New Contributor

Another Load Balance for some IPs



I have an issue that is not so common, so I will explain the scenario first:

- It is a Fortigate 100E with firmware version 5.6.6

- We have 2 different ISP connected to WAN1 and WAN2

- There is a kind of load balance by content, just with policy routes

- SD-Wan is not configured

- There are rules for WAN1 and rules for WAN2

- There are static routes and policy routes for WAN1 and WAN2


Now, we need to add another 2 ISPs in different interfaces (example: Port2 and Port3)

We need everyone to keep using the current settings, like now (without any change at all)

But we need to make a load balance between Port2 and Port3 just for some IPs (Just some IPs to go out through Port2 or Port3)

If I create a SD-Wan, I have the following issues:

- I cannot create a static route, because it is not allowed to create static routes for SD-WAN and non-SD-WAN interfaces

- I cannot create a policy route, because it does not allow me to select the SD-WAN as the destination interface.


I could add another device to make the load balance but it is preferred to make it work with the current hardware.


Any Idea?




Esteemed Contributor III

If you are not balancing multiple interfaces pseudo-randomly by pointing default routes to all of them, and are instead sending some specific destination groups to specific interfaces, that's not usually called load-balancing. It's just specific routing toward multiple internet interfaces. You can keep doing it in the same way regardless of the number of interfaces.

But even with SD-WAN, you can do the same with default routes going to all member interfaces. Despite your statement, you can set specific (static) routes toward one of the SD-WAN member interfaces if you really want. But you can limit the member interfaces, like specifying only one, in the SD-WAN rule (GUI; in CLI it's called "config service" under "config sys virtual-wan-link") to limit where to go for specific destinations, sources, protocols, etc., just like policy routes, while all other traffic can be "load-balanced".

As a matter of fact, an FTNT SE called those rules "policy routes" when he explained SD-WAN in a tech refresher seminar.

The hardest part is to remove all references to the member interfaces in the current config in order to form the SD-WAN interface. It's almost equivalent to configuring from scratch.



I think I got it

This should be either everything through one SD-WAN with multiple WANs using SD-WAN rules, or through different interfaces using policy routes or static routes + firewall policies.


Thanks a lot

Esteemed Contributor III

By the way, it's possible to go hybrid as well; some members in SD-WAN and others independent. 


How can I do this if I cannot create routes?

The FortiGate does not allow me to create routes with the SD-WAN (static or policy)

Esteemed Contributor III

For static routes, you might need to go to CLI and disable SD-WAN routing for the specific route.

config router static
  edit N
    set virtual-wan-link disable
  next
end




For general policies, you just need to allow it toward the SD-WAN. Then in the rule, you can specify the interface(s) in the preference. I hope this is the same with 5.6. Mine is 6.0.7. If not, you might need to upgrade yours. With 6.2, they added more visibility of the statistics on SD-WAN members in GUI.

Esteemed Contributor III

I just checked mine and found "virtual-wan-link disable" was the default when you create a new static route in CLI.

I recommend you play around only with the new ISP interfaces so that you can see what you can do and what you can't.


toshiesumi wrote:

I just checked mine and found "virtual-wan-link disable" was the default when you create a new static route in CLI.

I recommend you play around only with the new ISP interfaces so that you can see what you can do and what you can't.

Can you load balance two ISP circuits on a single device with SDWAN interface when each ISP gives you 4 addresses to use for resources? I have a remote site that I need to get 2 circuits installed for primary and backup.


Esteemed Contributor III

Those additional IPs (say IPs from ISP1) wouldn't work well if you route packets sourced with the IPs toward the different ISP (ISP2) especially when ISP1's circuit is down. Because the super subnet the ISP1 owns, which includes those IPs, is advertised from ISP1 to eventually ISP2 over the Internet. ISP2 would route returning traffic destined to those IPs toward ISP1, never route back to your circuit.

In addition, when ISP1's circuit is still up, your SD-WAN might decide to use the ISP2 circuit to send some specific traffic out, and then get the replies on ISP1's circuit. This is so-called "asymmetric routing", which the FGT will block.

