Redundant Internet connections (5.2.0)


In this example, you will create a virtual WAN link that provides your FortiGate unit with redundant Internet connections from two Internet service providers (ISPs). The virtual WAN link combines these two connections into a single interface.

This example includes weighted load balancing so that most of your Internet traffic is handled by one ISP.

This recipe is only for FortiOS 5.2.0.

Find this recipe for other FortiOS versions
5.2.0 | 5.2.1 +  | 5.4 | 5.6

1. Connecting your ISPs to the FortiGate

Connect your ISP devices to your FortiGate so that the ISP you wish to use for most traffic is connected to WAN1 and the other connects to WAN2.

2. Deleting security policies and routes that use WAN1 or WAN2

You will not be able to add an interface to the virtual WAN link if it is already used in the FortiGate’s configuration, so you must delete any policies or routes that use either WAN1 or WAN2.

Many FortiGate models include a default Internet access policy that uses WAN1. This policy must also be deleted.

Go to Policy & Objects > Policy > IPv4 and delete any policies that use WAN1 or WAN2.
Go to Router > Static > Static Routes and delete any routes that use WAN1 or WAN2.

3. Creating a virtual WAN link

Go to System > Network > Interfaces and select Create New > Virtual WAN.
Set WAN Load Balancing to Weighted Round Robin. This will allow you to prioritize the WAN1 interface so that more traffic uses it.

Add WAN1 to the list of Interface Members, set Weight to 3, and set it to use the Gateway IP provided by your ISP.

You can optionally configure Health Check to verify that WAN1 can connect to the Internet

Do the same for WAN2, but instead set Weight to 1.

You can optionally configure Health Check to verify that WAN2 can connect to the Internet.

The weight settings will cause 75% of traffic to use WAN1, with the remaining 25% using WAN2.

4. Creating a default route for the virtual WAN link

Go to Router > Static > Static Routes and create a new default route.

Set Device to the virtual WAN link.

5. Allowing traffic from the internal network to the virtual WAN link

Go to Policy & Objects > Policy > IPv4 and create a new policy.

Set Incoming Interface to your internal network’s interface and set Outgoing Interface to the virtual WAN link.

Turn on NAT.

Scroll down to view the Logging Options. To view the results later, turn on Log Allowed Traffic and select All Sessions.

6. Results

Browse the Internet using a PC on the internal network and then go to System > FortiView > All Sessions.

Ensure that the Dst Interface column is visible in the traffic log. If it is not shown, right-click on the title row and select Dst Interface from the dropdown menu. Scroll to the bottom of the menu and select Apply.

The log shows traffic flowing through both WAN1 and WAN2.
Disconnect the WAN1 port, continue to browse the Internet, and refresh the traffic log. All traffic is now flowing through WAN2, until you reconnect WAN1.

For further reading, check out Installing a FortiGate in NAT/Route Mode in the FortiOS 5.2 Handbook.

Victoria Martin

Victoria Martin

Technical Writer & Head Cookbook Chef at Fortinet
Victoria Martin works in Ottawa as part of the FortiOS technical documentation team. She graduated with a Bachelor's degree from Mount Allison University, after which she attended Humber College's book publishing program, followed by the more practical technical writing program at Algonquin College. She does need glasses but also likes wearing them, since glasses make you look smarter.
Victoria Martin

Latest posts by Victoria Martin (see all)

  • Was this helpful?
  • Yes   No
After you remove these policies, traffic will no longer be able to reach WAN1 or WAN2 through the FortiGate.
  • ariel marlon javier

    This is very helpful article, thank you.
    I have another situation where i created 2 groups we only want the first group to use WAN1 and the other group to use WAN2, unfortunately no luck.
    On the diag debug it show it still forward the traffic to WAN 1 port even if i have policy that will use WAN 2 as the destination port (and i moved to sequence no 1 just for troubleshooting).

    any assistance is highly appreciated. thank you again

    id=13 trace_id=10103 func=print_pkt_detail line=4311 msg=”vd-root recei ved a packet(proto=6,> from internal. fla g [S], seq 1396561514, ack 0, win 8192″
    id=13 trace_id=10103 func=init_ip_session_common line=4467 msg=”allocate a new s ession-000a9d04″
    id=13 trace_id=10103 func=vf_ip4_route_input line=1600 msg=”find a route: flags= 00000000 gw-x.x.x.x via wan1″
    id=13 trace_id=10103 func=fw_forward_handler line=548 msg=”Denied by forward pol icy check (policy 0)”

  • Russell Shirley

    Will this work in a HA pair where one each of the WANs are on different units?

    • bdickie

      The redundant Internet connection configuration described in this recipe will only work between interfaces on the same FortiGate unit. The redundant Internet connection configuration is supported for an HA cluster with connections from both FortiGates to both ISPs.

      • James Heal


        I have taken over a partially configured DR solution. There will be two sites one 500D at each site. It appears there is no way to support the HA features over a WAN connection. Is this true? Do you have a recipe for HA over a WAN (VLAN) connection?



        • bdickie

          In general yes the FGCP supports clusters where the FortiGate units are in different locations. No special configuration is required beyond possibly increasing the heartbeat interval. Plus the heartbeat interfaces need to be able to communicate over the WAN. The following section of the FortiOS Handbook has some general information about this kind of configuration:

          • James Heal

            Thank you for the info. You may have saved a life 🙂 I was, after all, having a heart attack after I was told in a chat session that it will not work over a WAN. I had noted that there was no IP address assignment to the heartbeat ports and wondered how it worked…. Maybe the front line support people need a bit more training.

          • bdickie

            I hope it works out. Based on your comments I am going to add a bit more information to that section of the HA handbook about using the WAN links for HA heartbeat and about the CLI options for HA heartbeat encryption and authentication:
            config system ha
            set authentication enable
            set encryption enable

            We will also relay your comments to the support team.

          • James Heal

            I appreciate your time on this. Great service, thank you. I will be doing a VLAN test today (assuming the ISP gets back to me) and if you like I can post results, hangups, whatever…



          • bdickie

            Thanks, results or tips of any kind would be great, thanks.

  • Thomas Kp

    We have 3 internet links and each internet link has 2 set of public ip address (/30 and /28 network).
    When the traffic goes out to a virtual wan interface can we NAT it with specific ip address (ip from /28 network) instead interface ip. The internet links are directly connected to the firewall with /30 ip address.

    • Bruce Davis

      NATing is something that is set in the policy, so I will assume that you have a policy going from the internal to the Internet using a virtual WAN link. The strategy here is to prepare an IP pool that is configured for the IP address(es) that you want to use. Just because it says pool doesn’t mean that you have to use more than one address. With the IP pool configured you go to your policy and select the NAT option but instead of using the outgoing interface, you use the Dynamic IP pool option and select the IP pool that you have set up.