Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
New Contributor

What is outgoing manual failover criteria?

Hi experts, 

I want to ask when we choose sdwan rules ->  outgoing interface -> manual : 
Port 1 (isp 1)

Port 2 (isp 2)


The port 1 will be primary right, all traffict will be through this, and port 2 will be standby/secondary.

My question is what is down criteria of port 1 so the port 2 can take over?

Let's say the topology is : 
Forti - internet switch - ISP 1 modem - hop 1- hop 2 - google dns


If the google dns down on ISP 1 does the failover to ISP 2 happened? remembering port 1 is not realy down because connection between forti to internet switch not down.


And if the ISP 1 modem (ISP GW) down, does the failover to ISP 2 happened? remembering port 1 is not realy down because connection between forti to internet switch not down.



Hi @subnet_warrior ,

Since you have SDWAN, you can also configure Performance SLA.
Performance SLA is act like IPSLA which check layer 3 (IP) connectivity.

When Performance SLA for SDWAN Member interface goes down, it will tag the interface as down and remove static routes related to that interface from routing-table (Inactive Route).
Which results to failover.

Best Regards,

Arnold Dimailig
TAC Engineer

Hi subnet_warrior

We have an article that describe how to do what you are looking for. The article does not explain how SDWAN works so I will try to add what is missing.


Basically, there is something called 'Performance SLA' or 'Health checks' on SDWAN feature, that is basically a feature that monitor a device using a protocol. To have a performance SLA' you need to choose a protocol, an server (destination) and a mode (passive or active). 


Let's use ping and Google DNS ( as our example.


FGT will send pings to Google DNS via ISP1 and ISP2 and it will keep statistics about each ping via each ISP. As you said, ISP1 modem is down but the interface is UP. So the ping via ISP1 will fail anyway but the ping via ISP2 will work fine. FGT will notice that and start to use ISP2 to send traffic to Internet. 


Now let's assume that ISP1 modem is up and running but Google DNS ( is down, so the Performance SLA will fail for both links (ISP1 and ISP2), FGT won't change anything. Because FGT knows that the destination has failed, not the link. Fortinet suggest to have at least 2 destinations ( and for example. So FGT can compare both results and realise that has failed on both link but is up and running on both links, so actually the Google DNS has failed, not the ISP1 or ISP2, so no changes are necessary anyway.


Check the article below as well, it might help you.


I tried to keep my explanation simple, just add further question in case there is something not clear yet. 





Select Forum Responses to become Knowledge Articles!

Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.

Top Kudoed Authors