FortiGate WAN Load Balancing

31/3/2016
FortiGateWANLoadBalancingnullhaus
Networking&Security
HOME
ARCHIVES
@NULLHAUS
FortiGate WAN Load Balancing

February14,2014byDrew 10Comments
FortinetgotalotrightwithitsFortiGateproductlineandloadbalancingisnoexception.Theyvemadeit
easyforadministratorswithmodestnetworkstoeasilyaccomplishnetworkredundancyandloadbalancing.
Whileloadbalancingcanbeusedforvariousapplications,itscommonlyusedforloadbalancingbetween
twoISPsandthisisthesubjectwellbecoveringtoday.
TheconfigurationdetailedhereinwascompletedonaFortiGate100DwithFortiOS5.
Topology
Thetopologywellbeusingisprettystraightforward.AsingleFortiGatefirewallseparatinganinternalhost
fromtwoloadbalancedISPs.Notablyyoulikelywontbeassignedsimilaraddressingbybothyour
providers,thisismerelyforsimplicitysake.
http://nullhaus.com/2014/02/fortigatewanloadbalancing/
1/14
31/3/2016
WAN
Ourfirststopwillbetoconfigureourwaninterfaces.TheFortiGateunithastwodesignatedinterfaces
markedaswan1andwan2whichwelluseforconnectivitytoourISPs.Letsconfigureourfirstinternet
connectiononwan1.
IntheSystempane,opentheNetworkandthenInterfacesmenuitems.
InsidetheInterfacesdialogwellseetheaddressingassignedtoeachoftheFortiGatesinterfaces.Lets
doubleclickonthewan1interfacetohavealookatthesettings.
Inthewan1settingswellusetheIPof10.10.10.10andnetworkmask255.255.255.0.Youshouldbeable
2/14
31/3/2016
toleavetherestasis.ClickOK.
Nowletsdothesameforthewan2connectionandthistimewiththeaddressof10.20.10.10.
Ensureyourwan1andwan2interfacesareproperlycabledintotheappropriateinternetconnections.Once
thatsdonenavigatetoSystem,Dashboardwherewecanverifythattheconnectionstoourgatewaysare
upandfunctioning.
3/14
31/3/2016
Policies
Withourwaninterfacesonlineweneedtohavepoliciesinplaceallowingthetraffictoflowthroughthem.
IntheleftpaneexpandPolicyanddrilldownintothePolicy,Policymembers.Inhereyoullseethe
existingpoliciesattachedthedeviceinterfaces.
Expandingtheinternalwan1policygroupyoullseeanexistingpolicy.Doubleclicktheexistingrule.
4/14
31/3/2016
OpeningtheruleweseeadefinitionallowingallinternaltraffictoNAToutthewan1interface.
Closetherule.NowclickCreateNewtodefineanewruleforourwan2interface.
5/14
31/3/2016
WelldefinetheruleidenticaltothepreviouswiththeexceptionthattheOutgoinginterfacewillbewan2.
Savethesettingsandconfirmthatwehaveapolicyforbothinternaltowan1andinternaltowan2.
6/14
31/3/2016
ECMP Routing
Nowthatourinterfacesandpoliciesareinplace,itstimetoturnourattentiontoloadbalancing.Theload
balancinginthiscasetakestheformofEqualCostMultiPathrouting(ECMP).ECMPisarouting
methodologythatallowsmultiplepathsofthesamecosttoasingledestination.WellbeusingECMPto
distributetrafficacrosstwoexternalinterfaces,therebybalancingtheload.FortiOSallowsthreedifferent
waystoconfigureECMP:
SourceIPbasedFortiOSbalancesthesessionsbasedonthesourceIP.
WeightedLoadBalanceTrafficisloadbalancedbetweenroutesbasedontheweightassignedto
eachinterface.
SpilloverTrafficisdistributedbetweenECMProutesbasedontheutilizationoftheinterface.
ThereisonecaveatwhenitcomestoweightedandspilloverloadbalancingonForiOSinvolvingcached
routes.Toexplainthis,letsconsideratimelyexamplesuchastheOlympics.Withamajoreventsuchas
this,everyoneistunedinandmorethanafewemployeesareprobablystreamingalivevideofeedattheir
desk.Duetogeographytheresagoodchancethatmanyoftheseusersarehittingthesamestreamingnode.
WhenFortiOScreatesanewsessiontoanewdestinationIP,itcreatesaroutecache.Ifanothersessionis
createdfromanothersourceforthesamedestinationIP,theFortiGatewillusetheexistingroutestoredin
theroutecache.Ifouremployeesarewatchingthesamestream,andassumingitscomingfromthesame
node,thetrafficwillignoretherulesofweightedorspilloverroutingandusethesingleinterface.
Letsnowtakealookatthesethreemethodsinmoredetail.
Source IP based
7/14
31/3/2016
WellstartfromthetopwithSourceIPbased,whichassignswaninterfacesbasedonthesourceIP.Oncean
internalhostmakesaconnectionacrossthewaninterface,allsubsequentsessionswilltraversethesame
waninterface.ThisisthedefaultECMPmethodandthesimplist.
UndertheRoutermenudrilldownintoStatic,Settings.SelectSourceIPbased.
AfterchoosingourECMPmethod,weneedtosetupDeadGatewayDetection.ThisgivestheFortiGatethe
abilitytoknowwhenoneoftheroutesisdown.
UndertheDeadGatewayDetectionsection,clickonCreateNew.Forwan1wellcreateanICMPPing
detectionagainst10.10.10.1effectivelysaying,ifthenexthopisdowntherouteisconsideredunusable.
WellsetthePingIntervalandFailoverThresholdto5.Thismeansthatevery5secondsthegatewaywill
bechecked,ifthecheckfails5timestheroutewillbetreatedasoffline.Inmostcasesyoudbeusingthe
nexthopforverificationofdeadgateways,butthereisnothingtosaythepingservercouldntbearemote
server.
Wethencreateaseconddeadgatewaydetectorforoursecondaryexternallink.
8/14
31/3/2016
Nowthatwehaveallthepiecesinplace,letstakealookatloadbalancinginaction.NavigatetoPolicy,
Policy,Policy.RightclickontheheaderandselectCountfromthedropdownmenu.
Inthepolicyviewyoullnowseethepacketcountoneachoftheinterfaces.
9/14
31/3/2016
Youshouldseethecountonthewan1andwan2interfacesincreasing.Yourmileagemyvary.Aswechose
sourcebasedrouting,theamountoftrafficoneachwanconnectionwillbedependentontheexternal
interfaceassignedtoeachinternalhost.
Weighted Load Balance

