Umer221 (Staff)
Article Id 343041
Description This article describes how to configure failover on a FortiGate using policy-based routing to manage two or more redundant WAN links for specific traffic. The topology consists of WAN1, WAN2, and WAN3, where WAN2 acts as the primary link, WAN1 as a secondary link, and WAN3 as the last resort in case both primary and secondary links fail.
Scope FortiOS, FortiGate, Routing.
Solution

Topology:

[Image: Topology (3).png]

The firewall policies and routes will direct traffic from the internal network (LAN) to the available WAN interfaces based on their priority and availability. If WAN2 goes down, traffic will be routed through WAN1. If both WAN2 and WAN1 fail, traffic will be routed via WAN3.

 

Objectives:

  1. Set up policy routes for failover.
  2. Create the firewall policies aligning with the configured routing.
  3. Observe the traffic flow by simulating the failover on WAN2, WAN1, and WAN3.

Configuration:

 

Policy Route Configuration:

[Image: Policy Route GUI.png]

[Image: Policy Route CLI.png]

Firewall Policies for each WAN Link:

[Image: Firewall Policies GUI.png]

[Image: Firewall Policies CLI.png]

Testing and Verification:

 

Initial Traffic Flow:

WAN2 (Primary Link): 192.168.19.133 (Port 2)

WAN1 (Secondary Link): 192.168.19.130 (Port 1)

WAN3 (Last Resort): 192.168.19.137 (Port 5)

Windows PC (Connected to LAN): 10.10.10.2

 

When all WAN links are operational, traffic is routed through WAN2 because the policy route for WAN2 is prioritized above WAN1, establishing WAN2 as the primary link.

 

[Image: Initial WAN2 GUI.png]

[Image: Initial WAN2 CLI.png]

After a failover from WAN2, traffic is redirected to WAN1, making WAN1 the primary link.

 

[Image: WAN2 Down-GUI.png]

[Image: WAN2 Down-CLI.png]

When both WAN2 and WAN1 fail, traffic is redirected to WAN3, making it the active link. Since no policy route is configured for WAN3, all traffic follows the default route once the interfaces tied to the policy routes are down. If the goal is to block all traffic from reaching the internet during this failover, create a firewall policy with the action set to 'Deny' for the source subnet and place it above the general firewall policy so that outgoing traffic is prevented.


[Image: WAN3 GUI.png]

[Image: WAN3 CLI.png]
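The optional 'Deny' policy for the WAN3 fallback described above, followed by the CLI checks used to verify each failover step (simulating the WAN2 failure, listing the usable policy routes, and confirming the egress interface of the test PC's traffic). This is an added example and not the article's own CLI output. It assumes the LAN is on port3 with address object LAN_10.10.10.0 for 10.10.10.0/24, that WAN2 is port2 and WAN3 is port5 as in the article, and that the general LAN-to-WAN3 accept policy has ID 3; adjust these to your configuration.

```fortios
# Added example, not from the article. Assumptions: LAN on port3, LAN subnet
# 10.10.10.0/24, test PC 10.10.10.2, WAN2 on port2, WAN3 on port5, and the
# general accept policy towards port5 has ID 3.

config firewall address
    edit "LAN_10.10.10.0"
        set subnet 10.10.10.0 255.255.255.0
    next
end

# Optional: stop the LAN subnet from using the WAN3 fallback. WAN3 is only
# reached via the default route, so a deny policy towards port5 placed above
# the permissive policy drops (and logs) the traffic instead of letting it out.
config firewall policy
    edit 10
        set name "Deny-LAN-via-WAN3"
        set srcintf "port3"
        set dstintf "port5"
        set srcaddr "LAN_10.10.10.0"
        set dstaddr "all"
        set action deny
        set schedule "always"
        set service "ALL"
        set logtraffic all
    next
    move 10 before 3
end

# Simulate the WAN2 failure by administratively shutting port2
config system interface
    edit "port2"
        set status down
    next
end

# Which policy routes are currently usable, and the active routing table
diagnose firewall proute list
get router info routing-table all

# Egress interface of the test PC's traffic (verbosity 4 prints interface
# names); send a few pings from 10.10.10.2 while this runs
diagnose sniffer packet any 'host 10.10.10.2 and icmp' 4 10

# Sessions from the test PC and the interface pair each one uses
diagnose sys session filter src 10.10.10.2
diagnose sys session list

# Bring WAN2 back and repeat the checks: new sessions should use port2 again
config system interface
    edit "port2"
        set status up
    next
end
```

Run the sniffer and the session list both before and after each interface change: the sniffer shows which interface new packets leave on, and the session list shows whether sessions that were already established follow the new path or keep their original interface until they expire.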

When all WAN links come back up, traffic again routes through WAN2 because the policy route for WAN2 is prioritized above WAN1, making WAN2 the primary link once again.

 

[Image: All Links Up GUI.png]

[Image: All Links Up CLI.png]

If the policy route for WAN1 is administratively moved above the one for WAN2, traffic is routed through WAN1 even when all WAN links are operational, making WAN1 the primary link.

 

[Image: WAN2 Down GUI.png]

[Image: WAN2 Down CLI.png]

Note:

  1. The number of policy routes required equals the total number of WAN links minus one: the last-resort link needs no policy route because it is reached through the default route.
  2. This approach is particularly useful for directing specific types of traffic.
  3. The order of firewall policies does not affect the policy route configuration; however, the sequence of policy routes is crucial as it determines how traffic is directed.
  4. Ensure that a static or dynamic route is in place to route traffic to the final WAN port (e.g., WAN3) if the WAN ports configured for policy routing (e.g., WAN1 and WAN2) are unavailable.

 

Related articles:

Adding a static route

Redundant Internet connection without load-balancing

Setting up ISP Failover with Static and DHCP Interfaces

Other necessary changes to make when changing WAN IP

Configuring the Firewall Policy Routes

Adding new DHCP addressing mode wan connection for redundant traffic flow without bringing down the ...