ritterm
New Contributor

Need to change WAN1 to WAN2 as primary

Hello there,

 

We have two WANs in place. We just upgraded our Internet for WAN2 today. We are going to be losing WAN1 in a few days and replacing it with another WAN1. However, WAN2 is meant to become the new primary. What steps should I take to ensure that the Fortigate Firewall does this conversion properly? Do I need to take the Ethernet cables and swap them or is there a way to just switch the WANs in the system?

31 replies
ritterm

Oh ok, yeah. Sounds good. So what should I do specifically to do the swap? I'm also a little concerned that not all the policies are the same.

Debbie_FTNT

It would probably be easiest just to swap the cables for now, and have the better-performing ISP on your wan1 interface.

Depending on your ISP, you might have to make a few configuration changes on wan1 (essentially you want the same config on wan1 as you currently have on wan2), but all the policies, routing and settings currently relying on wan1 would work as before, with no need for adjustments or additional configuration.

If you don't want to do this and leave the lines as is, then I would suggest the following:
- go to Network > Interfaces, and scroll to the right; there should be a column 'references' with a number

- click on that number for wan1; that tells you where the interface wan1 is in use

- make sure you have wan2 in use in the same places (like policies), or wan2 replaces wan1 in those places (like routing)

+++ Divide by Cucumber Error. Please Reinstall Universe and Reboot +++
Toshi_Esumi
SuperUser

Again, the first thing to check is how the two default routes are set currently. Static routes or dynamic (PPPoE/DHCP) default routes?

ritterm

They are both static routes with nothing listed in the destination field but with a Public IP listed in the Gateway Address field.

Toshi_Esumi

If both static, you need to check the routing table in CLI. "get router info routing-table all".

At the top of the output there should be routes similar to mine. But I have SD-WAN set up so yours should be a little different:

fg40f-utm (root) # get router info routing-t all
Codes: K - kernel, C - connected, S - static, R - RIP, B - BGP
       O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
       * - candidate default
 
Routing table for VRF=0
S*      0.0.0.0/0 [1/0] via x.x.x.x, ppp3, [1/20]
                  [1/0] via y.y.y.y, a, [1/1]

Just share those last two lines above by changing the public IPs.

 

ritterm

S* 0.0.0.0/0 [5/0] via WAN1PublicIP.145, wan1
C PublicWirelessIP/24 is directly connected, port3
S AnotherPublicIP/24 [10/0] is directly connected, ssl.root
C WAN2PublicIP.136/29 is directly connected, wan2
C WAN1PublicIP.144/29 is directly connected, wan1
S VeeamBackupInternalIP/24 [10/0] via InternalGatewayIP1, port1
C InternalIP/24 is directly connected, port1
S InternalVoiceIP1/24 [10/0] via InternalGatewayIP1, port1
S InternalVoiceIP2/24 [10/0] via InternalGatewayIP1, port1
S InternalVoiceIP3/24 [10/0] via InternalGatewayIP2, port1
S InternalVoiceIP4/24 [10/0] via InternalGatewayIP2, port1
C InternalGuestIP/24 is directly connected, port15

Toshi_Esumi

This means the second default route toward wan2 has a lower distance unless wan2 is currently down.

Check "Admin distance" on those two static default routes. The primary one to WAN 1 should have "5" as shown above, and the secondary should have 6 or higher.

 

Then you can test fail-over. As Debbie explained if you want to make sure the policies are fine with wan2, you can check the current "Ref." for wan1 interface and compare with wan2's. But likely it was set for both by whoever designed this.

Then I would just test the failover at night and if some key functions/policies are working fine, leave it for next morning.

If somebody screams you need to debug those policies and call in to open a TT at TAC if you can't figure it out in time.

In the worst case, you can always bring the wan1 back up to revert.

 

On the other hand you can swap the cables as Debbie suggests. But you have to swap the interface config between wan1 and wan2 and swap the default routes as well.

 

Toshi

 

Toshi_Esumi

Then once this survives next morning or more, you can swap the Admin distance between two default routes and put the wan1 cable back in to make wan2 primary and wan1 secondary semi-permanently.
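The two checks Toshi describes above, reading the active default route(s) out of "get router info routing-table all" and then swapping the admin distances so wan2 becomes primary, can be scripted so the before/after state is compared mechanically instead of by eye. The following is an added example and is not code from the thread or from Fortinet; the routing-table text and the wan1=5 / wan2=10 distances are constructed to mirror what was pasted in this thread, with RFC 5737 documentation addresses in place of the real public IPs. It relies on one FortiOS behaviour that the thread also relies on: for a given destination, only the static route(s) with the lowest distance are installed in the routing table, so a standby default route with a higher distance does not appear in the output at all until the primary is withdrawn.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample in the shape of FortiOS "get router info routing-table all"
# output, with only the wan1 default route installed (wan2 is standby).
SAMPLE_SINGLE_DEFAULT = """\
S*      0.0.0.0/0 [5/0] via 203.0.113.145, wan1
C       198.51.100.0/24 is directly connected, port3
C       192.0.2.136/29 is directly connected, wan2
C       203.0.113.144/29 is directly connected, wan1
S       10.20.0.0/24 [10/0] via 10.10.0.1, port1
"""

# Constructed sample with two equal-distance default routes (SD-WAN style,
# second next-hop on a continuation line).
SAMPLE_TWO_DEFAULTS = """\
S*      0.0.0.0/0 [1/0] via 203.0.113.1, ppp3, [1/20]
                  [1/0] via 192.0.2.1, a, [1/1]
"""

@dataclass
class Route:
    code: str              # S, S*, C, ...
    prefix: str            # destination, e.g. 0.0.0.0/0
    distance: int          # administrative distance
    metric: int
    gateway: Optional[str] # None for directly connected routes
    interface: str

_VIA = r"\[(?P<dist>\d+)/(?P<met>\d+)\]\s+via\s+(?P<gw>\S+),\s*(?P<intf>[^,\s]+)"
_ROUTE_RE = re.compile(r"^(?P<code>[A-Z]\*?)\s+(?P<prefix>\S+)\s+" + _VIA)
_CONT_RE = re.compile(r"^\s+" + _VIA)
_CONN_RE = re.compile(r"^(?P<code>[A-Z]\*?)\s+(?P<prefix>\S+)\s+is directly connected,\s*(?P<intf>\S+)")

def parse_routing_table(text: str) -> List[Route]:
    """Parse routed, directly-connected and continuation (ECMP) lines."""
    routes: List[Route] = []
    last_code: Optional[str] = None
    last_prefix: Optional[str] = None
    for line in text.splitlines():
        m = _ROUTE_RE.match(line)
        if m:
            last_code, last_prefix = m["code"], m["prefix"]
            routes.append(Route(m["code"], m["prefix"], int(m["dist"]), int(m["met"]), m["gw"], m["intf"]))
            continue
        m = _CONN_RE.match(line)
        if m:
            last_code, last_prefix = m["code"], m["prefix"]
            routes.append(Route(m["code"], m["prefix"], 0, 0, None, m["intf"]))
            continue
        m = _CONT_RE.match(line)
        if m and last_prefix is not None and last_code is not None:
            # Continuation line inherits code and prefix from the line above it.
            routes.append(Route(last_code, last_prefix, int(m["dist"]), int(m["met"]), m["gw"], m["intf"]))
    return routes

def default_routes(routes: List[Route]) -> List[Route]:
    return [r for r in routes if r.prefix == "0.0.0.0/0"]

def active_default_interfaces(routes: List[Route]) -> List[str]:
    """Interfaces carrying an installed default route (several if equal distance)."""
    defaults = default_routes(routes)
    if not defaults:
        return []
    best = min(r.distance for r in defaults)
    return [r.interface for r in defaults if r.distance == best]

# Constructed static default routes, using the distances reported in the thread.
STATIC_DEFAULTS: Dict[str, int] = {"wan1": 5, "wan2": 10}

def primary_by_distance(static_defaults: Dict[str, int]) -> str:
    return min(static_defaults, key=static_defaults.get)

def swap_primary(static_defaults: Dict[str, int], new_primary: str) -> Dict[str, int]:
    """Copy of the config where new_primary takes the lowest distance and the old
    primary takes new_primary's old distance (the 'swap admin distance' step)."""
    old_primary = primary_by_distance(static_defaults)
    swapped = dict(static_defaults)
    swapped[new_primary], swapped[old_primary] = static_defaults[old_primary], static_defaults[new_primary]
    return swapped

def check_failover_state(routes: List[Route], static_defaults: Dict[str, int]) -> List[str]:
    """Compare what the routing table shows with what the configured distances predict."""
    findings: List[str] = []
    installed = set(active_default_interfaces(routes))
    expected = primary_by_distance(static_defaults)
    for intf, dist in sorted(static_defaults.items(), key=lambda kv: kv[1]):
        if intf in installed:
            findings.append(f"{intf}: default route installed (distance {dist})")
        elif intf == expected:
            findings.append(f"{intf}: configured primary but NOT in table; link or gateway likely down")
        else:
            findings.append(f"{intf}: standby (distance {dist} > {static_defaults[expected]})")
    return findings

if __name__ == "__main__":
    table = parse_routing_table(SAMPLE_SINGLE_DEFAULT)
    for line in check_failover_state(table, STATIC_DEFAULTS):
        print(line)
    print("after swap:", swap_primary(STATIC_DEFAULTS, "wan2"))
```

Run it once against the output captured before the change and once after: before, wan1 should be reported as installed and wan2 as standby; after swapping the distances (and restoring the wan1 cable), the table should show 0.0.0.0/0 via wan2 with distance 5 and wan1 should be the standby entry.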

ritterm

Admin Distance for WAN1 is currently 5

Admin Distance for WAN 2 is currently 10

WAN1 currently has 56 references

WAN2 currently has 21 references

 

 

Toshi_Esumi

Then you need to figure out what is missing on the wan2 side.
