FortiGate Next Generation Firewall utilizes purpose-built security processors and threat intelligence security services from FortiGuard labs to deliver top-rated protection and high performance, including encrypted traffic.
Description This article describes on how to create redundancy with IPsec and MPLS link.
Scope All Fortigate versions.

This is regarding the scenario where the users are looking to create remote connectivity primarily with the MPLS link and secondarily as a redundant path to the IPsec tunnel.


Since the routes provided to both will be on the basis of the AD value/priority or the SD-WAN rules .


Along with the routing, the best recommendation will also be to create a link monitor.


To make efficient redundancy, link monitor will be configured to keep the health of the interface in check. 




- Performance SLA link health monitoring measures the health of links that are connected to SD-WAN member interfaces by either sending probing signals through each link to a server, or using session information that is captured on firewall policies and measuring the link quality based on latency, jitter, and packet loss.


- Here, the server will be set as the remote gateway of the other peer's wan interface IP and when the probe packets are lost, the traffic will be automatically routed towards the IPsec tunnel considering the primary MPLS link is down.


- SLA targets will make sure that if those targets are not match, the routes on that link are removed from the SD-WAN link load balancing group, and traffic is routed through other links.


- When the link is working again the routes are reestablished. This prevents traffic being sent to a broken link and lost.


It is also possible to configure link monitoring if static routes are used for both the links from CLI , there is no option for GUI for same:

# config system link-monito
    edit "1"
        set addr-mode ipv4
        set srcintf ''
        set protocol ping
        set gateway-ip
        set source-ip
        set interval 500
        set probe-timeout 500
        set failtime 5
        set recoverytime 5
        set probe-count 30
        set ha-priority 1
        set update-cascade-interface enable
        set update-static-route enable
        set status enable


Reference links: