Unlock Exclusive Benefits
Join Our Community Today!
Join our community and post in the forum to earn your exclusive Holiday badge! Become a member today!
LOGIN/REGISTER
CONTINUE AS A GUEST
- Support Forum
- Knowledge Base
- Customer Service
- Internal Article Nominations
- FortiGate
- FortiClient
- FortiAP
- FortiAnalyzer
- FortiADC
- FortiAuthenticator
- FortiBridge
- FortiCache
- FortiCarrier
- FortiCASB
- FortiConnect
- FortiConverter
- FortiCNP
- FortiDAST
- FortiDDoS
- FortiDB
- FortiDNS
- FortiDLP
- FortiDeceptor
- FortiDevSec
- FortiDirector
- FortiEDR
- FortiExtender
- FortiGate Cloud
- FortiGuard
- FortiHypervisor
- FortiGuest
- FortiInsight
- FortiIsolator
- FortiMail
- FortiMonitor
- FortiManager
- FortiNAC
- FortiNAC-F
- FortiNDRCloud
- FortiNDR (on-premise)
- FortiPhish
- FortiPAM
- FortiPortal
- FortiProxy
- FortiRecon
- FortiRecorder
- FortiSRA
- FortiSandbox
- FortiScan
- FortiSASE
- FortiSIEM
- FortiSOAR
- FortiSwitch
- FortiTester
- FortiToken
- FortiWAN
- FortiVoice
- FortiWeb
- FortiAppSec Cloud
- Lacework
- RMA Information and Announcements
- Wireless Controller
- FortiCloud Products
- ZTNA
- 4D Documents
- Customer Service
- Community Groups
- Blogs
Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
- Fortinet Community
- Support Forum
- Failover between two ISPs
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark
- Subscribe
- Mute
- Printer Friendly Page
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Failover between two ISPs
Hi Guys,
Apologies if this has been asked before - I'm new to the forum and to Fortinet.
We currently have 2 individual networks connected to separate ISPs and we use a Fortigate 600c firewall in each network.
I need each network to be able to use the other link as a back up route to the internet should it's primary ISP connection fail.
I'd like to know the simplest configuration for this - My initial thought is to set up a second static route with a higher distance between the WAN 2 ports on each firewall? Traffic from each network needs to be isolated but still be able to access the internet when the primary ISP fails.
Any help/advice would be appreciated.
Thanks
14 REPLIES 14
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi Chris,
As you already suggested set up a second static route with a higher distance between the WAN 2 interfaces on each firewall.
Then make sure you have on both firewalls policies WAN2 -> WAN1. This way you isolate the networks.
And if I'm right (probably you won't need this) make sure you have policy routes in place! all traffic coming from WAN2 interface is routed to WAN1.
thanks,
yiannis
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi,
Please refer the below Video link
http://video.fortinet.com/video/105/redundant-internet-connections-5-2
Hope this helps you to configure dual ISP.
Cheers
EMEA Technical Support
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hello,
May I know if both the networks are geographically different and possibility of the physical connections between them?
Also, we need to keep in the mind about what if the interface stays UP, but the internet is down, gateway detect should help in this case.
Chris wrote:Hi Guys,
Apologies if this has been asked before - I'm new to the forum and to Fortinet.
We currently have 2 individual networks connected to separate ISPs and we use a Fortigate 600c firewall in each network.
I need each network to be able to use the other link as a back up route to the internet should it's primary ISP connection fail.
I'd like to know the simplest configuration for this - My initial thought is to set up a second static route with a higher distance between the WAN 2 ports on each firewall? Traffic from each network needs to be isolated but still be able to access the internet when the primary ISP fails.
Any help/advice would be appreciated.
Thanks
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi,
Thanks for your help guys - the plan is coming together.
Geographically we are in the same location and share a server room (& IT Team)- the firewalls are racked next to each other but are in different networks and connected to different ISPs (essentially we are 2 companies sharing office space - we are under the same umbrella company so sharing the ISPs for fail over is no issue). Each network uses a different IP addressing scheme (192.168.0.0 and 10.0.0.0) so I don't see an issue here.
I've seen you can set up a ping to determine that each link is active - after a few successive failures we want the connection to fail over.
