Description | This article describes how to send locally generated traffic such as FortiGuard, FortiGate Cloud, DNS, NTP, etc., through the secondary ISP link while all other general internet traffic uses the primary ISP link. |
Scope | FortiGate. |
Solution |
FortiGate relies on routing table lookups to determine the egress interface and the source IP it uses to initiate connections for locally generated traffic.
For this to work, active routes must be available via both links. In this example, port1 is the primary link and port3 is the secondary one.
See the static routes configured for port1 and port3:
Here, port1 has an AD value of 10 with priority 1, and port3 has an AD value of 10 with priority 2. If the AD values were different, only the route with the lowest AD value would be active in the routing table. Because both routes here have the same AD value, both are active, and the firewall then compares the configured priority: the route with the lowest priority number takes precedence, so port1 is used as the preferred route.
Now that the route configuration is complete, the next step is to specify which services should use the secondary link. Below are the CLI commands for making FortiGate Cloud logging traffic use port3 (the interface-select-method and interface settings under the log fortiguard setting branch):

    config log fortiguard setting
        set interface-select-method specify
        set interface "port3"
    end

Note: This is configurable only from the CLI.
After this change, a connection initiated towards FortiGate Cloud is sent via port3. In the same way, it is possible to specify other services such as FortiGuard, DNS, NTP, etc., to use port3. |
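The complete configuration for the setup described above, as an added example rather than the article's own CLI output. The gateway addresses 192.0.2.1 and 198.51.100.1 are constructed placeholders, the interface-select-method and interface settings are standard FortiOS options not shown on the page, and the per-service branches extend the FortiGate Cloud case to FortiGuard, DNS and NTP as the last paragraph suggests:

```text
# Added example, not from the original article. Gateway addresses are
# constructed placeholders; replace them with the real ISP gateways.

# 1. Two active default routes: same distance (AD), different priority.
#    The lower priority number wins, so port1 carries general internet traffic.
config router static
    edit 1
        set gateway 192.0.2.1
        set device "port1"
        set distance 10
        set priority 1
    next
    edit 2
        set gateway 198.51.100.1
        set device "port3"
        set distance 10
        set priority 2
    next
end

# 2. Pin locally generated service traffic to the secondary link (port3).
#    Each branch overrides the routing-table choice for that service only;
#    services without such a setting keep following the port1 route.
config log fortiguard setting
    set interface-select-method specify
    set interface "port3"
end

config system fortiguard
    set interface-select-method specify
    set interface "port3"
end

config system dns
    set interface-select-method specify
    set interface "port3"
end

config system ntp
    set interface-select-method specify
    set interface "port3"
end

# 3. Verify: both default routes should be listed as active, which is the
#    precondition for the per-service interface selection to work.
# get router info routing-table all
```

If only one default route appears, check that both static routes have the same distance value; a route with a higher AD is held out of the routing table and cannot be selected by the service settings.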
Copyright 2025 Fortinet, Inc. All Rights Reserved.