FortiGate WAN Load Balancing - nullhaus
Networking & Security
Fortinet got a lot right with its FortiGate product line and load balancing is no exception. They've made it easy for administrators with modest networks to accomplish network redundancy and load balancing. While load balancing can be used for various applications, it's commonly used for load balancing between two ISPs and this is the subject we'll be covering today.

The configuration detailed herein was completed on a FortiGate 100D with FortiOS 5.
Topology
The topology we'll be using is pretty straightforward: a single FortiGate firewall separating an internal host from two load balanced ISPs. Notably, you likely won't be assigned similar addressing by both your providers; this is merely for simplicity's sake.
http://nullhaus.com/2014/02/fortigatewanloadbalancing/
31/3/2016
WAN
Our first stop will be to configure our WAN interfaces. The FortiGate unit has two designated interfaces marked as wan1 and wan2 which we'll use for connectivity to our ISPs. Let's configure our first internet connection on wan1.
In the System pane, open the Network and then Interfaces menu items.
Inside the Interfaces dialog we'll see the addressing assigned to each of the FortiGate's interfaces. Let's double click on the wan1 interface to have a look at the settings.
In the wan1 settings we'll use the IP of 10.10.10.10 and network mask 255.255.255.0. You should be able to leave the rest as is. Click OK.
Now let's do the same for the wan2 connection, this time with the address of 10.20.10.10.
Ensure your wan1 and wan2 interfaces are properly cabled into the appropriate internet connections. Once that's done, navigate to System, Dashboard where we can verify that the connections to our gateways are up and functioning.
Policies
With our WAN interfaces online we need to have policies in place allowing the traffic to flow through them. In the left pane expand Policy and drill down into the Policy, Policy members. In here you'll see the existing policies attached to the device interfaces.
Expanding the internal -> wan1 policy group you'll see an existing policy. Double click the existing rule.
Opening the rule we see a definition allowing all internal traffic to NAT out the wan1 interface. Close the rule. Now click Create New to define a new rule for our wan2 interface.
We'll define the rule identical to the previous one, with the exception that the Outgoing interface will be wan2. Save the settings and confirm that we have a policy for both internal -> wan1 and internal -> wan2.
ECMP Routing
Now that our interfaces and policies are in place, it's time to turn our attention to load balancing. The load balancing in this case takes the form of Equal Cost Multi-Path routing (ECMP). ECMP is a routing methodology that allows multiple paths of the same cost to a single destination. We'll be using ECMP to distribute traffic across two external interfaces, thereby balancing the load. FortiOS allows three different ways to configure ECMP:

Source IP based: FortiOS balances the sessions based on the source IP.
Weighted Load Balance: Traffic is load balanced between routes based on the weight assigned to each interface.
Spillover: Traffic is distributed between ECMP routes based on the utilization of the interface.
There is one caveat when it comes to weighted and spillover load balancing on FortiOS involving cached routes. To explain this, let's consider a timely example such as the Olympics. With a major event such as this, everyone is tuned in and more than a few employees are probably streaming a live video feed at their desk. Due to geography there's a good chance that many of these users are hitting the same streaming node. When FortiOS creates a new session to a new destination IP, it creates a route cache entry. If another session is created from another source for the same destination IP, the FortiGate will use the existing route stored in the route cache. If our employees are watching the same stream, and assuming it's coming from the same node, the traffic will ignore the rules of weighted or spillover routing and use the single interface.
Let's now take a look at these three methods in more detail.
Source IP based
We'll start from the top with Source IP based, which assigns WAN interfaces based on the source IP. Once an internal host makes a connection across a WAN interface, all subsequent sessions from that host will traverse the same WAN interface. This is the default ECMP method and the simplest.
Under the Router menu drill down into Static, Settings. Select Source IP based.
After choosing our ECMP method, we need to set up Dead Gateway Detection. This gives the FortiGate the ability to know when one of the routes is down.
Under the Dead Gateway Detection section, click on Create New. For wan1 we'll create an ICMP Ping detection against 10.10.10.1, effectively saying: if the next hop is down, the route is considered unusable. We'll set the Ping Interval and Failover Threshold to 5. This means that every 5 seconds the gateway will be checked; if the check fails 5 times the route will be treated as offline. In most cases you'd be using the next hop for verification of dead gateways, but there is nothing to say the ping server couldn't be a remote server.
We then create a second dead gateway detector for our secondary external link.
Now that we have all the pieces in place, let's take a look at load balancing in action. Navigate to Policy, Policy, Policy. Right click on the header and select Count from the dropdown menu. In the policy view you'll now see the packet count on each of the interfaces.
You should see the count on the wan1 and wan2 interfaces increasing. Your mileage may vary. As we chose source based routing, the amount of traffic on each WAN connection will be dependent on the external interface assigned to each internal host.
Spillover
Finally, when using Spillover and a new session is created to a new destination, FortiOS will select the first interface where the utilization is lower than the specified limit. As the name suggests, you can consider the analogy of containers with a finite capacity. Our first container will be filled until it reaches its capacity; any additional sessions will be spilled over to the next container until that container is filled, and so on. If the contents of the first container drop below capacity, all new sessions will once again be poured into the first container.
When selecting the Spillover option, you will see a new table where you can populate desired thresholds. FortiOS accepts the range of 0 to 2097000 KBps for spillover thresholds. If the threshold on an interface is left at 0, no sessions will be sent to lower numbered interfaces.
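To make the three ECMP methods and the route-cache caveat from the ECMP section concrete, here is an added Python model; it is not code from the nullhaus post or from Fortinet. The EcmpModel class, its selection rules, the interface names, thresholds, bandwidth figures and sample hosts are all constructed and simplified for the example, and the olympics_demo shows how sessions from different desks to one streaming node all land on wan1 even after wan1 has passed its spillover threshold.

```python
import ipaddress
from collections import defaultdict

class EcmpModel:
    def __init__(self, method, interfaces, weights=None, thresholds=None):
        self.method = method                # "source-ip", "weighted" or "spillover"
        self.interfaces = interfaces        # ECMP routes in order, e.g. ["wan1", "wan2"]
        self.weights = weights or {}        # weighted: relative weight per interface
        self.thresholds = thresholds or {}  # spillover: limit in KBps per interface
        self.load = defaultdict(int)        # current utilization in KBps (constructed)
        self.sessions = defaultdict(int)    # sessions assigned per interface
        self.route_cache = {}               # destination IP -> interface

    def _select(self, src):
        if self.method == "source-ip":
            # every session from one internal host sticks to the same interface
            return self.interfaces[int(ipaddress.ip_address(src)) % len(self.interfaces)]
        if self.method == "weighted":
            # next session goes to the interface furthest below its weighted share
            return min(self.interfaces, key=lambda i: self.sessions[i] / self.weights[i])
        # spillover: first interface still under its threshold; if every interface
        # is over its limit, fall back to the last one (simplifying assumption)
        for iface in self.interfaces:
            if self.load[iface] < self.thresholds.get(iface, 0):
                return iface
        return self.interfaces[-1]

    def new_session(self, src, dst, kbps):
        """Assign a new session and return the WAN interface it leaves on."""
        if self.method != "source-ip" and dst in self.route_cache:
            iface = self.route_cache[dst]   # cached route wins; weight/usage ignored
        else:
            iface = self._select(src)
            self.route_cache[dst] = iface
        self.sessions[iface] += 1
        self.load[iface] += kbps
        return iface

def olympics_demo():
    """Three desks stream the same feed at 800 KBps; a fourth user goes elsewhere."""
    r = EcmpModel("spillover", ["wan1", "wan2"], thresholds={"wan1": 1000, "wan2": 1000})
    same = [r.new_session(f"192.168.1.{i}", "203.0.113.5", 800) for i in (10, 11, 12)]
    other = r.new_session("192.168.1.13", "198.51.100.7", 100)
    return same, other, dict(r.load)

def weighted_demo():
    # eight sessions to distinct destinations with wan1 weighted 3:1 over wan2
    r = EcmpModel("weighted", ["wan1", "wan2"], weights={"wan1": 3, "wan2": 1})
    picks = [r.new_session("192.168.1.10", f"198.51.100.{n}", 50) for n in range(8)]
    return picks.count("wan1"), picks.count("wan2")
```

In olympics_demo the first session fills wan1 to 800 KBps, the next two reuse the cached route and push wan1 to 2400 KBps, well over its 1000 KBps threshold, while only the session to a different destination spills to wan2.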
This concludes the configuration of WAN load balancing under FortiOS. Hopefully this has provided you enough background on the various Equal Cost Multi-Path routing options available to make an informed decision for load balancing your ISP connections.
Filed Under: Network
Tagged With: ECMP, FortiGate, Fortinet, FortiOS 5, Load balancing, Routing, WAN
10 Comments
mrmack, a month ago
I have made all the configurations (it worked on a previous firewall too). But every time I connect a second WAN, the Wan1 goes down. Has anybody had this problem before?
Ray, a year ago
Hi Drew,
Thanks for the tutorial. If we use a proxy server for web browsing, i.e. only one source IP for interface traffic, and we would like to load share both internet links, what ECMP method should be used? The Fortigate video demonstration uses spillover with value 5 on both links, but no result is shown. Thanks.
Kevin, a year ago
Hi Drew,
Thanks for the tutorial. I have a FortiGate 60D with v.5 (build 0929). Will I be able to configure WAN Load Balancing on it? I notice that my 60D does not have a Router menu. Thanks.
tounch > Kevin, a year ago
The "router" menu is no longer present in v5. You can use System > Network > Routing in place of it.
Drew McBeard (Mod) > tounch, a year ago
Exactly right. The GUI differs slightly depending on the model you're using. If desired you should be able to access the standard GUI by issuing the following change:

config system global
    set gui-lite disable
end
fercho, a year ago
But how would the network flow be at the time when both ISPs were running normally? I mean, once that is configured that way, should I need to create a route to use one of both ISPs as default and the other one kept as an alternate one? Or are both active-active and the FortiGate chooses which one to use depending on the utilization of each ISP?
Drew McBeard (Mod) > fercho, a year ago
With Dead Gateway Detection, the FortiGate will know the status of both WAN interfaces and whether they are accepting traffic. When both ISPs are running, the traffic will flow according to the ECMP method you've chosen (Source IP, Weighted or Spillover). As long as that's configured appropriately then you just need to set the FortiGate's internal address as your gateway. No need for you to manage routes to the individual ISPs.
Enkel, a year ago
Hi, very good explanation. Can we use more than one option at the same time?
Drew McBeard (Mod) > Enkel, a year ago
Concerning ECMP, you can only pick a single load balancing method per virtual domain. Organizations with multiple ISPs usually have one higher performing connection, with a secondary in place as backup. In cases such as this, Spillover is the obvious choice.