Support Forum

Fortigate Route Traffic from Specific Interface to Specific WAN

Hi, I have a Fortigate 60F and two ISPs added to SD-WAN:





I would always like to route traffic from Interface "3" (Subnet to ISP "WAN2" and never fail over to ISP "WAN1". If "WAN2" is down, then clients on Interface "3" will be offline (that is OK). The other interfaces can use WAN2 as the primary ISP and fail over to the WAN1 ISP.

If I create the SD-WAN rule below, won't Interface "3" ( fail over to WAN1 in case WAN2 is offline?




For the time being, I found three options for blocking traffic originating from the subnet (port3) from being routed via the WAN1 port even if WAN2 is physically down (cable unplugged):


1) Found on this resource absolutely the same issue as I have:


On port3 (subnet, I created a secondary IP

Screenshot: Secondary IP address


Created two policy routes. The first routing policy always routes traffic from the subnet (port3) via WAN2 (Starlink):

Screenshot: Policy Route Nr. 1


The second policy routes traffic from port3 to port3 with the gateway set to this port's secondary IP, which is Once the WAN2 link is down (cable unplugged, for example), the first routing policy is skipped and the one below takes care of the traffic, since will match:

Screenshot: Policy Route Nr. 2


2) Another option is to remove the SD-WAN zone and make WAN1 and WAN2 separate interfaces.

Configure failover between WAN1 and WAN2 using link-monitor as per the resource below:


Configure a policy to block traffic from to WAN1


Not sure how practical the first approach is, but it works without removing the SD-WAN zone. It was tested and found working.
The 2nd option was tested as well.


3) Under SD-WAN, create two new zones:




Add WAN1 and WAN2 interfaces to respective zone. 

Create two SD-WAN rules:

- Rule1: Source Address: specify the subnet that you want to route via WAN2 only. Manual mode -> Interface Preference: WAN2

- Rule2: Source Address: specify all remaining subnets that can access WAN2 and WAN1. Manual mode -> Interface Preference: WAN2, WAN1 (the order of interfaces is important)

Go to Routes -> Static Routes -> Add both new SD-WAN zones to the Static Route Device fields


Configure SLA under SD-WAN

Configure the Firewall Policy:

Top rule: block the subnet from accessing WAN1 (WAN1 ZONE as destination interface)

Second rule: allow the subnet to access the WAN2 interface (WAN2 ZONE as destination interface)
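The third option written out as FortiOS CLI, added here as an illustration and not the poster's own configuration. It assumes FortiOS 7.x, physical members wan1 and wan2 with DHCP-assigned gateways (add set gateway under each member for static WAN addresses), and an existing address object PORT3-SUBNET covering the port3 network. The deny policy toward WAN1-ZONE is what keeps port3 offline instead of failing over when rule 1 has no live member and the traffic falls through to rule 2.

```text
config system sdwan
    config zone
        edit "WAN1-ZONE"
        next
        edit "WAN2-ZONE"
        next
    end
    config members
        edit 1
            set interface "wan1"
            set zone "WAN1-ZONE"
        next
        edit 2
            set interface "wan2"
            set zone "WAN2-ZONE"
        next
    end
    config service
        edit 1
            set name "port3-WAN2-only"
            set mode manual
            set src "PORT3-SUBNET"
            set priority-members 2
        next
        edit 2
            set name "others-WAN2-then-WAN1"
            set mode manual
            set src "all"
            # order matters: WAN2 is preferred, WAN1 is the fallback
            set priority-members 2 1
        next
    end
end
config router static
    edit 1
        set sdwan-zone "WAN1-ZONE" "WAN2-ZONE"
    next
end
config firewall policy
    edit 1
        set name "deny-port3-to-WAN1"
        set srcintf "port3"
        set dstintf "WAN1-ZONE"
        set srcaddr "PORT3-SUBNET"
        set dstaddr "all"
        set action deny
        set schedule "always"
        set service "ALL"
    next
end
```

The allow policy from port3 to WAN2-ZONE is built the same way with set action accept and set nat enable, placed below the deny policy so the deny is evaluated first.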





Ah, the Fortinet docs, a treasure trove of info! Good call on suggesting the Manual Selection Rule. That should definitely streamline things if you're only dealing with one preferred interface.

Thanks for sharing the link for more details. Always helpful to have the source right there. :thumbs_up:


