Fortigate dual internet & policy routes question
I have a Fortigate and configured 2 interfaces that connect to 2 different ISPs.
Interface 9 - ISP A
Interface 10 - ISP B
Basically, I would like all computers to use interface 9, except for a selected few that will use interface 10.
Interface 10 is configured with DHCP, and I've been told that because of this, Interface 10 becomes the default route. To fix this, I created a Policy Route so that all traffic goes to Interface 9. Then I created another Policy Route to make the selected few computers use Interface 10. This all works perfectly fine.
My question is: If interface 9 goes down, will the computers automatically use Interface 10?
I don't want them to use interface 10; I want the computers to just not have any internet access at all if interface 9 is down (sounds odd, but there's a reason for that). I am unable to test this out now, hence this question.
Labels: FortiGate
Ideally, even if the ISP is down, like if the internet is not working, there is no way the firewall can detect that connectivity issue unless you configure a link monitor.
So if you don't configure a link monitor in your configuration and enable the "update static route" option in the link monitor configuration, the firewall should still pass the packet through the down interface.
Please check
Hello,
Why not try to use the SD-WAN feature with a better priority for interface 9?
I think you can create a negate policy from your LAN/computers to port10. With this you can allow access only to the selected computers/users.
https://community.fortinet.com/t5/FortiGate/Technical-Tip-Firewall-Policy-Negate-option/ta-p/194290
Suraj
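The following FortiOS CLI fragment is an added example, not configuration posted by anyone in this thread. It combines the two suggestions above: the link monitor from the accepted answer, so the FortiGate can actually notice that ISP A is unreachable, and a firewall-policy guard in the spirit of Suraj's negate suggestion, so that hosts other than the selected few are dropped by policy rather than silently failing over to port10 when port9 goes down. Interface names ("port1" for the LAN), the ISP A gateway 203.0.113.1, the probe target 8.8.8.8, the host range 192.168.1.10-192.168.1.11 and all object names are assumptions for illustration; the `update-policy-route` option is assumed to be present on the running FortiOS release (it is not available on older builds, in which case remove that line).

```fortios
# Added example (not from the thread). Assumptions: LAN = port1, ISP A = port9
# with static gateway 203.0.113.1, ISP B = port10 (DHCP), the selected hosts are
# 192.168.1.10-192.168.1.11, and 8.8.8.8 is the reachability probe target.

# 1. Address object for the only hosts that may use ISP B.
config firewall address
    edit "ISP-B-hosts"
        set type iprange
        set start-ip 192.168.1.10
        set end-ip 192.168.1.11
    next
end

# 2. Link monitor on port9. Without this the FortiGate only reacts to the
#    physical link dropping; an upstream ISP outage with link still up is
#    invisible, and packets keep being sent into the dead interface.
#    Three missed probes at 5-second intervals (15 s) mark ISP A down and
#    withdraw the static/default route(s) that point out port9.
config system link-monitor
    edit "ISP-A-monitor"
        set srcintf "port9"
        set server "8.8.8.8"
        set protocol ping
        set gateway-ip 203.0.113.1
        set interval 5
        set failtime 3
        set recoverytime 3
        set update-static-route enable
        # Assumed available on this FortiOS release: also disable policy
        # routes whose output device is port9 while the monitor is down.
        set update-policy-route enable
    next
end

# 3. Firewall policies. The important part is what is NOT here: there is no
#    LAN -> port10 policy for "all". When the link monitor withdraws the port9
#    routes, the remaining DHCP default route on port10 will attract the other
#    hosts' traffic, but the implicit deny at the end of the policy list drops
#    it, which is the "no internet at all" behaviour the question asks for.
config firewall policy
    edit 10
        set name "LAN-to-ISP-A"
        set srcintf "port1"
        set dstintf "port9"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set nat enable
    next
    edit 11
        set name "Selected-to-ISP-B"
        set srcintf "port1"
        set dstintf "port10"
        set srcaddr "ISP-B-hosts"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set nat enable
    next
    # Optional explicit version of the negate idea: deny and log everything
    # to port10 that is NOT one of the selected hosts. Functionally the same
    # as the implicit deny, but it gives you a log line when a failover
    # attempt is blocked, which is useful when testing the outage scenario.
    edit 12
        set name "Block-others-to-ISP-B"
        set srcintf "port1"
        set dstintf "port10"
        set srcaddr "ISP-B-hosts"
        set srcaddr-negate enable
        set dstaddr "all"
        set action deny
        set schedule "always"
        set service "ALL"
        set logtraffic all
    next
end
```

To verify the behaviour once you can test, unplug or null-route the port9 upstream, then check `diagnose sys link-monitor status` to confirm the monitor reports port9 as down and `get router info routing-table all` to confirm the port9 routes have been withdrawn; a host outside the selected range should then show up as denied by policy 12 (or by the implicit deny, policy 0, if you omit policy 12) in the forward traffic log, while the selected hosts continue out port10.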
