Description
This article shows how to configure multiple Internet connections without load-balance. The interfaces are set for failover using a link monitor.
Scope
FortiGate.
Solution
This example is considering that both Internet connections are configured with static IP addresses, and there are two default routes as static routes. The secondary WAN link will be a standby link and will trigger a change once the primary WAN link is down. If the addressing mode on one of the WAN interfaces is DHCP, refer to the end of the document.
wan1: 10.5.21.50.
wan2: 10.5.53.50.
Set the IP addresses under System -> Network -> Interfaces:
Use the following CLI commands to set the IP addresses of the WAN interfaces:
config system interface
edit "wan1"
set vdom "root"
set ip 10.5.21.50 255.255.240.0
set allowaccess ping https
set type physical
next
edit "wan2"
set vdom "root"
set ip 10.5.53.50 255.255.240.0
set allowaccess ping https
set type physical
end
edit "wan1"
set vdom "root"
set ip 10.5.21.50 255.255.240.0
set allowaccess ping https
set type physical
next
edit "wan2"
set vdom "root"
set ip 10.5.53.50 255.255.240.0
set allowaccess ping https
set type physical
end
Create two default routes:
For the redundant Internet connections, both the default static routes have to be active in the routing table.
So, to achieve it, set the distance of both routes the same.
If wan1 is to be the primary link (active link), then set the lowest priority to that link.
And the highest priority is given to the other WAN interface.
When there are multiple routes to the same destination with the same distance, the priority will be checked.
The route with the least priority will be given preference.
Example:
wan1 has a distance of 10 and a priority of 1.
wan2 has a distance of 10 and a priority of 10.
Here, wan1 will be a selected route, as it has the least priority compared to wan2.
So, all the traffic will be handled by wan1. If wan1 goes down, then the traffic will be shifted to wan2.
The route with the least priority will be given preference.
Example:
wan1 has a distance of 10 and a priority of 1.
wan2 has a distance of 10 and a priority of 10.
Here, wan1 will be a selected route, as it has the least priority compared to wan2.
So, all the traffic will be handled by wan1. If wan1 goes down, then the traffic will be shifted to wan2.
Refer following article for more details on routing behavior depending on administrative distance and priority for static routes and policy-based routes: Technical Tip: Routing behavior depending on distance and priority for static routes, and Policy Bas...
To configure these routes in the GUI, go to Network -> Static Routes and create two default routes:
Note:
In v7.0.3 and earlier, the minimum value for 'priority' is 0, which remains the same if a WAN port is assigned a DHCP IP address.
Create Two Firewall Policies:
To configure Firewall Policies in the GUI, go to Policy & Objects -> Firewall Policy and create two Firewall Rules to allow traffic to the internet (main WAN1 interface and backup WAN2 interface).
Configure the Firewall Policies for the traffic that must go to the Internet, and create the same policy twice but with different Outgoing interfaces (one policy for WAN1 and another policy for WAN2). In this case, no specific subnets are defined, the Source will be left as 'all', but specify them; however, remember that they must be the same config for both WAN1 and WAN2 firewall policies.
In case the multiple interface policy feature is enabled, as shown below:
Then add both WAN interfaces in 1 policy as shown below:
Set up the Health Link Monitor and configure ping servers (CLI Only):
The following will ping a server of choice. If it stops receiving replies at the set rate, it will pull the static route from the routing table, and the secondary connection will be used.
config system link-monitor
edit Wan1Failover
set srcintf port1 <----- Specify the port used for the WAN1 link.
set server 8.8.8.8
set protocol ping
set gateway-ip 10.5.31.254
set source-ip 0.0.0.0
set interval 5 <---- This value changes for its minimum. For example, at v7.2.8: minimum value: 20.
set probe-timeout 500
set failtime 5
set recoverytime 5
set ha-priority 1
set update-cascade-interface enable
set update-static-route enable
set status enable
next
edit Wan2Failover
set srcintf port2 <----- Specify the port used for WAN2 link.
set server 4.2.2.2
set protocol ping
set gateway-ip 10.5.63.254
set source-ip 0.0.0.0
set interval 5 <---- This value changes for its minimum. For example, at v7.2.8: minimum value: 20.
