David Elebute
asked on
Monitor IPsec VPN with Fortinet firewalls
Can Fortinet firewalls (50D) be set up to monitor an IPsec VPN connection and switch to another if one is down?
https://help.fortinet.com/fos50hlp/52data/Content/FortiOS/fortigate-ipsecvpn-52/Redundant_VPN_Config/Redundant_Route_Based_Example.htm shows an example and http://help.fortinet.com/fos50hlp/54/Content/FortiOS/fortigate-ipsecvpn-54/Redundant_VPN_Config/Configuration_Overview.htm the generic steps for using different ISP interfaces.
For redundancy you need two of something on each site - two WAN interfaces, or two FortiGates. Otherwise there is nothing to choose as alternative path.
ASKER
Thank you bbao, but logging is not what I was referring to.
ASKER
Thank you Qlemo.
Just one interface, wan1, on the Fortinet side.
Trying to see if I can monitor vpn1 and, if it goes down, switch to vpn2 on the same wan1 interface. On the Fortinet side there is no secondary WAN link; just making sure to switch to the secondary VPN connection (vpn2) when vpn1 is down.
See attached PDF drawing.
A secondary VPN connection without any other redundancy doesn't make any sense unless you need to make changes to the VPN and still maintain a working connection. A rather rare situation.
ASKER
Yes, rare, but trying to see if we can use the Fortinet because we have done this with Cisco firewalls.
ASKER
Qlemo
Please advise.
From what I am getting from you, the Fortinet firewalls cannot do what I need them to do, correct?
All help is greatly appreciated.
I think so. You need something to change physically to allow the metrics to change automatically, which in turn changes the route precedence and paths (an inactive interface adds a "routing distance", and so makes the corresponding route "more expensive"). You can change routes manually to perform a switch-over; that would work then with two VPN policies.
ASKER
Thanks again Qlemo.
Below is my current policy CLI.
Below is the current VPN policy side on the remote site.
I was hoping the line "set schedule" could be manipulated to do what is needed; manually will not work.
I have 18 locations connected back to the main hub of the network.
config firewall policy
    edit 2
        set srcintf "internal"
        set dstintf "wan1"
        set srcaddr "Local"
        set dstaddr "Remote_Main"
        set action ipsec
        set schedule "always"
        set service "ANY"
        set inbound enable
        set outbound enable
        set vpntunnel "VPN"
    next
end
If what we are trying to do would work, I would think that it would be along the following:
set schedule "always"
I need the code to set up "schedule" so that when the link for set vpntunnel "VPN" is down it uses set vpntunnel "VPN2".
Any and all help is greatly appreciated!
A schedule is not based on events, only on fixed times, say "disabled from 9 to 5".
ASKER
Thanks again Qlemo.
Looks like we are going to need to replace these location firewalls.
Wow, I was hoping to spare the expense.
If you explain what the exact story behind your request is, I or someone else might be able to propose something different on FortiGate.
In general, you should always describe the issue you want to resolve, not the way you think you want to resolve it (or have resolved it in the past with different equipment). That way you can get advice outside of the box.
ASKER
Okay Qlemo, here goes...
We have a central location (hub).
18 remote locations (spokes).
We have just added a second ISP to our hub end firewall for failover at the main site.
Currently our remote sites do not have the same failover to a secondary ISP (may look at that in future).
We need to have the remote sites cut over to the secondary VPN connection when the primary ISP link at the hub is down; switch to the secondary VPN until the primary VPN is back up.
***
We were hoping to keep our investment in Fortinet but will move to another firewall product (Cisco looks like the front runner, as we have been able to get this configuration with them).
***
I hope this helps.
All help is greatly appreciated!
I really don't know if there is a best practice, but I would set up a (public) DNS entry for the main site gateway, which is updated if the ISP connection (link) fails. That way the branches can re-initiate traffic again.
At the main site the same VPN, including routes, is defined for two interfaces with different weights. If the "main" interface goes down on failure, the switch-over can take place.
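As an added example (not code from the thread and not copied from the Fortinet pages linked above), here is the route-based form of the redundancy those pages and the "two interfaces with different weight" suggestion describe, written for the spoke side in FortiOS 5.4 CLI syntax. Hub addresses, the hub LAN subnet and the PSK are placeholders, and "Local" and "Remote_Main" are assumed to be the address objects from the policy posted earlier.

```fortios
# Spoke side, placeholder addresses and PSK: one WAN link, two route-based tunnels to the hub's two ISP addresses.
config vpn ipsec phase1-interface
    edit "VPN-hub-isp1"
        set interface "wan1"
        set remote-gw 198.51.100.1
        set dpd on-idle
        set psksecret PLACEHOLDER_PSK
    next
    edit "VPN-hub-isp2"
        set interface "wan1"
        set remote-gw 203.0.113.1
        set dpd on-idle
        set psksecret PLACEHOLDER_PSK
    next
end
config vpn ipsec phase2-interface
    edit "VPN-hub-isp1-p2"
        set phase1name "VPN-hub-isp1"
        set auto-negotiate enable
    next
    edit "VPN-hub-isp2-p2"
        set phase1name "VPN-hub-isp2"
        set auto-negotiate enable
    next
end
# Hub LAN over both tunnels: distance 10 wins while VPN-hub-isp1 is up; once DPD
# declares it dead that route is withdrawn and the distance-20 route takes over.
config router static
    edit 10
        set dst 10.0.0.0 255.255.255.0
        set device "VPN-hub-isp1"
        set distance 10
    next
    edit 11
        set dst 10.0.0.0 255.255.255.0
        set device "VPN-hub-isp2"
        set distance 20
    next
end
config firewall policy
    edit 20
        set srcintf "internal"
        set dstintf "VPN-hub-isp1" "VPN-hub-isp2"
        set srcaddr "Local"
        set dstaddr "Remote_Main"
        set action accept
        set schedule "always"
        set service "ALL"
    next
end
```

Dead peer detection is the "monitor" and the two static routes do the switch-over, so the policy uses "action accept" on the tunnel interfaces rather than "action ipsec" with a single vpntunnel. A mirror policy from the two tunnel interfaces to "internal" is still needed for return traffic, and the hub needs the matching phase1 on each of its two WAN interfaces.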
ASKER CERTIFIED SOLUTION
https://help.fortinet.com/fos50hlp/52data/Content/FortiOS/fortigate-ipsecvpn-52/Logging_Monitoring/Logging_VPN_Events.htm