TZ500 Redundancy Tunnel
Hi,
We have a TZ500 in our office and created a VPN tunnel with our branch through a 3rd-party partner, and our branch is using a Fortinet firewall for the VPN establishment.
The partner would like to know how to establish a redundancy tunnel on the TZ500. Does anyone have experience with a redundancy tunnel on the TZ500?
The firmware version is 6.5.4.8-89n.
Best Answer
shiprasahu93 Moderator
Hello @MarkCheng,
You can achieve redundancy by using route-based VPN. The following KB explains the same.
When using route-based VPN you can have two VPNs within the same location and use one over the other for redundancy using routes and their metric values.
Please let us know if you still have any queries.
Thanks!
Shipra Sahu
Technical Support Advisor, Premier Services
Answers
Hi @MarkCheng
Fortigate and Sonicwall are set up with interface-based tunnels. On the Sonicwall you don't specify the subnets in the tunnel policy using this method; instead you create static routes or use OSPF to control the routing.
You create a tunnel for the primary connection and a backup connection. So if the Sonicwall has one ISP and the Fortigate has two ISPs, you have two tunnels on the Sonicwall, each negotiating to a different ISP on the Fortigate.
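The failover behaviour described in this answer, as an added illustrative model (not SonicWall or Fortinet code): two tunnel interfaces carry static routes to the same branch subnet with different metrics, and when the primary tunnel is marked down the lookup falls through to the backup route. Interface names, subnets and metrics are constructed for the example.

```python
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network


@dataclass
class Route:
    prefix: str      # destination subnet reachable through the tunnel
    interface: str   # tunnel interface the route points at (constructed name)
    metric: int      # lower wins among routes whose tunnel is up


@dataclass
class RouteBasedVpn:
    routes: list
    tunnel_up: dict = field(default_factory=dict)

    def set_tunnel(self, interface: str, up: bool) -> None:
        """Keepalive/DPD result: mark a tunnel interface up or down."""
        self.tunnel_up[interface] = up

    def select(self, dst: str):
        """Pick the egress tunnel for dst: longest prefix first, then lowest
        metric, skipping routes whose tunnel is down. Nothing in the VPN
        policy changes during failover; only the active route does."""
        addr = ip_address(dst)
        candidates = [
            r for r in self.routes
            if addr in ip_network(r.prefix)
            and self.tunnel_up.get(r.interface, False)
        ]
        if not candidates:
            return None   # both tunnels down: no path to the branch
        candidates.sort(key=lambda r: (-ip_network(r.prefix).prefixlen, r.metric))
        return candidates[0].interface


def build_demo() -> RouteBasedVpn:
    # Constructed topology: branch LAN 10.20.0.0/16 behind a FortiGate with two
    # ISPs; the single-ISP SonicWall terminates one tunnel per FortiGate ISP.
    vpn = RouteBasedVpn(routes=[
        Route("10.20.0.0/16", "tun-isp1", metric=1),    # primary
        Route("10.20.0.0/16", "tun-isp2", metric=10),   # backup
    ])
    vpn.set_tunnel("tun-isp1", True)
    vpn.set_tunnel("tun-isp2", True)
    return vpn
```

With both tunnels up `select()` returns the primary interface; after `set_tunnel("tun-isp1", False)` the same destination resolves to the backup, which is the behaviour the static-route metrics are meant to produce on the firewall.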
@shiprasahu93 Thank you for your references. I will take time to try the configuration.
@Ajishlal Thank you for your suggestions. Yes, the SonicWall has one ISP only, and the Fortigate has two ISPs. I tried to put two of the Fortigate's IPs as the primary and secondary gateway. Still, I observed it couldn't switch the gateway from the primary to the secondary automatically when I turned off the primary IP, even after I shortened the primary gateway detection interval. Any suggestions?
Try with just the non-working Fortigate IP address in the Primary gateway first, observe the logs. If you cannot get it working by itself, it's never going to be able to fail over to it.