Creating redundant network interfaces with os 2.8

About redundant interfaces

You can combine two or more physical interfaces to provide link redundancy, to ensure that Internet services remain active if one physical interface fails.

You can set up this feature on any FortiGate unit that has two spare interfaces.

For example, if you have two Internet services connected to a FortiGate unit, T1 on Wan 1 and DSL on Wan 2, you can configure Wan 2 to take over Internet traffic if Wan 1 fails.

Creating redundant interfaces

Creating redundant interfaces includes these steps:

  • Creating new static routes
  • Configuring a ping server on each interface
  • Setting route preferences
  • Creating a firewall policy

Creating new static routes

The redundant interfaces will use these static routes.

The distance value specifies the priority of every route going to the same destination. The route with the lower distance is added to the route table and used first. The second route will not be used until the first route fails. Thus, the route using the primary interface must have a lower distance value, so that it will be used instead of the route using the secondary interface.

To create new static routes

  1. Go to Router > Static.
  2. Select Create New.
  3. Enter the destination IP for the primary route.
  4. Select the device for the primary route.
  5. Set a distance of 10.
  6. Select OK.
  7. Enter the same destination IP for the secondary route.
  8. Select the device for the secondary route.
  9. Set a distance of 11.
  10. Go to Router > Monitor to confirm the new routes.

Configuring a ping server

The FortiGate unit tests the connection through an interface by sending a ping to a reliable server. If the connection is active, the server will send a ping back to the FortiGate unit. If a ping test repeatedly fails, the FortiGate unit considers that connection to have failed, and will select an alternate connection. You can set the interval between pings and the number of times the ping test can fail before a connection is considered failed in Network Options.

To test a connection, a ping must be sent to a reliable server, usually a DNS server. Neither the local gateway nor a common website is reliable enough to confirm a connection.

To configure a ping server

  1. Go to System > Network > Interface.
  2. Select the Edit icon for the devices using the two new static routes.
  3. Enter an IP address for Ping Server.
  4. Select Enable for Ping Server.
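The following Python model is an added example, not FortiGate code or part of the original page. It shows how the distance values (10 and 11) and the ping test interact during failover. The device names wan1/wan2, the default-route destination, the failure threshold of 3, and fail-back on the first successful ping are assumptions made for illustration.

```python
from dataclasses import dataclass

@dataclass
class Route:
    dest: str
    device: str
    distance: int

class PingMonitor:
    """Counts consecutive failed ping tests for one interface."""
    def __init__(self, fail_threshold):
        self.fail_threshold = fail_threshold
        self.failures = 0

    def record(self, reply_received):
        # Any reply resets the counter; only repeated misses mark the link failed.
        self.failures = 0 if reply_received else self.failures + 1

    @property
    def link_failed(self):
        return self.failures >= self.fail_threshold

def active_route(routes, monitors, dest):
    """Lowest-distance route to dest whose interface has not failed its ping test."""
    usable = [r for r in routes
              if r.dest == dest and not monitors[r.device].link_failed]
    return min(usable, key=lambda r: r.distance, default=None)

def simulate(wan1_replies, fail_threshold=3):
    """Return the device carrying traffic after each ping interval."""
    dest = "0.0.0.0/0"  # assumed destination; the page only says "destination IP"
    routes = [Route(dest, "wan1", 10), Route(dest, "wan2", 11)]
    monitors = {d: PingMonitor(fail_threshold) for d in ("wan1", "wan2")}
    timeline = []
    for reply in wan1_replies:
        monitors["wan1"].record(reply)
        monitors["wan2"].record(True)  # constructed: wan2's ping server always answers
        route = active_route(routes, monitors, dest)
        timeline.append(route.device if route else None)
    return timeline

if __name__ == "__main__":
    # Constructed sample: one isolated miss, then three misses in a row, then recovery.
    print(simulate([True, False, True, False, False, False, True]))
```

In this model an isolated lost ping does not move traffic; only the third consecutive miss switches to the distance-11 route.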

Verifying and setting the route preference

You can set up multiple routes to a destination in the network. The FortiGate unit uses the best route for each destination, specified by the lowest priority value.

To verify the route preference

  1. Open the Command Line Interface (CLI).
  2. Log in to the FortiGate unit.
  3. To verify the route preferences, enter the following:

    config router static
       show

The main route should have a lower priority value than the secondary route. If this is not the case, you can set priority values manually.

To set the route preference in the CLI, enter the following. The number after edit is the sequence number of the static route as listed by show:

    config router static
       edit 2
          set device <secondary device>
          set gateway <secondary IP>
       next
       edit 1
          set device <primary device>
          set gateway <primary IP>
       next
    end

Creating a firewall policy

For the new route to function, you must define a firewall policy from your primary device to the secondary device.

To create a firewall policy

  1. Go to Firewall > Policy.
  2. Select Create New.
  3. Select the primary interface for Source.
  4. Select the secondary interface for Destination.
  5. Select the IP address of the primary interface for Source.
  6. Select the IP address of the secondary interface for Destination.
  7. Leave other options at the default settings.
  8. Select OK.
 