Redundant Internet connections (5.2.1 and higher)

Facebooktwittergoogle_plusredditpinterestlinkedinFacebooktwittergoogle_plusredditpinterestlinkedin

In this example, you will create a WAN link interface that provides your FortiGate unit with redundant Internet connections from two Internet service providers (ISPs). The WAN link interface combines these two connections into a single interface.

This example includes weighted load balancing so that most of your Internet traffic is handled by one ISP.

A video of this recipe can be found here.

This recipe is only for FortiOS releases 5.2.1 and higher.

Find this recipe for other FortiOS versions
5.2.0 | 5.2.1 +  | 5.4 | 5.6

1. Connecting your ISPs to the FortiGate

Connect your ISP devices to your FortiGate so that the ISP you wish to use for most traffic is connected to WAN1 and the other connects to WAN2.  

2. Deleting security policies and routes that use WAN1 or WAN2

You will not be able to add an interface to the WAN link interface if it is already used in the FortiGate’s configuration, so you must delete any policies or routes that use either WAN1 or WAN2.

Many FortiGate models include a default Internet access policy that uses WAN1. This policy must also be deleted.

 

Go to Policy & Objects > Policy > IPv4 and delete any policies that use WAN1 or WAN2.
Go to Router > Static > Static Routes and delete any routes that use WAN1 or WAN2.

3. Creating a WAN link interface

Go to System > Network > WAN Link Load Balancing.

Set WAN Load Balancing to Weighted Round Robin. This will allow you to prioritize the WAN1 interface so that more traffic uses it.

Add WAN1 to the list of Interface Members, set Weight to 3, and set it to use the Gateway IP provided by your ISP.

You can optionally configure Health Check to verify that WAN1 can connect to the Internet.

Do the same for WAN2, but instead set Weight to 1.

You can optionally configure Health Check to verify that WAN2 can connect to the Internet.

The weight settings will cause 75% of traffic to use WAN1, with the remaining 25% using WAN2.

 

4. Creating a default route for the WAN link interface

Go to Router > Static > Static Routes and create a new default route.

Set Device to the WAN link interface.

5. Allowing traffic from the internal network to the WAN link interface

Go to Policy & Objects > Policy > IPv4 and create a new policy.

Set Incoming Interface to your internal network’s interface and set Outgoing Interface to the WAN link interface.

Turn on NAT.

Scroll down to view the Logging Options. To view the results later, turn on Log Allowed Traffic and select All Sessions.

6. Results

Browse the Internet using a PC on the internal network and then go to System > FortiView > All Sessions.

Ensure that the Dst Interface column is visible in the traffic log. If it is not shown, right-click on the title row and select Dst Interface from the dropdown menu. Scroll to the bottom of the menu and select Apply.

The log shows traffic flowing through both WAN1 and WAN2.

 
Disconnect the WAN1 port, continue to browse the Internet, and refresh the traffic log. All traffic is now flowing through WAN2, until you reconnect WAN1.

For further reading, check out Installation in the FortiOS 5.2 Handbook.

Victoria Martin

Victoria Martin

Technical Writer & Head Cookbook Chef at Fortinet
Victoria Martin works in Ottawa as part of the FortiOS technical documentation team. She graduated with a Bachelor's degree from Mount Allison University, after which she attended Humber College's book publishing program, followed by the more practical technical writing program at Algonquin College. She does need glasses but also likes wearing them, since glasses make you look smarter.
Victoria Martin

Latest posts by Victoria Martin (see all)

  • Was this helpful?
  • Yes   No
After you remove these policies, traffic will no longer be able to reach WAN1 or WAN2 through the FortiGate.