Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
ritterm
New Contributor

Need to change WAN1 to WAN2 as primary

Hello there,

We have two WANs in place. We just upgraded our Internet for WAN2 today. We are going to be losing WAN1 in a few days and replacing it with another WAN1. However, WAN2 is meant to become the new primary. What steps should I take to ensure that the Fortigate Firewall does this conversion properly? Do I need to take the Ethernet cables and swap them or is there a way to just switch the WANs in the system?

saneeshpv_FTNT

Hi,

Are you using SD-WAN with WAN1 and WAN2 in your deployment?

If SD-WAN is used with WAN1 and WAN2, where WAN1 is the primary member, and WAN1 fails, traffic should shift to the next available member, which is WAN2, and you can remove them from the SD-WAN zone. Once WAN1 is back you can add them to the SD-WAN zone and create rules to steer the traffic to WAN1 or WAN2 depending on your requirement.

If SD-WAN is not used, you need to work with policy routes to control the traffic flow.

Regards,

ritterm

For whatever reason, SD-WAN is not in use, currently. As to why that is, I have no idea. What would you suggest I do?

saneeshpv_FTNT

Hi,

You can still work with all the possible suggestions provided in the forum. But if you are planning to migrate to SD-WAN, we have an option called "Integrate Interface" which would help you migrate to SD-WAN without much of a hurdle, though proper planning is still required from your side. I would recommend this, as it will help you stabilize your policy in the long run: you will be referring to the SD-WAN zone instead of individual interfaces in the firewall policies, and you can control all your WAN steering with SD-WAN rules, with or without SLAs, depending on your requirement.

Reference: This feature is available from 7 onwards, if I am not wrong.

https://community.fortinet.com/t5/FortiGate/Technical-Tip-Migrate-Physical-Interface-to-SDWAN-zone/t...

Regards,

Toshi_Esumi
SuperUser

Deploying/converting to SD-WAN would take proper learning and planning. If it's just a temporary situation of losing wan1, I would just make sure the failover to wan2 happens by testing it manually, like pulling the cable from wan1, in a maintenance window.

But prior to that, I would check:

1) the two default routes to wan1 and wan2 are set up to fail over, either as static routes with priorities or as PPPoE/DHCP interfaces with different distances.

2) the policies allow traffic toward wan2 as well as wan1.

When you test it, you will likely need to use the CLI to troubleshoot, like checking the routing table, sniffing traffic toward wan2, etc. So if you haven't used the CLI before, you need to familiarize yourself with it before testing.

Toshi

Toshi_Esumi
SuperUser

I guess I misread your original statement. You want to make wan2 the primary, then wan1 the secondary.

But what you need to do is the same. Just reverse the roles between them. Set the two default routes properly and make sure the policies are allowing both interfaces.

Toshi
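As an added illustration of the role reversal Toshi describes (example FortiOS CLI written for this thread, not configuration any poster supplied): both static default routes keep the same distance so both stay in the routing table, and the lower priority value makes wan2 the active default; a DHCP/PPPoE variant and the CLI checks for the maintenance-window test follow. Gateway addresses are constructed placeholders.

```fortios
# Added example, not a poster's config. Gateway IPs are constructed
# placeholders; replace them with the addresses your ISPs assigned.

# --- Static default routes: equal distance keeps both routes in the
# --- routing table; the lower priority value wins, so wan2 is active
# --- and wan1 takes over only when the wan2 route disappears.
config router static
    edit 1
        set dst 0.0.0.0 0.0.0.0
        set gateway 203.0.113.1
        set device "wan1"
        set distance 10
        set priority 10
    next
    edit 2
        set dst 0.0.0.0 0.0.0.0
        set gateway 198.51.100.1
        set device "wan2"
        set distance 10
        set priority 5
    next
end

# --- If the WAN ports get their address by DHCP or PPPoE, the default
# --- route is learned on the interface, so set the distance there instead:
# --- the lower distance (wan2) is installed, wan1 stays as standby.
config system interface
    edit "wan2"
        set distance 5
    next
    edit "wan1"
        set distance 10
    next
end

# --- Checks during the test window (SSH or console session):
# The selected default route (marked "*>") should now point at wan2.
get router info routing-table all
# Confirm client traffic really leaves via wan2 (20 HTTPS packets, verbose 4).
diagnose sniffer packet wan2 'port 443' 4 20
# Make sure an allow policy exists from the LAN to wan2, not only to wan1.
show firewall policy
```

Pulling the wan2 cable brings the interface down and fails traffic over to wan1; an upstream outage that leaves the link up is only detected with a link monitor, which this thread does not cover.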

ritterm

In what way do I officially reverse the roles? In the dashboard, the IP associated with the Firewall is associated with WAN1 so I'm assuming that it will have to change too. I believe the policies already allow for both interfaces. What confuses me about how this was originally created was that not all of the policies for each WAN are the same.

Toshi_Esumi

Are you talking about an additional public IP subnet from the ISP? Or the interface IP? Not sure what you meant by "associated".

Toshi

ritterm

In System Information under Dashboard, there is a column for WAN IP. The IP listed is a Public IP associated with WAN1.

Toshi_Esumi

Are you talking about this "WAN IP"? It's just showing the current status, so it changes when the primary connection goes to wan2.