Forthesecondoption,WeightedLoadBalance,FortiOSroutessessionstakingintoaccounttheweight
assignedtoeachinterface.Whenanewsessioniscreatedtoanewdestination(remembertheearlier
caveat),theFortiGatewillgeneratearandomnumber.Basedupontherandomnumber,weightedwiththe
valueassignedtotheinterfaces,oneofthewaninterfacesischosenastherouteforthatsession.Thismakes
itsothatamoreheavilyweightedinterfaceismorelikelytobechosen.
NavigatebacktotheRoutermenu,thendownintoStaticandSettings.FromhereselectWeightedLoad
Balancing.Youwillnoticeanewtablethatallowsyoutoassignweightstoeachoftheinterfaces.When
interfacesaregivenequalweight,thenFortiOSwilldistributetrafficequallyamongthoseinterfaces.
Spillover
10/14
31/3/2016
Spillover
FinallywhenusingSpilloverandnewsessioniscreatedtoanewdestination,FortiOSwillselectthefirst
interfacewheretheutilizationislowerthanthespecifiedlimit.Asthenamesuggestsyoucanconsiderthe
analogyofcontainerswithafinitecapacity.Ourfirstcontainerwillbefilleduntilitreachesitscapacity,any
additionalsessionswillbespilledovertothenextcontaineruntilthatcontainerisfilled,andsoon.Ifthe
contentsoffirstcontainerdropbelowcapacity,allnewsessionswillonceagainbepouredintothefirst
container.
WhenselectingtheSpilloveroption,youwillseeanewtablewhereyoucanpopulatedesiredthresholds.
FortiOSacceptstherangeof02097000KBpsforspilloverthresholds.Ifthethresholdonaninterfaceis
leftat0,nosessionswillbesenttolowernumberedinterfaces.
ThisconcludestheconfigurationofwanloadbalancingunderFortiOS.Hopefullythishasprovidedyou
enoughbackgroundonthevariousEqualCostMultiPathroutingoptionsavailabletomakeaninformed
decisionforloadbalacingyourISPconnections.
FiledUnder:Network
TaggedWith:ECMP,FortiGate,Fortinet,FortiOS5,Loadbalancing,Routing,WAN
10Comments
nullhaus
Login
11/14
31/3/2016
10Comments
nullhaus
Recommend
Share
Login
SortbyBest
Jointhediscussion
mrmack amonthago
Ihavemadealltheconfigurations,(itworkedonapreviousfirewalltoo).Buteverytimei
connectasecondWan,theWan1GoesDown.Doesanybodyhadthisproblembefore?
Reply Share
Ray ayearago
HiDrew,
Thanksforthetutorial.Ifweuseproxyserverforwebbrowsing,i.e.onlyonesourceIPfor
interfacetraffic.Andwewouldliketoloadsharebothinternetlink.WhatECMPmethod
shouldbeused?Fortigatevideodemonstrationusespilloverwithvalue5onbothlink,butno
resultisshown.Thanks.
Reply Share
Kevin ayearago
HiDrew,
Thanksforthetutorial.IhaveaFortiGate60Dwithv.5(build0929).Willibeabletoconfigure
WANLoadBalancingonit?Inoticethatmy60DdoesnothaveaRoutermenu.Thanks.
Reply Share
tounch>Kevin ayearago
The"router"menuisnomoreprsentinv5.
YoucanuseSystem>Network>Routinginplaceof.
