Configuring two WAN links for failover

You can go both ways. If the distance/priority is equal you will use both lines, more or less 50/50. If one distance is lower it will take precedence; that one should go to your primary ISP then. No doubt you' ve already read many posts on the forums about this..." dual WAN" is a never ending story. Despite it' s trivial with FGTs.

Thanks Ede. I have found two articles: " Configuring Dual Internet Links (Design Considerations)" : http://kb.fortinet.com/kb/microsites/microsite.do?cmd=displayKC&docType=kc&externalId=10376&sliceId=1&docTypeID=DT_KCARTICLE_1_1 and " Technical Note : Configuring link redundancy - Traffic load-balancing / load-sharing - ECMP (Equal Cost Multiple Path) - Dual Internet or WAN scenario" : http://kb.fortinet.com/kb/microsites/search.do?cmd=displayKC&docType=kc&externalId=100137 What if I tell you that one of my WAN interfaces receives it' s config from DHCP? How can I create a weighted route for this? Thanks, Matt

Hmmm I always use the " Retrieve gateway from server" option in the wan interface setup. The default route created by this has the highest priority (distance=0). If you can do that for the other wan line as well you get load balancing. If the secondary has a static IP and a static default route then you get a failover setup. Does that help?

You set gateways with static routes, not in the interface setup. The checkbox has the effect to automatically insert a default route for you to your ISP. Easier esp. if the gateway address changes often. The Gateway LB settings are for a different scenario: usually the FGT knows that a WAN line is down if the link status is ' down' (because the modem is off or the like). Often the link to the next modem or router can be up but the internet connection itself can be down because of some trouble at the ISP. To defend against that you can define Gateway LB. A ' detect server' is a host preferable hosted on your ISP' s subnet that is always up; the line status is determined by link status AND ping reply status then. And if 2 or more WAN lines exist then the FGT can distribute the traffic according to weights or bandwidth (spillover).

Thanks Ede. So, all I need to do to have Link Redundancy on two DHCP lines is configure the " Distance" on each interface (setting the primary ISP as a shorter distance)? How does the Fortigate detect failure of the line and trigger a failover without gateway load balancing? This morning, the physical link was up, but the server was down. I suppose the best bet here is to configure the " least common denominator" router as the ping server for gateway load balancing? Thanks, Matt

How does the Fortigate detect failure of the line and trigger a failover without gateway load balancing?

usually the FGT knows that a WAN line is down if the link status is ' down'

I' d ping a well known server to determine that I have internet access. And one per WAN line in case this server is taken down for maintenance - with a common target both lines (both routes) would be down at the same time. The closer the server is to your gateway the better (usu. a router from your ISP will do, if it allows ICMP).

Just a note of specifics with DHCP Link redundancy (not load balancing**): 1) Default gateway configuration: When configuring an interface to be configured via DHCP, there is an " Distance" option within the " Addressing mode" configuration options. Use " Distance" to decide primary and secondary interfaces (by default wan1 will have a distance of " 1," wan2 will have a distance of " 5" ) Make sure " Retrieve default gateway from server" is checked. 2) Configuring the failure monitoring process, the failover causing process Check off " Detect Interface Status for Gateway Load Balancing" Use a " detect server" and " detect protocol" (like 4.2.2.1 and Ping as the detect). The detect protocol packets should be sent out of the interface configured with the lowest Distance, to the detect server. If this fails, then the Fortigate will cause a failover to the interface configured with the second to lowest Distance. Weight and Spillover Threshold are only used for load balancing. ** Load balancing is pretty easy here (although I haven' t tested it): Configure the Distance to 1 on all interfaces. Configure the Weight for a ratio of traffic to carry over this interface. Configure the spillover threshold to a maximum before throwing traffic towards a second line.