Norris81
New Contributor II

WAN Failover NAT Issues

Hi All,

I'm trying to configure a WAN2 failover but I'm getting stuck on NAT.

I have a primary leased line internet circuit on WAN1.

I have a secondary FTTC internet circuit on WAN2.

Both WAN interfaces are in a WAN-ZONE.

All firewall policies currently have a specific outbound NAT address with a dynamic IP pool address.

This outbound NAT address is different to the public IP assigned to the firewall.

The IP Pool addresses are Overload addresses.

I have several IP Pool addresses with incremented public IP addresses assigned.

Some firewall policies will have a different outbound NAT IP Pool address.

It is a single public IP from the range allocated to the internet circuit on WAN1.

I plan to configure link-monitor to detect when there is problem with WAN1, override the current static routes and send all outbound traffic via WAN2.

The problem.

When testing, if a client hits a policy like the one below, it cannot get to the internet.

This is due to the option "Use Dynamic IP Pool" and the fact that "Outbound_NAT_9.19" is not an IP from the WAN2 ISP's network.

[Screenshot: Policy.jpg]

If I set it to "Use Outgoing Interface Address", it works, but then I will not be able to specify the Outbound NAT address that I want to use.

What's the best way to configure this?

I'm not really looking to use SD-WAN, as 99% of the time all traffic should use WAN1 and only WAN2 if WAN1 is unavailable.

WAN1 is 1Gb Leased Line, WAN2 is 80Mb FTTC.

Below are screenshots of the other related configs.

[Screenshots: Outbound Nat.jpg, Static Routes.jpg, WAN2.jpg, Zones.jpg]

1 Solution
Jirka1
Contributor III

In the dynamic pool, you must have all pools specified (for both wan1 and wan2) and then add them to the policy at the same time. 
It is also necessary to define which pools are on which interface, e.g.:

config firewall ippool
    # one pool per WAN; the address range must belong to the ISP behind that interface
    edit "wan2-pool1"
        set startip xx.xxx.xxx.xxx
        set endip xxx.xxx.xxx.xxx
        # ties the pool to the egress interface so it is only used for traffic leaving wan2
        set associated-interface "wan2"
    next
end


 Jirka
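A fuller version of that configuration, covering both the pool setup from the answer above and the static-route/link-monitor failover the original post describes. This is an added example, not Jirka1's or Fortinet's own config. It assumes the pool name "Outbound_NAT_9.19" and zone "WAN-ZONE" from the post, a hypothetical inside interface "internal", a hypothetical policy ID 10, and the documentation ranges 203.0.113.0/24 (WAN1 ISP) and 198.51.100.0/24 (WAN2 ISP) standing in for the real public ranges. Both pools are single-address overload pools, each bound to its interface, and the policy carries both so the FortiGate can pick the one that matches whichever interface routing selects.

```fortios
config firewall ippool
    # WAN1 pool: a single public address from the leased-line provider's range, overload (PAT)
    edit "Outbound_NAT_9.19"
        set type overload
        set startip 203.0.113.19
        set endip 203.0.113.19
        set associated-interface "wan1"
    next
    # WAN2 pool: must be an address the FTTC provider actually routes to this circuit
    edit "wan2-pool1"
        set type overload
        set startip 198.51.100.19
        set endip 198.51.100.19
        set associated-interface "wan2"
    next
end

config firewall policy
    # hypothetical policy ID and inside interface; dstintf is the zone holding wan1 and wan2
    edit 10
        set name "LAN-to-Internet"
        set srcintf "internal"
        set dstintf "WAN-ZONE"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set nat enable
        set ippool enable
        # both pools on one policy; the pool whose associated-interface matches the egress interface is used
        set poolname "Outbound_NAT_9.19" "wan2-pool1"
    next
end

config router static
    # WAN1 preferred (lower distance); WAN2 route only becomes active once the WAN1 route is withdrawn
    edit 1
        set gateway 203.0.113.1
        set device "wan1"
        set distance 10
    next
    edit 2
        set gateway 198.51.100.1
        set device "wan2"
        set distance 20
    next
end

config system link-monitor
    # probes through wan1; after failtime consecutive failures the wan1 static route is removed
    edit "wan1-monitor"
        set srcintf "wan1"
        set server "8.8.8.8"
        set gateway-ip 203.0.113.1
        set protocol ping
        set failtime 5
        set recoverytime 5
        set update-static-route enable
    next
end
```

With the WAN1 route withdrawn by the link-monitor, the same policy matches, routing chooses wan2, and the FortiGate translates to 198.51.100.19 because that pool is the one associated with wan2; once the probes recover, the WAN1 route returns and traffic goes back to 203.0.113.19. The point to check when this does not work is the pool's associated-interface: a WAN2 pool without it, or a WAN1 address sent out of wan2, produces traffic whose return path never reaches the FTTC circuit. Note also that this only covers outbound NAT; anything published inbound on a WAN1 address is still unreachable while WAN1 is down.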


Norris81
New Contributor II

@Jirka1 Thanks for the reply.

I did add the WAN2 IP Pool address into the dynamic interface, but as I didn't specify the associated interface it did not route.

I will try adding the associated-interface parameter in the next few days and report back.

Norris81
New Contributor II

Thanks @Jirka1 

Parameter: set associated-interface "wan2" resolved it.