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
The easiest way:
Connect the two FortiGates on the wan2 port
Go to System > Network > Interface
Assign FortiGate1 an IP Address on wan2 172.16.0.1/30
Assign FortiGate2 an IP Address on wan2 172.16.0.2/30
Go to Router > Static > Static Routes
On FortiGate1 create a new route
Destination 0.0.0.0/0.0.0.0
Device wan2
Gateway 172.16.0.2
Distance 11 (greater than your default route)
On FortiGate2 do the same but
Gateway 172.16.0.1
Create a new Static route on FortiGate1
Destination 10.0.0.0/8
device wan2
Gateway 172.16.0.2
Distance 10
On FortiGate2 do the same but
Destination 192.168.0.0/16
Gateway 172.16.0.2
Now go to Policy&Objects > Objects > Addresses
On FortiGate1 create an object for Network_fortigate2 with 192.168.0.0/16
On FortiGate2 create an object for network_fortigate1 with 10.0.0.0/8
Go to Policy&Objects > IPv4 > Policies
On FortiGate1 create new Policy
Incoming Interface: wan2
Source Address: network_fortigate2
Outgoing Interface: wan1
Destination Address: all
Enable NAT
configure rest as needed
On FortiGate2 do the same but
Source Address: network_fortigate1
Go to Router > Static > Settings
Create two new Link Health Monitor
Interface wan1/wan2
Gateway on wan2 Fortigate1: 172.16.0.2 / on fortigate2: 172.16.0.1
On wan1 Gateway from your ISPs
Enable health check
Ping
8.8.8.8 (or whatever you like)
The optimal way would be a HA setup with both devices, that way if one internet connection fails the other takes over AND if one of the FortiGates dies the other takes over
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
When setting up the Link Health Monitor ALWAYS configure at least 2 independent ping target servers! If Google ever takes down 8.8.8.8 for maintenance both WAN lines will be killed...
And no, I would not choose ANY host on the internet just because it's IP address is easy to remember. Choose a host nearby, for instance one located with your ISP (DNS - might or might not allow pings).
You can set additional target IPs in the CLI (only).
Ede Kernel panic: Aiee, killing interrupt handler!
Ede Kernel panic: Aiee, killing interrupt handler!
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
ede_pfau wrote:If Google ever takes down 8.8.8.8 for maintenance both WAN lines will be killed...
If Google ever takes down 8.8.8.8, even for a second, half of the worlds monitoring scripts and DNS queries would fail and the world would probably collapse. Or at least a few sysadmins ;)
Choose a host nearby, for instance one located with your ISP (DNS - might or might not allow pings).
Your ISPs gateway probably is the best choice (if you can ping it)
Telekom (as an example) took down a few "old" DNS servers and suddenly a customers internet connection failed ;)
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi Guys,
Thanks for all your help - The Failover is up and running!
I have one further question - Is there an alert or log I can set up so I can tell when the primary link has failed?
Just to be clear the firewalls are configured and pinging externally to check the link state - I've checked that it works by physically taking each cable out and ensuring connectivity from both networks. I'd simply like an email or log I can check to find out when the redundant link has been in use.
Any thoughts?
Thanks
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Chris wrote:Hi Guys,
Thanks for all your help - The Failover is up and running!
I have one further question - Is there an alert or log I can set up so I can tell when the primary link has failed?
Just to be clear the firewalls are configured and pinging externally to check the link state - I've checked that it works by physically taking each cable out and ensuring connectivity from both networks. I'd simply like an email or log I can check to find out when the redundant link has been in use.
Any thoughts?
Thanks
i've been thinking of this, can't think of any automatic feature in fortigate which can do this. I guess a batch file which keeps pinging the primary wan every 30mins or so as a scheduled task and raises a pop-up when the pings fail can do this work.
Do share if you get a way to do this.
Announcements
Select Forum Responses to become Knowledge Articles!
Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.
