Friday, July 18, 2025

PaloAlto Dual ISP with ECMP testing

 














tracert (Trace Route)





show routing route ecmp yes




Other notes:

If a particular source IP / range must always exit through a specific WAN x / ISP x, it works the same as on any other network device:
configure Policy-Based Routing (PBR),
which on PaloAlto is the Policy Based Forwarding (PBF) setting.


Decision logic:
Check whether a PBF rule matches --> if it does, PBF decides the egress path.
If no PBF rule matches, the routing table (which may use ECMP) decides the route.
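The decision order above, as an added simulation (not PAN-OS code and not from the original post): PBF rules are checked first, then the routing table with longest-prefix match, and an ECMP route picks a next hop by hashing the flow so that one host's tracert always shows the same ISP while other hosts spread across both. The interface names, addresses and the SHA-256-based hash are assumptions; PAN-OS offers IP modulo, IP hash and round-robin ECMP methods, and the hash here only stands in for the IP-hash behaviour.

```python
import hashlib
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed dual-ISP topology (hypothetical interface names).
ISP1 = "ISP1 (ethernet1/1)"
ISP2 = "ISP2 (ethernet1/2)"


@dataclass
class PbfRule:
    source: ipaddress.IPv4Network   # match on source IP / range
    egress: str                     # forced egress ISP


@dataclass
class Route:
    prefix: ipaddress.IPv4Network
    next_hops: List[str]            # more than one entry == ECMP route


# PBF is evaluated first, top-down, first match wins (constructed rule).
PBF_RULES = [PbfRule(ipaddress.ip_network("10.0.10.0/24"), ISP2)]

# Routing table: ECMP default route over both ISPs plus one specific route.
ROUTES = [
    Route(ipaddress.ip_network("0.0.0.0/0"), [ISP1, ISP2]),
    Route(ipaddress.ip_network("203.0.113.0/24"), [ISP1]),
]


def ecmp_pick(next_hops: List[str], src: str, dst: str) -> str:
    """Hash-based next-hop choice modelled on an 'IP hash' ECMP method:
    the same src/dst pair always lands on the same ISP, so a single host's
    tracert is stable while different hosts can take different paths.
    (Illustrative hash, not the PAN-OS algorithm.)"""
    digest = hashlib.sha256(f"{src}->{dst}".encode()).digest()
    return next_hops[int.from_bytes(digest[:4], "big") % len(next_hops)]


def forward(src: str, dst: str) -> Tuple[str, str]:
    """Return (egress, reason): PBF first, then routing table (ECMP-aware)."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for rule in PBF_RULES:
        if s in rule.source:
            return rule.egress, f"PBF rule {rule.source}"
    # Longest-prefix match over the routing table.
    best: Optional[Route] = None
    for r in ROUTES:
        if d in r.prefix and (best is None or r.prefix.prefixlen > best.prefix.prefixlen):
            best = r
    if best is None:
        raise LookupError(f"no route to {dst}")
    if len(best.next_hops) == 1:
        return best.next_hops[0], f"route {best.prefix}"
    return ecmp_pick(best.next_hops, src, dst), f"ECMP route {best.prefix}"


if __name__ == "__main__":
    for host in ("10.0.10.5", "10.0.20.5", "10.0.20.6"):
        print(host, "->", forward(host, "8.8.8.8"))
```

Run it and compare a PBF-matched host with two hosts that fall through to the ECMP default route; repeating the call for the same host returns the same ISP every time, which is why a single workstation's tracert alone cannot show that ECMP is balancing.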





Saturday, July 5, 2025

OSPF over IPsec gre tunnel in FortiGate

 Continuing this theme, this time it’s a site-to-site VPN between FTGs

https://xrcd2.blogspot.com/2025/07/fortigate-site-to-site-vpn-lab.html

https://xrcd2.blogspot.com/2023/02/ospf-over-ipsec-for-paloalto-and.html



CLI config example

(Note: the lab proposals below use single DES with MD5/SHA1 and include DH group 5, all of which are deprecated; on a production tunnel use an AES-GCM or AES/SHA-256 proposal with DH group 14 or higher. The psksecret is shown in clear text here, whereas a normal "show" prints it as an ENC blob; treat it as a lab value and change it.)

(1)

FortiGate-BH (VPN-TO-HQ) # show
config vpn ipsec phase1-interface
    edit "VPN-TO-HQ"
        set interface "port1"
        set local-gw 68.10.1.1
        set peertype any
        set net-device disable
        set proposal des-md5 des-sha1
        set dhgrp 14 5
        set encapsulation gre
        set remote-gw 210.10.1.1
        set psksecret FortiPWD168
    next
end

FortiGate-BH (VPN-TO-HQ) # show
config vpn ipsec phase2-interface
    edit "VPN-TO-HQ"
        set phase1name "VPN-TO-HQ"
        set proposal des-md5 des-sha1
        set dhgrp 14 5
        set auto-negotiate enable
        set encapsulation transport-mode
        set protocol 47
    next
end

FortiGate-BH (VPN-TO-HQ) # show
config system interface
    edit "VPN-TO-HQ"
        set vdom "root"
        set ip 192.168.1.2 255.255.255.255
        set allowaccess ping
        set type tunnel
        set remote-ip 192.168.1.1 255.255.255.252
        set snmp-index 15
        set interface "port1"
    next
end

================================================

(2)

FortiGate-HQ (VPN-TO-BH) # show
config vpn ipsec phase1-interface
    edit "VPN-TO-BH"
        set interface "port1"
        set local-gw 210.10.1.1
        set peertype any
        set net-device disable
        set proposal des-md5 des-sha1
        set dhgrp 14 5
        set encapsulation gre
        set remote-gw 68.10.1.1
        set psksecret FortiPWD168
    next
end

FortiGate-HQ (VPN-TO-BH) # show
config vpn ipsec phase2-interface
    edit "VPN-TO-BH"
        set phase1name "VPN-TO-BH"
        set proposal des-md5 des-sha1
        set dhgrp 14 5
        set auto-negotiate enable
        set encapsulation transport-mode
        set protocol 47
    next
end

FortiGate-HQ (VPN-TO-BH) # show
config system interface
    edit "VPN-TO-BH"
        set vdom "root"
        set ip 192.168.1.1 255.255.255.255
        set allowaccess ping
        set type tunnel
        set remote-ip 192.168.1.2 255.255.255.252
        set snmp-index 15
        set interface "port1"
    next
end
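A small audit script, added here as an example and not part of the original post or of FortiOS: it parses the phase1-interface / phase2-interface blocks above from a config dump and flags the deprecated DES/MD5/SHA1 proposals, the weak DH group and the clear-text psksecret, then shows a hardened counterpart passing clean. The lab sample is trimmed from the FortiGate-BH config on this page; the hardened values (aes256-sha256, dhgrp 14 19, an ENC placeholder) are illustrative assumptions.

```python
import shlex
from typing import Dict, List

# Constructed sample: the phase1/phase2 settings from the FortiGate-BH side
# of this post, trimmed to the lines the audit looks at.
LAB_CONFIG = """\
config vpn ipsec phase1-interface
    edit "VPN-TO-HQ"
        set interface "port1"
        set proposal des-md5 des-sha1
        set dhgrp 14 5
        set encapsulation gre
        set psksecret FortiPWD168
    next
end
config vpn ipsec phase2-interface
    edit "VPN-TO-HQ"
        set phase1name "VPN-TO-HQ"
        set proposal des-md5 des-sha1
        set dhgrp 14 5
        set encapsulation transport-mode
        set protocol 47
    next
end
"""

# Hypothetical hardened counterpart (illustrative values, not from the post).
HARDENED_CONFIG = """\
config vpn ipsec phase1-interface
    edit "VPN-TO-HQ"
        set proposal aes256-sha256
        set dhgrp 14 19
        set psksecret ENC XXXXXXXX
    next
end
config vpn ipsec phase2-interface
    edit "VPN-TO-HQ"
        set proposal aes256-sha256
        set dhgrp 14 19
    next
end
"""

WEAK_CIPHERS = {"des", "3des", "null"}
WEAK_HASHES = {"md5", "sha1"}
WEAK_DH_GROUPS = {"1", "2", "5"}

ConfigTree = Dict[str, Dict[str, Dict[str, List[str]]]]


def parse_fortios(text: str) -> ConfigTree:
    """Parse FortiOS 'config / edit / set / next / end' text into
    {section: {entry: {key: [values]}}}. One nesting level is enough
    for the phase1-interface and phase2-interface tables."""
    tree: ConfigTree = {}
    section = entry = None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("config "):
            section = line[len("config "):]
            tree.setdefault(section, {})
        elif line.startswith("edit ") and section is not None:
            entry = shlex.split(line)[1]
            tree[section][entry] = {}
        elif line.startswith("set ") and section is not None and entry is not None:
            parts = shlex.split(line)
            tree[section][entry][parts[1]] = parts[2:]
        elif line == "next":
            entry = None
        elif line == "end":
            section = None
    return tree


def audit_ipsec(tree: ConfigTree) -> List[str]:
    """Flag deprecated IKE/ESP proposals, weak DH groups and clear-text PSKs."""
    findings: List[str] = []
    for section in ("vpn ipsec phase1-interface", "vpn ipsec phase2-interface"):
        for name, attrs in tree.get(section, {}).items():
            where = f"{section} '{name}'"
            for prop in attrs.get("proposal", []):
                # Proposals are "<cipher>-<integrity>" (e.g. des-md5) or a
                # bare AEAD name such as aes256gcm with no integrity part.
                cipher, _, integrity = prop.partition("-")
                if cipher in WEAK_CIPHERS:
                    findings.append(f"{where}: weak cipher {cipher!r} in proposal {prop}")
                if integrity in WEAK_HASHES:
                    findings.append(f"{where}: weak integrity {integrity!r} in proposal {prop}")
            for group in attrs.get("dhgrp", []):
                if group in WEAK_DH_GROUPS:
                    findings.append(f"{where}: weak DH group {group}")
            psk = attrs.get("psksecret")
            # 'show' prints stored secrets as 'ENC <blob>'; a bare value means
            # the PSK is sitting in the config dump in the clear.
            if psk and psk[0] != "ENC":
                findings.append(f"{where}: psksecret present in clear text")
    return findings


if __name__ == "__main__":
    for finding in audit_ipsec(parse_fortios(LAB_CONFIG)):
        print(finding)
    print("hardened findings:", audit_ipsec(parse_fortios(HARDENED_CONFIG)))
```

Feed it the output of `show vpn ipsec phase1-interface` and `show vpn ipsec phase2-interface` from both ends; since GRE-over-IPsec negotiates whatever proposal both peers share, a weak entry left on either side is enough for the tunnel to settle on it.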


===================================================



WEB config  example









========================================










Tracert & Ping Test