Support Forum
I have a pair of FortiGate 80Fs running in HA mode, 2 subnets (“Server Subnet” and “Client Subnet”) and 2 WAN links. WAN1 is connected to a dynamic IP internet connection and WAN2 is connected to a static IP line (1 IP only).


“Client Subnet” will exit through WAN1, while “Server Subnet” will exit through WAN2. I’ve configured 2 default routes, one to each WAN link, with the same distance and priority.

I’ve created 4 policy routes:
“Server Subnet” to go to “” will go via WAN2,
“Client Subnet” to go to “” will go via WAN1,
“Server Subnet” to go to “Client Subnet” will go via “Client Subnet” Interface,
“Client Subnet” to go to “Server Subnet” will go via “Server Subnet” Interface.


Based on checking at a website, computers from the Client subnet show the WAN1 IP and servers from the Server subnet show the WAN2 IP, which is what I wanted.


Web management (HTTP / HTTPS) on WAN1 and WAN2 is not enabled.


I have 1 web server that needs to be accessed from external. I created a VIP, mapped from WAN2, to the server IP, set to forward port 80. I created a firewall policy to allow ALL traffic from WAN2 (any) to the webserver-VIP, NAT disabled.


However, the web server cannot be accessed from external. I can see there are “hits” on the VIP status page, but there is no traffic being logged on the Policy page.


Any idea what I missed?




Is it possible that the RPF check is pointing to WAN1 interface instead of WAN2 and dropping the packet?


Do you have 2 default routes configured via WAN1 and WAN2?

Can you check if "set strict-src-check enable" is configured? If so, disable it and test.
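As an added example (not part of the original thread), these are the FortiOS CLI checks that go with the reply above: confirm both default routes are active, see whether strict source checking is on, and trace the inbound VIP traffic to find where it is dropped. The IP placeholder and the trace filter values are assumptions, not values from the thread.

```fortios
# 1. Confirm both default routes are installed with equal distance and
#    priority (ECMP). If only one is active, the reverse-path check may
#    resolve the source to WAN1 even though the packet arrived on WAN2.
get router info routing-table all

# 2. Check whether strict source checking is enabled in this VDOM.
#    "show" prints only non-default values, so no output means it is at
#    the default (disable). With strict-src-check enabled, a packet is
#    dropped unless the ingress interface is the BEST route back to the
#    source, not merely a valid one, which breaks the two-WAN setup here.
show system settings | grep strict-src-check

# 3. Return to the default loose reverse-path check.
config system settings
    set strict-src-check disable
end

# 4. Trace the inbound HTTP traffic to the VIP to see the exact drop
#    reason. <WAN2-static-IP> is a placeholder for the VIP external IP.
diagnose debug flow filter clear
diagnose debug flow filter addr <WAN2-static-IP>
diagnose debug flow filter port 80
diagnose debug flow show function-name enable
diagnose debug flow trace start 20
diagnose debug enable
# Reproduce the connection from outside, then stop the trace:
diagnose debug flow trace stop
diagnose debug disable
```

A reverse-path failure shows up in the trace as the packet being denied before any policy lookup, which matches seeing VIP hits but no entries on the Policy page.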


