gonzalezw
Staff
Article Id 341370
Description: This article describes how to set up ISP failover using static routing and a link health monitor.
Scope: FortiGate v7.x.
Solution:
  1. Configure WAN interfaces using manual IP assignment: Go to Network -> Interfaces, and assign an IP address to the first WAN interface:

Failover1.jpg

  • Repeat the same step for WAN2.
  • Enable the option that allows multiple interfaces in a single policy, so that separate LAN-to-WAN policies for WAN1 and WAN2 are not needed. Go to System -> Feature Visibility and enable 'Multiple Interface Policies':

Failover2.jpg

  • Create a firewall policy under Policy & Objects -> Firewall Policy and select 'Create New'.

Failover4.jpg

Note 1:

After enabling 'Multiple Interface Policies', both WAN interfaces can be added to the single policy.

  • Configure the default routes that allow the failover under Network -> Static Routes and select 'Create New'.

Failover5.jpg

Note 2:

When the administrative distances are equal, both default routes are installed in the routing table, and the route with the lower priority value is preferred. The S* symbol marks that route as the primary route to the internet.

Failover6.jpg

If WAN2 is assigned a higher distance instead, its default route is removed from the routing table and WAN2 is no longer usable. To keep WAN2 available for specific routes, port forwarding (VIP), or management access, use the equal-distance, higher-priority option described in Note 2.

Failover7.jpg

The WAN2 default route has been removed and is no longer available for use.
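As an added example (not part of the original article), the following CLI configuration reproduces the static-interface steps above in one place: two WAN interfaces with manual IP addresses, the multiple-interface policy feature, a single LAN-to-WAN policy that lists both WAN interfaces, and two default routes with equal distance but different priority. The interface names 'wan1', 'wan2' and 'internal' and the 203.0.113.0/24 and 198.51.100.0/24 addresses are constructed placeholders; replace them with the real interface names and ISP-assigned addresses. Lines starting with # are explanatory notes and can be omitted when pasting into the CLI.

```fortios
# Added example: FortiOS CLI equivalent of the GUI steps above.
# Interface names and IP addresses are constructed placeholders.
config system interface
    edit "wan1"
        set mode static
        set ip 203.0.113.2 255.255.255.0
        set allowaccess ping https ssh
        set role wan
    next
    edit "wan2"
        set mode static
        set ip 198.51.100.2 255.255.255.0
        set allowaccess ping https ssh
        set role wan
    next
end

# Same as System -> Feature Visibility -> Multiple Interface Policies.
config system settings
    set gui-multiple-interface-policy enable
end

# One LAN-to-WAN policy that lists both WAN interfaces as destination.
config firewall policy
    edit 1
        set name "LAN-to-WAN"
        set srcintf "internal"
        set dstintf "wan1" "wan2"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set nat enable
    next
end

# Equal distance keeps both routes in the routing table; the lower
# priority value (wan1) is preferred and wan2 becomes the backup.
config router static
    edit 1
        set gateway 203.0.113.1
        set device "wan1"
        set distance 10
        set priority 1
    next
    edit 2
        set gateway 198.51.100.1
        set device "wan2"
        set distance 10
        set priority 5
    next
end

# Verify: both 0.0.0.0/0 entries should be present, as described in Note 2.
get router info routing-table all
```

If the distance of the second route were raised instead of its priority, the routing table would show only the wan1 default route, which is the situation the paragraph above warns against.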

 

  2. Configure WAN interfaces using DHCP IP assignment: When a FortiGate WAN interface is connected to the ISP modem, it typically obtains an IP address from the modem's DHCP server. In this case, the interface also receives the default gateway and DNS server information from the ISP. By default, this DHCP default gateway has a distance of '5' and a priority of '1'. If two default routes are set up as shown in the previous steps without taking the DHCP default route from the ISP modem into account, the firewall prefers the DHCP route because of its lower distance and removes the other default routes from the routing table.

Failover8.jpg

To keep one interface as a DHCP client and still achieve ISP failover, assign a higher distance to the other interface's default route.

Alternatively, to keep both WAN1 and WAN2 active with WAN1 as primary and the WAN2 DHCP client as secondary, set the administrative distance of the DHCP interface equal to that of the primary route and give it a higher priority value so that WAN2 becomes the secondary path. The priority of a DHCP interface can only be changed on the interface itself via the CLI.

config system interface
    edit "port8"
        set mode dhcp
        set distance 10
        set priority 5
        set type physical
    next
end

Another way to set the distance and priority of the DHCP interface is through a static route. To do this, disable 'Retrieve default gateway from server' in the GUI (or 'set defaultgw disable' in the CLI) on the DHCP WAN interface, then configure a static route with 'set dynamic-gateway enable' in the CLI or the 'Dynamic' option in the GUI.

CLI:

config router static
    edit 1
        set distance 10
        set priority 5
        set device "port8"
        set dynamic-gateway enable
    next
end

GUI:

kb 35.1.png

In the GUI, the 'Dynamic' option appears in the static route settings when a DHCP interface is selected as the interface. With 'Dynamic' selected, the route's gateway is updated automatically whenever the default gateway learned by the DHCP interface changes.

The routing table will look like the following:

kb 33.3.jpg

The steps above provide ISP failover when either WAN interface goes down, whether physically or through an administrative shutdown. This is the basic ISP failover configuration.

However, if the WAN link stays up while internet service is lost on the ISP side, failover may not occur, because the static default route is only withdrawn when the interface itself goes down. To complete failover when the ISP goes down, configure a link health monitor. To do this, see Technical Tip: Link-Monitor Explained.
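As an added example (not from the original article or the linked tip), the following link-monitor configuration probes a host beyond the ISP modem through WAN1 and withdraws the WAN1 static routes while the probe fails, so the WAN2 default route takes over even though the WAN1 link itself stays up. The monitor name 'wan1-monitor', the interface 'wan1', the gateway 203.0.113.1 and the probe target 192.0.2.53 are constructed placeholders; use the real WAN1 gateway and a reliable, always-reachable host. Lines starting with # are explanatory notes and can be omitted when pasting.

```fortios
# Added example: link health monitor for WAN1.
# Names and addresses are constructed placeholders.
config system link-monitor
    edit "wan1-monitor"
        set srcintf "wan1"
        # Probe a host beyond the ISP modem so that loss of internet
        # service is detected, not only loss of the link to the modem.
        set server "192.0.2.53"
        set protocol ping
        set gateway-ip 203.0.113.1
        # Probe every 500 ms; declare failure after 5 misses and
        # recovery after 5 successful probes.
        set interval 500
        set failtime 5
        set recoverytime 5
        # Remove wan1 static routes from the routing table while the
        # probe fails, so the wan2 default route becomes active.
        set update-static-route enable
    next
end

# Check the monitor state after the change.
diagnose sys link-monitor status
```

While the monitor reports the link as dead, the WAN1 default route disappears from the routing table and traffic follows the WAN2 route; once the probes succeed again for the recovery period, the WAN1 route is reinstalled and, because of its lower priority value, becomes primary again.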

 

For further assistance, reach out to the TAC support team.

 

Related articles:
Technical Tip: Setting up ISP Failover with Static and DHCP Interfaces

Technical Tip: Override default route settings (default route received from DHCP)

Technical Tip: Static route for DHCP/PPPoE interfaces with dynamic gateway

Technical Tip: WAN interface in DHCP mode takes routing precedence over WAN interface with static co...

Technical Tip: How to configure a FortiGate interface to use DHCP

Technical Tip: Link-Monitor Explained