Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
khannie
New Contributor

Having a problem splitting traffic.

I have an FG100D with 2 running ISPs. Task 1: I would like to split the SMTP traffic going out from wan1 and the internet traffic going out on wan2. How should I split it? Task 2 (if possible): If task 1 is working I would like to do fail-over. For example, if the wan1 ISP is down it fails over to wan2, including SMTP traffic, and if the wan2 ISP is down it fails over to wan1, including internet traffic. Are the above tasks possible to do?
emnoc
Esteemed Contributor III

Hi,

Task #1 is simple with PBR (policy based routing):

    config router policy
        edit 1
            set src 1.1.1.1 255.255.255.255
            # TCP (IP protocol 6) to destination port 25; "set protocol 25" would match IP protocol number 25, not SMTP
            set protocol 6
            set start-port 25
            set end-port 25
            set gateway 192.168.1.1
            set output-device "wan1"
        next
    end

The src would be your SMTP server, and the next-hop gateway and interface need to be defined.

Task #2 is also simple. You have a host of options, but installing a 2nd route, called a floating route, would be the best option. Then use a next-hop gateway detect (aka ping server):

    config router static
        edit 1
            set device "wan2"
            set gateway 192.168.2.1
            set priority 50
        next
        edit 2
            set device "wan2"
            set gateway 192.168.2.1
            set priority 100
        next
    end

You should follow the KB on fail-over, redundant ISP, ECMP & ping-server: http://docs-legacy.fortinet.com/cb/html/FOS_Cookbook/Install_advanced/cb_install-dual-internet.html

You will find most topics have been discussed with design scenarios. The KB on the Fortinet site is useful, but the search method can be frustrating. Always review the KB and docs. They have also started putting up how-to videos. I hope this helps; enjoy your time on this forum.

PCNSE NSE StrongSwan
ede_pfau
SuperUser

@emnoc: edit 2 should be "wan1", the second default route to the second WAN interface. And regarding failover: all true for static routing, but... not for PBR. Policy routes won't obey the routing metrics; they are always followed before the routing table lookup. That's where the FortiOS PBR has its limitations: if your PBR points SMTP traffic to WAN1 and WAN1 fails, SMTP traffic will go to Nirvana. (Hopefully, you prove me wrong.)

Ede

"Kernel panic: Aiee, killing interrupt handler!"
khannie

I also think the PBR will not work for the failover process.
mickstrick_FTNT

Dead Gateway Detection would remove the policy route. You don't need to specify a gateway for the PBR, as this can be taken from the routing table (for the matching PBR egress interface).
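Putting the thread's pieces together, here is a complete configuration for both tasks as an added example; it is not from any post above and not Fortinet's own documentation. It assumes wan1 is 203.0.113.2/24 behind ISP1 gateway 203.0.113.1, wan2 is 198.51.100.2/24 behind ISP2 gateway 198.51.100.1, the mail server is 192.168.10.25 behind an interface named "internal", and the probe targets 203.0.113.10 and 198.51.100.10 are hosts reachable only through their respective ISP. The syntax is FortiOS 5.2-style CLI (5.4 and later write the PBR `src` as a quoted "addr/mask" list instead). Firewall policies from internal to wan1 and to wan2 with NAT are still required and are not shown.

```fortios
# Added example; addressing, interface names and probe targets are assumptions.

# Task 2: two default routes with the same distance (both stay in the routing
# table) but different priority (lower value wins). Everything that is not
# matched by a policy route leaves via wan2.
config router static
    edit 1
        set dst 0.0.0.0 0.0.0.0
        set gateway 198.51.100.1
        set device "wan2"
        set distance 10
        set priority 5
    next
    edit 2
        set dst 0.0.0.0 0.0.0.0
        set gateway 203.0.113.1
        set device "wan1"
        set distance 10
        set priority 10
    next
end

# Dead gateway detection (link monitor). update-static-route withdraws the
# failed interface's static routes from the routing table; a policy route
# whose output-device then has no usable route is skipped, so its traffic
# falls through to the remaining default route.
config system link-monitor
    edit "mon-wan1"
        set srcintf "wan1"
        set server "203.0.113.10"
        set gateway-ip 203.0.113.1
        set protocol ping
        set interval 5
        set failtime 3
        set recoverytime 3
        set update-static-route enable
    next
    edit "mon-wan2"
        set srcintf "wan2"
        set server "198.51.100.10"
        set gateway-ip 198.51.100.1
        set protocol ping
        set interval 5
        set failtime 3
        set recoverytime 3
        set update-static-route enable
    next
end

# Task 1: steer outbound SMTP (TCP, IP protocol 6, destination port 25) from
# the mail server out wan1. No gateway is set, so the next hop is taken from
# the routing table; once mon-wan1 withdraws wan1's default route, SMTP uses
# wan2 like everything else, and moves back when wan1 recovers.
config router policy
    edit 1
        set input-device "internal"
        set src 192.168.10.25 255.255.255.255
        set protocol 6
        set start-port 25
        set end-port 25
        set output-device "wan1"
    next
end
```

To verify, unplug wan1 and check that its default route disappears with `get router info routing-table all`, that the monitor reports the failure with `diagnose sys link-monitor status`, and that outbound SMTP now appears in the wan2 traffic log; plug it back in and confirm the route and the SMTP path return. Pick probe targets that sit beyond the ISP's first hop, otherwise the monitor only proves the access link is up, which is exactly the MPLS-head-end failure ShrewLWD describes below.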
ShrewLWD
Contributor

I have a question close to this... We have a Fortinet in an MPLS cloud, with VOIP phones leaving the Fortinet and terminating in the MPLS, and a secondary ISP attached to WAN2. If the internet at the head of the MPLS goes down, but the MPLS itself stays up, and I am pinging an external IP, the failover will happen to WAN2, but will the failover allow the VOIP phones to continue to function across WAN1, or will it stop all traffic? We are a little stuck getting failover to occur for just their internet traffic, but leave all the traffic needing to go into the MPLS to stay running across WAN1.
rbenassi

The failover will prevent wan1 from routing any traffic if the ping server is dead. We have two different interfaces with different addressing behind the same ISP; maybe you could think about that. We are able to manage failover for different interfaces even with both linked to the same provider.
lightmoon1992
New Contributor

ECMP with DPD will work this out. DPD is meant to protect against logical failures (the interface may be physically up, but cannot process traffic). The following article may provide more details with examples: http://kb.fortinet.com/kb/viewContent.do?externalId=100137

Mohammad Al-Zard
dominikw
New Contributor II

Let me ask: do you have 2 ISPs with two different pools of public IPs? When you talk about SMTP traffic, do you mean outgoing traffic or incoming? If you have your own SMTP server and 2 different public IPs, you can set 2 MX records in DNS.

Dominik Weglarz, IT System Engineer
Istvan_Takacs_FTNT

Yes, it's possible. Since you have 2 ISPs, I imagine you received 2 independent public IP pools/addresses. You BGP-advertise one prefix via ISP1 and the other one via ISP2. Both BGP neighbors will advertise the default gateway to your FGT with ECMP (Equal Cost Multiple Path) applied and the same distance, so you have to make sure different priority settings are applied on them. Whichever default has the lowest value in the priority field will be used as the primary route.

You can then create a policy to force SMTP via ISP2 only, even though the different priority will be used for everything else, e.g.:

    config router policy
        edit 1
            set input-device "LAN_port1"
            set protocol 6
            set start-port 25
            set end-port 25
            set output-device "WAN2"
        next
    end

That may create asymmetric routing, and the firewall will drop the response due to the RPF (reverse path forwarding) check with the error "reverse path check fail, drop", but it's just a guess, because the source IP the packets are coming from will be the one that's advertised via ISP2, so the response should go back the same way. You can configure the firewall to enable asymmetric routing if that happens, but be aware that by doing this you are reducing the security level of your firewall, since spoofed packets can now more easily traverse the firewall.

Unfortunately the solution still won't help during failover; you will manually have to change the policy routes to point at the working ISP, since you are forcing SMTP traffic through the secondary route. The DNS MX should have 2 records, 1 for the preferred IP via ISP2 and the 2nd pointing at the secondary IP via ISP2, so that should take care of the automatic failover.

What I would suggest is to stage and test it first to make sure it behaves as you expect. Also you may want to look at the new "virtual WAN" interface feature in FortiOS 5.2. It helps with some of the config to reduce the number of policies, etc., but the failover still needs to be manually taken care of.
Using a virtual WAN link for redundant Internet connections http://docs.fortinet.com/d/fortigate-using-a-virtual-wan-link-for-redundant-internet-connections