ISP level failover for LAN based outbound and DMZ inbound traffic

Unanswered Question
Jul 7th, 2009

Hi, I need help on how to achieve ISP level failover for LAN based outbound and DMZ inbound traffic.

Scenario (attached diagram)

LAN -> Firewall 1 (in HA) -> WAN Routers (1&2) (in HA using HSRP) -> ISP-01 (using two different last miles)

LAN -> Firewall 2 (in HA) -> WAN Routers (3&4) (in HA using HSRP) -> ISP-02 (using two different last miles)

In case one last mile fails for any ISP, the second last mile takes over smoothly. However, in case there's an outage in the ISP itself, there's a complete outage for outbound as well as inbound (to DMZ) traffic.

Is there a tested method for failover between ISPs? I would like to figure out the pros and cons, and whether it can be implemented so that the complete traffic from WAN Routers 1 & 2 can be shifted to WAN Routers 3 & 4 and vice versa. This would primarily help avoid an outage in all inbound traffic to the DMZ, as the outbound can still be shifted from the LAN source.

I did some research and found BGP prepending working for some networks; looking for suggestions and inputs.

Thanks in advance.



Giuseppe Larosa Tue, 07/07/2009 - 04:29

Hello Satya,

you need a routing protocol here:

there are multiple devices involved and it is also a multivendor context:

I would use BGP sessions between the LAN switches on the left of the picture and the C3800 WAN routers:

this allows LAN distribution switches to detect if a router fails or its eBGP connection fails.

Devices in the middle FW pair1 and FW pair2 need to have static routes pointing to the inside/outside.

Another possible solution but I don't know if Fortinet supports it is to use OSPF between LAN switches, FWs, and C3800s.

The problem here is that without object tracking static routes are not enough to detect possible failures.

Hope to help


satya.singh Tue, 07/07/2009 - 04:38

Thanks Giuseppe, there are 2 L2 switches between the FWs and routers, using different VLANs. I guess BGP would be a feasible option, though I'm not sure of the downside, if any.

Giuseppe Larosa Tue, 07/07/2009 - 09:21

Hello Satya,

be aware that any L2 device in the middle has the capacity to keep the interface of the device up/up even if the other L3 device is down.

An alternate way to do this is the usage of reliable static routing:

However, you should permit the SLA probe packets through the firewalls, so I would prefer to allow the BGP session(s).

Hope to help
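The "reliable static routing" mentioned above, and the object tracking the first reply says plain static routes lack, look like the following on a Cisco IOS WAN router. This is an added illustration written for this thread, not configuration from the poster or from the replies; every address is an assumed documentation-range value (probe target 192.0.2.10, ISP-01 next hop 203.0.113.1, alternate path via WAN Routers 3 & 4 at 10.0.0.2), and interface names are assumed too. The probe is aimed at a target beyond the ISP rather than at the directly connected next hop, which is exactly the point about L2 switches keeping an interface up/up while the far L3 device is down.

```cisco
! Added example (not from the thread): reliable static routing on WAN Router 1.
! All addresses/interfaces are assumed placeholders, not the poster's real values.
!
! ICMP probe to an address beyond ISP-01, sourced from the ISP-facing interface,
! so a link that stays up/up through an L2 switch does not mask an ISP outage.
ip sla 10
 icmp-echo 192.0.2.10 source-interface GigabitEthernet0/0
 frequency 10
 timeout 2000
ip sla schedule 10 life forever start-time now
!
! Tracked object: up only while the probe succeeds; delays dampen flapping.
track 10 ip sla 10 reachability
 delay down 30 up 60
!
! Primary default route via ISP-01, withdrawn from the RIB when track 10 goes down.
ip route 0.0.0.0 0.0.0.0 203.0.113.1 track 10
!
! Floating default (AD 250) toward the alternate path via WAN Routers 3 & 4.
ip route 0.0.0.0 0.0.0.0 10.0.0.2 250
!
! Host route pins the probe itself to ISP-01, so it can never be answered over
! the backup path and falsely report ISP-01 as healthy.
ip route 192.0.2.10 255.255.255.255 203.0.113.1
```

Verify with `show track 10` and `show ip sla statistics 10`; as the reply notes, the firewalls in the path must permit the ICMP echo from the router's source address to the probe target, otherwise the track stays down and the floating route is always preferred. Note that this only moves outbound traffic: inbound traffic to the DMZ still follows whatever the ISPs advertise for the DMZ prefix, which is why the thread steers toward BGP for the inbound side.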


