Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
New Contributor III

NAT on secondry ISP

Hello Dears


I am trying to perferom NAT on my backup ISP but the virtual IP seems is not passthourgh firewall policy since i-is the  am seeing the hits of NAT is increase but nothing reconred on firewall policy


ISP1- is the perirmry ISP

ISP2- is the backup

the default route is build on ISP1


any suggestion please




You need to have a default route in the routing-table for ISP2. Otherwise, any access to the interface would be dropped with "reverse path check, fail" since the current default route is pointing to ISP1 interface.

If you want to keep the second ISP as backup for outgoing but want to use it for incoming for VIPs, you can have two static default routes then set the priority for the ISP2 bound one to like 10 (default is 1) so that the other one to ISP1 will win for outgoing traffic.



New Contributor III

Hello Dear

Thnx for replying,  would it impact on traffic ? So the users would say outgoing on ISP1 and just the NAT would be reply on ISP2?

I made politicy route for server that to ne NATed


If you're warrying about outgoing SNAT traffic adding the second default route with high number of priority won't affect to the existing traffic. But it's a good idea to do that in a maintenance window. And I recommend removing the policy route. That's not necessary if only VIP/DNAT policy would be on ISP2 interface. Policy routes would often get you and create headaches in the future because they wouldn't disappear even when the interface goes down.

New Contributor

Also depends on if your ISP allows a public IP directly to your home.

But yea, if your router external IP is a local IP 172.16-31.x.x, 10.x.x.x, or 192.168.x.x, then its definitely double NAT.
Top Kudoed Authors