FortiWAN Outbound Load Balancing and Failover (Auto Routing)

Outbound Load Balancing and Failover (Auto Routing)

Auto Routing Mechanism

Auto Routing load-balances outbound traffic across multiple WAN links according to pre-defined routing policies. During WAN link failures, Auto Routing also adjusts the routing so that outbound traffic is distributed ONLY among the WAN links that are in working condition, thus avoiding the failed link(s).

The traditional method of backing up WAN links is to have a secondary WAN link take over from the failed link. With a main line and a second line as backup, aided by any standard router's backup policy, a minimum level of fault tolerance can be achieved. This approach leaves certain lines idle most of the time, which is a waste of resources. In addition, the router configuration can be tedious.

Another approach to backing up multiple WAN links is to divide the LAN into multiple segments, each using its own independent WAN link. Under normal conditions, each segment reaches the Internet through its own router. When one of the WAN links fails, the administrator has to change the router configuration to bypass the failed link. The obvious drawback of this approach is the unnecessary workload for administrators: whenever the WAN link status changes, the LAN environment settings (such as gateway, netmask, router policies, proxy settings, etc.) all need to be adjusted.

Fault Tolerance Mechanism

As previously stated, without a WAN load balancer such as FortiWAN, the traditional way of using multiple WAN links always involves human intervention.

FortiWAN has an internal “Virtual Trunk” circuit, which is essentially a combination of the multiple WAN links. Auto Routing is capable of adjusting the “Virtual Trunk” to include only the WAN links that are functioning normally and of directing outbound traffic through the “Virtual Trunk” circuit without human intervention. Network users will therefore not notice any change of status in the WAN links (see “WAN Link Health Detection”).

The figure above illustrates auto routing securing uninterrupted connection to the internet even during WAN link failures. Compared to the traditional multiple WAN link usage, auto routing can effectively use all available WAN links to balance outbound traffic even when all the WAN links are in perfect working condition. Auto routing cannot prevent data loss on a WAN link when it fails, but all subsequent sessions will be automatically routed to other working links.

FortiWAN provides mechanisms to record, notify about and analyze events related to the Auto Routing service; see “Log”, “Statistics: Traffic”, “Statistics: Bandwidth” and “Reports”.

Configurations

Auto Routing configuration allows administrators to determine the way traffic is routed to the WAN links. With multiple WAN links there is a variety of suitable auto-routing methods for any network environment. Auto Routing is configured in two steps: Policies and Filters.

Policy

An Auto Routing policy defines how to dynamically distribute outbound traffic (sessions) over multiple WAN links according to the traffic load of the WAN links, which achieves outbound load balancing. The basic items that define a policy are the load balancing algorithm and the related WAN parameters. By associating an Auto Routing filter rule with a policy, Auto Routing can determine a suitable WAN link among the candidates and route the outgoing sessions that match the filter rule to that WAN link.

Label: Enter a name for the auto routing policy. The label (policy name) will later be listed in the Routing Policy drop-down menu for assigning a policy to a filter.
T: Check to enable the threshold function for the policy.

Administrators can configure the downstream and upstream threshold of each WAN link on the WAN Setting configuration page (see “Configuring your WAN”). A WAN link whose traffic exceeds the threshold values is considered failed by Auto Routing, and traffic is redirected to the other WAN links based on the selected algorithm.

Algorithm: Select a load balancing algorithm from the drop-down menu for this routing policy. The system distributes sessions that match this policy among the WAN links according to the algorithm. The available algorithms are:

- Fixed
- Round-Robin
- By Connection
- By Downstream Traffic
- By Upstream Traffic
- By Total Traffic
- By Optimum Route

See Load Balancing Algorithms for the details.

Parameter: Select, from the WAN parameters, the WAN links among which this routing policy distributes sessions. The numbering scheme indicates the WAN links. According to the algorithm, the system dynamically routes each matched session to one of the participating WAN links. The WAN parameters vary with the chosen algorithm:

- For the algorithms Fixed, By Upstream Traffic, By Downstream Traffic, By Total Traffic and By Optimum Route, check the check-box under a WAN number to apply that WAN link to this policy. Selecting multiple WAN links is allowed, and it implies that traffic is balanced among the selected WAN links. When you create a new policy by clicking the add button, the WAN parameters are checked by default if the corresponding WAN links have been enabled (see Configuring your WAN). Uncheck the check-box of a WAN link to remove it from this routing policy.

- For the algorithms Round-Robin and By Connection, apply a WAN link to this policy by entering its weight (or ratio) in the input box under a WAN number. Selecting multiple WAN links is allowed, and it implies that traffic is balanced among the selected WAN links in proportion to their weights. When you create a new policy by clicking the add button, the weight of each WAN parameter is set to 1 by default if the corresponding WAN link has been enabled (see Configuring your WAN). Change the weight of a WAN link to 0 (zero) to remove it from this routing policy.

Filter

Auto Routing filters are evaluated against outbound sessions (sessions from the LAN and DMZ to the Internet through the FortiWAN). The routing policy and fail-over policy of the matching filter rule are applied to the evaluated sessions. Based on the specified policies, Auto Routing determines which WAN port to use for forwarding the packets of the sessions. A filter rule consists of a set of filter terms (When, Input Port, Source, Destination and Service) and the related policies (Routing policy and Fail-over policy) to apply.

E: Check to enable the rule.
When: Select a time period during which this filter term evaluates outbound sessions by their receiving time, or leave it as All-Time. See Busyhour Settings for details.
Input Port: Select the interface on which packets are received for this filter term to evaluate the outbound sessions, or leave it as Any Port. See Using the web UI for details.
Source: Define the source the packets come from for this filter term to evaluate the outbound sessions, or leave it as Any Address. See Using the web UI for details.
Destination: Define the destination the packets are destined to for this filter term to evaluate the outbound sessions, or leave it as WAN. See Using the web UI for details.
Service: Define the service the packets belong to for this filter term to evaluate the outbound sessions, or leave it as Any. See Using the web UI for details.

Routing Policy: Specify a routing policy for sessions that match this filter rule, or leave it as Default Policy. A matched session is dynamically routed to a WAN link according to the policy. All the predefined routing policies are listed here as options.
Fail-over Policy: Once all the WAN links defined in a routing policy have failed, the fail-over policy takes effect. The fail-over policy can be one of the following options:

Predefined routing policy – Select another predefined routing policy as fail-over policy. The backup routing policy takes over to determine a WAN link for this session if the original routing policy fails.

Tunnel: TUNNEL_GROUP_NAME – This option is available only when Tunnel Routing is enabled. Select a predefined tunnel group as the fail-over policy. Once the fail-over policy takes over the original routing policy, packets of the session will be delivered to the remote FortiWAN device through Tunnel Routing. With defining appropriate Auto Routing policy and filter rule on the remote FortiWAN, packets of the session can be transferred through a WAN link of the remote FortiWAN. See Tunnel Routing for details.

NEXT-MATCH – When NEXT-MATCH takes over from the original routing policy, the system continues evaluating the subsequent filter rules against the session and moves on to the policy of the next rule the packets match. At the very least, the session matches the default filter rule and goes to the default policy.

NO-ACTION – Take no action when the original routing policy fails; packets of the session will be dropped.

L: Check to enable logging. Whenever the rule is matched, the system records the event to the log file.

Example 1

The auto routing policies to be established are:

  1. Always route connections through WAN#1, which is an ADSL WAN link with 512k downstream/512k upstream.
  2. Always route connections through WAN#2, which is an ADSL WAN link with 1.5M downstream/384k upstream.
  3. Route connections with the algorithm “Optimum Route”.
  4. Route connections based on the current downstream traffic of the WAN links.
  5. Route connections based on the total traffic of each WAN link.

The policy table will look like:

Label               Algorithm               Parameter
WAN1 (512/512)      Fixed                   Check WAN#1
WAN2 (1536/384)     Fixed                   Check WAN#2
By Optimum Route    By Optimum Route        Check both WAN#1 and WAN#2
By Downstream       By Downstream Traffic   Check both WAN#1 and WAN#2
By Total            By Total Traffic        Check both WAN#1 and WAN#2

Note: Labeling the policies alone does not mean the policy has been set up. Configuring WAN link bandwidth must be done under [System] -> [Network Settings].

Filters are then defined for the following cases:

  1. When LAN users access web server on the internet, use policy “By Optimum Route” to route connections to the best-conditioned link.
  2. When LAN users access the FTP server on the internet, use policy “WAN1(512/512)” to route connections. If WAN#1 fails, the connections will be routed “By Optimum Route”. Note: In this case, “By Optimum Route” will only route connections through WAN#2 as WAN #1 has failed.
  3. The connections from 211.21.48.195 in DMZ to SMTP server on the internet will be routed by policy “WAN1 (512/512)”. If WAN#1 fails, it will be routed by “WAN2 (1536/384)”.
  4. The connections from 211.21.48.195 in DMZ to POP3 server on the internet will be routed by “WAN1 (512/512)”. If WAN#1 fails, no action will be taken. Note: When WAN #1 fails, connection to the external POP server will also fail.
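As an added example (not FortiWAN code or part of the original guide), the following Python model walks a session through the filter rules and policies described above, using the SMTP and POP3 rules of Example 1: the routing policy is tried first, then the fail-over policy (another policy, NEXT-MATCH or NO-ACTION), and the T threshold turns an overloaded link into a failed one. The link states and loads, the catch-all default rule and the reading of By Total Traffic as "least combined load" are assumptions of the model.

```python
from collections import namedtuple

# Link state: health-check result plus current load and the thresholds set under WAN Setting
WanLink = namedtuple("WanLink", "up down_kbps up_kbps down_thr up_thr", defaults=(0, 0, 0, 0))
# algorithm: "Fixed" or "By Total Traffic"; params: WAN number -> checked; threshold: the T box
Policy = namedtuple("Policy", "algorithm params threshold", defaults=(False,))
# service/source None = Any; failover: a policy label, "NEXT-MATCH" or "NO-ACTION"
Filter = namedtuple("Filter", "service source routing failover")

def link_usable(link, threshold_on):
    """A down link is excluded; with T checked, a link over threshold counts as failed too."""
    over = (link.down_thr and link.down_kbps > link.down_thr) or \
           (link.up_thr and link.up_kbps > link.up_thr)
    return link.up and not (threshold_on and over)

def choose_link(policy, links):
    """Return the WAN number the policy selects, or None when every candidate has failed."""
    cands = [n for n, on in policy.params.items() if on and link_usable(links[n], policy.threshold)]
    if not cands:
        return None
    if policy.algorithm == "Fixed":
        return cands[0]
    if policy.algorithm == "By Total Traffic":  # modelled as least down+up load (assumption)
        return min(cands, key=lambda n: links[n].down_kbps + links[n].up_kbps)
    raise ValueError(policy.algorithm)

def route_session(session, filters, policies, links):
    """Evaluate filter rules in order; when the routing policy fails, apply the fail-over."""
    for f in filters:
        if f.service not in (None, session["service"]) or f.source not in (None, session["src"]):
            continue
        link = choose_link(policies[f.routing], links)
        if link is not None or f.failover == "NO-ACTION":
            return link                     # NO-ACTION yields None: the session is dropped
        if f.failover != "NEXT-MATCH":
            return choose_link(policies[f.failover], links)
        # NEXT-MATCH: keep evaluating the subsequent rules
    return None

# Constructed configuration following Example 1 (items 3 and 4) plus a catch-all default rule
POLICIES = {
    "WAN1 (512/512)": Policy("Fixed", {1: True}),
    "WAN2 (1536/384)": Policy("Fixed", {2: True}),
    "By Total": Policy("By Total Traffic", {1: True, 2: True}, threshold=True),
}
FILTERS = [
    Filter("SMTP", "211.21.48.195", "WAN1 (512/512)", "WAN2 (1536/384)"),
    Filter("POP3", "211.21.48.195", "WAN1 (512/512)", "NO-ACTION"),
    Filter(None, None, "By Total", "NO-ACTION"),  # stands in for the default filter rule
]
```

With WAN#1 down, `route_session` sends the DMZ host's SMTP session to WAN#2 and returns None for its POP3 session, matching the behaviour Example 1 describes.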



This entry was posted in Administration Guides, FortiWAN.

About Mike

Michael Pruett, CISSP has a wide range of cyber-security and network engineering expertise. The plethora of vendors that resell hardware but have zero engineering knowledge resulting in the wrong hardware or configuration being deployed is a major pet peeve of Michael's. This site was started in an effort to spread information while providing the option of quality consulting services at a much lower price than Fortinet Professional Services. Owns PacketLlama.Com (Fortinet Hardware Sales) and Office Of The CISO, LLC (Cybersecurity consulting firm).

One thought on “FortiWAN Outbound Load Balancing and Failover (Auto Routing)”

  1. John

    Hi,
    Can FortiWAN control incoming traffic to route it to a different static IP instead of using the IP configured on the WAN interface? I have an IPSEC VPN using 10.2.2.1 as the gateway (mapped to the WAN IP on the firewall interface). Outgoing VPN traffic uses 10.2.2.1 but incoming traffic comes through 10.2.2.4. Does FortiWAN have a feature to force incoming VPN traffic to come in through 10.2.2.1?
