August 8, 2011
08:43
by: nerenther

Setting up failover ospf routing on Fortigate

I’ve put together a small guide for setting up two Fortigates with failover ospf routing. This example is based on a small lab, but you can easily adapt it to your own environment.

This is the scenario:

In this scenario we want the 100Mb line to be prioritized.

Start of with setting up the two Fortigates with ip-adresses as shown. Also make sure to create firewall rules for traffic from internal to wan1 and wan2 and back (make sure not to enabel NAT).

Then you have to enter the following config to enable ospf:
On FGT1:
config router ospf
config area
edit 0.0.0.0
next
end
config network
edit 1
set prefix 0.0.0.0 0.0.0.0
next
end
config ospf-interface
edit “wan1”
set cost 2
set interface “wan1”
next
edit “wan2”
set interface “wan2”
next
end
config redistribute “connected”
end
config redistribute “static”
end
config redistribute “rip”
end
config redistribute “bgp”
end
set router-id 0.0.0.2
end

On FGT2:
config router ospf
config area
edit 0.0.0.0
next
end
set default-information-originate enable
config network
edit 1
set prefix 0.0.0.0 0.0.0.0
next
end
config ospf-interface
edit “wan1”
set cost 2
set interface “wan1”
next
edit “wan2”
set interface “wan2”
next
end
config redistribute “connected”
end
config redistribute “static”
end
config redistribute “rip”
end
config redistribute “bgp”
end
set router-id 0.0.0.1
end

That should do it. To check that it is working, you can run the following command on FGT2:
info routing-table all

Then you will get an output similar to this:
Codes: K – kernel, C – connected, S – static, R – RIP, B – BGP
O – OSPF, IA – OSPF inter area
N1 – OSPF NSSA external type 1, N2 – OSPF NSSA external type 2
E1 – OSPF external type 1, E2 – OSPF external type 2
i – IS-IS, L1 – IS-IS level-1, L2 – IS-IS level-2, ia – IS-IS inter area
* – candidate default

C 10.0.1.0/30 is directly connected, wan1
C 10.0.1.4/30 is directly connected, wan2
O 10.10.5.0/24 [110/102] via 10.0.1.1, wan1, 00:48:44
C 10.10.16.0/24 is directly connected, internal

From this we can see that the route to 10.10.5.0/24 is acquired via ospf.

You can find some more reading material here:
http://kb.fortinet.com/kb/microsites/microsite.do?cmd=displayKC&externalId=FD30030
http://docs.fortinet.com/fgt/handbook/fortigate-dynamic-routing-40-mr1.pdf

Category(s): Fortinet
Tags: , , ,

Leave a Reply

Your email address will not be published. Required fields are marked *

 

This site uses Akismet to reduce spam. Learn how your comment data is processed.