Monitor IPsec VPN with Fortinet firewalls

David Elebute
Can Fortinet firewalls (50D) be set up to monitor an IPsec VPN connection and switch to another if one is down?
bbao, IT Consultant

Commented:
If you are referring to IPsec logging on Fortinet firewalls, check the steps below:

https://help.fortinet.com/fos50hlp/52data/Content/FortiOS/fortigate-ipsecvpn-52/Logging_Monitoring/Logging_VPN_Events.htm
Qlemo "Batchelor", Developer and EE Topic Advisor
Top Expert 2015

Commented:
https://help.fortinet.com/fos50hlp/52data/Content/FortiOS/fortigate-ipsecvpn-52/Redundant_VPN_Config/Redundant_Route_Based_Example.htm shows an example and http://help.fortinet.com/fos50hlp/54/Content/FortiOS/fortigate-ipsecvpn-54/Redundant_VPN_Config/Configuration_Overview.htm the generic steps for using different ISP interfaces.
For redundancy you need two of something on each site: two WAN interfaces, or two FortiGates. Otherwise there is nothing to choose as an alternative path.
David Elebute, Systems Consultant

Author

Commented:
Thank you bbao, but logging is not what I was referring to.
David Elebute, Systems Consultant

Author

Commented:
Thank you Qlemo.
There is just one interface, wan1, on the Fortinet side.
I am trying to see if I can monitor vpn1 and, if it goes down, switch to vpn2 on the same wan1 interface. On the Fortinet side there is no secondary WAN link; I just want to make sure it switches to the secondary VPN connection (vpn2) when vpn1 is down.
See attached PDF drawing.
Qlemo "Batchelor", Developer and EE Topic Advisor
Top Expert 2015

Commented:
A secondary VPN connection without any other redundancy doesn't make any sense unless you need to make changes to the VPN and still maintain a working connection. A rather rare situation.
David Elebute, Systems Consultant

Author

Commented:
Yes, rare, but I am trying to see if we can use the Fortinet because we have done this with Cisco firewalls.
David Elebute, Systems Consultant

Author

Commented:
Qlemo,
please advise.
From what I am getting from you, the Fortinet firewalls cannot do what I need them to do, correct?
All help is greatly appreciated.
Qlemo "Batchelor", Developer and EE Topic Advisor
Top Expert 2015

Commented:
I think so. You need something to change physically to allow the metrics to change automatically, which in turn changes the route precedence and paths (an inactive interface adds a "routing distance", and so makes the corresponding route "more expensive"). You can change routes manually to perform a switch-over; that would then work with two VPN policies.
David Elebute, Systems Consultant

Author

Commented:
Thanks again Qlemo.
Below is my current policy CLI.
Below is the current VPN policy on the remote-site side.
I was hoping the line "set schedule" could be manipulated to do what is needed; manually will not work.
I have 18 locations connected back to the main hub of the network.

config firewall policy
    edit 2
        set srcintf "internal"
        set dstintf "wan1"
        set srcaddr "Local"
        set dstaddr "Remote_Main"
        set action ipsec
        set schedule "always"
        set service "ANY"
        set inbound enable
        set outbound enable
        set vpntunnel "VPN"
    next
end


If what we are trying to do would work, I would think it would be along the following lines:

set schedule "always"
I need the code to set up "schedule" so that when the link for set vpntunnel "VPN" is down, it uses set vpntunnel "VPN2".

Any and all help is greatly appreciated!
Qlemo "Batchelor", Developer and EE Topic Advisor
Top Expert 2015

Commented:
A schedule is not based on events, only on fixed times, say "disabled from 9 to 5".
David Elebute, Systems Consultant

Author

Commented:
Thanks again Qlemo.
Looks like we are going to need to replace these location firewalls.
Wow, I was hoping to spare the expense.
Qlemo "Batchelor", Developer and EE Topic Advisor
Top Expert 2015

Commented:
If you explain what the exact story behind your request is, I or someone else might be able to propose something different on FortiGate.
In general, you should always describe the issue you want to resolve, not the way you think you want to resolve it (or have resolved it in the past with different equipment). That way you can get advice outside of the box.
David Elebute, Systems Consultant

Author

Commented:
Okay Qlemo, here goes...

We have a central location (hub).
18 remote locations (spokes).
We have just added a second ISP to our hub-end firewall for failover at the main site.

Currently our remote sites do not have the same failover to a secondary ISP (may look at that in future).
We need to have the remote sites cut over to the secondary VPN connection when the primary ISP link at the hub is down; switch to the secondary VPN until the primary VPN is back up.
***
We were hoping to keep our investment in Fortinet but will move to another firewall product (Cisco looks like the front runner, as we have been able to get this configuration with them).
***

I hope this helps.
All help is greatly appreciated!
Qlemo "Batchelor", Developer and EE Topic Advisor
Top Expert 2015

Commented:
I really don't know if there is a best practice, but I would set up a (public) DNS entry for the main site gateway, which is updated if the ISP connection (link) fails. That way the branches can re-initiate traffic again.
At the main site the same VPN, including routes, is defined for two interfaces with different weight. If the "main" interface goes down on failure, the switch-over can take place.
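As an added example, not code from this thread and not taken from Fortinet's documentation, this is what the redundant route-based design Qlemo points to (the Redundant Route-Based Example linked earlier, and the two-interfaces-with-different-weight idea above) would look like on one spoke FortiGate. It assumes FortiOS 5.2 CLI syntax, the version the linked docs cover. The spoke has only wan1; it builds two interface-mode tunnels to the hub's two public addresses (203.0.113.10 and 198.51.100.10 are placeholders), uses dead peer detection to take a failed tunnel down, and carries two static routes to the hub LAN (10.0.0.0/16, also assumed) at different distances so the secondary route only becomes active when the primary tunnel interface is down. The interface names vpn-hub1/vpn-hub2, policy IDs, subnets, PSK placeholder and address objects are assumptions; lines beginning with # are explanatory and are not part of the CLI.

```fortios
# --- Phase 1: two interface-mode tunnels, both bound to the single wan1 ---
config vpn ipsec phase1-interface
    edit "vpn-hub1"
        set interface "wan1"
        set remote-gw 203.0.113.10
        set proposal aes256-sha256
        set dpd enable
        set dpd-retryinterval 5
        set psksecret CHANGE_ME_PSK
    next
    edit "vpn-hub2"
        set interface "wan1"
        set remote-gw 198.51.100.10
        set proposal aes256-sha256
        set dpd enable
        set dpd-retryinterval 5
        set psksecret CHANGE_ME_PSK
    next
end
# --- Phase 2: auto-negotiate keeps both tunnels established so DPD can probe them ---
config vpn ipsec phase2-interface
    edit "vpn-hub1-p2"
        set phase1name "vpn-hub1"
        set proposal aes256-sha256
        set auto-negotiate enable
        set src-subnet 192.168.10.0 255.255.255.0
        set dst-subnet 10.0.0.0 255.255.0.0
    next
    edit "vpn-hub2-p2"
        set phase1name "vpn-hub2"
        set proposal aes256-sha256
        set auto-negotiate enable
        set src-subnet 192.168.10.0 255.255.255.0
        set dst-subnet 10.0.0.0 255.255.0.0
    next
end
# --- Routing: same destination via both tunnels; lower distance wins while its tunnel is up ---
config router static
    edit 10
        set dst 10.0.0.0 255.255.0.0
        set device "vpn-hub1"
        set distance 10
    next
    edit 11
        set dst 10.0.0.0 255.255.0.0
        set device "vpn-hub2"
        set distance 20
    next
end
# --- Policies: ordinary accept policies on the tunnel interfaces (no "set action ipsec") ---
config firewall policy
    edit 20
        set srcintf "internal"
        set dstintf "vpn-hub1" "vpn-hub2"
        set srcaddr "Local"
        set dstaddr "Remote_Main"
        set action accept
        set schedule "always"
        set service "ALL"
    next
    edit 21
        set srcintf "vpn-hub1" "vpn-hub2"
        set dstintf "internal"
        set srcaddr "Remote_Main"
        set dstaddr "Local"
        set action accept
        set schedule "always"
        set service "ALL"
    next
end
```

The failover mechanism is the routing table, not the policy: when DPD declares vpn-hub1 dead the tunnel interface goes down, route 10 drops out of the active table and traffic follows route 11 over vpn-hub2; when the primary tunnel re-establishes, the lower distance wins again. The hub mirrors this with its two tunnel interfaces bound to wan1 and wan2 respectively. To confirm the state during a test, `get router info routing-table all` shows which route is active and `diagnose vpn tunnel list` shows which tunnels are up.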
David Elebute, Systems Consultant
Commented:
Thank you again Qlemo.
I really appreciate your help.
From what I see so far, we cannot accomplish our objective with Fortinet firewalls.
Regards