Failover Routing – Fortigates – Dead Peer Gateway Style
Redundancy is a necessary part of networking and an important component of high availability. It takes several forms, and failover routing is one of them. The dead peer gateway method is one way to ensure traffic fails over from one interface to another: a link monitor probes the gateway behind each interface, and when a gateway stops answering, the routes on that interface are withdrawn so the backup route takes over. It is a simple concept and there are a few knowledge base articles on how to do it. I am developing this article because in my experience, following the KB articles provided by Fortigate, the 2009 and 2014 versions, I ran into issues. I am here to make things as concise as possible.
Setting up failover routing requires configuring the link monitor and ensuring traffic will flow over the secondary link in the same manner as over the primary. That means firewall policies must allow the traffic through both the primary and the secondary port. Routes must also be in place for both ports, but with different distances so that the secondary route is used ONLY when the primary one has gone down. The link monitor is what makes this work: distance alone only moves traffic when the interface itself goes down, whereas the link monitor also withdraws the primary route when the interface is up but its gateway no longer responds. In the end it is a rather simple thing, but I will document it step by step and explain.
If port2 goes down, traffic will fail over to port3, and vice versa. This requires monitoring of the interface, proper routing, and firewall policies.
· Site A is on Port 2 (192.168.22.0/24)
· Site B is on Port 3 (192.168.24.0/24)
Set the link monitor
When creating the link monitor, use a gateway to check that will
The gateway used for the check must be the gateway IP of the interface specified.
Adjust the static routes
Static routes must be adjusted for each network that should fail over. The same destination network must be defined on both port 2 and port 3, but with different distances. In the example below, 192.168.24.0/24 has a distance of 10 via port 3 and a distance of 15 via port 2, so traffic is routed through port 3 while it is healthy: the lower distance takes precedence, and the port 2 route only becomes active once the port 3 route has been withdrawn.
config router static
    # primary path to Site B: port3, distance 10
    edit 2
        set dst 192.168.24.0 255.255.255.0
        set gateway 10.10.102.2
        set distance 10
        set weight 0
        set priority 0
        set device "port3"
        set comment ''
        set blackhole disable
        set dynamic-gateway disable
        set virtual-wan-link disable
    next
    # backup path to Site B: port2, distance 15 (inactive while route 2 is present)
    edit 12
        set dst 192.168.24.0 255.255.255.0
        set gateway 10.10.101.2
        set distance 15
        set weight 0
        set priority 0
        set device "port2"
        set comment ''
        set blackhole disable
        set dynamic-gateway disable
        set virtual-wan-link disable
    next
end
Adjust Firewall Policies
The proper access must be reassessed for the alternate port, that is, the port traffic will be routed to at the time of a failover. Any traffic that was allowed out through port 2 must also be allowed out through port 3 in the firewall policy. This can be done within the same policy by listing both interfaces as the destination interface, or by replicating the port 2 rule for port 3. Either way, keep the source and destination addresses and services identical to the primary rule: a failover policy should not be broader than the path it replaces, or a gateway failure silently widens what is allowed.
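Putting the link monitor and firewall policy steps together, the following is an added example written for this article; it is not configuration taken from the Fortigate KB articles or from the original post. It uses the interfaces, networks and gateway addresses given above; the monitor names, address object names, policy IDs and probe counts are assumptions. The static routes are the ones already shown in the previous section and are not repeated here.

```fortios
# Added example, not from the original page. Dead peer gateway failover for
# Site A (port2, 192.168.22.0/24) and Site B (port3, 192.168.24.0/24).
# Monitor names, object names, policy IDs and failtime/recoverytime values
# are assumptions; interface and gateway IPs are the ones from the article.

# 1. Link monitors: ping each interface's own gateway. After failtime
#    consecutive lost probes the static routes on that interface are
#    withdrawn (update-static-route), so the other port's higher-distance
#    route becomes active; after recoverytime good probes they come back.
#    The probe interval is left at its default.
config system link-monitor
    edit "mon-port3"
        set srcintf "port3"
        set server "10.10.102.2"
        set gateway-ip 10.10.102.2
        set protocol ping
        set failtime 5
        set recoverytime 5
        set update-static-route enable
    next
    edit "mon-port2"
        set srcintf "port2"
        set server "10.10.101.2"
        set gateway-ip 10.10.101.2
        set protocol ping
        set failtime 5
        set recoverytime 5
        set update-static-route enable
    next
end

# 2. Address objects for both site networks (assumed names).
config firewall address
    edit "SiteA_net"
        set subnet 192.168.22.0 255.255.255.0
    next
    edit "SiteB_net"
        set subnet 192.168.24.0 255.255.255.0
    next
end

# 3. Policies: the destination interface lists both ports, so one rule
#    matches whether the traffic leaves via the primary or the backup path.
#    Addresses and services stay the same; only the egress interface widens.
#    Narrow "ALL" to the services actually needed between the sites.
config firewall policy
    edit 10
        set name "SiteA-to-SiteB"
        set srcintf "port2"
        set dstintf "port3" "port2"
        set srcaddr "SiteA_net"
        set dstaddr "SiteB_net"
        set action accept
        set schedule "always"
        set service "ALL"
        set logtraffic all
    next
    edit 11
        set name "SiteB-to-SiteA"
        set srcintf "port3"
        set dstintf "port2" "port3"
        set srcaddr "SiteB_net"
        set dstaddr "SiteA_net"
        set action accept
        set schedule "always"
        set service "ALL"
        set logtraffic all
    next
end
```

The SiteB-to-SiteA policy assumes the mirror-image pair of static routes for 192.168.22.0/24 (port2 at the lower distance, port3 as backup), which the article does not show. To test, stop the port3 gateway from answering ICMP and re-run get router info routing-table database | grep 192.168.24.0: the [10/0] port3 entry disappears and the [15/0] port2 route picks up the *> marker; diagnose sys link-monitor status shows the probe state of each monitor. Because the monitor pings the gateway only, a gateway that answers ICMP but has lost its own upstream path will not trigger failover; point server at a host beyond the gateway if that case matters.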
Check Routing
Which route the device actually takes can be confirmed with the command below. It lists every route in the routing database; the route actually in use is marked with *> (installed in the forwarding table and selected), while the higher-distance backup is listed without the marker. As you can see below, traffic flows out port3: it has the lower distance.
get router info routing-table database | grep 192.168.24.0
S 192.168.24.0/24 [15/0] via 10.10.101.2, port2
S *> 192.168.24.0/24 [10/0] via 10.10.102.2, port3