Dead Gateway Detection – AKA Backup or Redundant ISP Service

Posted on June 18, 2012


Dead Gateway Detection is a feature that provides a backup or redundant ISP service.
If we have two ISP connections to the internet, one used normally and a backup line with smaller bandwidth, we can use the second as a backup internet connection.

The topology:

1.1.1.0/24
|
|
Firewall
| |
| 2.2.2.0/24
| |
| DFGW1 2.2.2.254
| |
| 8.8.8.8
|
3.3.3.0/24
|
DFGW2 3.3.3.254
|
9.9.9.9

– Server or host used as the ping destination on
port1: 8.8.8.8
port2: 9.9.9.9
– Default gateway on
port1: 2.2.2.254
port2: 3.3.3.254
– Interface IP on
port1: 2.2.2.1
port2: 3.3.3.1
port3: 1.1.1.1

1. PING Server configuration.

firewall (root) # show full-configuration router gwdetect
config router gwdetect
    edit "port1"
        set failtime 5
        set ha-priority 1
        set interval 5
        set protocol ping
        set server "8.8.8.8"
        set source-ip 0.0.0.0
    next
    edit "port2"
        set failtime 5
        set ha-priority 1
        set interval 5
        set protocol ping
        set server "9.9.9.9"
        set source-ip 0.0.0.0
    next
end

2. Default routes with different priority. The route with the smallest priority value will be used.

firewall (root) # show full-configuration router static
config router static
    edit 1
        set blackhole disable
        set comment ''
        set device "port1"
        set distance 10
        set dst 0.0.0.0 0.0.0.0
        set dynamic-gateway disable
        set gateway 2.2.2.254
        set priority 0
        set weight 0
    next
    edit 2
        set blackhole disable
        set comment ''
        set device "port2"
        set distance 10
        set dst 0.0.0.0 0.0.0.0
        set dynamic-gateway disable
        set gateway 3.3.3.254
        set priority 100
        set weight 0
    next
end

3. Interface configuration.

firewall (root) # show sys interface port1
config system interface
    edit "port1"
        set vdom "root"
        set ip 2.2.2.1 255.255.255.0
        set allowaccess ping https ssh fgfm
        set fail-detect enable
        set fail-detect-option detectserver
        set type physical
        set spillover-threshold 1
        set alias "external1"
        set macaddr 00:0c:29:00:7c:76
    next
end

firewall (root) # show sys interface port2
config system interface
    edit "port2"
        set vdom "root"
        set ip 3.3.3.1 255.255.255.0
        set allowaccess https ssh fgfm
        set fail-detect enable
        set fail-detect-option detectserver
        set type physical
        set alias "external2"
        set macaddr 00:0c:29:00:7c:80
    next
end

Let's test how it works.

Take the ping server configured on port1 (8.8.8.8) down.

firewall (root) # get router info routing-table all
Codes: K - kernel, C - connected, S - static, R - RIP, B - BGP
       O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
       * - candidate default

S*      0.0.0.0/0 [10/0] via 3.3.3.254, port2, [100/0]
C       1.1.1.0/24 is directly connected, port3
C       2.2.2.0/24 is directly connected, port1
C       3.3.3.0/24 is directly connected, port2

We can see that the default route now goes out through port2.

Set the Ping server configured on port1 up.

firewall (root) # get router info routing-table all
Codes: K - kernel, C - connected, S - static, R - RIP, B - BGP
       O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
       * - candidate default

S*      0.0.0.0/0 [10/0] via 2.2.2.254, port1
                  [10/0] via 3.3.3.254, port2, [100/0]
C       1.1.1.0/24 is directly connected, port3
C       2.2.2.0/24 is directly connected, port1
C       3.3.3.0/24 is directly connected, port2

The default route is on port1 again. The question that I cannot answer now:

– If the second default route is on a different interface and the currently used ISP line goes down (the ping host is not pingable anymore), then what happens to the active sessions? With Cisco ASA the sessions cannot survive if the default gateway is on another interface; with Checkpoint it works fine. What about FortiGate in this case? Is the interface in the session table or not?
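
The failover check from the test above can be automated. This is an added example, not part of the original post: it parses `get router info routing-table all` output and reports whether the default route is on the primary or the backup line. The function names are hypothetical, the sample text is copied from the two outputs above, and reading the trailing `[100/0]` as priority/weight is an assumption based on the step 2 configuration.

```python
import re

# Sample input copied from the two routing-table outputs shown above.
PORT1_PING_SERVER_DOWN = """\
S*      0.0.0.0/0 [10/0] via 3.3.3.254, port2, [100/0]
C       1.1.1.0/24 is directly connected, port3
C       2.2.2.0/24 is directly connected, port1
C       3.3.3.0/24 is directly connected, port2
"""
PORT1_PING_SERVER_UP = """\
S*      0.0.0.0/0 [10/0] via 2.2.2.254, port1
                  [10/0] via 3.3.3.254, port2, [100/0]
C       1.1.1.0/24 is directly connected, port3
"""

# One next hop of a route. The trailing bracket pair is assumed to be
# [priority/weight]; it is absent in the output when the priority is 0.
HOP = re.compile(
    r"\[(?P<distance>\d+)/(?P<metric>\d+)\] via (?P<gateway>[\d.]+), "
    r"(?P<device>\w+)(?:, \[(?P<priority>\d+)/(?P<weight>\d+)\])?"
)

def default_route_hops(table_text):
    """Return every next hop listed for 0.0.0.0/0, including continuation lines."""
    hops, in_default = [], False
    for line in table_text.splitlines():
        if re.match(r"^S\*?\s+0\.0\.0\.0/0\s", line):
            in_default = True
        elif not line.startswith(" "):
            in_default = False  # a new route entry or a blank line ends the block
        m = HOP.search(line) if in_default else None
        if m:
            hops.append({"gateway": m["gateway"], "device": m["device"],
                         "distance": int(m["distance"]),
                         "priority": int(m["priority"] or 0)})
    return hops

def active_hop(hops):
    """Lowest distance wins, then the smallest priority value (step 2)."""
    return min(hops, key=lambda h: (h["distance"], h["priority"]), default=None)

def failover_state(table_text, primary_device="port1"):
    """Classify the table as 'primary', 'failed-over' or 'no-default-route'."""
    hop = active_hop(default_route_hops(table_text))
    if hop is None:
        return "no-default-route"
    return "primary" if hop["device"] == primary_device else "failed-over"

if __name__ == "__main__":
    print(failover_state(PORT1_PING_SERVER_DOWN), failover_state(PORT1_PING_SERVER_UP))
```

A monitoring job can feed it the CLI output collected at each poll and alert on any state other than `primary`, since traffic is then leaving through the backup ISP or has no default route at all.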
