Hello,
I am pretty new to Fortigate products, so sorry in advance for any confusion in my post.
I am using a fortigate 60D in dual WAN and using it as NAT mode. We have three ISPs at work, and want to use two ISPs at the same time to do traffic load balance (currently static routes are used for particular traffics), and want to use the third ISP as a backup for automatic failover.
Is there any way how I can use the DMZ port as WAN3 to achieve above?
hi,
and welcome to the forums.
I will assume you are using FortiOS v5.0 or v5.2. In v5.2, you would configure the 2 existing WAN ports as one "WAN load balancing" port. In order to include the 3rd WAN port (you can use ANY free port - "DMZ" is just a label) you would create 2 default routes with equal distances but (!) different priorities. This way, both routes will show up in the Routing Monitor but only the one with smaller priority will be actually used. (In FortiOS, translate "priority" with "cost"). So if the WLLB port is down its route will be deleted from the Routing Table and the 3rd WAN will take over.
Have a look at the Cookbook, and eventually the Handbook (both on docs.fortinet.com) to see how that is done in detail. For any questions you've got the forum now.
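The two-default-route setup described in the answer above, written out as FortiOS 5.2 CLI. This is an added example, not the poster's configuration: the gateway addresses are constructed placeholders from the documentation ranges, "wan1" stands in for the load-balanced WAN side (the WLLB member configuration itself is left out), and the `link-monitor` section is included as an assumption about the 5.2 keyword set; check it against the CLI reference for your build before applying.

```fortios
# Added example: equal distance, different priority.
# Both routes stay in the routing table; only the lower priority value is used.
config router static
    # Primary default route via the load-balanced WAN side.
    # Assumption: "wan1" stands in for the WLLB interface used in the thread.
    edit 1
        set dst 0.0.0.0 0.0.0.0
        set gateway 203.0.113.1
        set device "wan1"
        set distance 10
        set priority 0
    next
    # Backup default route via the third ISP on the port labelled "dmz".
    # Same distance, so it is not hidden by route selection on distance;
    # higher priority value, so it only carries traffic once route 1 is gone.
    edit 2
        set dst 0.0.0.0 0.0.0.0
        set gateway 198.51.100.1
        set device "dmz"
        set distance 10
        set priority 10
    next
end

# Optional (assumed 5.2 keywords): withdraw the primary route when the ISP
# gateway stops answering even though the port itself stays physically up.
# Without this, failover only happens on loss of link.
config system link-monitor
    edit "isp1-check"
        set srcintf "wan1"
        set server "203.0.113.1"
        set protocol ping
        set interval 5
        set failtime 3
        set recoverytime 3
        set update-static-route enable
    next
end

# Verify: both default routes are listed; after unplugging or failing wan1,
# the dmz route is the only 0.0.0.0/0 entry left.
get router info routing-table all
get router info routing-table database
```

The important check is the second `get router info routing-table all` after simulating a failure: if the wan1 route is still present while the ISP is actually unreachable, link detection (not the priorities) is what needs fixing.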
Hello @ede_pfau, Thank you very much for the explanation. I am extremely sorry for the delay in reply, as I had to wait for a weekend to carry out the testing.
Setting up priorities in static routes does work, but I still can't use the third ISP on the DMZ port. The current setup is ISP1 on WAN1 and ISP2 on WAN2. Default routes are set for both ISPs, and we are using static routes for specific packets to be sent across ISP2 on WAN2.
I have set up the DMZ interface with ISP3's WAN IP and subnet, and set a default route using ISP3's gateway. But when I tried to route a packet through ISP3 (tried both static routing and policy routing), it doesn't work.
Current firmware version is 5.2.4, build688
Any suggestions?
Thanks!
Well, if you set it up like I've posted then WAN3 will only be active if the other WAN trunk fails. You may have several default routes in the Routing Table but only one is used at any time.
Policy routing though should work. I bet if you look at WAN3 with the sniffer (CLI: diag deb enable; diag sniffer packet <wan3 port name> '' 4) you'll see outgoing traffic but no replies. Could be that the return traffic comes in on the other port which would make the FGT discard it (asymmetric routing).
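The asymmetric-routing check suggested above, spelled out as a CLI session. This is an added example, not the replier's own commands: 198.51.100.10 is a constructed test destination, "dmz" is the port from the thread, and the flow-trace commands are the FortiOS 5.x `diagnose debug flow` set as I know it; confirm them on your build.

```fortios
# Added example: confirm whether replies to traffic sent out of dmz come
# back on a different port (asymmetric routing).

# 1. Sniff on all interfaces at verbose level 4, which prints the interface
#    name per packet. Send a test ping from a LAN host while this runs.
#    Symptom of the problem: requests leave on dmz, replies arrive on
#    wan1 or wan2 (or never arrive at all).
diagnose sniffer packet any 'host 198.51.100.10 and icmp' 4 20

# 2. Trace the session through the kernel to see why packets are dropped.
#    A reply arriving on a port the FortiGate would not itself use to reach
#    the sender shows up as a reverse path check failure and is dropped.
diagnose debug reset
diagnose debug flow filter addr 198.51.100.10
diagnose debug flow show console enable
diagnose debug flow trace start 20
diagnose debug enable
# ... generate the test traffic from the LAN host, then stop the trace:
diagnose debug flow trace stop
diagnose debug disable
```

Run the sniffer first: if the replies do show up on dmz and the session still fails, the flow trace will point at the policy or route that is dropping them instead.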
In addition, if there are VPN accesses, like IPSec and SSL, coming into a low priority (high in number) interface like this WAN3/DMZ, all VPN traffic uses this interface for both inbound and outbound packets.