Next Generation Firewall (NGFW)

SD WAN and NAT Problem

  • 1.  SD WAN and NAT Problem

    Posted 09-27-2018 00:27
    Hi All,

    My FortiGate is a 200D, software version FGT_200D-v6-build0163. I have a problem. I used my backup firewall to take the snapshots that illustrate my problem; our business is 24/7, so I can't make any changes on the firewall that is running. Our office has two dedicated Internet lines. I want to use the primary link and, if the primary link fails, switch over to the backup line. For some reason, we don't use the interface IP as the NAT IP address.
    I configured it to use our primary link.


    We don't use the interface IP as the NAT IP.

    After I finished the configuration, some of our computers went through our backup line and used the Internet IP 180.1.1.3.
    I tried a policy route to make all hosts in 10.16.180.0/24 go through our primary link, but some computers still went through our backup link.
    Next, I deleted the policy route and changed the firewall policy as shown in the picture below.

    All of our computers went through our primary link. I tried disconnecting our primary link; after that all of our computers were disconnected from the Internet, and the firewall couldn't switch over to the backup line.

    ------------------------------
    Fred [LastName] [Designation]
    Network Engineer
    [CompanyName]
    [City] [State]
    [Phone]
    ------------------------------


  • 2.  RE: SD WAN and NAT Problem

    Posted 09-27-2018 06:15
    Dear,

    I think your problem here is that you are using IP Pools with SD-WAN. FortiGates always choose the first IP Pool to get to the Internet, so the issue is the FortiGate trying to get through wan2 with the IP Pool of wan1.
    If IP Pools are a must in your configuration, you should switch to manual ECMP load balancing and not use SD-WAN.

    Regards

    ------------------------------
    Rony Moussa
    Fortinet NSE Certified: Level 8
    ------------------------------



  • 3.  RE: SD WAN and NAT Problem

    Posted 09-28-2018 01:08
    Hi Rony,

    Thank you. I can't find ECMP load balancing in FortiOS 6.0. Should I downgrade the FortiOS version of our firewalls?

    ------------------------------
    Fred [LastName] [Designation]
    Network Engineer
    [CompanyName]
    [City] [State]
    [Phone]
    ------------------------------



  • 4.  RE: SD WAN and NAT Problem

    Posted 09-29-2018 22:49
    Hi,

    It's configurable via the CLI only.

    Advanced static routing example: ECMP failover and load balancing (Fortinet documentation)


    Regards

    ------------------------------
    Rony Moussa
    Fortinet NSE Certified: Level 8
    ------------------------------



  • 5.  RE: SD WAN and NAT Problem

    Posted 01-16-2019 22:36
    Hi Rony,

    Thank you. I tested the link monitor; it solves my SD-WAN and NAT problem. Now I have a new problem. I use a FortiGate 200E with firmware v6.0.1 build0131 (GA) to test. By default all traffic goes through port13; I use a policy route to force traffic from port1 to go through port14, but it doesn't work.

    # ECMP mode: spillover thresholds on the WAN ports decide when port14 is used
    config system settings
        set inspection-mode flow
        set v4-ecmp-mode usage-based
    end
    # LAN interface and the two WAN interfaces
    config system interface
        edit "port1"
            set vdom "root"
            set ip 192.168.2.1 255.255.255.0
            set allowaccess ping https ssh http fgfm ftm
            set type physical
            set device-identification enable
            set role lan
            set snmp-index 5
        next
        edit "port13"
            set vdom "root"
            set ip 10.12.172.250 255.255.255.0
            set allowaccess ping
            set type physical
            set spillover-threshold 300
            set role wan
            set snmp-index 17
        next
        edit "port14"
            set vdom "root"
            set ip 10.12.168.250 255.255.255.0
            set type physical
            set spillover-threshold 200
            set role wan
            set snmp-index 18
        next
    end
    # Two default routes with equal distance (ECMP)
    config router static
        edit 2
            set gateway 10.12.168.1
            set device "port14"
        next
        edit 3
            set gateway 10.12.172.1
            set device "port13"
        next
    end
    # Policy route meant to send port1 traffic out via port14
    config router policy
        edit 2
            set input-device "port1"
            set src "192.168.2.0/255.255.255.0"
            set dstaddr "all"
            set gateway 10.12.168.1
            set output-device "port14"
        next
    end


    ------------------------------
    Fred [LastName] [Designation]
    Network Engineer
    [CompanyName]
    [City] [State]
    [Phone]
    ------------------------------