FortiGate
Umer221
Staff
Article Id 276308
Description: This article provides guidance on setting up a FortiGate firewall with two WAN connections, with the goal of routing specific traffic (for example, software updates) through one connection (WAN2) while keeping the primary traffic flow on the other (WAN1).
Scope: FortiGate version 7.4
Solution

For optimal dual WAN setup on FortiGate, follow these detailed instructions:
  1. Configure Static Default Routes:

    • Create a static default route for each WAN interface.
      • Note: if the WAN interface is in PPPoE mode with 'defaultgw' enabled, there is no need to create a static route; the default route is installed in the routing table automatically. A static route is only needed when 'defaultgw' is disabled on the PPPoE interface.
    • Ensure both routes have the same distance but different priorities (a lower priority value wins).
      • Note: if the WAN interface is in PPPoE mode with 'defaultgw' enabled, the route distance and priority are configured in the interface settings under 'config system interface'.
    • See Configure Static Route.
  2. Set Up Link Health Monitors:

    • Implement a link health monitor for each route. This will remove the route from the routing table if the link becomes unusable, ensuring failover to the other WAN.
    • The route gets removed from the routing table if the specified IPs aren't reachable.
    • See Configure Link Monitor.
  3. Establish Policy Route for Secondary Interface Traffic:

    • Create a policy route for the traffic that should use the secondary interface (the one whose default route has the higher priority value, that is, the less preferred route). This route applies only to specific traffic, for example Windows updates.
    • Remember, each policy route is inspected in the order they appear. The first matching route is used. If an interface is down (via the link health monitor), the corresponding policy route will be skipped.
    • See Configure the firewall Policy Routes.
  4. Understand Routing Mechanism:

    • Routes in the FortiGate device are used to specify where to direct the traffic, whether to an interface (WAN1, WAN2, LAN, etc.) or a VPN tunnel.
    • Remember that VPN tunnels appear as virtual interfaces.
    • As traffic flows in, the FortiGate device inspects each policy route. The first matching policy route will be selected to direct the traffic.
    • If the interface associated with a matched policy route is down, the policy route will be skipped.
    • If no policy route matches, the FortiGate device falls back to the static routes, starting from the one with the lowest priority value.
  5. Create Specific Rules for Special IPs:

    • If certain traffic (for example, specific source IPs) should bypass the policy routes and follow the primary default route, add an entry higher in the policy route list that stops policy routing for those IPs. Because policy routes are matched top down, this entry must sit above the route that sends traffic to WAN2.
  6. Set Traffic Policies:

    • Traffic policies in FortiGate dictate what is done to the traffic as it passes through an interface.
    • These policies check if the traffic should be allowed to pass based on source address, destination address, or port.
    • Decide on the type of inspection for the traffic like Anti-virus or Website Blocking.
    • Also, set up NAT for the source IP address. This translates private addresses to public IP addresses.
  7. Direction of Traffic:

    • Always think of traffic from the FortiGate’s perspective in terms of its origin.
    • When a user accesses content, like a YouTube video, this is governed by a policy from LAN to WAN.
    • For traffic that originates from the internet to the servers, it's managed by a WAN to LAN policy. In this case, the destination IP address is changed using a Virtual IP.
  8. Servers Traffic Management:

    • Servers that send traffic out to the internet (for example, email servers sending out SMTP messages) should have their own LAN to WAN policy rule.
    • Ensure these servers have a dedicated public IP address using an IP Pool.
  9. Test the Configuration:

    • After implementing the changes, ensure that the primary traffic uses WAN1 and the software updates or specific traffic uses WAN2. Ensure WAN1 isn't affected when WAN2 is in use.
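
The steps above, written out as one FortiOS CLI configuration. This is an added example, not part of the original article: interface names (wan1, wan2, internal), all addresses (RFC 5737 documentation ranges) and the probe targets are constructed, and <UPDATE_SERVER_RANGE/NETMASK> is a placeholder for the update servers' destination range.

```fortios
# Step 1: two default routes, equal distance, WAN1 preferred (lower priority value)
config router static
    edit 1
        set gateway 203.0.113.1
        set device "wan1"
        set distance 10
        set priority 1
    next
    edit 2
        set gateway 198.51.100.1
        set device "wan2"
        set distance 10
        set priority 10
    next
end
# Step 2: one link monitor per WAN; a failed probe withdraws that WAN's static route
# (probe targets are constructed; use a reliable public host in practice)
config system link-monitor
    edit "wan1-mon"
        set srcintf "wan1"
        set server "192.0.2.10"
        set gateway-ip 203.0.113.1
        set update-static-route enable
    next
    edit "wan2-mon"
        set srcintf "wan2"
        set server "192.0.2.11"
        set gateway-ip 198.51.100.1
        set update-static-route enable
    next
end
# Steps 3 and 5: policy routes are matched top down. Entry 1 stops policy routing for
# the mail server (constructed host 192.168.1.25) so it keeps using WAN1; entry 2 sends
# HTTPS to the update servers out of wan2 and is skipped if wan2-mon marks wan2 down.
config router policy
    edit 1
        set input-device "internal"
        set src "192.168.1.25/255.255.255.255"
        set action deny
    next
    edit 2
        set input-device "internal"
        set src "192.168.1.0/255.255.255.0"
        set dst "<UPDATE_SERVER_RANGE/NETMASK>"
        set protocol 6
        set start-port 443
        set end-port 443
        set output-device "wan2"
        set gateway 198.51.100.1
    next
end
# Step 9 checks: get router info routing-table all / diagnose firewall proute list / diagnose sys link-monitor status
```

Step 6 still requires a firewall policy from the LAN interface to each WAN interface with NAT enabled; without an internal to wan2 policy, the traffic that policy route 2 steers to wan2 is dropped.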
