Monitor IPsec VPN with Fortinet firewalls

Can Fortinet firewalls (50D) be set up to monitor an IPsec VPN connection and switch to another if one is down?
David Elebute (Systems Consultant) Asked:
bbao (IT Consultant) Commented:
If you are referring to IPsec logging on Fortinet firewalls, check the steps below:

https://help.fortinet.com/fos50hlp/52data/Content/FortiOS/fortigate-ipsecvpn-52/Logging_Monitoring/Logging_VPN_Events.htm
Qlemo ("Batchelor", Developer and EE Topic Advisor) Commented:
https://help.fortinet.com/fos50hlp/52data/Content/FortiOS/fortigate-ipsecvpn-52/Redundant_VPN_Config/Redundant_Route_Based_Example.htm shows an example and http://help.fortinet.com/fos50hlp/54/Content/FortiOS/fortigate-ipsecvpn-54/Redundant_VPN_Config/Configuration_Overview.htm the generic steps for using different ISP interfaces.
For redundancy you need two of something on each site - two WAN interfaces, or two FortiGates. Otherwise there is nothing to choose as alternative path.
David Elebute (Systems Consultant, Author) Commented:
Thank you bbao, but logging is not what I was referring to.
David Elebute (Systems Consultant, Author) Commented:
Thank you Qlemo.
Just one interface, wan1, on the Fortinet side.
Trying to see if I can monitor vpn1 and, if it goes down, switch to vpn2 on the same wan1 interface. On the Fortinet side there is no secondary WAN link; just making sure to switch to the secondary VPN connection (vpn2) when vpn1 is down.
See attached PDF drawing.
Qlemo ("Batchelor", Developer and EE Topic Advisor) Commented:
A secondary VPN connection without any other redundancy doesn't make any sense unless you need to make changes to the VPN and still maintain a working connection. A rather rare situation.
David Elebute (Systems Consultant, Author) Commented:
Yes, rare, but trying to see if we can use the Fortinet because we have done this with Cisco firewalls.
David Elebute (Systems Consultant, Author) Commented:
Qlemo,
please advise.
From what I am getting from you, the Fortinet firewalls cannot do what I need them to do, correct?
All help is greatly appreciated.
Qlemo ("Batchelor", Developer and EE Topic Advisor) Commented:
I think so. You need something to change physically to allow the metrics to change automatically, which again changes the route precedence and paths (an inactive interface adds a "routing distance", and so makes the corresponding route "more expensive"). You can change routes manually to perform a switch-over; that would work then with two VPN policies.
David Elebute (Systems Consultant, Author) Commented:
Thanks again Qlemo.
Below is my current policy CLI.
Below is the current VPN policy side on the remote site.
I was hoping the line set schedule could be manipulated to do what is needed; manually will not work.
I have 18 locations connected back to the main hub of the network.

config firewall policy
    edit 2
        set srcintf "internal"
        set dstintf "wan1"
        set srcaddr "Local"
        set dstaddr "Remote_Main"
        set action ipsec
        set schedule "always"
        set service "ANY"
        set inbound enable
        set outbound enable
        set vpntunnel "VPN"
    next
end


If what we are trying to do would work, I would think that it would be along the following lines:

set schedule "always"
I need the code to set up "schedule" so that when the link to set vpntunnel "VPN" is down, it uses set vpntunnel "VPN2".

any and all help is greatly appreciated!
Qlemo ("Batchelor", Developer and EE Topic Advisor) Commented:
A schedule is not based on events, only on fixed times, say "disabled from 9 to 5".
David Elebute (Systems Consultant, Author) Commented:
thanks again Qlemo
looks like we are going to need to replace these location firewalls
wow i was hoping to spare the expense
Qlemo ("Batchelor", Developer and EE Topic Advisor) Commented:
If you explain what the exact story behind your request is, I or someone else might be able to propose something different on FortiGate.
In general, you should always describe the issue you want to resolve, not the way you think you want to resolve it (or have resolved it in the past with different equipment). That way you can get advice outside of the box.
David Elebute (Systems Consultant, Author) Commented:
Okay Qlemo here goes...

we have a central location (hub)
18 remote locations (spokes)
we have just added a second isp to our hub end firewall for failover at the main site

currently our remote sites do not have same failover to secondary isp (may look to that in future)
we need to have the remote sites cut to secondary vpn connection when primary isp link at hub is down; switch to secondary vpn until primary vpn is back up
***
we were hoping to keep our investment in Fortinet but will move to another firewall product (Cisco looks like the front runner as we have been able to get this configuration with them)
***

I hope this helps
All help is greatly appreciated!
Qlemo ("Batchelor", Developer and EE Topic Advisor) Commented:
I really don't know if there is a best practice, but I would set up a (public) DNS entry for the main site gateway, which is updated if the ISP connection (link) fails. That way the branches can re-initiate traffic again.
In the main site the same VPN including routes are defined for two interfaces with different weight. If the "main" interface goes down on failure, the switch-over can take place.
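The DNS switch-over suggested in the comment above needs something at the main site that decides when the gateway record should change. The sketch below shows that decision logic as an added example; it is not from the thread or from Fortinet, and the addresses, thresholds and the way the primary link is probed are assumptions.

```python
from dataclasses import dataclass
from typing import Optional

# Constructed addresses from the RFC 5737 documentation ranges, not from the thread.
PRIMARY_IP = "198.51.100.10"    # hub WAN address on the primary ISP (assumed)
SECONDARY_IP = "203.0.113.10"   # hub WAN address on the secondary ISP (assumed)


@dataclass
class GatewayFailover:
    """Chooses which hub address the VPN gateway DNS record should carry."""
    fail_after: int = 3      # consecutive failed probes before failing over
    restore_after: int = 5   # consecutive good probes before failing back
    active: str = PRIMARY_IP
    _bad: int = 0
    _good: int = 0

    def observe(self, primary_up: bool) -> Optional[str]:
        """Feed one probe result; return the new record value if it must change."""
        if primary_up:
            self._good += 1
            self._bad = 0
        else:
            self._bad += 1
            self._good = 0
        if self.active == PRIMARY_IP and self._bad >= self.fail_after:
            self.active = SECONDARY_IP
            return self.active
        if self.active == SECONDARY_IP and self._good >= self.restore_after:
            self.active = PRIMARY_IP
            return self.active
        return None


def replay(probes, **kwargs):
    """Run a probe history and return [(probe_index, new_address), ...]."""
    failover = GatewayFailover(**kwargs)
    changes = []
    for index, primary_up in enumerate(probes):
        new_address = failover.observe(primary_up)
        if new_address is not None:
            # A real deployment would push the DNS update here (provider-specific).
            changes.append((index, new_address))
    return changes


# Constructed probe history: a brief blip, a real outage, a false recovery, then recovery.
SAMPLE = [True, False, True, False, False, False, False, True, True, False,
          True, True, True, True, True]
```

The asymmetric thresholds keep a flapping primary link from bouncing the record back and forth. The record's TTL bounds how quickly the branches see a change, since they only pick up the new address when they resolve the gateway name again.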
David Elebute (Systems Consultant, Author) Commented:
thank you again Qlemo
i really appreciate your help
from what i see so far we cannot accomplish our objective with fortinet firewalls
regards
