Redundant Internet connections (5.2.1 and higher)


In this example, you will create a WAN link interface that provides your FortiGate unit with redundant Internet connections from two Internet service providers (ISPs). The WAN link interface combines these two connections into a single interface.

This example includes weighted load balancing so that most of your Internet traffic is handled by one ISP.

A video of this recipe can be found here.

This recipe is only for FortiOS releases 5.2.1 and higher.


1. Connecting your ISPs to the FortiGate

Connect your ISP devices to your FortiGate so that the ISP you wish to use for most traffic is connected to WAN1 and the other connects to WAN2.  

2. Deleting security policies and routes that use WAN1 or WAN2

You will not be able to add an interface to the WAN link interface if it is already used in the FortiGate’s configuration, so you must delete any policies or routes that use either WAN1 or WAN2.

Many FortiGate models include a default Internet access policy that uses WAN1. This policy must also be deleted.

Go to Policy & Objects > Policy > IPv4 and delete any policies that use WAN1 or WAN2.
Go to Router > Static > Static Routes and delete any routes that use WAN1 or WAN2.

3. Creating a WAN link interface

Go to System > Network > WAN Link Load Balancing.

Set WAN Load Balancing to Weighted Round Robin. This will allow you to prioritize the WAN1 interface so that more traffic uses it.

Add WAN1 to the list of Interface Members, set Weight to 3, and set it to use the Gateway IP provided by your ISP.

You can optionally configure Health Check to verify that WAN1 can connect to the Internet.

Do the same for WAN2, but instead set Weight to 1.

You can optionally configure Health Check to verify that WAN2 can connect to the Internet.

The weight settings will cause 75% of traffic to use WAN1, with the remaining 25% using WAN2.

4. Creating a default route for the WAN link interface

Go to Router > Static > Static Routes and create a new default route.

Set Device to the WAN link interface.

5. Allowing traffic from the internal network to the WAN link interface

Go to Policy & Objects > Policy > IPv4 and create a new policy.

Set Incoming Interface to your internal network’s interface and set Outgoing Interface to the WAN link interface.

Turn on NAT.

Scroll down to view the Logging Options. To view the results later, turn on Log Allowed Traffic and select All Sessions.

6. Results

Browse the Internet using a PC on the internal network and then go to System > FortiView > All Sessions.

Ensure that the Dst Interface column is visible in the traffic log. If it is not shown, right-click on the title row and select Dst Interface from the dropdown menu. Scroll to the bottom of the menu and select Apply.

The log shows traffic flowing through both WAN1 and WAN2.

Disconnect the WAN1 port, continue to browse the Internet, and refresh the traffic log. All traffic is now flowing through WAN2, until you reconnect WAN1.
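As an added example that is not part of this recipe or of FortiOS, the Python below models the weight 3 / weight 1 assignment from step 3 and the failover seen in step 6, then computes the same split from constructed FortiGate-style key=value traffic log lines using their dstintf field, so the FortiView result can be checked rather than eyeballed. The smooth weighted round robin scheduler is an assumption used to model the 75/25 split, not a description of how FortiOS implements it.

```python
"""Weighted round robin across WAN members with health-check failover, plus a
check of the split actually seen in FortiGate-style traffic log lines.
Added illustration for this recipe, not FortiOS code; scheduler is assumed."""
import shlex
from collections import Counter
from dataclasses import dataclass
from typing import Dict, List


@dataclass
class Member:
    name: str
    weight: int          # the Weight value set for the interface member
    alive: bool = True   # outcome of the optional Health Check


class WeightedRoundRobin:
    """Assigns each new session to a live member in proportion to its weight.

    Each pick adds every live member's weight to its credit, takes the member
    with the most credit, and charges the winner the total live weight. Over
    every window of total-weight sessions the split is exactly weight / total,
    so weights 3 and 1 give three sessions on wan1 for every one on wan2.
    """

    def __init__(self, members: List[Member]) -> None:
        self.members = members
        self.credit: Dict[str, int] = {m.name: 0 for m in members}

    def pick(self) -> str:
        live = [m for m in self.members if m.alive]
        if not live:
            raise RuntimeError("no WAN member passed its health check")
        total = sum(m.weight for m in live)
        for m in live:
            self.credit[m.name] += m.weight
        best = max(live, key=lambda m: self.credit[m.name])
        self.credit[best.name] -= total
        return best.name


def session_split(members: List[Member], sessions: int) -> Dict[str, float]:
    """Fraction of `sessions` new sessions that each member receives."""
    lb = WeightedRoundRobin(members)
    counts = Counter(lb.pick() for _ in range(sessions))
    return {m.name: counts[m.name] / sessions for m in members}


def parse_kv(line: str) -> Dict[str, str]:
    """Split one key=value FortiGate log line into a dict, quotes removed."""
    return dict(tok.split("=", 1) for tok in shlex.split(line) if "=" in tok)


def dstintf_split(lines: List[str]) -> Dict[str, float]:
    """Observed share of sessions per Dst Interface (dstintf) in the log."""
    counts = Counter(parse_kv(ln)["dstintf"] for ln in lines if ln.strip())
    total = sum(counts.values())
    return {name: n / total for name, n in sorted(counts.items())}


def split_matches(observed: Dict[str, float], expected: Dict[str, float],
                  tolerance: float = 0.05) -> bool:
    """True if every interface's observed share is within tolerance of expected."""
    return all(abs(observed.get(n, 0.0) - expected.get(n, 0.0)) <= tolerance
               for n in set(observed) | set(expected))


# Constructed sample: eight forward sessions in the key=value form FortiGate
# traffic logs use, as listed in FortiView > All Sessions with Dst Interface shown.
SAMPLE_LOG = [
    f'date=2017-01-01 time=10:00:0{i} type="traffic" subtype="forward" '
    f'srcintf="internal" dstintf="{intf}" action="accept"'
    for i, intf in enumerate(["wan1", "wan1", "wan2", "wan1",
                              "wan1", "wan1", "wan2", "wan1"])
]

if __name__ == "__main__":
    members = [Member("wan1", 3), Member("wan2", 1)]
    expected = session_split(members, 100)           # {'wan1': 0.75, 'wan2': 0.25}
    observed = dstintf_split(SAMPLE_LOG)
    print("expected", expected, "observed", observed,
          "OK" if split_matches(observed, expected) else "MISMATCH")
    members[0].alive = False                         # step 6: wan1 disconnected
    print("wan1 down:", session_split(members, 20))  # {'wan1': 0.0, 'wan2': 1.0}
```

Run it against a real export of the traffic log (one key=value line per session) in place of SAMPLE_LOG to confirm the split the weights should produce.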

For further reading, check out Installing a FortiGate in NAT/Route Mode in the FortiOS 5.2 Handbook.

Victoria Martin

Technical Writer & Head Cookbook Chef at Fortinet
Victoria Martin works in Ottawa as part of the FortiOS technical documentation team. She graduated with a Bachelor's degree from Mount Allison University, after which she attended Humber College's book publishing program, followed by the more practical technical writing program at Algonquin College. She does need glasses but also likes wearing them, since glasses make you look smarter.

After you remove these policies, traffic will no longer be able to reach WAN1 or WAN2 through the FortiGate.
  • Vedret Hrvanovic

    Hi Victoria,
    How can I use a virtual IP for enabling RDP?
    Is it possible with WAN LLB?
    60D v5.4

    Thanks

  • Jan Gebhardt

    Hi Victoria,
    Just want to know if it is possible to have a redundant WAN LLB (2 ISPs on both sides) (60D v5.4.0 at the main office and 30E at the remote office) and still configure a redundant route-based VPN between them?
    Thanks

    • Victoria Martin

      Hi Jan,

      The WAN LLB feature is not compatible with VPNs in FortiOS 5.4.

  • Dave Thommy Roxie

    Hi Victoria,
    I followed your instructions for Redundant Internet connections, but the backup line wan2 is not working. When I disabled wan1 (NetworkInterfaceWan1), the wan2 line has no Internet connection. I’m using a FortiGate 60E with Firmware Version v5.4.4,build6003 (GA) [Update]. I’m using NetworkInterfaceLan(1) – the internal local subnet is 192.168.0.3.255.255.255.0. For wan-load-balance, wan1 is using a static public IP which the ISP provides (x.x.x.x.255.255.255.252) and wan2 is using DHCP (192.168.10.2.255.255.255.0). For DNS Settings (NetworkInterfaceDNS – DNS Settings – Specify), the Primary DNS Server is the one provided by the ISP from wan1 and the Secondary DNS Server is also the one provided by the ISP from wan1. For wan2, Dynamically Obtained DNS Servers is using DNS server 192.168.10.1. Both lines are linked and up. My question is: why does the wan2 line have no Internet when wan1 is disabled? I also want to let you know that I am using the wan1 public IP on the FortiGate, meaning when I browse to the FortiGate firewall with a web browser I use the wan1 public IP to access it.

    • Dave Thommy Roxie

      For the wan2 interface, I need to clear or turn off Override internal DNS, right??

  • Emanuel X

    Thank you Victoria. For the VPN config… we need to replace WAN1/2 with the virtual device WAN LLB … and recreate the policy for this new scenario.

    • Victoria Martin

      Hi Emanuel,

      Unfortunately, the WAN LLB feature is not compatible with VPNs in FortiOS 5.2. However, this functionality is available in 5.6 using SD-WAN (which is the new name for WAN LLB). We are working on a recipe about SD-WAN and IPsec VPN which we hope to have published soon.

  • wpyesther

    Hi Victoria,

    In my environment, we have virtual IP for some internal servers. And also, we have some ssl-vpn user.
    As you said, “You will not be able to add an interface to the WAN link interface if it is already used in the FortiGate’s configuration, so you must delete any policies or routes that use either WAN1 or WAN2.” So how can we build up SSL-VPN and virtual IPs for internal servers?

    Thank you in advance.

  • Fcbmg

    Hello @vkmartin:disqus ,

    Thank you for sharing this article. I encounter some problems after setting up the WAN LLB.
    I want to create a virtual IP but I can’t find the incoming ports “WAN1” & “WAN2” either in the “Virtual IP” section or in the “Policy & Objects” section.
    I know that with a less recent OS it is possible to make this configuration.
    I have a FortiGate 60E under FortiOS 5.4.
    What is it necessary to do?
    Thank you in advance.

    • Victoria Martin

      Hello,

      First, I would suggest that you look at the 5.4 version of this recipe, to see if there were any changes made between 5.2 and 5.4 that you haven’t accounted for: http://cookbook.fortinet.com/redundant-internet-connections-54/

      Also, make sure that neither WAN1 or WAN2 is currently in use by your configuration.

  • Just wondering, what does the health check do? We had one Internet connection dropping, but the interface (VLAN interface) was not put down. We have a server with a VIP assigned to it and using a static route. When the interface goes down, all is fine, it just switches to the other connection to go out – but if the interface is up but dead, it doesn’t work. Dead Gateway Detection doesn’t work, as it doesn’t show the VLAN to put down, only physical interfaces, so I am a little lost how to make a failover in such a case. We are using Spillover.

  • Sando Junitra

    Hello Victoria,

    Thank you for your sharing. I want to ask for a solution for my network project.

    So, I have 2 ISPs for 2 WANs, and I have already set up WAN load balancing. As you said in the reply comment above, we can’t create a policy from SSL to wan1 or wan2. Then my client connects via SSL VPN with FortiClient and gets no Internet, except if I use split tunneling, but that makes my client not get my server’s public IP (for web filtering).

    Is there any solution for me to make my client get my server’s public IP?

    Thank you before.

    Sando.

  • William Lam

    Hi Victoria Martin,

    Thank you for your sharing. I have two questions.
    How can I make a WAN IP mapping after WAN load balancing has been created?
    I can’t find the incoming ports “WAN1” & “WAN2” in “Policy & Objects”.
    And the second question is, can I still make a policy-based site-to-site IPsec VPN?

    Thank you in advance.

  • Stoepps

    Hi. Does this work also when both WAN links connect to the same ISP (and use the same gateway address)?

    • Victoria Martin

      Hello Stoepps,

      The configuration you are describing is supported; however, because that set-up is not going to provide redundant Internet as described in this recipe, I do not know if this method is the best way to create that configuration. I would suggest contacting Fortinet Support for more information about that set-up.

  • carlos bello

    I’m planning on implementing this in my network, can you help me? I have the WAN link up/up with ip route default DA 10 priority 0. When I configure the other ip route default for the other WAN link, I lose management of my equipment??? Should I configure the other route with a higher priority?? Please help me.

    • Taher Elbar

      Hi Carlos,
      How are you accessing your equipment for management? Is that via WAN1, WAN2, LAN, or the mgmt. interface?
      Regards,
      Taher.

  • Rodrigo de los Santos

    Victoria, what is the difference between using WAN Link Load Balance and grouping WAN interfaces inside an interface zone and configuring Link Health Monitor? I have a lot of setups with WAN interface zones and I don’t want to migrate to 5.4 because of the lack of GUI support for this config (I didn’t find Link Health in 5.4).

    • Rodrigo de los Santos

      Dismiss this!!! You already answered my question, thanks.

  • adolfo Zameza

    Hi Victoria, it is nice to know that FortiGate has this great connection with end users. Kudos for that. My question for you is: how is this scenario tested when you use two WAN links and need to have public servers in a DMZ zone? How do we control which link will be used by the DMZ servers to respond to external users?

    • Victoria Martin

      Hi Adolfo,

      Each interface in the wan link has a unique public IP address, so traffic to your servers should only be coming in on one of the interfaces. Responses from the server to the client will then be sent out using the same interface (so if the traffic came in wan1, the reply will be sent using wan1).

      I hope that helps!

  • Gustavo Kotelchuk

    Hi Victoria, is it possible to have this configuration in a scenario in which there are two dynamic IPs on one side? How can I configure the DDNS parameters in that case? What happens in my case is that I get the same IP address for wan1 and wan2 even having configured two separate names for the FortiDDNS on wan1 and wan2.
    Thanks!

    • Bruce Davis

      Gustavo,

      This is one of those things that seems like it should be easy and straightforward, but is less so when you take into account the things going on in the background.

      There isn’t any reason that 2 separate interfaces shouldn’t be able to have separate assigned DDNS IP addresses, but there are a few things complicating the issue.

      1. The point of this recipe is for the two interfaces to be combined, so that may be causing an issue. The combining of the interfaces would likely have to be done after the DDNS configuration.
      2. The configuration interface may only allow for the entering of one DDNS setup.
      3. I suspect that at least part of the issue for your getting the same IP address for both WAN1 and WAN2, is because the request for both WAN1 and WAN2 is going out the same interface to the DDNS server. At the very least, it sounds like you need to force the DDNS requests for the different interfaces to go out different interfaces. Possible solutions could include Policy Routes, changing the load balancing algorithm or sending the requests to different DDNS servers.

      The best option for you may be to contact the Technical Assistance Center so that they can make a recommendation based on your specific situation.

  • Alessandro Rossi

    We’ve got several published services (on the main ISP link): we are concerned about asymmetric routing.
    Are we sure that, after configuring the second Internet link, all the incoming traffic from the main ISP link to the published servers will return to the source client using the same link? Do we have to use policy routing to be sure of that?
    And what about this other method?
    http://www.securelinks.net/fortinet-fortigate-multi-wan-basic-setup-tips/
    Thanks a lot for your help 🙂

  • David

    Is it possible to use 2 isp connections with DHCP assigned addresses in this configuration?

    • Kerrie Newton

      Hello David,

      Yes, you can use WAN connections that use DHCP. What firmware are you currently running?

      Kerrie

  • Hugo Maya

    Hi
    For me the whole process was transparent, but I have a problem.
    How can I route all SMTP traffic for the ISP correctly?
    I made my link with 5 services of 150 MB DSL and one dedicated service. But the Exchange server is not doing well.
    Thanks

    • Victoria Martin

      Hi Hugo,

      Try creating a policy route (Router > Static > Policy Routes) for SMTP traffic. You can find information about it on the Fortinet forums: https://forum.fortinet.com/tm.aspx?m=100069

      I hope that helps!

      • Hugo Maya

        Victoria
        It works; the only problem is that I cannot specify only my Exchange Server in the source address, it takes my whole segment (192.168.1.0/255.255.255.0).
        What impact can I have?
        Thanks

        • Victoria Martin

          Hugo,

          At this point, you may want to contact Support so they can look at your entire configuration. Before you do that, I would recommend you read our article about working with Support: http://cookbook.fortinet.com/how-to-work-with-fortinet-support/

          • adolfo Zameza

            I will try the same config but with other public servers (web servers). Have you tried using a 32-bit mask – quite obviously – 255.255.255.255? I think in my environment any other mask will be enough.

  • Marvin Romero

    Hi,
    I just configured Weighted Round Robin load balancing. My WAN1 is a high-speed Internet connection which is my primary and my WAN2 is just a standard-speed Internet connection which is my secondary, and here are the issues that I’m experiencing right now.
    1. Logged-on users of the website always get kicked out of the session.
    2. Even though I configured WAN1 as 100% and WAN2 as 0%, the traffic is still transferred on WAN2, which gives me a slow Internet connection compared to my primary.

    Thanks a lot

  • Waleed Kayani

    Hi,
    I recently configured load balancing between 2 WAN links, a cable and an LTE modem. The problem is, users keep getting kicked out from their sessions on websites that require logins. They would enter the data and as soon as they submit, they lose all data and are back at the sign in screen.

    I suppose this is a problem due to load-balancing. Is there a way to allow certain traffic through only 1 WAN link?

    Thanks much

    • Anderson Vieira Gonçalves

      Hello!

      Try using the balancing method “Source IP-based Destination”. It may solve your problem.

  • Muthukumaran

    Hi Victoria, I am using a FortiGate 100D with FortiOS 5.4.0. wan1 has 2.6 Mbps down, 768 kbps up and wan2 has 1 Mbps each in up & down. FortiOS 5.4 shows many methods for load balancing. Which is the best load balance method for me? Also I want to enable IPsec VPN for wan1 and wan2. Please guide me. Thanks

    • Bruce Davis

      Hello Muthukumaran,

      You submitted your comment in a recipe for Redundant Internet connections, so I will concentrate on that question first.

      There are many possible variables that come into play when choosing a load balancing variable. You’ve only mentioned bandwidth, so I’ll assume that is the criterion that matters most.

      I’m making these assumptions:
      – Most of your sessions will be using about the same bandwidth.
      – Most of your traffic will be downloading.
      – You are using WAN LLB.

      The important factor is that the two connections have different levels of bandwidth. This means you will want to use ‘weight’ to determine the load on each link. That being the case, either the Volume or Session algorithm should suit your needs.

      With both algorithms you set the weight for each link. WAN1 has a download capacity of 2.6 Mbps and WAN2 has a capacity of 1. The weight setting needs to be an integer, not a decimal value; otherwise you could set the weight of WAN1 to 2.6 and the weight for WAN2 to 1 and be done. That would work out to about 72% of the traffic going through WAN1 and 28% going through WAN2. Seeing as we need to use integers, try WAN1 at 3 and WAN2 at 1. This will work out to 75% and 25%; not exactly the same, but close. As time goes by, you can check the usage and make adjustments as needed.

      If your requirements are more involved, you can always check with the TAC (Technical Assistance Center) for support. For working with Support you can find more information at http://cookbook.fortinet.com/how-to-work-with-fortinet-support/

      Regarding the question of enabling IPsec VPN on WAN1 and WAN2 while using WAN load balancing; this is a more complex question. It is one of those things that I’ve been told is theoretically possible if the right conditions are met, but definitely a more complicated set up than can be put in a comment like this. We do not have a recipe available yet for that kind of set up, so for the time being, your best option is to contact TAC to get assistance for that particular kind of setup.

      • Muthukumaran

        Thanks Mr. Bruce. Please help me to configure my FortiGate 100D with FortiOS 5.4.0. I want to use both interfaces separately, meaning no redundancy and no load balancing. I want to put some traffic via wan1 and some traffic via wan2. As per Fortinet Support, I have tried a policy route, but only wan1 is working; no traffic is passing via wan2. If I change the policy route from wan2 to wan1 for a particular system, then it is working. If I put back wan2 for that particular system, then there is no Internet on wan2. If this works, then I can use IPsec easily.

        • Bruce Davis

          Muthukumaran,

          The comments section of a recipe, even if it is related, is not the best medium for troubleshooting a specific issue like this one. Policy routes bring their own set of complications. This is why, when using them, you need to be very aware of the environment that they are operating in. Troubleshooting this requires a knowledge of the topology of the network surrounding the FortiGate and knowledge of most of the FortiGate’s configuration. I would recommend continuing to work with Technical Support on this issue. If the technician you are working with is unable to provide a solution you do have the option of requesting another or escalating the issue.

  • Rodrigo de los Santos

    Hi Victoria, what would be the difference between WAN Link Load Balance and doing the same with a zone and Setting Options in the Router branch? When I create the WAN link I lose admin access from the other WANs with higher weight. Also I have PPTP VPN settings enabled and see the same behavior (it only works with the WAN with lower weight)… is this normal behavior?

    • Victoria Martin

      Hi Rodrigo,

      WAN link load balancing is a simplified method of allowing redundant Internet access, so the main difference between it and other methods is that using a WAN link allows for less control for some parts of the configuration.

      As for your other issue, I would suggest contacting Fortinet Support. Before you do so, we have an article you may find useful to read about working with Support. You can find it at http://cookbook.fortinet.com/how-to-work-with-fortinet-support/

      I hope that helps!

  • Lester Marcos

    Hi Sir, let’s say I have two ISPs (wan1/wan2) and the primary link is wan1 and wan2 is the backup. Should wan1 go down, wan2 will take over. Is it possible to force a single IP address or a group of IP addresses in a LAN to use the backup link (wan2)? TIA.

  • Christian T

    Hi Victoria, can I configure the redundant Internet connections with any physical interface or only with the wan1 and wan2 ports?

    • Victoria Martin

      Hi Christian, you can use any physical interface (provided it isn’t used elsewhere in your configuration). WAN1 and WAN2 are simply the interfaces most commonly used for this purpose.

      • Christian T

        Thank you Victoria.

  • Steve Godfrey

    Hi there, thanks for creating this document, it’s very helpful. Can you provide more detail around the ‘weight’ values? For instance, if I set WAN1 to a weight of 1 and WAN2 to a weight of 255, what percentage of traffic would go via WAN2?
    Thanks!

    • Victoria Martin

      Hi Steve, I’m glad you found the recipe helpful.

      In this recipe, we’re using weighted round robin load balancing, which distributes traffic over the two interfaces. The weighted values are assigned to each of the interfaces based on their capacity and on how many connections they are currently processing. Weighted round robin distributes traffic more evenly because units that are not processing traffic will be more likely to receive new connections than units that are very busy. So with weighted round robin, the weights of 1 and 255 would not be a good fit, since almost no traffic would be assigned to WAN2.

      You can find out more information about this type of load balancing in the FortiOS Handbook: http://help.fortinet.com/fos50hlp/52data/index.htm#FortiOS/fortigate-high-availability-52/HA_a-a.htm

      • Steve Godfrey

        Thanks for the thorough reply. I want to effectively disable use of the WAN2 interface for a few days, but have it there in the event of WAN1 failing, hence the weighting question. The document you’ve provided doesn’t seem to discuss the WAN load balancing weighting values; currently I use weights of 5 & 5 (which shows as 50% in the GUI), but I reckon 1 and 255 are perfect for me, effectively disabling one of the Internet feeds for a few days.

        Thanks for your help.

  • Ernesto B

    Hi everyone. Please, could you tell me if there is some doc about how I can set up an IPsec VPN between two FTG-90D + DDNS + WAN LINK? I have WAN Link only on one FTG-90D (two ISPs) but both of them use DDNS. All the docs I have found only talk about static IPs, or not about WAN Link+VPN… Thanks in advance…

    • Keith Leroux

      Hello Ernesto,
      Regrettably, we don’t appear to have any documentation specific to your desired configuration. I recommend contacting Support through support.fortinet.com for greater assistance.

      • Ernesto B

        OK Keith, and thanks for taking this case in the future…

  • Franz Honegger

    Hi, can you tell me how to configure wan1 and wan2 so that wan2 is used only if wan1 fails? We have a very fast wan1 line 150/15 and a very slow backup wan2 with 10/2, and we only want wan2 to take over when wan1 is not available. Thank you

    • Victoria Martin

      Hi Franz,

      For this type of set-up, you should set up redundant Internet that does not use the virtual WAN link. This is because you will need to have two static routes, and a virtual WAN link configuration only uses one.

      When you create the static routes, you will set Distance so that your WAN1 interface’s route has a smaller distance, allowing it to be considered the “better” route. By doing this, you tell the FortiGate to use this route as long as it is available, even if WAN2 is also available.

      Information about this type of configuration is included in our 5.0 redundant Internet recipe, which you can find here: http://docs.fortinet.com/uploaded/files/1646/using-two-ISPs-for-redundant-Internet-connections.pdf

      I hope that helps!

      • Franz Honegger

        Thank you Victoria for your reply. BR Franz

  • Pablo Perez

    Hi, this feature is very good, but can you define an IP pool and restrict some addresses to be used by ISP1 and others by ISP2?

  • Romaric Gueliago

    Hi, I have another question, can you configure the wan-load-balance interface with two site to site VPN interface?

    • Keith Leroux

      Hello,

      I’m attempting to get some clarification on IPsec VPN with regard to wan-load-balance so I can improve the IPsec VPN handbook chapter and potentially create some Cookbook material. In the meantime, I would advise contacting support.fortinet.com with your query; Support would be able to facilitate a proper dialogue with you concerning your particular environment, and they have much greater subject matter expertise than I can provide, especially regarding wan-load-balance.

      • Romaric Gueliago

        Hi Keith, thanks for answering me. I am awaiting news from you!

  • Romaric Gueliago

    Hi dear Victoria! Is it possible to configure the wan-load-balance interface to use a site-to-site VPN tunnel interface on the wan1 link and a physical wan2 link for the Internet connection? My aim is to allow remote users on branch sites to use the VPN interface for browsing using the Internet of the HQ site, and if the VPN is down, to use their local wan2 link or wan1 link directly for browsing. Thanks

  • PetrM

    Unfortunately the wan-load-balance interface cannot be used for Explicit Proxy Policy with the 5.2.3 release.
    Will you consider the wan-load-balance interface as an allowed interface for Explicit Proxy Policy in the future?

  • Rabah Benafla

    Dear Victoria Martin,
    Is it possible to configure a site-to-site VPN on the WAN link interface?

    Thanks

  • PetrM

    Thank you for the recipe.

    Is load balanced interface health monitoring done automatically? How?

    • bdickie

      You can add interface health checking when you add an interface (in step 3). The health checking check box was cropped out of the screen shot. We will update this recipe to show the health checking checkbox and add some info about health checking.

      • PetrM

        I was hoping that load balanced interface health monitoring is done automatically by default against Fortinet or FortiGuard servers.

        Your competitors have already implemented it and it is set as default.

        Feel free to add Automatic interface health monitoring as alternative to manual configuration.

        • bdickie

          Thanks for the recommendation. I will forward it to our product management team.