Redundant Internet with SD-WAN


The following example demonstrates how to configure redundant Internet using the new SD-WAN feature in FortiOS 5.6. 

The goal of SD-WAN is to seamlessly manage traffic at the Layer 2 level of the OSI model without the need to manage hardware-based switches or WAN controllers.

Find this recipe for other FortiOS versions
5.2.0 | 5.2.1 +  | 5.4 | 5.6

The example includes volume-based weighted load balancing so that 75% of your Internet traffic is handled by the ISP connected to WAN1, with the remaining 25% handled by the ISP connected to WAN2.

This configuration also means that in the event of a failure connecting to one ISP, all traffic will divert to the other WAN interface (this is commonly referred to as ‘failover’).

1. Connecting your ISPs to the FortiGate

Connect your ISP devices to your FortiGate so that the ISP you wish to use for most traffic is connected to WAN1 and the other connects to WAN2.

2. Modifying existing policies

You will not be able to add any interface to the SD-WAN interface that is already used in the FortiGate’s configuration. So, in this scenario, you must delete any security policies that use either WAN1 or WAN2, such as the default Internet access policy. Traffic will not be able to reach WAN1 or WAN2 through the FortiGate after you delete the existing policies.

It is also advisable to check for any other references to WAN1 or WAN2 and make the necessary modifications.

If you have many policies that reference WAN1 and/or WAN2, a simple method is to redirect those policies to unused ports, rather than delete them, to avoid having to recreate each policy from scratch. Obviously, you should redirect those same policies back to the SD-WAN interface once it is created.

Go to Policy & Objects > IPv4 Policy and delete any policies that use WAN1 or WAN2.

3. Creating the SD-WAN interface

Go to Network > SD-WAN.

Set the Interface State to Enable.

Under SD-WAN, add the two WAN interfaces.

Under Load Balancing Algorithm, select Volume and prioritize the WAN1 interface to serve more traffic.

In the example, the ISP connected to WAN1 is a 40Mb link, and the ISP connected to WAN2 is a 10Mb link, so we balanced the weight 75% to 25% in favor of WAN1.

To help visualize the effectiveness of the algorithm selected, the WAN Links Usage graph shows you the Bandwidth and Volume usage.

4. Configuring SD-WAN Status Check

You can optionally configure SD-WAN Status Check to verify the health and status of the links that make up the virtual WAN link.

This configuration uses the Ping protocol to verify the status of the SD-WAN.

Go to Network > SD-WAN Status Check and (if you wish to use Google) enter the values shown here.

5. Allowing traffic from the internal network to the SD-WAN interface

Go to Policy & Objects > IPv4 and create a new policy.

Set Incoming Interface to your internal network’s interface and set Outgoing Interface to the SD-WAN interface.

Enable NAT and apply Security Profiles as required.

Enable Log Allowed Traffic for All Sessions to allow you to verify the results later.

At this point, you should recover any policies that may have been redirected or deleted in Step 2 and point them to the SD-WAN interface.

6. Results

Browse the Internet using a computer on the internal network and then go to Network > SD-WAN > SD-WAN Usage.

You can see the bandwidth and volume of traffic traversing the SD-WAN interfaces.

Verify that Status Check is working by viewing the table at Network > SD-WAN > SD-WAN Status Check.

Go to Monitor > SD-WAN Monitor to view the number of sessions for each interface, bit rate, and more.

7. Testing failover

To test failover of the redundant Internet configuration, you must simulate a failed Internet connection to one of the ports. Do so by physically disconnecting the Ethernet cable connected to WAN1.

Verify that users still have Internet access by navigating to Monitor > SD-WAN Monitor. Note the Upload/Download of each WAN interface.

Furthermore, go to Network > SD-WAN > SD-WAN Usage to see that bandwidth and volume have diverted entirely through WAN2.

Users on the internal network should have no knowledge of the WAN1 failure. Likewise, if you are using the WAN1 gateway IP to connect to the admin dashboard, nothing should change from your perspective. It will appear as though you are still connecting through WAN1.

Reconnect the WAN1 Ethernet cable when you have verified successful failover.

For further reading, check out Installing a FortiGate in NAT/Route mode in the FortiOS 5.6 Handbook.

Keith Leroux

Keith Leroux

Technical Writer at Fortinet
Keith Leroux is a writer on the FortiOS 'techdocs' team in Ottawa, Ontario. He obtained a Bachelor's degree from Queen's University in English Language and Literature, and a graduate certificate in Technical Writing from Algonquin College. He spent a year teaching ESL in South Korea. Annyeong!
Keith Leroux

Latest posts by Keith Leroux (see all)

  • Was this helpful?
  • Yes   No
You can use any stable server that responds to ICMP requests, such as the ISP’s gateway. We recommend something with the fewest hops.