ECMP session persistence and dual WAN link failover/failback
2 WAN links to different ISPs on a Fortigate firewall using a static route for each WAN link, equal cost/distance, different priority. No dynamic routing - very simple topology.
This allows me to ping both interfaces on the Fortigate to monitor remotely that BOTH ISPs are up and functional. This also prefers traffic out the interface that is weighted with the appropriate priority.
Using link-monitor CLI functionality to ping 22.214.171.124 on WAN links to monitor for WAN failure so the static route is removed from the routing table as appropriate during WAN link failure.
During WAN link failback, e.g. WAN1 becomes available again after an outage, any existing sessions passing through WAN2 remain on the WAN2 interface. This becomes problematic with my VoIP traffic which runs over the internet. I want all sessions to be cleared on WAN2, and new sessions to establish out WAN1. Instead, existing sessions persist through WAN2 - particularly my VoIP sessions using SIP - in this scenario I do NOT want the sessions to stay up through WAN2 but be torn down. WAN2 is often a less preferred link with lower bandwidth or higher latency so I do not want sessions to persist on this interface.
In summary - I want to have both WAN interfaces pingable on the Fortigate (which seems to require an equal route cost) so I can monitor reachability of the firewall through both ISPs on WAN1 and WAN2. I want to utilize WAN2 for failover, but I do NOT want my existing sessions to persist on WAN2 once WAN1 comes back up.
Is there a way to achieve the above using say SD-WAN functionality or some type of macro on the Fortigate device or any other method?
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.