Redundant Internet connections

In this example, you will create a WAN link interface that provides your FortiGate unit with redundant Internet connections from two Internet service providers (ISPs). The WAN link interface combines these two connections into a single interface.

This example includes weighted load balancing so that most of your Internet traffic is handled by one ISP.


1. Connecting your ISPs to the FortiGate

Connect your ISP devices to your FortiGate so that the ISP you wish to use for most traffic is connected to WAN1 and the other connects to WAN2.

2. Deleting security policies and routes that use WAN1 or WAN2

You will not be able to add an interface to the WAN link interface while that interface is still referenced elsewhere in the FortiGate's configuration, so you must first delete any security policies or routes that use either WAN1 or WAN2. Once those policies are deleted, traffic cannot reach WAN1 or WAN2 through the FortiGate until you create the new policy in step 6.

Many FortiGate models include a default Internet access policy that uses WAN1. This policy must also be deleted.

Go to Policy & Objects > IPv4 Policy and delete any policies that use WAN1 or WAN2.
Go to Network > Static Routes and delete any routes that use WAN1 or WAN2.

3. Creating a WAN link interface

Go to Network > WAN LLB (WAN Link Load Balancing).

Set the Interface State to Enable.

Under WAN LLB, select Create New to add an interface.

Add wan1 and enter the Gateway IP provided by your primary ISP. Do the same for wan2, but this time use the Gateway IP provided by your secondary ISP.


Under Load Balancing Algorithm, select Volume as the type. This will allow you to prioritize the wan1 interface so that more traffic uses it. For the weight, set wan1 to 3 and set wan2 to 1.

The weight settings will cause 75% of traffic to use WAN1, with the remaining 25% using WAN2.

To help analyze the effectiveness of the algorithm selected, the WAN Links Usage graph shows you the volume and bandwidth usage.

4. Configuring Health Check (optional)

You can optionally configure Health Check to verify the health and status of the links that make up the virtual WAN link. Health Check is only available via the CLI. Go to Dashboard > CLI and enter the following commands:

config system virtual-wan-link
    set fail-detect [enable | disable]
    set fail-alert-interfaces (available only if fail-detect is enabled)
    config health-check
        edit [health check name]
            set server <string>
            set protocol [ping | tcp-echo | udp-echo | http | twamp]
            ...
            set timeout <integer>
            set failtime [1-10]
            set recoverytime [1-10]
            set update-cascade-interface [enable | disable]
            set update-static-route [enable | disable]
        next
    end
end
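Putting steps 3 and 4 together, here is a complete configuration as it would be entered from the CLI. This is an added example, not a fragment from the recipe or from Fortinet's documentation. The gateway and probe addresses (203.0.113.x, 198.51.100.x) and the interface name "internal" are constructed placeholders; the "load-balance-mode", "members" and "set members" settings are the CLI equivalents of the GUI options as I know them for this release, so confirm them on your own unit with "show system virtual-wan-link" before relying on them. Lines starting with "#" are config-file style comments.

```text
config system virtual-wan-link
    set status enable
    # Volume (weight-based) load balancing, 3:1 in favour of wan1, as in step 3.
    # Assumption: "weight-based" is the CLI name for the GUI's "Volume" algorithm.
    set load-balance-mode weight-based
    # Mark the links down when a health check fails, and alert on "internal".
    set fail-detect enable
    set fail-alert-interfaces "internal"
    config members
        edit 1
            set interface "wan1"
            set gateway 203.0.113.1      # primary ISP gateway (constructed)
            set weight 3
        next
        edit 2
            set interface "wan2"
            set gateway 198.51.100.1     # secondary ISP gateway (constructed)
            set weight 1
        next
    end
    config health-check
        edit "isp-ping"
            # Probe a host beyond the ISP gateway so a dead upstream is detected,
            # not just a live local link. Address is constructed.
            set server "203.0.113.53"
            set protocol ping
            set interval 5
            set timeout 1
            # 5 consecutive failures mark the link down, 5 successes bring it back.
            set failtime 5
            set recoverytime 5
            set update-cascade-interface enable
            set update-static-route enable
            # Assumption: health checks are bound to member IDs from the table above.
            set members 1 2
        next
    end
end
```

Pick a probe target that is reachable only through the ISP and that you are allowed to ping regularly; probing the ISP's own gateway tells you the cable is up, but not that the ISP has a working route to the Internet. With update-static-route enabled, a failed check also withdraws the default route you create in step 5 for that member, which is what makes the "disable wan1 and watch traffic move to wan2" test in step 7 work.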

5. Creating a default route for the WAN link interface

Go to Network > Static Routes and create a new default route.

Set Device to the WAN link interface.

6. Allowing traffic from the internal network to the WAN link interface

Go to Policy & Objects > IPv4 Policy and create a new policy.

Set Incoming Interface to your internal network’s interface and set Outgoing Interface to the WAN link interface.

Turn on NAT.

Scroll down to view the Logging Options. To view the results later, turn on Log Allowed Traffic and select All Sessions.

7. Results

Browse the Internet using a computer on the internal network and then go to FortiView > All Sessions.

Make sure that the Destination Interface column is shown. If it’s not, right-click on the top menu row to add it to the menu.

The log shows traffic flowing through both WAN1 and WAN2.


Go to Network > Interfaces and disable the wan1 port. Then browse the Internet from the internal network.

Go back to FortiView > All Sessions and the results should show that traffic is only flowing through wan2, until you enable WAN1 again.

For further reading, check out Redundant Internet installation in the FortiOS 5.4 Handbook.

Kayla Robinson

Technical Writer at Fortinet
Kayla Robinson works in Ottawa as part of Fortinet's Technical Documentation and New Media team. With a Bachelor's degree from Carleton, and a graduate certificate in Technical Writing from Algonquin College, she enjoys creating FortiOS Cookbook videos.

  • Ray Ho

    Hi,

    I am looking for FG-100E to replace my old firewall.
    Currently, I have 3 internet connections (3 WAN). Can I assign the FG-100E switch ports to WAN ports?
    I suppose the PBR , default route, can be easy to handle by FG-100E.

    Thanks.

  • Tanguy Le Loch

    How to just do a failover?
    If I update my Forti, I can see in the config file that I still have entries about system health check. So I think it still works.
    But if I have to configure a new Fortinet, if I have a fiber and a SDSL (very slow) and I want my LAN's computers going through fiber and failover only if there is no link???

    • bdickie

      We have received many requests for a basic failover redundant internet
      connections example so it's on our To Do list. Until it actually happens,
      here is some information about how to set it up.

      You now set up the basic failover configuration from the CLI only. It is also referred
      to as dead-gateway detection or link-monitoring.

      See this link for details about the command:

      http://help.fortinet.com/cli/fos50hlp/54/index.htm#FortiOS/fortiOS-cli-ref-54/config/system/link-monitor.htm

      Here is the configuration:

      config system link-monitor

      edit wan1

      Echo1 (wan1) # get
      name : wan1
      srcintf :
      server :
      protocol : ping
      gateway-ip : 0.0.0.0
      source-ip : 0.0.0.0
      interval : 5
      timeout : 1
      failtime : 5
      recoverytime : 5
      ha-priority : 1
      update-cascade-interface: enable
      update-static-route : enable
      status : enable

      Typically you would configure the link monitor for both interfaces.
      Set the Distance to be equal on the routes for each interface.
      Set the priority to be higher, on the redundant interface.

      To test the feature, remove/disconnect the cable upstream.

      This configuration requires you to create redundant routes and redundant
      firewall policies. See this old FortiOS 5.0 recipe for the GUI steps http://docs.fortinet.com/uploaded/files/1646/using-two-ISPs-for-redundant-Internet-connections.pdf

  • mohamed

    VPNs not working with link load balancing? Can you help me please?

  • Jan Alvarado

    I followed the instructions but one of my ISPs does not respond. Both ISPs are under "WAN LLB". After finishing all the steps, one of my ISPs works normally with 75% of the traffic and the other one does not respond; it always shows "Link down", but in Network >> Interfaces all is fine. I also configured the ISP on a local machine and it works normally.

  • Casey Phillips

    Are you telling me we have to flush all the Policy routes we have already configured in the unit, just to configure this feature? I thought these were business class products. Can I do this in the CLI without that nonsense?

  • Justin Loebel

    Any chance all of the above instruction can be provided in cli? =D

  • Panda Woodworking

    I'm most definitely not a FG expert, but our last admin had over 600 policies that use wan1! Can those be updated afterwards instead of having to enter them all back one by one? Also, I'd like the secondary ISP to remain unused unless the primary goes completely out. Can this be done via weights? Any help is much appreciated.

  • Rob Aronson

    Is there a good way to migrate existing connections to WAN link load balancing? We have dual ISPs with inbound and outbound policies, routes, VPNs and multiple VIPs. I'd love to be able to reduce my redundant policies. We have to create two policies every time we change the firewall. It's extra work and introduces opportunities for errors.

    Thanks

    • Rurico

      I would like to know the same thing, what if I already have various Site-to-Site VPN’s? How do I make a partially redundant connection with this setup?

  • Merong Mahawangsa IV

    How about adding a Tunnel in WAN-LLB? We have tried, but the WAN-LLB interface seems down. FortiGate 1200D v5.4.4

    • bdickie

      It is our understanding that this configuration is not supported for FortiOS 5.4. It is for FortiOS 5.6.

  • Victoria Martin

    I’m glad you were able to get things sorted out.

  • jppataki

    I've tried, but my WAN connections don't appear when I try to Create New under WAN LLB (and all the others appear!!!). Of course I can change to another, but somehow it feels odd and I would like to understand what's going on. And I'm sure I deleted every IPv4 policy and all the static routes (and made a reboot just to be sure).
    What else can it be?

    • Victoria Martin

      Hello,

      When you go to Network > Interfaces, check the Ref. column located on the far right side of the interface list. This column lists any references to the interface in your configuration. If the number is 1 or higher, click on it to see where your configuration references the interface.

      If this number is 0, then you have successfully removed all references – if this is the case, I would recommend contacting Support about the issue.

  • Neemias Caetano

    I’m sorry, allow another curiosity / question.
    Some other way to monitor the link / availability, without the need to enable LLB?

  • Neemias Caetano

    If there is one with two WAN interface VLANs, this rule does not apply, right? I have not found documentation contemplating this kind of situation / scenario.
    Could you talk about it?

    • Kerrie Newton

      Hello Neemias,

      Just to clarify, are you attempting to create a WAN LLB using VLANs? I haven’t tested it but doing a quick setup I was able to create a VLAN and select it as an interface for WAN LLB.

      Should you attempt that and need further assistance troubleshooting feel free to contact Fortinet Support:
      How to work with Fortinet Support
      http://cookbook.fortinet.com/how-to-work-with-fortinet-support/

      Correct. To use a different Load Balancing Algorithm you will still need to enable WAN LLB; afterwards you'd be able to monitor the links via FortiView.

      Regards,
      Kerrie

      • Neemias Caetano

        Hi,
        Thanks for the answer.
        As for the VLAN interface, it does not appear in WLLB.
        I believe, not bear it.
        tks,