Advanced concepts

This chapter provides configuration concepts and techniques to enhance your network security. It includes the following topics:

  • Dual internet connections (redundant Internet connections)
  • Single firewall vs. multiple virtual domains
  • Modem
  • FortiExtender
  • DHCP servers and relays
  • Assigning IP address by MAC address
  • DNS services
  • Dynamic DNS
  • FortiClient discovery and registration
  • IP addresses for self-originated traffic
  • Administration for schools
  • Replacement messages list
  • Disk
  • CLI Scripts
  • Rejecting PING requests
  • Opening TCP 113
  • Obfuscate HTTP responses


Dual Internet connections (redundant Internet connections)

Dual Internet connection, dual WAN, or redundant Internet connection refers to using two FortiGate interfaces to connect to the Internet. Dual Internet connections can be used in three ways:


  • Redundant interfaces: should one interface go down, the second automatically becomes the main Internet connection.
  • Load sharing, to use both links at once for better throughput.
  • A combination of redundancy and load sharing.


Redundant interfaces

Redundant interfaces ensure that, should your Internet access no longer be available through one port, the FortiGate unit uses an alternate port to connect to the Internet.


Configuring redundant interfaces

In this scenario, two interfaces, WAN1 and WAN2, are connected to the Internet through two different ISPs. WAN1 is the primary connection. In the event of a failure of WAN1, WAN2 automatically becomes the connection to the Internet. For this configuration to function correctly, you need to configure three specific settings:

  • Configure a link health monitor to determine when the primary interface (WAN1) is down and when the connection returns
  • Configure a default route for each interface.
  • Configure security policies to allow traffic through each interface to the internal network.


Link Health Monitor

Adding a link health monitor is required for routing failover traffic. A link health monitor confirms connectivity through the device's interface by sending probes to a server beyond it; when the probes fail, the monitor withdraws the static routes that use that interface so that the backup route can take over.


To add a link health monitor

config system link-monitor
    edit "Example1"
        set srcintf <interface_sending_probe>
        set server <ISP_IP_address>
        set protocol <ping | http>
        set gateway-ip <gateway_IP_to_reach_the_server_if_required>
        set failtime <failure_count>
        set interval <seconds>
        set update-cascade-interface enable
        set update-static-route enable
        set status enable
    next
end





You need to configure a default route for each interface and indicate which route is preferred by specifying the distance. The route with the lower distance is declared active and placed higher in the routing table.

When you have dual WAN interfaces configured to provide failover, you might not be able to connect to the backup WAN interface, because the FortiGate unit may not route traffic (even responses) out of the backup interface. The FortiGate unit performs a reverse path lookup to prevent spoofed traffic: if no entry can be found in the routing table that would send the return traffic out the interface the packet arrived on, the incoming traffic is dropped. If you need to reach the FortiGate through WAN2 while WAN1 is up, give both default routes the same distance and prefer WAN1 with the priority setting instead, so that the WAN2 route stays in the routing table and passes the reverse path check.


To configure the routing of the two interfaces – web-based manager

1. Go to Router > Static > Static Routes and select Create New Route or IPv6 Route. On low-end FortiGate units, go to System > Network > Routing and select Create New Route or IPv6 Route.

2. Set the Destination IP/Mask to 0.0.0.0/0.0.0.0 for an IPv4 route, or to ::/0 for an IPv6 route (the default route).

3. Set Device to the primary connection, WAN1.

4. Enter the Gateway address.

5. Select Advanced.

6. Set the Distance to 10.

7. Select OK.

8. Repeat steps 1 through 7 setting the Device to WAN2 and a Distance of 20.


To configure the IPv4 routing of the two interfaces – CLI

config router static
    edit 0
        set dst 0.0.0.0 0.0.0.0
        set device WAN1
        set gateway <gateway_address>
        set distance 10
    next
    edit 0
        set dst 0.0.0.0 0.0.0.0
        set device WAN2
        set gateway <gateway_address>
        set distance 20
    next
end



To configure the IPv6 routing of the two interfaces – CLI

config router static6
    edit 0
        set dst ::/0
        set device WAN1
        set gateway <gateway_address>
        set distance 10
    next
    edit 0
        set dst ::/0
        set device WAN2
        set gateway <gateway_address>
        set distance 20
    next
end



Security policies

When creating security policies, you need to configure duplicate policies, one per WAN interface, so that after traffic fails over from WAN1, regular traffic is still allowed to pass through WAN2 as it did through WAN1. A route pointing at WAN2 is not enough on its own: a session that matches no policy on the WAN2 interface is dropped at the policy lookup. Duplicate policies ensure that failover occurs with minimal effect on users. For more information on creating security policies, see the Firewall Guide.
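The three pieces of the redundant-interface procedure above (link health monitor, two default routes, duplicate policies) as one complete configuration. This is an added worked example, not configuration from the FortiOS handbook; the interface names wan1, wan2 and internal, the ISP gateways 203.0.113.1 and 198.51.100.1, and the probe target 192.0.2.53 are assumptions (TEST-NET addresses) standing in for your own values.

```fortios
# Added worked example (not from the FortiOS handbook): a complete dual-WAN
# failover configuration. Interface names, ISP gateways and the probe target
# are assumptions (TEST-NET addresses) chosen for illustration.

# 1. Link health monitor on wan1. The probe is sent past the ISP gateway to an
#    upstream host (assumed: the ISP's resolver at 192.0.2.53), so an ISP whose
#    gateway still answers but whose upstream is dead is detected as well.
#    update-static-route withdraws the wan1 static routes when the probes
#    fail, which is what lets the distance-20 route through wan2 become active.
config system link-monitor
    edit "wan1-monitor"
        set srcintf "wan1"
        set server "192.0.2.53"
        set protocol ping
        set gateway-ip 203.0.113.1
        set interval 5
        set failtime 5
        set recoverytime 5
        set update-cascade-interface enable
        set update-static-route enable
        set status enable
    next
end

# 2. Two default routes. wan1 wins with distance 10; the wan2 route is held
#    in the routing database and installed only when the wan1 route is
#    withdrawn (link down, or the link monitor above declares failure).
config router static
    edit 0
        set dst 0.0.0.0 0.0.0.0
        set device "wan1"
        set gateway 203.0.113.1
        set distance 10
    next
    edit 0
        set dst 0.0.0.0 0.0.0.0
        set device "wan2"
        set gateway 198.51.100.1
        set distance 20
    next
end

# 3. Duplicate security policies, one per WAN interface. Without the second
#    policy, traffic that fails over is dropped at the policy lookup even
#    though the routing table now points at wan2.
config firewall policy
    edit 0
        set name "lan-to-wan1"
        set srcintf "internal"
        set dstintf "wan1"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set nat enable
    next
    edit 0
        set name "lan-to-wan2"
        set srcintf "internal"
        set dstintf "wan2"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set nat enable
    next
end
```

With interval 5 and failtime 5 the monitor declares wan1 down after roughly 25 seconds of lost probes; shorten both if your users cannot tolerate that, but keep failtime above 1 so a single dropped ping does not flap the routes. To confirm failover, compare `get router info routing-table all` before and after pulling the wan1 uplink: the default route should move from wan1 to wan2. Existing NAT sessions that were built on wan1 do not migrate on their own; only new sessions use wan2.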


Load sharing

Load sharing enables you to use both connections to the Internet at the same time, but on its own it does not provide failover support. When configuring load sharing, you need to ensure that routing is configured for both external ports; for example, WAN1 and WAN2 must have static routes with the same distance and priority.

Further configuration can be done using Equal Cost Multiple Path (ECMP). For more information on ECMP and load sharing, see the Advanced Routing Guide.


Link redundancy and load sharing

In this scenario, both links are available and Internet traffic is distributed over both. Should one of the interfaces fail, the FortiGate unit continues to send traffic over the other active interface. Configuration is similar to the Redundant interfaces configuration, with the main difference being that the configured routes have equal distance settings.

This means both routes remain active in the routing table. To make one interface the preferred interface, use a default policy route to indicate the interface that is preferred for accessing the Internet. If traffic matches a policy route, the policy route overrides all entries in the routing table, including connected routes. You may need to add more specific policy routes that override this default policy route.

To redirect traffic over the secondary interface, create policy routes that direct some traffic onto it rather than the primary interface. When adding such a policy route, define only the outgoing interface and leave the gateway blank. A policy route without a gateway is used only while the routing table still holds a route to the destination through that interface, so it stops matching when the link is down and the traffic falls back to the primary interface.
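The load-sharing scenario above as one configuration: equal-cost default routes, the ECMP selection mode, and a gateway-less policy route that steers one subnet onto the secondary link. This is an added worked example, not configuration from the FortiOS handbook; the interface names wan1, wan2 and guest, the guest subnet 10.20.0.0/24, and the ISP gateways 203.0.113.1 and 198.51.100.1 are assumptions. A link health monitor such as the one in the Link Health Monitor section above should still be attached to each WAN interface so that an upstream failure, not just a dead link, withdraws that interface's route.

```fortios
# Added worked example (not from the FortiOS handbook): ECMP load sharing over
# wan1 and wan2 plus a policy route that sends one subnet out wan2. Interface
# names, the guest subnet and the ISP gateways (TEST-NET addresses) are
# assumptions chosen for illustration.

# 1. Equal-cost default routes: same distance AND same priority, so both stay
#    in the routing table and FortiOS distributes sessions across them. Make
#    either value differ and the route with the larger value drops out of the
#    active table, which turns this back into plain failover.
config router static
    edit 0
        set dst 0.0.0.0 0.0.0.0
        set device "wan1"
        set gateway 203.0.113.1
        set distance 10
        set priority 0
    next
    edit 0
        set dst 0.0.0.0 0.0.0.0
        set device "wan2"
        set gateway 198.51.100.1
        set distance 10
        set priority 0
    next
end

# 2. How ECMP picks a path. source-ip-based keeps every internal host pinned
#    to one public address, which avoids breaking sites that tie a login
#    session to the client's source IP; weight-based and usage-based are the
#    alternatives described in the Advanced Routing Guide.
config system settings
    set v4-ecmp-mode source-ip-based
end

# 3. Policy route: guest VLAN traffic always leaves through wan2. Only the
#    output device is set; the gateway is deliberately left empty so the
#    policy route is honoured only while a route via wan2 exists in the
#    routing table. When wan2 is down the policy route no longer matches and
#    guest traffic falls back to the routing table, i.e. wan1.
config router policy
    edit 1
        set input-device "guest"
        set src "10.20.0.0/255.255.255.0"
        set dst "0.0.0.0/0.0.0.0"
        set output-device "wan2"
    next
end
```

Policy routes are evaluated before the routing table, top down, so place more specific policy routes (for example, one that keeps VPN traffic on wan1) above this one. Security policies are still required for both wan1 and wan2 as the destination interface, exactly as in the redundant-interface case; the policy route only chooses the exit interface, it does not grant the traffic.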

This entry was posted in FortiGate, FortiOS, FortiOS 5.4 Handbook.

About Mike

Michael Pruett, CISSP has a wide range of cyber-security and network engineering expertise. The plethora of vendors that resell hardware but have zero engineering knowledge resulting in the wrong hardware or configuration being deployed is a major pet peeve of Michael's. This site was started in an effort to spread information while providing the option of quality consulting services at a much lower price than Fortinet Professional Services. Owns PacketLlama.Com (Fortinet Hardware Sales) and Office Of The CISO, LLC (Cybersecurity consulting firm).
