Failover between two ISPs
Hi Guys,
Apologies if this has been asked before - I'm new to the forum and to Fortinet.
We currently have 2 individual networks connected to separate ISPs and we use a Fortigate 600c firewall in each network.
I need each network to be able to use the other link as a backup route to the internet should its primary ISP connection fail.
I'd like to know the simplest configuration for this - My initial thought is to set up a second static route with a higher distance between the WAN 2 ports on each firewall? Traffic from each network needs to be isolated but still be able to access the internet when the primary ISP fails.
Any help/advice would be appreciated.
Thanks
A link failure is logged as a System Event (level "alert"). You could set up the admin email feature to get notified of "alert" or "critical" events.
SNMP trap is your second option, the way the bulk of network devices are monitored or "alerting" their admin.
Pulling the cable is only half smart. Link failure will always be noticed (by observing the link status of the interface) by a FGT cluster. What the (invaluable) ping server feature gives you is detection of connectivity failures further up the stream, beyond the first router or switch.
You have many choices:
1: Use the 2nd WAN port as in your earlier thoughts, adjust the distance & use dead gateway detect
2: Combine both units to be a VDOM cluster (this would give you redundancy also, btw)
3: Place a static route through the other unit to reach the other ISP (this would generate more fw-policies to manage, probably not ideal)
PCNSE
NSE
StrongSwan
Two static default routes through your WAN interfaces, with the minimal distance on the primary ISP and a higher distance on the other route.
Configure policies LAN->WAN1 and LAN->WAN2 as you desire, or create a zone interface to avoid making a lot of policies.
Greetings.
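
The two default routes and LAN->WAN policies described in this reply, together with the dead gateway detection mentioned earlier in the thread, could look like this on one of the two firewalls. This is an added example, not part of the original posts; it assumes a FortiOS release that provides `config system link-monitor`, and the interface names (`internal`, `wan1`, `wan2`), gateway addresses and probe target are placeholders.

```fortios
# Constructed example: all names and addresses below are placeholders.

# Two default routes: the lower distance wins while both are installed.
config router static
    edit 1
        set device "wan1"
        set gateway 192.0.2.1
        set distance 10
    next
    edit 2
        set device "wan2"
        set gateway 198.51.100.1
        set distance 20
    next
end

# Probe a host beyond the first hop so an upstream outage is detected,
# not only a local link-down. When the probe fails, the static route
# on wan1 is withdrawn and the distance-20 route takes over.
config system link-monitor
    edit "wan1-probe"
        set srcintf "wan1"
        set server "203.0.113.10"
        set gateway-ip 192.0.2.1
        set protocol ping
        set failtime 5
        set recoverytime 5
        set update-static-route enable
    next
end

# Outbound policy for the backup path (an equivalent internal->wan1
# policy is assumed to exist already). With no policy from wan2 to
# internal, the other network gains no path into this LAN.
config firewall policy
    edit 0
        set srcintf "internal"
        set dstintf "wan2"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set nat enable
    next
end
```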
Hi Chris
I think the easiest thing for you to do on this would be to set up an interface on each firewall with a private point-to-point /30 network.
Set up routes and policies as needed to give each network access to the other's internet connection.
You will also want to set up link health checks to monitor the internet links if you want automatic failover to the backup link.
Regards
How do I do this on 5.4.1 firmware? I cannot find the "Router > Static > Settings".
Please help, feeling "lost" with all the changes in 5.4 :\
