Matt_B
Staff & Editor
March 5, 2026

Technical Tip: Configuring basic SD-WAN for Internet-facing links starting from default configuration

Description: This article demonstrates an example configuration for redundant Direct Internet Access using SD-WAN, starting from the factory configuration.
Scope: FortiOS v7.4 and later.
Solution:

Topology:

[Topology diagram]

Configure wan1 and wan2 in the 'virtual-wan-link' SD-WAN zone:


Note: local access is recommended when making the following changes:


  1. Take a global configuration backup using a super_admin account before proceeding. Mistakes during initial SD-WAN configuration are common, and restoring a configuration backup allows prompt recovery in cases where the error cannot be identified quickly.

It is recommended to make a configuration backup before and after each major change. Note that restoring a configuration backup causes the device to reboot.

  2. Configure wan1 as an SD-WAN member using the Interface Migration Wizard and add it to the virtual-wan-link zone. See the article Technical Tip: Moving an Interface that has existing references to SD-WAN zone using Integrate Interface feature.

An interface cannot be configured as an SD-WAN member manually if the interface is already present in a firewall policy.

If the Interface Migration Wizard is not able to resolve the conflict, wan1 can be added manually similar to Step 5 below by removing it from existing firewall policies first.

  3. SD-WAN members created using the Interface Migration Wizard do not include a gateway. Configure a gateway for wan1. Go to Network -> SD-WAN -> SD-WAN Zones -> Edit wan1 -> Enter the gateway IP address for ISP1.

If wan1 has a dynamic IP address retrieved using DHCP, select 'Dynamic' for the gateway instead of specifying an address.


  4. Go to Network -> Static Routes. Create a new static route for the virtual-wan-link SD-WAN zone with 0.0.0.0/0 as the destination subnet.

Note that static routes configured for SD-WAN zones do not have a gateway/next-hop address defined on the route itself. These routes use the gateway and route priority configured directly on the SD-WAN member.

If attempting to create a new static route displays the error 'You cannot have duplicated routes on SD-WAN and non SD-WAN interfaces', this indicates one or more static routes are already configured using individual interfaces instead of SD-WAN zones.

If this error occurs, go to Network -> Static Routes and edit the existing wan1 0.0.0.0/0.0.0.0 route to reference 'virtual-wan-link' instead of wan1.


  5. Configure wan2 as an SD-WAN member:
    • Go to Network -> SD-WAN -> SD-WAN Zones -> Create new.
    • Select wan2 as interface.
    • Configure ISP2's gateway address as the gateway for the SD-WAN member.
    • Enter a 'Fallback priority' value for wan2 greater than one (1) to prefer wan1 over wan2 when forwarding traffic. This setting defines the priority of the default static route installed for wan2, where one (1) is the default and highest priority.


See the article Technical Tip: Routing behavior depending on distance and priority for static routes, and Policy Based Routes for more on route priority and administrative distance.



With the above configuration, the firewall will only use wan2 to forward traffic if the wan1 Ethernet link to the upstream router goes down, for instance if the ISP1 device has a power issue or if the wan1 link is unplugged.


It is recommended to also configure a health check for wan1 to detect an internet issue with ISP1 if it occurs.


Configure a health check for automatic failover from wan1 to wan2:


Go to Network -> SD-WAN -> Performance SLAs -> Create New.


  • In Servers configure two addresses, preferably maintained by different service providers. This is recommended to avoid false positive failovers if one server does not respond.
  • In Participants configure the primary link, wan1. If both ISPs are having issues, the site will not have internet access, so there is no need to run the health check over wan2.
  • With this failover method, ensure 'Update static route' is enabled. Note other SD-WAN use cases frequently have this setting disabled.
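The same health check in CLI form, as an added example that is not taken from the article. The two probe addresses and the health-check name are constructed placeholders, and member ID 1 is assumed to be wan1.

```fortios
# Added example: Performance SLA for wan1 only, with update-static-route
# enabled so the wan1 default route is withdrawn while probes fail.
config system sdwan
    config health-check
        edit "ISP1-Internet"
            # Two servers, ideally from different providers (constructed
            # placeholders), so one unresponsive server alone does not
            # trigger a failover.
            set server "203.0.113.53" "198.51.100.53"
            set protocol ping
            # Probe every 500 ms; 5 consecutive misses mark the link dead,
            # 5 consecutive replies bring it back.
            set interval 500
            set failtime 5
            set recoverytime 5
            # Required for this failover method (often disabled elsewhere).
            set update-static-route enable
            # Participant: wan1 only (member ID 1); no probes over wan2.
            set members 1
        next
    end
end
# Verification, run interactively after simulating an ISP1 outage:
#   diagnose sys sdwan health-check     (wan1 reported dead)
#   get router info routing-table all   (only the wan2 default route remains)
#   diagnose sys sdwan member           (member status and gateway)
```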

Verification:


An internet outage for wan1 can be simulated by linking the FortiGate wan1 port to a different device, misconfiguring the wan1 SD-WAN member gateway, or changing the Performance SLA servers to ones that do not respond to probes. The Performance SLA page shows wan1 as down.

Although the wan1 link remains up, the firewall flags the interface as dead and disables its associated static routes. The only 0.0.0.0/0 route shown in Dashboard -> Network -> Routing references wan2.


If local endpoints have internet access during the test, this verifies the backup wan2 link is working correctly.


Restoring the wan1 link to the correct device and configuration restores the wan1 0.0.0.0/0 route.

Result:
The steps above result in a basic SD-WAN use case: single-site ISP redundancy with automatic failover and recovery. No SD-WAN rules are required: redundancy is achieved by enabling and disabling wan1's default route depending on the result of the health check.


A similar effect can be achieved without SD-WAN by configuring a link-monitor in the CLI for wan1; see the article Technical Tip: Link-Monitor Explained. If SD-WAN is not being used, firewall policies must be configured for both wan1 and wan2 to allow internet access.


Related article:
SD-WAN quick start