FortiGate
rmehta
Staff
Article Id 397565
Description This article describes how to use WAN1 as the default link and fail over to WAN2 only if WAN1 goes down.
Scope FortiGate v7.0 and above.
Solution
  • Prioritize WAN1 with Route Distance.

If WAN1 and WAN2 use DHCP/PPPoE, set different distance values:

config system interface
    edit "wan1"
        set distance 10
    next
    edit "wan2"
        set distance 20
    next
end

Lower distance = higher priority.

If you use static default routes instead, disable the default gateway retrieved on the interfaces and set the priority on the static routes themselves.
  • Monitor WAN1 Health Only.

Set a link monitor for WAN1 to detect failure:

config system link-monitor
    edit "wan1-monitor"
        set srcintf "wan1"
        set server "8.8.8.8"
        set protocol ping
        set update-static-route enable
    next
end

  • Enable SNAT Session Failover.

config system global
    set snat-route-change enable
end

This ensures that existing SNAT sessions follow the new route during failover and failback instead of staying pinned to the failed link.
Once everything is configured, test various failure scenarios to check the setup:

  • Disconnect WAN1 and observe automatic failover to WAN2.
  • Reconnect WAN1 and ensure the system fails back correctly.
  • Monitor the routing table to confirm that only WAN1 is present when both are alive.
diagnose sys link-monitor status
get router info routing-table all
execute ping 8.8.8.8
diagnose debug flow
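
To script the routing-table check from the test list above, the following added Python example (not from the article or from Fortinet) parses the text output of get router info routing-table all and reports which WAN interface currently carries the default route. The two sample outputs are constructed, and the interface names wan1 and wan2 match the configuration in this article.

```python
import re

# Matches an active static default route line from "get router info routing-table all",
# e.g.  S*      0.0.0.0/0 [10/0] via 203.0.113.1, wan1, [1/0]
# Groups: administrative distance, metric, gateway, outgoing interface.
DEFAULT_ROUTE = re.compile(
    r"^S\*?\s+0\.0\.0\.0/0\s+\[(\d+)/(\d+)\]\s+via\s+(\S+),\s+([^\s,]+)"
)


def parse_default_routes(output: str) -> list:
    """Return the active static default routes found in the routing-table output."""
    routes = []
    for line in output.splitlines():
        m = DEFAULT_ROUTE.match(line.strip())
        if m:
            distance, metric, gateway, intf = m.groups()
            routes.append({"intf": intf, "gateway": gateway,
                           "distance": int(distance), "metric": int(metric)})
    return routes


def check_wan_state(output: str, primary: str = "wan1", backup: str = "wan2") -> str:
    """Classify the failover state from which interfaces carry a default route:
    primary  - only WAN1 active (expected while both links are up)
    failover - only WAN2 active (WAN1 route withdrawn by the link monitor)
    both     - both active, so the distance preference is not taking effect
    none     - no default route at all (both links down or misconfigured)
    """
    intfs = {r["intf"] for r in parse_default_routes(output)}
    if intfs == {primary}:
        return "primary"
    if intfs == {backup}:
        return "failover"
    if {primary, backup} <= intfs:
        return "both"
    return "none"


# Constructed sample outputs (not captured from a real device).
BOTH_LINKS_UP = """\
Routing table for VRF=0
S*      0.0.0.0/0 [10/0] via 203.0.113.1, wan1, [1/0]
C       203.0.113.0/24 is directly connected, wan1
C       198.51.100.0/24 is directly connected, wan2
"""
WAN1_DOWN = """\
Routing table for VRF=0
S*      0.0.0.0/0 [20/0] via 198.51.100.1, wan2, [1/0]
C       198.51.100.0/24 is directly connected, wan2
"""
```

Run the check once with both links connected and once with WAN1 unplugged; anything other than "primary" in the first case means the distance values are not doing their job.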
For a reliable dual WAN setup on FortiGate, give WAN1 a lower route distance (or a higher priority for static routes), monitor only WAN1, and enable snat-route-change. This provides automatic failover to WAN2 and failback to WAN1.
SD-WAN as an Alternative to Traditional WAN Failover:
While the example above demonstrates manual configuration of dual WAN failover using static routes and link monitoring, FortiGate also supports SD-WAN, which simplifies WAN management and provides more advanced failover and load-balancing capabilities.
  • Basic SD-WAN Configuration Steps:
  1. Go to Network -> SD-WAN.
  2. Add the WAN interfaces as SD-WAN members.
  3. Define Performance SLA targets (e.g., 150ms latency, 2% packet loss).
  4. Set up SD-WAN rules to define how traffic is distributed across links.
  5. Create a firewall policy to allow traffic to the SD-WAN zone.