Creating redundant network interfaces with os 3.0

About redundant interfaces

You can combine two or more physical interfaces to provide link redundancy, to ensure that Internet services remain active if one physical interface fails.

You can set up this feature on any FortiGate unit that has two spare interfaces.

For example, if you have two Internet services connected to a FortiGate unit, T1 on Wan 1 and DSL on Wan 2, you can configure Wan 2 to take over Internet traffic if Wan 1 fails.

FortiGate firmware on models 800 and higher implements redundant interfaces, and the procedure to create redundant interfaces is different from models up to 500. See the procedure for models 800 and above.

Creating redundant interfaces in models up to 500

Creating redundant interfaces includes these steps:

• Creating new static routes
• Configuring a ping server on each interface
• Setting route preferences
• Creating a firewall policy

Creating new static routes

The redundant interfaces will use these static routes.

The distance value specifies the priority of every route going to the same destination. The route with the lower distance is added to the route table and used first. The second route will not be used until the first route fails. Thus, the route using the primary interface must have a lower distance value, so that it will be used instead of the route using the secondary interface.

To create new static routes

1. Go to Router > Static.
2. Select Create New.
3. Enter the destination IP for the primary route.
4. Select the interface for the primary route.
5. Set a distance of 10.
6. select OK.
7. Enter the same destination IP for the secondary route.
8. Select the device for the secondary route.
9. Set a distance of 11.
10. Go to Router > Monitor to confirm the new routes.

Configuring a ping server

The FortiGate unit tests the connection through an interface by sending a ping to a reliable server. If the connection is active, the server will send a ping back to the FortiGate unit. If a ping test repeatedly fails, the FortiGate unit considers that connection to have failed, and will select an alternate connection. You can set the interval between pings and the number of times the ping test can fail before a connection is considered failed in Network Options.

To test a connection, a ping must be sent to a reliable server, usually a DNS server. The local gateway or a common website are not reliable enough to confirm a connection.

To configure a ping server

1. Go to System > Network > Interface.
2. Select the Edit icon for the devices using the two new static routes.
3. Enter an IP address for Ping Server.
4. Select Enable for Ping Server.

Verifying and setting the route preference

You can set up multiple routes to a destination in the network. The FortiGate unit uses the best route for each destination, specified by the lowest priority value.

To verify the route preference

1. Open the Command Line Interface (CLI).
2. Log in to the FortiGate unit.
3. To verify the route preferences, enter the following:
   
   

   config router static
      show

The main route should have a lower priority value than the secondary route. If this is not the case, you can set priority values manually.

To set the route preference in the CLI, enter the following:

  config router static
     edit 2
         set device <secondary device>
         set gateway <secondary IP>
      next
      edit 2
         set device <primary device>
         set gateway <primary IP>
   end

Creating a firewall policy

You must define a firewall policy for the new route from your primary device to the secondary device to function.

To create a firewall policy

1. Go to Firewall > Policy.
2. Select Create New
3. Select the primary interface for Source
4. Select the secondary interface for Destination.
5. Select the IP address of the primary interface for Source.
6. Select the IP address of the secondary interface for Destination.
7. Leave other options at the default settings.
8. Select OK.

In models 800 and above, adding redundant interfaces is a one step process. The FortiGate firmware implements redundant interfaces.

To create redundant interfaces

1. Go to System > Network > Interface.
2. Select Create New
3. Enter a name for the redundant interface.
   The interface name must not be the same as any other interface, zone or VDOM.
4. Select Redundant Interface for Type.
5. Select an interface included in the redundant interface from Available Interfaces.
6. Select the right arrow button to move the interface to the Selected Interface list.
7. Repeat the selection procedure for all interfaces you want to include in the redundant interface.
8. Enter the destination IP for the redundant interfaces in IP/Netmask.
9. Enter an IP address for Ping Server.
10. Select Enable for Ping Server.
11. Configure other interface options as required.
12. Select OK.