unknown1020
Explorer III
February 22, 2026
Question

implementing SD-WAN

  • February 22, 2026
  • 2 replies
  • 453 views

Hello Fortinet team,

Could you please help me with my question?

I need to configure SD-WAN on a FortiGate, as we have two active WAN links. The goal is for one to function as the primary link and the other as a backup, so that if the primary link goes down, the secondary link automatically assumes internet connectivity.

Currently, we have the following configured on the firewall:

SSL VPN

Site-to-Site VPN (IPsec)

Both configurations are associated with the primary WAN.

My questions are as follows:

SSL VPN: What configuration should be implemented so that, in case of a WAN1 failure, the SSL VPN service automatically switches to WAN2?

Considering that the clients have configured their agents with the remote gateway corresponding to the public IP address of the primary WAN.

Site-to-Site VPN (IPsec): In this case, the remote devices are pointing to the public IP address of the primary WAN1.

What would be the best practice to ensure automatic failover to WAN2 in the event of a failure?

This is my first time implementing SD-WAN in this scenario, so I would greatly appreciate your guidance and recommendations.

I look forward to your feedback.

2 replies

funkylicious
SuperUser
February 22, 2026

hi,

sdwan is used mostly for outbound traffic, lan to wan.

for sslvpn redundancy, you would need to put both links in the sslvpn config and either

- utilize two DNS records (A/AAAA) with a low TTL or a failover mechanism in the DNS/ISP, for each dns/link

or

- multiple remote gateways

https://community.fortinet.com/t5/FortiClient/Technical-Tip-Multiple-gateway-IP-for-FortiClient/ta-p/195957

for IPsec you would need to configure an IPsec tunnel bound to each wan link, or if the other side also has/uses sdwan - https://community.fortinet.com/t5/FortiGate/Technical-Tip-Configure-IPsec-VPN-with-SD-WAN/ta-p/209840

"jack of all trades, master of none"
unknown1020
Explorer III
February 24, 2026

Thank you for your response.

The purpose of configuring the SD-WAN interface is that, if the primary link fails, the connection is restored through the secondary link. This way, users won't lose internet access. We had an incident with the ISP where the internet went down, and users couldn't access either the internet or the SSL VPN configured on the primary WAN.

My question is: in "VPN Settings >> Listen on Interfaces," do I only need to add both WAN interfaces?

After configuring SD-WAN, will it only allow me to add the WAN interfaces or only the SD-WAN interface? For example, in policies, it no longer allows me to add the WAN interface, only the SD-WAN interface.

Also, in the users' FortiClient agents, the users' remote gateway is the public IP address of the primary WAN. Therefore, I would only add the public IP address of my secondary WAN. Is that all? The public IP address of the secondary WAN shouldn't have the port configured as "Listen on Port" blocked, right?

funkylicious
SuperUser
February 24, 2026

in sslvpn > listen on... - yes, both interfaces

in policies you can use only the sdwan zone, in VIP(s) you can use a specific wan interface for example.

correct, the 2nd wan should not have the port blocked

"jack of all trades, master of none"
Demir25
New Member
February 22, 2026

Hi,

for the first case, use FortiDDNS. Use the DNS domain on FortiClient instead of the public IP.

Example: https://community.fortinet.com/t5/FortiGate/Technical-Tip-SSL-VPN-redundancy/ta-p/195760
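The pieces the replies above describe (an SD-WAN zone with wan1 as primary and wan2 as backup, SSL VPN listening on both WAN interfaces, one IPsec tunnel bound to each WAN link, a policy that references the SD-WAN zone rather than a single WAN port, and a FortiDDNS name for clients to dial instead of a fixed public IP) are pulled together below as an added FortiOS CLI example. It is not configuration from the thread, from Fortinet, or from the linked Technical Tips. Interface names (internal, wan1, wan2), the addresses (RFC 5737 documentation ranges and one public resolver used as a probe target), the DDNS domain and the pre-shared key are constructed placeholders and must be replaced with the real values; the remote IPsec peer must be prepared to accept or initiate a second tunnel from the wan2 address.

```fortios
# Added example (not from the thread). Names, addresses and the PSK are
# constructed placeholders; adjust to the real environment.

# 1. SD-WAN zone: wan1 is primary (priority 1), wan2 is backup (priority 2).
#    The health check probes an upstream target so that an ISP outage with
#    the link still physically up also triggers failover.
config system sdwan
    set status enable
    config zone
        edit "virtual-wan-link"
        next
    end
    config members
        edit 1
            set interface "wan1"
            set gateway 203.0.113.1
            set priority 1
        next
        edit 2
            set interface "wan2"
            set gateway 198.51.100.1
            set priority 2
        next
    end
    config health-check
        edit "internet-probe"
            set server "1.1.1.1"            # probe target (constructed choice)
            set members 1 2
            set update-static-route enable  # pull the default route off a dead member
        next
    end
end

# Default route via the SD-WAN zone instead of a single WAN interface.
config router static
    edit 1
        set sdwan-zone "virtual-wan-link"
    next
end

# 2. Outbound policy: after enabling SD-WAN, policies reference the zone,
#    not wan1/wan2 directly (VIPs can still pin a specific WAN interface).
config firewall policy
    edit 1
        set name "lan-to-internet"
        set srcintf "internal"
        set dstintf "virtual-wan-link"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set nat enable
    next
end

# 3. SSL VPN: "Listen on Interfaces" = source-interface; list both WANs.
#    The listen port must be reachable on wan2's public IP as well.
config vpn ssl settings
    set source-interface "wan1" "wan2"
    set port 10443
end

# 4. IPsec: one phase1/phase2 pair bound to each WAN link toward the same peer.
config vpn ipsec phase1-interface
    edit "site-b-wan1"
        set interface "wan1"
        set remote-gw 192.0.2.10
        set dpd on-idle
        set psksecret REPLACE_WITH_REAL_PSK
    next
    edit "site-b-wan2"
        set interface "wan2"
        set remote-gw 192.0.2.10
        set dpd on-idle
        set psksecret REPLACE_WITH_REAL_PSK
    next
end
config vpn ipsec phase2-interface
    edit "site-b-wan1-p2"
        set phase1name "site-b-wan1"
        set auto-negotiate enable
    next
    edit "site-b-wan2-p2"
        set phase1name "site-b-wan2"
        set auto-negotiate enable
    next
end

# 5. FortiDDNS: clients dial the hostname; the record follows whichever
#    monitored interface currently holds the public address.
config system ddns
    edit 1
        set ddns-server FortiGuardDDNS
        set ddns-domain "vpn-example.fortiddns.com"
        set monitor-interface "wan1" "wan2"
    next
end
```

With this in place, FortiClient is pointed at the DDNS hostname (Demir25's suggestion) or carries both public addresses as remote gateways (the multiple-gateway tip funkylicious linked), and the two IPsec tunnels can be placed in their own SD-WAN zone or given static routes with different distances so traffic prefers the wan1 tunnel and falls back to the wan2 tunnel; that routing step is outside this fragment.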