set probe-timeout 500
set failtime 5
set recoverytime 5
set ha-priority 1
set update-cascade-interface enable
set update-static-route enable
set status enable
end
edit Wan1Failover
set srcintf port1 <----- Specify the port used for the WAN1 link.
set server 8.8.8.8
set protocol ping
set gateway-ip 10.5.31.254
set source-ip 0.0.0.0
set interval 5 <---- This value changes for its minimum. For example, at v7.2.8: minimum value: 20.
set probe-timeout 500
set failtime 5
set recoverytime 5
set ha-priority 1
set update-cascade-interface enable
set update-static-route enable
set status enable
next
edit Wan2Failover
set srcintf port2 <----- Specify the port used for WAN2 link.
set server 4.2.2.2
set protocol ping
set gateway-ip 10.5.63.254
set source-ip 0.0.0.0
set interval 5 <---- This value changes for its minimum. For example, at v7.2.8: minimum value: 20.
set probe-timeout 500
set failtime 5
set recoverytime 5
set ha-priority 1
set update-cascade-interface enable
set update-static-route enable
set status enable
end
Note:
In v6.2 and above, 'interval' is a millisecond value between 500 and 3600000. In v6.0, the value is in seconds between 1 and 3600.
Check the link-monitor status via the CLI with:
diagnose sys link-monitor status
Link Monitor: 0, Status: alive, Server num(1), Flags=0x1 init, Create time: Fri Feb 12 01:52:09 2021
Source interface: port1 (3)
Source IP: 10.10.0.21
Interval: 500 ms
Peer: 8.8.8.8(8.8.8.8)
Source IP(10.5.21.50)
Route: 10.5.21.50 ->8.8.8.8/32, gwy(10.5.31.254)
protocol: ping, state: alive
Latency(Min/Max/Avg): 5.334/5.543/5.450 ms
Jitter(Min/Max/Avg): 0.002/0.122/0.050
Packet lost: 0.000%
Number of out-of-sequence packets: 0
Fail Times(0/5)
Packet sent: 104, received: 104, Sequence(sent/rcvd/exp): 105/105/106
When the WAN1 link goes down, navigate to the system event logs as below and verify the logs:
FortiGate GUI -> Log and Reports -> System Event.
Log: The static route is removed, Route (10.5.21.50 <-> 8.8.8.8 ping-down).
The above log means that the static route of wan1 is removed, and the health check failed.
If the addressing mode on one of the WAN interfaces is DHCP, configure the interface to use DHCP:
- Select Network -> Interfaces.
- Select the WAN port to set DHCP on.
- Set the Addressing mode to DHCP.
- Check the Enable Retrieve default gateway from the server option.
- Set the Distance to be the same as the static route for WAN1.
- Select OK.
Use the CLI to set it up as follows:
config system interface
edit "port3"
set vdom "root"
set mode dhcp
set distance 10
set type physical
set snmp-index 3
next
end
Another option is to change the Administrative Distance to 5 on the existing provider interfaces (ports 1 and 2). Administrative Distance (AD) is set to 5 by default in DHCP or PPPoE mode.
Port1:
Port2:
FortiGate will create a dynamic route when using DHCP as the addressing mode for the interface.
To configure the link-monitor:
config system link-monitor
edit WanDHCPFailover
set srcintf port3 <----- Specify the port used for the DHCP WAN link.
set server 8.8.8.8
set protocol ping
set gateway-ip 0.0.0.0 <----- Leave as 0.0.0.0: the system will add it dynamically.
set source-ip 0.0.0.0
set interval 500
set probe-timeout 500
set failtime 5
set recoverytime 5
set ha-priority 1
set update-cascade-interface enable
set update-static-route enable
set status enable
end
Check the link-monitor status through the CLI with the following command:
diagnose sys link-monitor status
If any further assistance is required, contact Fortinet support.
Related articles:
Technical Tip: Link-Monitor Explained
Technical Tip: How to create a static route on FortiGate from the GUI Interface
Technical Tip: Command to get the status of link-monitor settings configured
