Over thinking things can really be a weakness. This week I had to provision a Fortigate 100D firewall for a customer with the following specs:
– dual ISP links, one for data and another for cloud PABX.
– all internet traffic is to use ISP1 and voice traffic via ISP2 with capability of failing over to the other link in the event their designated ISP link goes down.
– trunk one of the ports, vlan 1 as untagged and tagged vlan 100 for voice
If you have followed me long enough, you would probably noticed that I am more of a Cisco person and Fortigates are not really my cup of tea. This customer used to have an 800 series cisco router with a single internet link. This would have been a piece of cake if we just sticked with a cisco 1921 or a 1941 which they have onsite but for some reason their MSP were having issues with it, hence it was replaced with a Cisco 881.
We asked their MSP to provide us with the current configs of the cisco router and this is what we got:
interface FastEthernet0
switchport mode trunk
no ip address
!
!
!
interface FastEthernet4
description WAN
ip address 20.20.20.20 255.255.255.0
ip flow ingress
ip flow egress
ip nat outside
ip virtual-reassembly in
load-interval 30
duplex auto
speed auto
!
interface Vlan1
description — DATA—
ip address 10.10.10.1 255.255.255.0
ip flow ingress
ip flow egress
ip nat inside
ip virtual-reassembly in
ip tcp adjust-mss 1452
!
interface Vlan100
description — VOICE—
ip address 10.10.20.1 255.255.255.0
ip flow ingress
ip flow egress
ip nat inside
ip virtual-reassembly in
!
Looking at the config we can see that FastEthernet0 is trunking and connected to a switch. Unlike the Cisco 1900 routers wherein you’d have to do an encapsulation dot1q to tag vlans, the Cisco 800’s implicitly untags vlan1 and tags whatever vlan you create.
Me the Fortigate noob, had to do the same thing for the Fortigate. Untagged the default vlan and start tagging vlan100 for voice. I went to System > Network > Interface > click on lan > double click or click on the edit button
On the edit interface page, choose manual addressing mode and enter the IP address and subnet mask. This is basically equivalent to
int vlan1
ip add 10.10.10.1 255.255.255.0
then click OK
This will lead you back to the Interfaces menu, then click on the Create New button.
Enter the interface name, under interface I chose lan, entered vlan number (in my example, I placed it in VLAN101, choose manual addressing mode and enter your IP and network subnet mask. Best practice to write a short description on the comments box then hit OK.
Creating a policy to allow traffic:
Next we need to create a policy to allow lan traffic to pass through your wan interface and do NAT. To do this you need to go to Policy & Objects > Policy > IPv4 > Create New
Incoming Interface : lan
Source Address : all
Outgoing Interface : wan1
Destination Address : all
Schedule : always
Service : all
Make sure you turn on NAT, enter comments then hit OK.
You make sure you do the same policies for lan to wan2, voice to wan1 and voice to wan2. Just change Incoming and Outgoing interfaces.
I missed mentioning that to create WAN interfaces, its pretty much the same thing how I created the lan interface and felt didn’t need to show that anymore.
Routing:
Here’s the part where I was over thinking things. The idea was to route all data to wan1 and 
voice to wan2, if one of the link goes down, routing will be diverted to the other link.
To create a static route, go to Router > Static Routes > Create New
Destination IP/Mask : 0.0.0.0/0.0.0.0
Device : WAN1
Gateway : 20.20.20.20
Administrative Distance : 10
Destination IP/Mask : 3.3.3.3/255.255.255.255 <— Cloud PABX server
Device : WAN2
Gateway : 30.30.30.30
Administrative Distance : 20
Initially I was thinking of using policy routes to route the phones to wan2, didn’t really think all I had to do was a simple static route.
Next, we’ll add a ping server for both wan1 and wan2. Go to Router > Static > Settings and click Create New. Simply select the interface (wan1 or wan2) then enter the wan ip in the IP server text box.
Running-Config 