Help
FortiGate
FortiGate Next Generation Firewall utilizes purpose-built security processors and threat intelligence security services from FortiGuard labs to deliver top-rated protection and high performance, including encrypted traffic.
gonzalezw
Staff
Staff

Created on ‎09-15-2024 10:08 PM Edited on ‎07-28-2025 10:47 PM By Community Manager

Article Id 341370

Technical Tip: Configure ISP failover using default routes and link health monitor as traditional method without SD-WAN

Description This article describes how to set up an ISP Failover using static routing and link-health monitor
Scope FortiGate V7.x.
Solution
  1. Configure WAN interfaces using Manual IP assignment: Go to Network -> Interfaces, and assign an IP address to the first WAN interface:

 

Failover1.jpg

 

  • Repeat the same step as WAN1 but with WAN2 now.
  • Enable an option to add multiple interfaces in a policy and to avoid creating a separate policy for WAN2 or WAN1 for traffic coming from LAN to WAN. Go to System ->Feature Visibility and enable 'Multiple Interface Policies':

 

Failover2.jpg

 

  • Create a Firewall Policy under Policy & Objects -> Firewall Policy and select 'Create New'.
 

Failover4.jpg

 

Note1:

After enabling 'Multiple Interface Policies', add multiple interfaces to a single policy.

 

  • Configure the default routes to allow the Failover under Network -> Static Routes and select 'Create New'.

 

Failover5.jpg

 

Note 2:

It is important to note that when distances are equal, both routes will be included in the routing table. However, the route with the lower priority will be preferred. The s* symbol indicates that this route is the primary route to the internet.

 

Failover6.jpg

 

If assigning a higher distance to WAN2, it will be removed from the routing table and will no longer be usable. If the goal is to keep WAN2 available for specific routes, port forwarding (VIP), or management access, it is better to use the configuration option mentioned above.

 

Failover7.jpg

 

The WAN2 default route has been removed and is no longer available for use.

 

  1. Configure WAN interfaces using DHCP IP assignment: When the FortiGate WAN interface is connected to the ISP modem, it typically obtains an IP address from the DHCP server of the modem. In this case, the interface will also receive the default gateway and DNS server information from the ISP. By default, the default gateway has a distance of '5' and a priority of '1'. If two default routes are set up as shown in the previous steps, and it was not considered the DHCP address provided by the ISP modem, the firewall will prioritize it due to its lower distance, removing other default routes from the routing table.

 

Failover8.jpg

 

To keep one of the interfaces as a DHCP client, to achieve ISP Failover, assign a higher distance to the other interface.

 

The basic settings of the ISP Failover have been completed. The steps mentioned will work if having a physical or logical shutdown of any of the WAN interfaces, but if internet service is lost on the ISP modem, Failover may not be done. To avoid this issue, it is necessary to configure a link health monitor. To accomplish this, follow this KB article: Technical Tip: Link-Monitor Explained

 

For further assistance, reach out to the TAC support team

 

Related article:
Technical Tip: Setting up ISP Failover with Static and DHCP Interfaces 
4379
0 Kudos
Suggest New Article
Article Feedback
Broad. Integrated. Automated.

The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.

Social Media
Security Research
Company
News & Articles
Contact Us

Copyright 2025 Fortinet, Inc. All Rights Reserved.