disable
        set virtual-wan-link disable
    next
end

Adjust Firewall Policies

The proper access must be reassessed for the alternate port, that is, the port traffic will be routed to at the time of a failover. Any traffic that was allowed through port 2 must also be permitted by the firewall policy to go over port3. This can be done within the same policy by listing both ports as outgoing interfaces. The point is, any rule destined for port 2 must be replicated for port3.

Check Routing

Which route the device actually takes can be confirmed with the command below. It shows the routes actually in use, identified by an asterisk beside them. As you can see below, traffic flows out port3, which has the lower distance.
get router info routing-table database | grep 192.168.24.0
S       192.168.24.0/24 [15/0] via 10.10.101.2, port2
S    *> 192.168.24.0/24 [10/0] via 10.10.102.2, port3
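As an added example (not from the original article), the small Python parser below reads routing-table database output like the lines above, identifies the selected route, checks that a backup with a higher distance exists on the other port, and models what the link monitor does when a gateway is declared dead. The sample output is constructed to match this article's two routes.

```python
import re
from dataclasses import dataclass

# Constructed sample of `get router info routing-table database` output, matching
# the two static routes above (not captured from a real FortiGate).
SAMPLE_OUTPUT = """\
S       192.168.24.0/24 [15/0] via 10.10.101.2, port2
S    *> 192.168.24.0/24 [10/0] via 10.10.102.2, port3
"""

# One line of the routing-table database: protocol, optional "*>" (selected),
# prefix, [distance/metric], gateway and outgoing device.
ROUTE_RE = re.compile(
    r"^(?P<proto>[A-Z]+)\s+(?P<flags>\*>)?\s*(?P<prefix>\d+\.\d+\.\d+\.\d+/\d+)\s+"
    r"\[(?P<distance>\d+)/(?P<metric>\d+)\]\s+via\s+(?P<gateway>\S+),\s+(?P<device>\S+)$"
)

@dataclass
class Route:
    prefix: str
    distance: int
    gateway: str
    device: str
    selected: bool  # marked "*>" by the device, i.e. the route actually in use

def parse_routes(text: str):
    routes = []
    for line in text.splitlines():
        m = ROUTE_RE.match(line.strip())
        if m:
            routes.append(Route(m["prefix"], int(m["distance"]), m["gateway"],
                                m["device"], m["flags"] is not None))
    return routes

def failover_ready(routes, prefix: str) -> bool:
    """True if the prefix has exactly one selected route plus a backup on a
    different device with a strictly higher distance, as the article requires."""
    cands = [r for r in routes if r.prefix == prefix]
    active = [r for r in cands if r.selected]
    if len(active) != 1:
        return False
    a = active[0]
    return any(r.device != a.device and r.distance > a.distance for r in cands)

def route_after_failure(routes, prefix: str, dead: set):
    """Model the link monitor: routes on interfaces whose gateway is dead are
    withdrawn, and the lowest-distance survivor is installed (None if none)."""
    alive = [r for r in routes if r.prefix == prefix and r.device not in dead]
    return min(alive, key=lambda r: r.distance, default=None)
```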
