FortiWAN Outbound Load Balancing and Failover (Auto Routing)

Example 2

The auto routing policies to be established accordingly:

  1. Always route connections through WAN#1 (fixed algorithm).
  2. Always route connections through WAN#2 (fixed algorithm).
  3. Always route connections through WAN#3 (fixed algorithm).
  4. Route connections evenly among the three WAN links with “Round-Robin”.
  5. Route connections through the three WAN links by “Round-Robin” with weight ratio WAN#1:WAN#2:WAN#3 = 1:2:3. Note: if there are six connections to be established, the first connection will be routed through WAN#1, the second and third through WAN#2, and the last three through WAN#3.
  6. Route connections through WAN#1 and WAN#2 depending on the bandwidth left in the downstream traffic of each WAN link.
  7. Route connections through WAN#2 and WAN#3 depending on the bandwidth left in the total traffic of each WAN link.

| Label | Algorithm | Parameter |
|---|---|---|
| WAN1 | Fixed | Check WAN #1 |
| WAN2 | Fixed | Check WAN #2 |
| WAN3 | Fixed | Check WAN #3 |
| Round-Robin 1:1:1 | Round-Robin | Enter “1” for WAN #1, WAN #2, and WAN #3 |
| Round-Robin 1:2:3 | Round-Robin | Enter “1” for WAN #1, “2” for WAN #2, “3” for WAN #3 |
| By Downstream | By Downstream | Check both WAN #1 and WAN #2 |
| By Total | By Total Traffic | Check both WAN #2 and WAN #3 |

Defining filters for the following:

  1. The connections from 192.168.0.100 to FTP 210.10.10.11 are routed by the policy “WAN3”. If WAN #3 fails, they will be routed by policy “by Downstream”.
  2. The connections from sub-network 192.168.10.0/24 to web servers on the internet are routed by the policy “Round-Robin1:1:1”.
  3. The connections from 192.168.0.100~192.168.0.200 to sub-network 192.192.0.0/24 on TCP port 8000 are routed by the policy “WAN2”. If WAN #2 fails, they will be routed by the policy “WAN3”.
  4. The connections from the LAN to the Internet are routed by the policy “by Downstream”. If both WAN #1 and WAN #2 fail, they will be routed by “WAN3”.
  5. The connections from 211.21.48.196 to FTP 210.10.10.11 are routed by policy “Round-Robin1:2:3”.
  6. The connections from 211.21.48.195 to any SMTP server on the internet are routed by policy “WAN3”. If WAN #3 fails, they will be routed by “WAN3”. Note: In this case, the host at 211.21.48.195 will not be able to establish connections to any SMTP server on the internet when WAN #3 fails, even though other WAN links are still alive. For more details, refer to “Fail-over” policy.
  7. The connections from DMZ to the internet are routed by policy “By Downstream”. If both WAN #1 and WAN #2 fail, they will be routed by “By Total”. Note: Usually, when both WAN #1 and WAN #2 fail, the fail-over policy takes effect. In the case above, when both WAN links fail, all traffic will be routed to WAN #3.
  8. The connections from an arbitrary host to the hosts at 60.200.10.1~60.200.10.10 will be routed by policy “WAN2”. If WAN #2 fails, they will be routed by “WAN1”.
  9. The connections from an arbitrary host to any host on the Internet will be routed by the policy “by Downstream”.
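
The policies and filters above can be modelled to see which WAN link a connection lands on when links fail, and to flag a fail-over setting that adds no redundancy (as in filter 6). This is an added example, not FortiWAN code or configuration: the function names and bandwidth figures are constructed, and it assumes a policy skips its failed links and hands over to the fail-over policy only once all of its links are down.

```python
# Added example: labels and WAN numbers come from the policy table above;
# function names and bandwidth figures are constructed for illustration.

class Policy:
    def __init__(self, algo, weights):
        self.algo, self.weights, self.turn = algo, weights, 0

    def pick(self, up, free_bw):
        """Return a WAN number, or None when every link in the policy is down."""
        live = [w for w in self.weights if w in up]
        if not live:
            return None
        if self.algo == "bandwidth":          # By Downstream / By Total Traffic
            return max(live, key=lambda w: free_bw.get(w, 0))
        # Fixed and Round-Robin: expand weights, e.g. 1:2:3 -> 1,2,2,3,3,3
        sched = [w for w in live for _ in range(self.weights[w])]
        wan = sched[self.turn % len(sched)]
        self.turn += 1
        return wan

def make_policies():
    return {
        "WAN1": Policy("fixed", {1: 1}),
        "WAN2": Policy("fixed", {2: 1}),
        "WAN3": Policy("fixed", {3: 1}),
        "Round-Robin 1:1:1": Policy("rr", {1: 1, 2: 1, 3: 1}),
        "Round-Robin 1:2:3": Policy("rr", {1: 1, 2: 2, 3: 3}),
        "By Downstream": Policy("bandwidth", {1: 1, 2: 1}),
        "By Total": Policy("bandwidth", {2: 1, 3: 1}),
    }

def route(policies, policy, failover, up, free_bw=None):
    """Try the filter's routing policy, then its fail-over policy."""
    for label in (policy, failover):
        if label is not None:
            wan = policies[label].pick(up, free_bw or {})
            if wan is not None:
                return wan
    return None  # no usable link: the connection cannot be established

def failover_adds_no_link(policies, policy, failover):
    """Config check: True when fail-over uses only links the policy already uses."""
    return set(policies[failover].weights) <= set(policies[policy].weights)

if __name__ == "__main__":
    p = make_policies()
    print([route(p, "Round-Robin 1:2:3", None, {1, 2, 3}) for _ in range(6)])
    print(route(p, "WAN3", "WAN3", up={1, 2}))                  # filter 6, WAN #3 down
    print(route(p, "By Downstream", "By Total", {3}, {3: 40}))  # filter 7, WAN #1/#2 down
```
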

See also
  • WAN Link Health Detection
  • Configuring your WAN
  • Load Balancing & Fault Tolerance
  • Busyhour Settings
  • Using the web UI

About Mike

Michael Pruett, CISSP has a wide range of cyber-security and network engineering expertise. The plethora of vendors that resell hardware but have zero engineering knowledge resulting in the wrong hardware or configuration being deployed is a major pet peeve of Michael's. This site was started in an effort to spread information while providing the option of quality consulting services at a much lower price than Fortinet Professional Services. Owns PacketLlama.Com (Fortinet Hardware Sales) and Office Of The CISO, LLC (Cybersecurity consulting firm).

One thought on “FortiWAN Outbound Load Balancing and Failover (Auto Routing)”

  1. John

    Hi,
    Can FortiWAN control incoming traffic to route into a different static IP instead of using the IP configured in the WAN interface? I have an IPsec VPN that uses 10.2.2.1 as gateway (mapped to the WAN IP in the firewall interface). Outgoing VPN traffic used 10.2.2.1 but incoming will come through 10.2.2.4. Does FortiWAN have a feature to force incoming VPN traffic to come in through 10.2.2.1?
