Troubeshooting Tip: WAN port showing as up but not passing traffic on SD-WAN in HA setup

Issue: 

The WAN interface is showing as inactive, but the interface status appears up.

FW01 # diagnose hardware deviceinfo nic
Description Fortinet 90E Ethernet Driver
System_Device_Name wan1
Current_HWaddr 00:09:0f:09:00:00
Permanent_HWaddr 90:6c:ac:c2:0f:42
State up
Link up
PHY Link up
Speed 1000
Duplex full
port: 0
def vid 4095
cur_vid 4095
netdev_running 1
stp: 0
mac_bypass 0
pci_rx 0
Rx_Packets 2881854046
Tx_Packets 1161563070
Rx_Bytes 3145805419908
Tx_Bytes 349280059743

Troubleshooting steps: 

1. When an SD-WAN member is shown as inactive, this is due to a failing health check. A simple way to check if this is failing is by running a sniffer filtered to the server being monitored.
2. Verify by pinging the WAN1 gateway address to check reachability, or by checking the ARP for the gateway as per the commands below.
3. Verify the interface status and speed settings.
4. Check whether bypassing the firewall and connecting the ISP directly to the laptop works fine.
5. Verify the routing table as below for the monitoring IP address and test with Ping options for reachability: 

get router info routing-table details 0.0.0.0

Routing table for VRF=0
Routing entry for 0.0.0.0/0
Known via "static", distance 1, metric 0, best
14.98.4.77, via wan1 inactive distance 0
* 47.254.165.49, via wan2 distance 0

execute ping-options source 14.98.4.78
execute ping 14.98.4.77
PING 14.98.4.77 (14.98.4.77): 56 data bytes
^C
--- 14.98.4.77 ping statistics ---
5 packets transmitted, 0 packets received, 100% packet loss

IN-BNG1-P-FW01 # get system arp | grep wan1
IN-BNG1-P-FW01 #

Run the below command and verify if the default Group ID 0 is in use:

get system ha status
HA Health Status: OK
Model: FortiGate-201F
Mode: HA A-A
Group Name: fgt1
Group ID: 0   ----> Group ID is 0.
Debug: 0
Cluster Uptime: 32 days 0h:16m:43s
Cluster state change time: 2025-08-28 14:51:10
Primary selected using:

If using the default Group ID, there is a chance it could conflict with a different cluster on the same ISP due to the way the Virtual MAC address is calculated: Technical Tip: Changing MAC address on WAN interface for a HA cluster 

Below update after configuration change of group ID to 128.

FGT201F-2 # get system ha status
HA Health Status: OK
Model: FortiGate-201F
Mode: HA A-A
Group Name: fgt2
Group ID: 128 ----> Changed to 128.
Debug: 0
Cluster Uptime: 32 days 0h:20m:23s
Cluster state change time: 2025-08-28 14:55:12
Primary selected using:

Once a group ID was configured/added, the last 4 octets of the virtual MAC address were derived from the group ID.

After that, ping to the gateway should resolve.