Labels
-
FortiGate
8,812 -
FortiClient
1,789 -
5.2
801 -
FortiManager
746 -
5.4
639 -
FortiAnalyzer
567 -
FortiSwitch
481 -
FortiAP
476 -
FortiClient EMS
440 -
6.0
416 -
5.6
362 -
FortiMail
324 -
SSL-VPN
257 -
6.2
251 -
FortiAuthenticator v5.5
234 -
IPsec
217 -
FortiWeb
211 -
5.0
196 -
FortiNAC
196 -
FortiGuard
139 -
6.4
128 -
SD-WAN
118 -
FortiAuthenticator
110 -
FortiGateCloud
102 -
FortiSIEM
99 -
FortiCloud Products
99 -
FortiToken
92 -
Firewall policy
86 -
Customer Service
81 -
Wireless Controller
81 -
4.0MR3
64 -
FortiProxy
61 -
High Availability
60 -
Fortivoice
57 -
FortiADC
54 -
VLAN
53 -
FortiEDR
52 -
ZTNA
50 -
Routing
49 -
FortiExtender
46 -
DNS
46 -
FortiSandbox
44 -
FortiDNS
42 -
LDAP
42 -
BGP
40 -
Authentication
39 -
RADIUS
37 -
NAT
37 -
SAML
36 -
Certificate
36 -
FortiGate v5.4
35 -
FortiSwitch v6.4
34 -
SSO
34 -
Interface
32 -
VDOM
32 -
FortiConnect
30 -
FortiLink
29 -
Application control
28 -
FortiWAN
27 -
Web profile
27 -
Virtual IP
26 -
FortiConverter
25 -
Logging
25 -
FortiGate v5.2
24 -
FortiGate-VM
24 -
SSL SSH inspection
23 -
FortiPAM
22 -
FortiSwitch v6.2
19 -
FortiPortal
19 -
Fortigate Cloud
19 -
FortiMonitor
18 -
Traffic shaping
18 -
OSPF
16 -
SSID
16 -
Automation
16 -
WAN optimization
16 -
FortiDDoS
15 -
System settings
15 -
FortiGate v5.0
14 -
FortiSOAR
14 -
SNMP
14 -
Static route
14 -
Web application firewall profile
14 -
IP address management - IPAM
14 -
Admin
13 -
FortiCASB
12 -
FortiManager v5.0
11 -
FortiRecorder
11 -
IPS signature
11 -
Security profile
11 -
Proxy policy
11 -
FortiManager v4.0
10 -
FortiBridge
10 -
FortiAP profile
10 -
4.0MR2
9 -
FortiGate v4.0 MR3
9 -
FortiWeb v5.0
9 -
Traffic shaping policy
9 -
Intrusion prevention
9 -
FortiDeceptor
8 -
RMA Information and Announcements
8 -
Port policy
8 -
4.0
7 -
FortiAnalyzer v5.0
7 -
FortiCache
7 -
DNS filter
7 -
Antivirus profile
7 -
Fabric connector
7 -
Web rating
7 -
Fortinet Engage Partner Program
7 -
FortiToken Cloud
6 -
Explicit proxy
6 -
API
6 -
trunk
6 -
Packet capture
6 -
Traffic shaping profile
6 -
FortiTester
5 -
Users
5 -
Email filter profile
5 -
3.6
4 -
FortiCarrier
4 -
FortiScan
4 -
FortiDirector
4 -
Internet service database
4 -
Application signature
4 -
Authentication rule and scheme
4 -
DLP sensor
4 -
Netflow
4 -
TACACS
4 -
Replacement messages
4 -
Service
4 -
Cloud Management Security
4 -
FortiDB
3 -
FortiHypervisor
3 -
FortiNDR
3 -
NAC policy
3 -
DLP Dictionary
3 -
DLP profile
3 -
DoS policy
3 -
Protocol option
3 -
SDN connector
3 -
VoIP profile
3 -
Multicast routing
3 -
FortiInsight
2 -
FortiAI
2 -
Kerberos
2 -
Schedule
2 -
Multicast policy
2 -
Zone
2 -
Vulnerability Management
2 -
4.0MR1
1 -
FortiManager-VM
1 -
FortiCWP
1 -
Subscription Renewal Policy
1 -
Video Filter
1 -
ICAP profile
1
Top Kudoed Authors
| User | Count |
|---|---|
| 1747 | |
| 1114 | |
| 761 | |
| 447 | |
| 241 |
Broad. Integrated. Automated.
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Security Research
Company
News & Articles
Copyright 2025 Fortinet, Inc. All Rights Reserved.