Help
FortiGate
FortiGate Next Generation Firewall utilizes purpose-built security processors and threat intelligence security services from FortiGuard labs to deliver top-rated protection and high performance, including encrypted traffic.
Nishtha_Baria
Staff
Staff

Created on ‎09-20-2023 10:02 AM Edited on ‎11-05-2024 10:27 PM By Community Manager

Article Id 274797

Technical Tip: SD-WAN failover between two/three WAN interfaces in FortiGate

Description This article describes how to set up SD-WAN failover between two/three WAN ports in FortiGate.
Scope FortiGate.
Solution

Prerequisites:

On the FortiGate system, two/three WAN interfaces are correctly set up and linked.

 

Configuration Steps:

  • Select 'SD-WAN' from the dropdown menu under 'Network' on the menu bar.
  • To create a new SD-WAN member, select 'Create New' button, and select 'member':

 

sdwanmember.png

 

  • Create a static route by going to Network -> Static Routes.

 

MicrosoftTeams-image (7).png

 

 

  • To create a new SD-WAN rule, navigate to SD-WAN Rules, and select the 'Create New' button.
  • Give the rule a name, and then choose the relevant WAN interfaces from the list of choices. By placing the WAN interfaces in the desired order, specify the failover order. 
  • Set the desired parameters for the SD-WAN interface selection strategy as Manual.

 

MicrosoftTeams-image (11).png

 

  • Apply the modifications after saving the settings.
  • Create the policy to allow the traffic by going to 'Policy & Objects' as follows:

 

firewallsdwanpolicy.PNG

 

 

Testing and Monitoring:

 

It is essential to test and keep an eye on the system after installing SD-WAN failover amongst two/three WAN interfaces to ensure efficacy.

 

Here are a few suggestions:


Disconnecting one of the WAN interfaces will simulate a connection failure; watch to see if traffic is immediately redirected to the remaining interfaces.

 

A check sign will be seen beside the selected interface that is processing the traffic. In the below screenshot, it is possible to see that from all 3 interfaces, wan1 is selected as the outgoing interface.

 

sdwanmember1.PNG

 

When wan1 is down, the traffic will be processed by wan2:

 

sdwanmember2.PNG

 

Track the performance and status of each WAN link by checking the SD-WAN dashboard in the FortiGate administration interface.

 

Review the SD-WAN logs and reports frequently to spot any problems or irregularities.

 

 

Troubleshooting:

Check the WAN interfaces' physical connections and set-ups.
Verify the FortiGate device's firmware version to make sure SD-WAN capability is supported.


Review the load balancing mechanism, connection monitoring, and failover thresholds in the SD-WAN setup settings.
For more information, refer to the FortiGate manual or contact the Fortinet community.

The following commands are useful for troubleshooting an SD-WAN environment.

 

  • Gather the traffic transmitted and received by the FortiGate:

 

diagnose sniffer packet
 
  • View how FortiGate processes a packet and the decisions it makes:

 

diagnose debug flow

 

  • Show active sessions:

 

diagnose system session list

 

Feel free to open a TAC support case if require any further help.
14291
0 Kudos
Submit Article Idea
Broad. Integrated. Automated.

The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.

Social Media
Security Research
Company
News & Articles
Contact Us

Copyright 2024 Fortinet, Inc. All Rights Reserved.