I have a FG200D and we are getting ready to receive a new Cradlepoint 3G/4G router for failover of the main office only. The plan is to connect it to WAN2. My question is this: Would it be better to use WAN LLB and set a sky high priority like 99 for WAN1 and 1 for WAN2, or would it be better to use two static routes and weight them accordingly?
I mainly want to make sure WAN2 isn't going to be used unless WAN1 is absolutely down. I don't mind a small amount of traffic for the health check, but we are only allotted so much data per month on the failover service without overage charges.
I've seen multiple posts about this and read multiple articles, but couldn't really determine the best method from those. I've only known FortiOS 5.4, which apparently isn't the favorite for this setup since most of the failover documentation still references 5.2.
Opinions and thoughts welcomed and thanks in advance.
Thank you for your time,
Kevin W. Knuckles
The default dead peer detection (DPD) for the IPsec tunnels is to send a packet every 20 seconds, and if 3 of them fail then it will deem it dead, i.e. your IPsec will stay up for 60 seconds. You can change the DPD parameters (via the CLI) if you want it to fail over faster. The config below will make it fail over in 9 seconds:
config vpn ipsec phase1-interface
edit <vpn name> ## the phase1-interface of the tunnel to change
set dpd-retrycount 3 ## consecutive missed DPD probes before the peer is declared dead
set dpd-retryinterval 3 ## seconds between probes, so 3 x 3 = 9 s to detect a dead peer
next
end
-- Bjørn Tore
Does SD-WAN in FortiOS version 6.4 offer the option to do what in prior versions of FortiOS required config system link-monitor?
We have situations that we want all traffic to go out the WAN1 link unless the primary WAN link fails, has high packet loss, or high ping time.
-- Bjørn Tore
So can all your traffic be made to use the fiber connections when they are working and only use the mobile backup (cellular) connection during outages?
-- Bjørn Tore
Could you show some config?
I cannot achieve that goal with SD-WAN.
The easiest way would be to not have the failover link participate in SD-WAN. However, Fortinet chose to block that way, because you would need a second default route for that, and FortiOS does not allow this when you use SD-WAN.
This would also require a second internet policy, but I would be OK with that.
If I use SD-WAN I can only choose between doing load balancing and having it use the fallback link if all others are unusable, or no load balancing but only least cost or something like that, which can stuff up my WAN links and thus use the failover. In this case one would have to create SD-WAN rules, but in SD-WAN rules you do not have the load balancing algorithms like volume or spill-over (as the explicit rule has them) available.
So is there any way to have a group of WANs do SD-WAN for internet and, if that isn't available (and only then), fail over to another WAN?
--
"It is a mistake to think you can solve any major problems just with potatoes." - Douglas Adams
I use 4 interfaces - IPSEC-1 and 2, and 4G-1 and 2. IPSEC-1 primary, IPSEC-2 secondary etc.
config system virtual-wan-link
set status enable
config members
edit 1
set interface "4G-1"
set cost 50 ## not sure if needed
next
edit 2
set interface "4G-2"
set cost 50 ## not sure if needed
next
edit 3
set interface "IPSEC-1"
next
edit 4
set interface "IPSEC-2"
next
end
config health-check
edit "HUB"
set server "172.18.50.1" ## the IP I want to check against
set interval 5000
set failtime 4
set recoverytime 4
set members 3 4 ## keeps ping-check away from 4G-interfaces
next
end
config service
edit 1
set name "Failover"
set mode priority
set dst "all"
set src "all"
set health-check "HUB"
set priority-members 3 4 1 2 ## the priority list
next
end
end
In my firewall policies I use the whole SD-WAN as src/dst;
config firewall policy
edit 1
set srcintf "virtual-wan-link" ## strangely enough not autocompleted..
set dstintf "internal"
set srcaddr "all"
set dstaddr "all"
set action accept
set schedule "always"
set service "ALL"
set logtraffic all
set fsso disable
next
..etc
-- Bjørn Tore
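The two configs above (Bjørn Tore's DPD settings and his virtual-wan-link layout) come down to the same three questions: which links carry monitoring traffic, in what order the SD-WAN service falls over, and how long detection takes. The Python below is an added example, not code from this thread or from Fortinet. It parses the FortiOS CLI syntax used in the posts (config / edit / set / next / end) into nested dicts and checks those properties on a constructed sample built from the posted values (interface names 4G-1, 4G-2, IPSEC-1, IPSEC-2, probe target 172.18.50.1, interval 5000 ms, failtime 4, priority-members 3 4 1 2, DPD 3 x 3 s). The parser, the function names, and the FortiOS defaults it assumes when a setting is absent (interval 500 ms, failtime 5, DPD 3 x 20 s, and "probe every member when members is unset") are my assumptions, not behaviour documented on this page.

```python
import shlex

# Constructed sample assembled from the two configs posted in this thread (not a device dump).
SAMPLE_CONFIG = """\
config vpn ipsec phase1-interface
    edit "IPSEC-1"
        set dpd-retrycount 3
        set dpd-retryinterval 3
    next
end
config system virtual-wan-link
    config members
        edit 1
            set interface "4G-1"
        next
        edit 2
            set interface "4G-2"
        next
        edit 3
            set interface "IPSEC-1"
        next
        edit 4
            set interface "IPSEC-2"
        next
    end
    config health-check
        edit "HUB"
            set server "172.18.50.1"
            set interval 5000      ## milliseconds
            set failtime 4
            set members 3 4        ## probe only the IPsec members
        next
    end
    config service
        edit 1
            set name "Failover"
            set mode priority
            set health-check "HUB"
            set priority-members 3 4 1 2
        next
    end
end
"""
# Same config with the health-check member list emptied, i.e. left unscoped.
UNSCOPED_CONFIG = SAMPLE_CONFIG.replace("set members 3 4", "set members")

def parse_fortios(text: str) -> dict:
    """config/edit blocks become nested dicts; 'set key v1 v2' becomes key -> [v1, v2]."""
    root: dict = {}
    stack = [("config", root)]  # (block kind, node)
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop '## ...' comments
        if not line:
            continue
        kw, *args = shlex.split(line)
        node = stack[-1][1]
        if kw in ("config", "edit"):
            stack.append((kw, node.setdefault(" ".join(args), {})))
        elif kw == "set":
            node[args[0]] = args[1:]
        elif kw == "next" and stack[-1][0] == "edit":  # leave the edit block
            stack.pop()
        elif kw == "end":  # leave the config block, closing a still-open edit on the way
            while len(stack) > 1 and stack.pop()[0] != "config":
                pass
    return root

def member_interfaces(cfg: dict) -> dict:
    """SD-WAN member sequence number -> interface name."""
    return {seq: m["interface"][0] for seq, m in cfg["system virtual-wan-link"]["members"].items()}

def probed_interfaces(cfg: dict) -> set:
    """Interfaces that carry health-check probes, across all health-checks."""
    members = member_interfaces(cfg)
    probed = set()
    for hc in cfg["system virtual-wan-link"].get("health-check", {}).values():
        # Assumption: with 'members' unset or empty, FortiOS probes every SD-WAN member.
        probed.update(members[s] for s in hc.get("members") or members)
    return probed

def metered_probe_violations(cfg: dict, metered: set) -> set:
    """Metered (cellular) interfaces that would be billed for monitoring traffic."""
    return probed_interfaces(cfg) & metered

def failover_order(cfg: dict, service_name: str) -> list:
    """Interfaces a priority-mode SD-WAN service tries, best first."""
    members = member_interfaces(cfg)
    for svc in cfg["system virtual-wan-link"]["service"].values():
        if svc.get("name", [""])[0] == service_name:
            return [members[s] for s in svc["priority-members"]]
    raise KeyError(service_name)

def health_check_dead_seconds(cfg: dict, hc_name: str) -> float:
    """interval (ms) x failtime: time until a link failing every probe is marked dead."""
    hc = cfg["system virtual-wan-link"]["health-check"][hc_name]
    return int(hc.get("interval", ["500"])[0]) * int(hc.get("failtime", ["5"])[0]) / 1000  # assumed defaults

def dpd_dead_seconds(cfg: dict, phase1: str) -> int:
    """dpd-retryinterval (s) x dpd-retrycount: the arithmetic in the DPD answer above."""
    p1 = cfg["vpn ipsec phase1-interface"][phase1]
    return int(p1.get("dpd-retrycount", ["3"])[0]) * int(p1.get("dpd-retryinterval", ["20"])[0])
```

Against the posted config this reports no probes on the 4G members, a priority order of IPSEC-1, IPSEC-2, 4G-1, 4G-2, a health-check dead time of 20 s and a DPD dead time of 9 s. Dropping `set members 3 4` puts probes on both cellular links, which is exactly the metered-data problem the original poster wants to avoid. The trade-off of scoping the health-check this way is that the 4G members are never probed, so the service also cannot tell when they are down.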
This has been something of a confusion for me on SD-WAN: you wrote below that the srcintf is "virtual-wan-link" and the dstintf is "internal". I would have expected those to be turned around (internal -> virtual-wan-link), but coming inbound like you show, how does a VIP come into play with SD-WAN and connections from the outside world to inside? Both interfaces are defined in the
config firewall policy
edit 1
set srcintf "virtual-wan-link" ## strangely enough not autocompleted..
set dstintf "internal"
set srcaddr "all"
set dstaddr "all"
set action accept
set schedule "always"
set service "ALL"
set logtraffic all
set fsso disable
next
Here is mine as it sits for a NAT that we have coming into a web server. It's just odd to me that we define the actual interface on the VIP, but when creating the rule it's SDWAN or virtual-wan-link. Why? Is there any advantage there?
config firewall policy
edit 170
set name "sdwan-isp1>test.https"
set uuid 911efb1a-e1f8-51ea-c42b-8c75aadf33bd
set srcintf "virtual-wan-link"
set dstintf "int.dmz.ems"
set srcaddr "geo.united.states"
set dstaddr "vip.sdwan-isp1.smtp"
set action accept
set schedule "always"
set service "HTTPS"
set fsso disable
next
end
Copyright 2025 Fortinet, Inc. All Rights Reserved.