FortiGate
Anonymous
Article Id 248510
Description

This article describes how to configure wan1 as a static interface and wan2 as DHCP interface and set up an ISP failover between them.

Scope

FortiGate, v7.x.
Solution

Configuring the interfaces.

 

To configure wan1 as static, enable SD-WAN, and add wan1:

Go to Network -> Interfaces, select the WAN port to configure, set the Addressing mode as 'Manual', enter the 'IP/Netmask', and select 'OK'.

 


To configure wan2 as DHCP:

Go to Network -> Interfaces, select the WAN port to configure, set the Addressing mode as 'DHCP', enable 'Retrieve default gateway from server', and then select 'OK'.

 


Note: 

If SD-WAN is not used, adding a DHCP interface may interfere with the default route and interrupt Internet-bound traffic.

This is because the default static route (if not customized) has an administrative distance (AD) of 10 and a priority of 1.

However, the DHCP route has an AD of 5 and a priority of 1, which makes it the preferred route.

 

Therefore, it is important to set the correct distance and priority values on the DHCP route.

This can be configured via the GUI or CLI. A manual static route does not need to be added for a DHCP interface.

 

FortiGate automatically adds a route once the DHCP interface receives an IP address and gateway information.

config system interface
    edit wan2
        set distance <Integer Value>
        set priority <Integer Value>
    next
end

To set up the ISP failover between the two WAN interfaces, SD-WAN will be used.

To create the SD-WAN interface:

Go to Network -> SD-WAN, under SD-WAN Zones, select Create New -> SD-WAN member.

 


Adding wan1 (Static):

Select wan1 and select the zone as virtual-wan-link, set the default gateway as set when configuring the interface, and select 'OK'.

 


Adding wan2 (DHCP):

Select wan2 and select the zone as virtual-wan-link. Do not change the default gateway and select 'OK'.

 


To add the Default Static Route:

Select the virtual-wan-link from the Interface, set the Destination as 0.0.0.0/0.0.0.0, and select 'OK'.

 


Verifying the routes in the route table:

To verify that the routes have been added, use the following command:

get router info routing-table all

Creating an ISP failover:

Go to Network -> SD-WAN -> Performance SLA, select 'Create New', set the Name as Link-Monitor, set Probe as Active, set Protocol as Ping, add 8.8.8.8 as the Server, enable 'Update static route', and then select 'OK'.
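
The GUI steps above expressed as FortiOS CLI, as an added example that is not part of the original article. The wan1 address and gateway (203.0.113.0/24 documentation range), the member IDs and the static route ID are placeholders, and the 'set sdwan-zone' static route syntax assumes FortiOS 7.x.

```fortios
# Added example; addresses and IDs are placeholders, syntax assumes FortiOS 7.x.
config system interface
    edit "wan1"
        set mode static
        set ip 203.0.113.2 255.255.255.0
    next
    edit "wan2"
        set mode dhcp
        # Equivalent of 'Retrieve default gateway from server'
        set defaultgw enable
    next
end
config system sdwan
    set status enable
    config zone
        edit "virtual-wan-link"
        next
    end
    config members
        edit 1
            set interface "wan1"
            set zone "virtual-wan-link"
            set gateway 203.0.113.1
        next
        edit 2
            # Gateway left unset: wan2 learns it from DHCP
            set interface "wan2"
            set zone "virtual-wan-link"
        next
    end
    config health-check
        edit "Link-Monitor"
            set server "8.8.8.8"
            set protocol ping
            # Withdraw a member's route when its probe fails
            set update-static-route enable
            set members 1 2
        next
    end
end
config router static
    edit 1
        set dst 0.0.0.0 0.0.0.0
        set sdwan-zone "virtual-wan-link"
    next
end
```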

 


Related article:
Technical Tip: Configure ISP failover using default routes and link health monitor as traditional me... 
