We have two WANs in place. We just upgraded our Internet for WAN2 today. We are going to be losing WAN1 in a few days and replacing it with another WAN1. However, WAN2 is meant to become the new primary. What steps should I take to ensure that the Fortigate Firewall does this conversion properly? Do I need to take the Ethernet cables and swap them or is there a way to just switch the WANs in the system?
Are using to SDWAN with WAN1 and WAN2 in your deployment ?
If SDWAN is used with WAN1 and WAN2, where WAN1 is primary member, if WAN1 fails traffic should shift to the next available member which is WAN2 and you can remove them from SDWAN Zone. Once WAN1 is back you can add them to SDWAN Zone and create rules to steer the traffic to WAN1 or WAN2 depending on your requirement.
If SDWAN is not used, you need to play around with policy route to control traffic flow.
You can still work around all the possible suggestion provided in the Forum. But if you are planning to migrate to SDWAN, we have this option called "Integrate Interface" which would help you migrate to SDWAN without much of hurdle, but still a proper planning is required form your side. I would recommend this as this will help you stabilize your policy in a long run, as you will referring the SDWAN Zone instead of individual interfaces in the Firewall policies and you can control all your WAN steering with SDWAN rules with or without SLA's depending on your requirement.
Reference: This feature available in 7 onwards if I am not wrong.
Deploying/converting to SD-WAN would take proper learning and planning. If it's just a temporary situation losing wan1 I would just make sure the failover to wan2 would happen by testing it manually, like pulling the cable from wan1, in a maintenance window.
But prior to that, I would check:
1) two default routes to wan1 and wan2 are set to failover, either static routes with priorities or pppoe/dhcp with different distances on the interfaces.
2) policies are allowing toward wan2 as well as wan1.
When you test it, you likely need to use CLI to troubleshoot like checking routing table, sniffing traffic toward wan2, etc. So if you haven't used CLI before you need to get yourself familialize before testing.
In what way do I officially reverse the roles? In the dashboard, the IP associated with the Firewall is associated with WAN1 so I'm assuming that it will have to change too. I believe the policies already allow for both interfaces. What confuses me about how this was originally created was that not all of the policies for each WAN are the same.
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.