Hello there,
We have two WANs in place. We just upgraded our Internet for WAN2 today. We are going to be losing WAN1 in a few days and replacing it with another WAN1. However, WAN2 is meant to become the new primary. What steps should I take to ensure that the Fortigate Firewall does this conversion properly? Do I need to take the Ethernet cables and swap them or is there a way to just switch the WANs in the system?
So you're saying that by taking the WAN1 cable out of the Fortigate, it's going to automatically start the fail over process and then make WAN2 the primary on a semi-permanent basis after I put the cable back in?
Basically yes, assuming the key policies are allowing wan2 as well, though. But definitely missing 35 referencing. If those on the wan1 side are not actually used, it might be ok. But you had better figure them out before testing.
For redundant Internet connections, both default static routes have to be active in the routing table.
So, in order to achieve this, set the distance of both routes to the same value.
If wan1 is to be the primary link [active link], then set the lowest priority on that link.
And the highest priority on the other wan interface.
When there are multiple routes to the same destination with the same distance, the priority will be checked.
And the route with the lowest priority will be given preference.
Please refer to the below document:
So basically you want your traffic to be routed via the WAN2.
If you remove the cable from WAN1 and replace it with the new WAN, then you can adjust your default route and give the new gateway IP in the existing default route.
Also, to prioritize WAN2, you can create one more default route and give it the lower priority; then it will be given priority.
However, I would recommend using SD-WAN to achieve this and using manual mode in the SD-WAN rule.
Refer to this link for static route guidance:
https://community.fortinet.com/t5/FortiGate/Technical-Tip-Default-route-configuration/ta-p/194613
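As an added example (not from either of the two posts above, and not from the Fortinet article linked), here is the "both default routes active, priority decides" layout those posts describe, written as a FortiGate CLI script. It assumes the interfaces are named wan1 and wan2 and uses placeholder gateway addresses from the RFC 5737 documentation ranges; wan2 is made the active link and wan1 the standby.

```fortios
# Added example, not from this thread. Two default routes with EQUAL distance
# so both stay in the routing table; the route with the LOWER priority value
# is used first. Gateway addresses are placeholders.
# dst is left at its default (0.0.0.0/0), i.e. a default route.
config router static
    edit 1
        # wan2: the new primary
        set gateway 198.51.100.1
        set device "wan2"
        set distance 10
        set priority 0
    next
    edit 2
        # wan1: the standby; same distance, higher priority value
        set gateway 203.0.113.1
        set device "wan1"
        set distance 10
        set priority 10
    next
end
# Verify: both routes should be listed, each with its own [distance/metric]
# and priority bracket, and wan2 should be the one marked as the active default.
get router info routing-table all
```

The contrast with the distance-only layout (different distances, equal priority) is that only the lower-distance route is installed; the standby route appears in the table only after the primary route is withdrawn. With equal distances and differing priorities, both routes are present all the time, which keeps firewall policies or other objects that reference the standby interface usable, and is why the earlier post warned about policies that only reference wan1.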
So this morning, I took the WAN1 cable. Seems to be no downtime so far.
This is the current configuration (I didn't change anything yet):
Static Route WAN1:
    Subnet
    Gateway Address: PublicIP
    Interface: WAN1
    Administrative Distance: 5
    Priority: 0
Static Route WAN2:
    Subnet
    Gateway Address: PublicIP
    Interface: WAN2
    Administrative Distance: 10
    Priority: 0
I changed the Admin Distances to be the opposites. I'm still leaving the WAN1 cable out for now.
WAN1 is getting replaced by a new Internet service but it's meant to be the backup. As is, can I just insert the new Backup Internet into the WAN1 port and it will still remain the backup?
Yes. It just becomes the same state wan2 was originally in. Even if it comes up, the default route toward wan1 wouldn't show up in the routing table. You need to change the interface IP and GW IP though.
Also be aware that with your current default routes, the new primary/wan2 link needs to go down for failover to occur. If the link is up but can't reach the internet, the default route to wan2 won't disappear. To cover that situation, you have to set up a "link-monitor" to keep pinging something on the internet, or at least the GW.
Toshi
There is a chance whoever set this up originally might have configured link-monitor already on wan1. Go to CLI, type "config system link-monitor" then "show" to see if something is configured already.
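As an added example (constructed here, not Toshi's configuration), this is what a link-monitor covering the "link up but no Internet" case looks like on a FortiGate, together with the CLI checks for confirming it is in place. It assumes the interfaces are named wan1 and wan2 and uses placeholder addresses for the ISP gateways and for the probe target; the probe target should be something that is reliably reachable only when the upstream actually works.

```fortios
# Added example, not from this thread. Ping-based health checks on each WAN.
# When the probes on an interface fail "failtime" times in a row, the static
# routes on that interface are withdrawn (update-static-route), so failover
# happens even though the physical link stays up. Addresses are placeholders.
# "interval" is deliberately left at its default because its unit changed
# between FortiOS versions; check the CLI reference for the version in use.
config system link-monitor
    edit "wan2-health"
        set srcintf "wan2"
        set server "198.51.100.53"
        set protocol ping
        set gateway-ip 198.51.100.1
        set failtime 5
        set recoverytime 5
        set update-static-route enable
    next
    edit "wan1-health"
        set srcintf "wan1"
        set server "203.0.113.53"
        set protocol ping
        set gateway-ip 203.0.113.1
        set failtime 5
        set recoverytime 5
        set update-static-route enable
    next
end
# Checks. First: is anything configured already (the question in the post above)?
config system link-monitor
    show
end
# Second: live probe state per monitor (alive/dead, packet loss, latency).
diagnose sys link-monitor status
# Third: after a monitor goes dead, the affected default route should be gone
# and the other WAN's default route should be the one installed.
get router info routing-table all
```

Pinging only the ISP gateway (gateway-ip) catches a dead last-mile circuit but not an upstream outage beyond the ISP, so a server further out is the more useful probe; probing both is a common compromise.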
Just need to keep the Distance value the lowest.
Go to > static route > distance (lowest distance will be the primary wan link)
An update from me: So twice over the last couple weeks, the new WAN2 which is the primary has gone down. The WAN1 which is now the secondary doesn't bring the Internet up at all despite being connected. What should my next steps be? To fix this, I reboot the router and unplug the WAN2 cable and plug it back in.