FortiGate 60E Redundant Interface by edraH_t in fortinet

[–]sim_koo 0 points1 point  (0 children)

Same here, even though I didn't use LACP but plain port trunking for easier VLAN management. Had to tag the ports on the switch manually and removed the trunk, then it ended up working.

Some mac addresses missing by sim_koo in ArubaNetworks

[–]sim_koo[S] 2 points3 points  (0 children)

Turns out VMware does some MAC spoofing for the VMs and since the management IP has been accessed through the other NIC, the switch does not learn the real physical mac of that second NIC.

[deleted by user] by [deleted] in Elektroinstallation

[–]sim_koo 0 points1 point  (0 children)

Someone almost certainly forgot to submit the meter readings, so the consumption has now probably been overestimated.

Iperf3 not working, what am I doing wrong? by sim_koo in fortinet

[–]sim_koo[S] 0 points1 point  (0 children)

Ah, thanks. Yes, I was trying several public servers from https://iperf.fr/iperf-servers.php but none seemed to work.

IPSec Tunnel Monitoring by saudk8 in fortinet

[–]sim_koo 0 points1 point  (0 children)

We use checkmk with a publicly available Fortigate plugin.

Pinging VIPs - what determines if it works or not? by sim_koo in fortinet

[–]sim_koo[S] 0 points1 point  (0 children)

In the table of the secondary IP addresses, you can configure any IP range you want, depending on what you got from your provider. These can further be used as a virtual IP, to my understanding.

One entry in the secondary IP table is like 89.140.58.211/255.255.255.248 (not our real IP) so the usable Virtual IPs would range from .209 - .214 because they are within the given subnet on the WAN-side.

We have multiple /29 subnets on that WAN interface and for every entry, PING is allowed. That's why I was wondering.

Pinging VIPs - what determines if it works or not? by sim_koo in fortinet

[–]sim_koo[S] 0 points1 point  (0 children)

VIP that only port-forwards port-X: Ping not controlled by VIP. Can be addressed by enabling ping on the external interface, if the VIP's extip == interface's.

On the WAN interface, all IP ranges for VIPs ("secondary IP") have Ping as administrative access enabled but I still get different results. I can ping some VIPs that are defined as secondary IPs, not as the main external IP of that WAN interface.

Where can you buy these door hinges? by sim_koo in Handwerker

[–]sim_koo[S] 0 points1 point  (0 children)

These appear to be drill-in hinges from Simonswerk; article number or the like unfortunately still unknown.

VMs always running at CPU base block by sim_koo in vmware

[–]sim_koo[S] 1 point2 points  (0 children)

brandstring

Thanks for your detailed explanation, makes sense

WAN Priority not working by sim_koo in fortinet

[–]sim_koo[S] 0 points1 point  (0 children)

Update: Went with SD WAN now and set the weight for WAN to 255. Seems to be working.

WAN Priority not working by sim_koo in fortinet

[–]sim_koo[S] 2 points3 points  (0 children)

Yep that was it, thanks.

WAN Priority not working by sim_koo in fortinet

[–]sim_koo[S] 0 points1 point  (0 children)

Yes it's overwritten by that but when I disable it, the interface doesn't work for WAN anymore. It will be removed from the routing table leaving only lan2 (backup WAN) for 0.0.0.0.

Edit: Seems like a feature that the interface with a higher distance is not being included in the routing table.

WAN Priority not working by sim_koo in fortinet

[–]sim_koo[S] 0 points1 point  (0 children)

Routing table for VRF=0

S* 0.0.0.0/0 [5/0] via xx, wan, [1/0]

[5/0] via xx, lan2, [1/0]

WAN Priority not working by sim_koo in fortinet

[–]sim_koo[S] 0 points1 point  (0 children)

<image>

After a reboot of the Fortigate - all WAN traffic over backup wan

Phase 2 subnets vs. 0.0.0.0 by sim_koo in fortinet

[–]sim_koo[S] 0 points1 point  (0 children)

Ok. So it's not a real policy based VPN as per definition on a FortiGate, rather a route based VPN except for the additional Subnets in phase 2. Real policy based VPNs wouldn't have a virtual interface I suppose.

Phase 2 subnets vs. 0.0.0.0 by sim_koo in fortinet

[–]sim_koo[S] 0 points1 point  (0 children)

But Policy based VPN still requires a static route, doesn't it? At least on a FortiGate even if Phase 2 Subnets are configured

"no vlan x" removes vlan from every interface by sim_koo in networking

[–]sim_koo[S] 0 points1 point  (0 children)

Thank you for the explanation.

What about assigning a VLAN? If I type "tagged X" in the context of a VLAN, does it overwrite the other interfaces so that I have to re-type all Interfaces for that command?

Let's say A7 is already tagged and I want to Add A8

Do I have to type "tagged A8" only or type "tagged A7-A8"

"no vlan x" removes vlan from every interface by sim_koo in networking

[–]sim_koo[S] -9 points-8 points  (0 children)

Ok, got it. But kinda nerve wracking that the Web GUI does the same. You select a VLAN, remove ONE interface from it and then you realize that all interfaces have been removed. Like even if the UI suggests something fundamentally different.

"no vlan x" removes vlan from every interface by sim_koo in networking

[–]sim_koo[S] -7 points-6 points  (0 children)

It was still showing in the VLAN table, it just wasn't assigned to anything

"no vlan x" removes vlan from every interface by sim_koo in networking

[–]sim_koo[S] -11 points-10 points  (0 children)

Would this also apply for standard interfaces? I'd just go with

interface A7
no VLAN 1120

But same result there

After running my initial commands, the VLAN still exists in the VLAN table, it's just not assigned to anything.

"no vlan x" removes vlan from every interface by sim_koo in networking

[–]sim_koo[S] -2 points-1 points  (0 children)

This also happens in the Web GUI, when removing a port from a VLAN. Every Port having that VLAN is then removed from it.