Article Id 197694

Description


This article describes how to configure multiple Internet connections without load balancing. The interfaces are set up for failover using a link monitor.

 

Scope

 

FortiGate.


Solution


This example assumes that both Internet connections are configured with static IP addresses and that there are two default routes configured as static routes. The secondary WAN link is a standby link and takes over once the primary WAN link goes down. If the addressing mode on one of the WAN interfaces is DHCP, refer to the end of the document.

wan1: 10.5.21.50.
wan2: 10.5.53.50.

Set the IP addresses under System -> Network -> Interfaces:

 

 
Use the following CLI commands to set the IP addresses of the WAN interfaces:
 
config system interface
    edit "wan1"
        set vdom "root"
        set ip 10.5.21.50 255.255.240.0
        set allowaccess ping https
        set type physical
    next
    edit "wan2"
        set vdom "root"
        set ip 10.5.53.50 255.255.240.0
        set allowaccess ping https
        set type physical
    next
end

Create two default routes:
For redundant Internet connections, both default static routes must be active in the routing table. To achieve this, give both routes the same distance.

If wan1 is to be the primary (active) link, give its route the lowest priority value and give the route of the other WAN interface a higher priority value.

When there are multiple routes to the same destination with the same distance, the priority is compared, and the route with the lowest priority value is preferred.

Example:
wan1 has a distance of 10 and a priority of 1.
wan2 has a distance of 10 and a priority of 10.

Here, wan1 is the selected route, as it has the lowest priority value compared to wan2.
So all traffic is handled by wan1. If wan1 goes down, traffic is shifted to wan2.
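The selection rule above (lowest distance decides which routes are installed; among equal-distance routes the lowest priority value forwards; a failed link monitor withdraws the static route) can be checked with the following small model. It is an added example and not Fortinet's code or FortiOS behaviour verbatim: the route objects, the `RoutingTable` class and the gateway addresses are constructed from the values used in this article.

```python
"""Added example (not Fortinet code): a model of the FortiGate static-route
selection rule described in this article, used to reason about what the
routing table looks like before and after a link-monitor failure."""
from dataclasses import dataclass


@dataclass(frozen=True)
class StaticRoute:
    dst: str        # destination prefix, "0.0.0.0/0" for a default route
    device: str     # outgoing interface
    gateway: str
    distance: int   # administrative distance, lower is preferred
    priority: int   # tie-breaker among equal-distance routes, lower is preferred


class RoutingTable:
    def __init__(self, routes):
        self.configured = list(routes)
        self.down = set()  # devices whose link monitor is currently failed

    def installed(self, dst="0.0.0.0/0"):
        """Routes present in the routing table for dst.

        A route is withdrawn while its device's link monitor has failed
        (the effect of 'update-static-route enable'); of the remaining
        candidates, only those sharing the lowest distance are installed.
        """
        cands = [r for r in self.configured
                 if r.dst == dst and r.device not in self.down]
        if not cands:
            return []
        best = min(r.distance for r in cands)
        return [r for r in cands if r.distance == best]

    def forwarding_device(self, dst="0.0.0.0/0"):
        """Among installed equal-distance routes, the lowest priority value wins."""
        inst = self.installed(dst)
        return min(inst, key=lambda r: r.priority).device if inst else None

    def link_monitor_fail(self, device):
        self.down.add(device)

    def link_monitor_recover(self, device):
        self.down.discard(device)


def failover_sequence(routes):
    """Forwarding interface at each stage: normal, wan1 failed, wan1 recovered."""
    rt = RoutingTable(routes)
    stages = [rt.forwarding_device()]
    rt.link_monitor_fail("wan1")
    stages.append(rt.forwarding_device())
    rt.link_monitor_recover("wan1")
    stages.append(rt.forwarding_device())
    return stages


# Constructed routes using the article's values: equal distance, wan1 preferred by priority.
EQUAL_DISTANCE = [
    StaticRoute("0.0.0.0/0", "wan1", "10.5.31.254", 10, 1),
    StaticRoute("0.0.0.0/0", "wan2", "10.5.63.254", 10, 10),
]
# Same links with unequal distance (constructed): wan2 is absent from the routing
# table while wan1 is up, which is why the article asks for equal distances.
UNEQUAL_DISTANCE = [
    StaticRoute("0.0.0.0/0", "wan1", "10.5.31.254", 10, 1),
    StaticRoute("0.0.0.0/0", "wan2", "10.5.63.254", 20, 10),
]

if __name__ == "__main__":
    print("equal distance, installed:", [r.device for r in RoutingTable(EQUAL_DISTANCE).installed()])
    print("unequal distance, installed:", [r.device for r in RoutingTable(UNEQUAL_DISTANCE).installed()])
    print("failover sequence:", failover_sequence(EQUAL_DISTANCE))
```

Running the script shows both routes installed in the equal-distance case with wan1 forwarding, wan2 taking over while wan1's monitor is failed, and wan1 returning once the monitor recovers; in the unequal-distance case only wan1 is in the table while it is up.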
 
Refer to the following article for more details on routing behavior depending on administrative distance and priority for static routes and policy-based routes: Technical Tip: Routing behavior depending on distance and priority for static routes, and Policy Bas...

To configure these routes in the GUI, go to Network -> Static Routes and create two default routes:
 
[Image: route edit.jpg]
 
 
Note:
In v7.0.3 and earlier, the minimum value for 'priority' is 0, which remains the same if a WAN port is assigned a DHCP IP address.
 
Create Two Firewall Policies:
To configure Firewall Policies in the GUI, go to Policy & Objects -> Firewall Policy and create two Firewall Rules to allow traffic to the internet (main WAN1 interface and backup WAN2 interface).

[Image: firewall policy pic.jpg]

 

Configure the Firewall Policies for the traffic that must go to the Internet, and create the same policy twice but with different Outgoing interfaces (one policy for WAN1 and another policy for WAN2). In this case, no specific subnets are defined and the Source is left as 'all'; specify them if needed, but remember that the configuration must be the same in both the WAN1 and WAN2 firewall policies.
 
If the multiple interface policy feature is enabled, as shown below:
 

[Image: Screenshot 2024-12-06 172751.png]

 

then add both WAN interfaces to one policy, as shown below:

 

[Image: Screenshot 2024-12-07 174053.png]

 

Set up the Health Link Monitor and configure ping servers (CLI Only):

The following configuration pings a server of choice. If replies stop arriving at the configured rate, the static route is removed from the routing table and the secondary connection is used.
 
config system link-monitor
    edit Wan1Failover
        set srcintf port1          <----- Specify the port used for the WAN1 link.
        set server 8.8.8.8
        set protocol ping
        set gateway-ip 10.5.31.254
        set source-ip 0.0.0.0
        set interval 5             <----- The minimum allowed value depends on the firmware version. For example, in v7.2.8 the minimum value is 20.
        set probe-timeout 500
        set failtime 5
        set recoverytime 5
        set ha-priority 1
        set update-cascade-interface enable
        set update-static-route enable
        set status enable
    next
    edit Wan2Failover
        set srcintf port2          <----- Specify the port used for the WAN2 link.
        set server 4.2.2.2
        set protocol ping
        set gateway-ip 10.5.63.254
        set source-ip 0.0.0.0
        set interval 5             <----- The minimum allowed value depends on the firmware version. For example, in v7.2.8 the minimum value is 20.
        set probe-timeout 500
        set failtime 5
        set recoverytime 5
        set ha-priority 1
        set update-cascade-interface enable
        set update-static-route enable
        set status enable
    next
end

 

Note:

In v6.2 and above, 'interval' is a millisecond value between 500 and 3600000. In v6.0, the value is in seconds between 1 and 3600.

 

Check the link-monitor status via the CLI with:

 

diagnose sys link-monitor status

 

Link Monitor: 0, Status: alive, Server num(1), Flags=0x1 init, Create time: Fri Feb 12 01:52:09 2021
Source interface: port1 (3)
Source IP: 10.10.0.21
Interval: 500 ms
 Peer: 8.8.8.8(8.8.8.8)
        Source IP(10.5.21.50)
        Route: 10.5.21.50 ->8.8.8.8/32, gwy(10.5.31.254)
        protocol: ping, state: alive
                Latency(Min/Max/Avg): 5.334/5.543/5.450 ms
                Jitter(Min/Max/Avg): 0.002/0.122/0.050
                Packet lost: 0.000%
                Number of out-of-sequence packets: 0
                Fail Times(0/5)
                Packet sent: 104, received: 104, Sequence(sent/rcvd/exp): 105/105/106
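For monitoring at scale it helps to parse this output rather than read it by eye. The following added example (not a Fortinet tool) parses the text format of 'diagnose sys link-monitor status' shown above and reports peers that are dead, losing packets, or accumulating failures toward their failtime. The regular expressions assume the line layout shown in this article; the sample text is constructed from the article's output plus an invented second monitor in the 'dead' state.

```python
"""Added example (not Fortinet code): parse 'diagnose sys link-monitor status'
output and flag unhealthy link monitors. Assumes the line layout shown in the
article; FortiOS versions with a different layout may need adjusted patterns."""
import re

# Constructed sample: first block mirrors the article's output, the second is an
# invented monitor on port2 whose peer is down.
SAMPLE = """\
Link Monitor: 0, Status: alive, Server num(1), Flags=0x1 init, Create time: Fri Feb 12 01:52:09 2021
Source interface: port1 (3)
Source IP: 10.5.21.50
Interval: 500 ms
 Peer: 8.8.8.8(8.8.8.8)
        Source IP(10.5.21.50)
        Route: 10.5.21.50 ->8.8.8.8/32, gwy(10.5.31.254)
        protocol: ping, state: alive
                Latency(Min/Max/Avg): 5.334/5.543/5.450 ms
                Jitter(Min/Max/Avg): 0.002/0.122/0.050
                Packet lost: 0.000%
                Number of out-of-sequence packets: 0
                Fail Times(0/5)
                Packet sent: 104, received: 104, Sequence(sent/rcvd/exp): 105/105/106
Link Monitor: 1, Status: dead, Server num(1), Flags=0x1 init, Create time: Fri Feb 12 01:52:09 2021
Source interface: port2 (4)
Source IP: 10.5.53.50
Interval: 500 ms
 Peer: 4.2.2.2(4.2.2.2)
        Source IP(10.5.53.50)
        Route: 10.5.53.50 ->4.2.2.2/32, gwy(10.5.63.254)
        protocol: ping, state: dead
                Latency(Min/Max/Avg): 0.000/0.000/0.000 ms
                Jitter(Min/Max/Avg): 0.000/0.000/0.000
                Packet lost: 100.000%
                Number of out-of-sequence packets: 0
                Fail Times(5/5)
                Packet sent: 104, received: 0, Sequence(sent/rcvd/exp): 105/0/106
"""

MONITOR_RE = re.compile(r"^Link Monitor: (\d+), Status: (\w+)")
IFACE_RE = re.compile(r"^Source interface: (\S+)")
PEER_RE = re.compile(r"^\s*Peer: (\S+?)\(")
STATE_RE = re.compile(r"protocol: (\w+), state: (\w+)")
LOSS_RE = re.compile(r"Packet lost: ([\d.]+)%")
FAIL_RE = re.compile(r"Fail Times\((\d+)/(\d+)\)")


def parse_link_monitor_status(text):
    """Return a list of monitors, each with its source interface and per-peer health fields."""
    monitors, current = [], None
    for line in text.splitlines():
        m = MONITOR_RE.match(line)
        if m:  # a new 'Link Monitor: N' header starts a new record
            current = {"id": int(m.group(1)), "status": m.group(2), "peers": []}
            monitors.append(current)
            continue
        if current is None:
            continue
        m = IFACE_RE.match(line)
        if m:
            current["srcintf"] = m.group(1)
            continue
        m = PEER_RE.match(line)
        if m:
            current["peers"].append({"server": m.group(1)})
            continue
        if not current["peers"]:
            continue  # fields below belong to the most recent peer
        peer = current["peers"][-1]
        m = STATE_RE.search(line)
        if m:
            peer["protocol"], peer["state"] = m.group(1), m.group(2)
            continue
        m = LOSS_RE.search(line)
        if m:
            peer["loss_pct"] = float(m.group(1))
            continue
        m = FAIL_RE.search(line)
        if m:
            peer["fail_count"], peer["fail_limit"] = int(m.group(1)), int(m.group(2))
    return monitors


def unhealthy_links(monitors, loss_threshold=20.0):
    """Return (srcintf, server, reason) for peers that are down, lossy, or counting failures."""
    findings = []
    for mon in monitors:
        for p in mon["peers"]:
            reasons = []
            if p.get("state") != "alive":
                reasons.append("state=%s" % p.get("state"))
            if p.get("loss_pct", 0.0) >= loss_threshold:
                reasons.append("loss=%.1f%%" % p["loss_pct"])
            if p.get("fail_count", 0) > 0:
                reasons.append("fail=%d/%d" % (p["fail_count"], p["fail_limit"]))
            if reasons:
                findings.append((mon.get("srcintf"), p["server"], ", ".join(reasons)))
    return findings


if __name__ == "__main__":
    for finding in unhealthy_links(parse_link_monitor_status(SAMPLE)):
        print("ALERT link-monitor %s -> %s: %s" % finding)
```

Feed it the real command output (for example collected over SSH) instead of SAMPLE; a non-zero fail count on an otherwise alive peer is the early sign that a link is about to be pulled from the routing table.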

 

When the WAN1 link goes down, open the system event logs and verify the log entries:

 

FortiGate GUI -> Log and Reports -> System Event.

 

Log: The static route is removed, Route (10.5.21.50 <-> 8.8.8.8 ping-down).

 

The above log means that the health check for wan1 failed and its static route was removed from the routing table.

 

If the addressing mode on one of the WAN interfaces is DHCP, configure the interface to use DHCP:

 

  1. Select Network -> Interfaces.
  2. Select the WAN port to set DHCP on.
  3. Set the Addressing mode to DHCP.
  4. Enable the 'Retrieve default gateway from server' option.
  5. Set the Distance to be the same as the static route for WAN1.
  6. Select OK.

 

[Image: Picture1.png]

 

Use the CLI to set it up as follows:

 

config system interface
    edit "port3"
        set vdom "root"
        set mode dhcp
        set distance 10
        set type physical
        set snmp-index 3
    next
end

 

Another option is to change the Administrative Distance to 5 on the existing provider interfaces (ports 1 and 2). Administrative Distance (AD) is set to 5 by default in DHCP or PPPoE mode.

 

Port1:

[Image: port1.png]

 

Port2:

 

[Image: port2.png]


FortiGate will create a dynamic route when using DHCP as the addressing mode for the interface.

To configure the link-monitor:

 

config system link-monitor
    edit WanDHCPFailover
        set srcintf port3         <----- Specify the port used for the DHCP WAN link.
        set server 8.8.8.8
        set protocol ping
        set gateway-ip 0.0.0.0     <----- Leave as 0.0.0.0: the system will add it dynamically.
        set source-ip 0.0.0.0
        set interval 500
        set probe-timeout 500
        set failtime 5
        set recoverytime 5
        set ha-priority 1
        set update-cascade-interface enable
        set update-static-route enable
        set status enable
    next
end

 

Check the link-monitor status through the CLI with the following command:

 

diagnose sys link-monitor status

 

[Image: Picture2.png]
If any further assistance is required, contact Fortinet support.

 

Related articles:

Technical Tip: Configuring link redundancy - Traffic load-balancing / load-sharing - ECMP (Equal Cos...

Technical Tip: Link-Monitor Explained

Technical Tip: How to create a static route on FortiGate from the GUI Interface 

Technical Tip: Routing behavior depending on distance and priority for static routes, and Policy Bas...

Technical Tip: Adding new DHCP addressing mode WAN connection for redundant traffic flow without bri... 

Technical Tip: Command to get the status of link-monitor settings configured