Reply Share
DrewMcBeard
Mod >tounch
ayearago
Exactlyright.TheGUIdiffersslightlydependingonthemodelyou'reusing.If
desiredyoushouldbeabletoaccessthestandardGUIbyissuingthefollowing
change:
configsystemglobal
setguilitedisable
end
Reply Share
fercho ayearago
But,howwouldbethenetworkflowatthetimewhenbothISPwererunningnormally?Imean,
oncethatisconfiguredthatway,shouldIneedtocreatearoutetouseoneofbothISPas
12/14
31/3/2016
oncethatisconfiguredthatway,shouldIneedtocreatearoutetouseoneofbothISPas
defaultandtheotheronekeepsasalternateone?Or,bothareactiveactiveandthefortigate
chooseswhichonetousedependingtheutilizationofeachISP?
Reply Share
DrewMcBeard
Mod >fercho
ayearago
WithDeadGatewayDetection,theFortiGatewillknowthestatusofbothWAN
interfacesandwhethertheyareacceptingtraffic.WhenbothISPsarerunning,the
trafficwillflowaccordingtotheECMPmethodyou'vechosen(SourceIP,Weightedor
Spillover).Aslongasthat'sconfiguredappropriatelythenyoujustneedtosetthe
FortiGate'sinternaladdressasyourgateway.Noneedforyoumanageroutestothe
individualISPs.
Reply Share
Enkel ayearago
hi,verygoodexplanation.Canweusemorethanoneoptionatsametime?
Reply Share
DrewMcBeard
Mod >Enkel
ayearago
ConcerningECMP,youcanonlypickasingleloadbalancing
methodpervirtualdomain.OrganizationswithmultipleISPsusuallyhaveone
higherperformingconnection,withasecondaryinplaceasbackup.Incases
suchasthis,Spilloveristheobviouschoice.
Reply Share
ABOUT
Nullhausisahumbletechnicaljournalcoveringnetworking
andsecurity.Thegoalistoprovidefreshperspectiveon
establishedsubjectsandinsightintonewtechnologies.
SEARCH
Search this website
TAGS
13/14
31/3/2016
ACL
ASACaptureCiscoCisco1800DeepPacketInspection
DenyHosts DMZ DPI ECMP
FirewallFortiGateFortinet
FortiOS5FreeBSDHPHPMSMHPNetworkingIOS12.4
IPsec Loadbalancing Monitoring Nagios
PA3050 Packet
NATNSClient++OpenSSHOSI
PaloAltoPowershellPrivacyProCurve
RoutingSecurityPolicySlackwareTCP/IPTrafficshaping
Virtualrouter Virtualwire VPN VRRP WAN
WirelessWireshark
CATEGORIES
Monitor
Network
OpenSource
Security
Copyright20132016nullhausAllrightsreserved
14/14

FortiGate WAN Load Balancing - Nullhaus

Încărcat de

Informații document

Titlu original

Drepturi de autor

Formate disponibile

Partajați acest document

Partajați sau inserați document

Opțiuni de partajare

Vi se pare util acest document?

Este necorespunzător acest conținut?

Drepturi de autor:

Formate disponibile

FortiGate WAN Load Balancing - Nullhaus

Încărcat de

Drepturi de autor:

Formate disponibile

31/3/2016

Weighted Load Balance

Search this website

DenyHosts DMZ DPI ECMP

S-ar putea să vă placă și