Link to home
Start Free TrialLog in
Avatar of David Elebute
David ElebuteFlag for United States of America

asked on

Monitor Ipsec VPN with fortinet firewalls

Can fortinet firewalls (50d) be setup to monitor an ipsec vpn connection and switch to another if one is down?
Avatar of bbao
Flag of Australia image

if you are referring to IPSec logging on Fortinet firewalls, check below steps: shows an example and the generic steps for using different ISP interfaces.
For redundancy you need two of something on each site - two WAN interfaces, or two FortiGates. Otherwise there is nothing to choose as alternative path.
Avatar of David Elebute


thank you bbao but logging is not what i was referring to
thank you Qlemo
just one interface wan1 on the fortinet side
trying to see if i can monitor vpn1 and if it goes down down to switch to vpn2 on same wan1 interface the on the fortinet side there is no secondary wan link just making sure to switch to secondary vpn connection (vpn2) when vpn1 is down
see attached pdf drawing
A secondary VPN connection without any other redundancy doesn't make any sense unless you need to make changes to the VPN and still maintain a working connection. A rather rare situation.
yes rare but trying to see if we can use the fortinet because we done this with cisco firewalls
please advise
from what i am getting from you the fortinet firewalls cannot do what i need them to do, correct?
all help is greatly appreciated
I think so. You need something to change physically to allow to change the metrics automatically, which again changes the routie predence and paths (an inactive interface adds a "routing distance", and so makes the corresponding route "more expensive") . You can change routes manually to perform a switch-over, that would work then with two VPN policies.
thanks again Qlemo
below is my current policy CLI
below is the current vpn policy side on the remote site
i was hoping the line set schedule could be manipulated to do what is needed, manually will not work
i have 18 locations connected back to the main hub of the network

config firewall policy
    edit 2
        set srcintf "internal"
        set dstintf "wan1"
            set srcaddr "Local"            
            set dstaddr "Remote_Main"            
        set action ipsec
        set schedule "always"
            set service "ANY"            
        set inbound enable
        set outbound enable
        set vpntunnel "VPN"

if what we are trying to do would work i would think that it would be along the following:

set schedule "always"
i need the code to setup "schedule" for when the link to set vpntunnel "VPN" is down use set vpntunnel "VPN2"

any and all help is greatly appreciated!
A schedule is not based on events, only on fixed times, say "disabled from 9 to 5".
thanks again Qlemo
looks like we are going to need to replace these location firewalls
wow i was hoping to spare the expense
If you explain what the exact story behind your request is, I or someone else might be able to propose something different on FortiGate.
In general, you should always describe the issue you want to resolve, not the way you think you want to resolve it (or have resolved it in the past with different equipment). That way you can get advice outside of the box.
Okay Qlemo here goes...

we have a central location (hub)
18 remote locations (spokes)
we have just added a second isp to our hub end firewall for failover at the main site

currently our remote sites do not have same failover to secondary isp (may look to that in future)
we need to have the remote sites cut to secondary vpn connection when primary isp link at hub is down; switch to secondary vpn until primary vpn is back up
we were hoping to keep our investment in Fortinet but will move to another firewall product (Cisco looks like the front runner as we have been able to get this configuration with them)

I hope this helps
All help is greatly appreciated!
I really don't know if there is a best practice, but I would set up a (public) DNS entry for the main site gateway, which is updated if the ISP connection (link) fails. That way the branches can re-initate traffic again.
In the main site the same VPN including routes are defined for two interfaces with different weight. If the "main" interface goes down on failure, the switch-over can take place.
Avatar of David Elebute
David Elebute
Flag of United States of America image

Link to home
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
Start Free Trial