Redundant Internet connections


In this example, you will create a WAN link interface that provides your FortiGate unit with redundant Internet connections from two Internet service providers (ISPs). The WAN link interface combines these two connections into a single interface.

This example includes weighted load balancing so that most of your Internet traffic is handled by one ISP.

Find this recipe for other FortiOS versions
5.2.0 | 5.2.1 +  | 5.4

Watch the video

1. Connecting your ISPs to the FortiGate

Connect your ISP devices to your FortiGate so that the ISP you wish to use for most traffic is connected to WAN1 and the other connects to WAN2.

2. Deleting security policies and routes that use WAN1 or WAN2

You will not be able to add an interface to the WAN link interface if it is already used in the FortiGate’s configuration, so you must delete any security policies or routes that use either WAN1 or WAN2. Traffic will not be able to reach WAN1 or WAN2 through the FortiGate after you delete the existing policies.

Many FortiGate models include a default Internet access policy that uses WAN1. This policy must also be deleted.

Go to Policy & Objects > IPv4 Policy and delete any policies that use WAN1 or WAN2.
Go to Network > Static Routes and delete any routes that use WAN1 or WAN2.

3. Creating a WAN link interface

Go to Network > WAN LLB (WAN Link Load Balancing).

Set the Interface State to Enable.

Under WAN LLB, select Create New to add an interface.

Add wan1 and enter the Gateway IP provided by your primary ISP. Do the same for wan2, but this time use the Gateway IP provided by your secondary ISP.


Under Load Balancing Algorithm, select Volume as the type. This will allow you to prioritize the wan1 interface so that more traffic uses it. For the weight, set wan1 to 3 and set wan2 to 1.

The weight settings will cause 75% of traffic to use WAN1, with the remaining 25% using WAN2.

To help analyze the effectiveness of the algorithm selected, the WAN Links Usage graph shows you the volume and bandwidth usage.

4. Configuring Health Check (optional)

You can optionally configure Health Check to verify the health and status of the links that make up the virtual WAN link. Health Check is only available via the CLI. Go to Dashboard > CLI and enter the following commands:

config system virtual-wan-link
 set fail-detect [enable | disable]
 set fail-alert-interfaces (available only if fail-detect is enabled)
 config health-check
  edit [health check name]
  set server <string>
  set protocol [ping | tcp-echo | udp-echo | http | twamp ]
  set timeout <integer>
  set failtime [1-10]
  set recoverytime [1-10]
  set update-cascade-interface [enable | disable]
  set update-static-route [enable | disable ]

5. Creating a default route for the WAN link interface

Go to Network > Static Routes and create a new default route.

Set Device to the WAN link interface.

6. Allowing traffic from the internal network to the WAN link interface

Go to Policy & Objects > IPv4 and create a new policy.

Set Incoming Interface to your internal network’s interface and set Outgoing Interface to the WAN link interface.

Turn on NAT.

Scroll down to view the Logging Options. To view the results later, turn on Log Allowed Traffic and select All Sessions.

7. Results

Browse the Internet using a computer on the internal network and then go to FortiView > All Sessions.

Make sure that the Destination Interface column is shown. If it’s not, right-click on the top menu row to add it to the menu.

The log shows traffic flowing through both WAN1 and WAN2.


Go to Network > Interfaces and disable the wan1 port. Then browse the Internet from the internal network.

Go back to FortiView > All Sessions and the results should show that traffic is only flowing through wan2, until you enable WAN1 again.  

For further reading, check out Redundant Internet installation in the FortiOS 5.4 Handbook.

Kayla Robinson

Kayla Robinson

Technical Writer at Fortinet
Kayla Robinson works in Ottawa as part of Fortinet's Technical Documentation and New Media team. With a Bachelor's degree from Carleton, and a graduate certificate in Technical Writing from Algonquin College, she enjoys creating FortiOS Cookbook videos.
Kayla Robinson

Latest posts by Kayla Robinson (see all)

  • Was this helpful?
  • Yes   No
  • Panda Woodworking

    I’m most definitely not a FG expert, but our last admin had over 600 policies that use wan 1! Can those be updated afterwards instead of having to enter them all back one by one? Also, I’d like the 2ndary ISP to remain unused unless the primary goes completely out. Can this be done via weights? Any help is much appreciated.

  • Rob Aronson

    Is there a good way to migrate existing connections to wan link load balancing? We have dual ISPs with inbound and outbound policies, routes, vpns and multiple VIPs. I’d love to be able to reduce my redundant policies. We have to create two policies every time we change the firewall. Its extra work and introduces opportunities for errors.


    • Rurico

      I would like to know the same thing, what if I already have various Site-to-Site VPN’s? How do I make a partially redundant connection with this setup?

  • Merong Mahawangsa IV

    how about adding Tunnel in WAN-LLB? We have try but the WAN-LLB interface seems down. Fortigate 1200D v5.4.4

    • bdickie

      It is our understanding that this configuration is not supported for FortiOS 5.4. It is for FortiOS 5.6.

  • Victoria Martin

    I’m glad you were able to get things sorted out.

  • jppataki

    I’ve tried but my WAN connections don’t appear when I try to Create New under WAN LLB (and all the other appear!!!), of course I can change to other but somehow feels odd and i wolud like to understand what’s going on. And I’m sure deleted every IP V4 policy and all the static rules (and made a reboot just to be sure).
    What else can it be?

    • Victoria Martin


      When you go to Network > Interfaces, check the Ref. column located on the far right side of the interface list. This column lists any references to the interface in your configuration. If the number is 1 or higher, click on it to see where your configuration references the interface.

      If this number is 0, then you have successfully removed all references – if this is the case, I would recommend contacting Support about the issue.

  • Neemias Caetano

    I’m sorry, allow another curiosity / question.
    Some other way to monitor the link / availability, without the need to enable LLB?

  • Neemias Caetano

    If there is 01(one) with two WAN interface’s VLAN, this rule does not apply, right? I have not found documentation contemplating this kind of situation / scenario.
    You could talk about?

    • Kerrie Newton

      Hello Neemias,

      Just to clarify, are you attempting to create a WAN LLB using VLANs? I haven’t tested it but doing a quick setup I was able to create a VLAN and select it as an interface for WAN LLB.

      Should you attempt that and need further assistance troubleshooting feel free to contact Fortinet Support:
      How to work with Fortinet Support

      Correct to using a different Load Balancing Algorthim you will still need to enable WAN LLB. afterwards you’d be able to monitor the links via FortiView.


      • Neemias Caetano

        Thanks for the answer.
        As for the VLAN interface, it does not appear in WLLB.
        I believe, not bear it.