Redundant Internet with SD-WAN


This recipe provides an example of how you can configure redundant Internet connectivity for your network using SD-WAN. This allows you to load balance your Internet traffic between multiple ISP links and provides redundancy for your network’s Internet connection if your primary ISP is unavailable. 


1. Connecting the FortiGate to your ISP devices

Connect the Internet-facing ports (WAN ports) on the FortiGate to your ISP devices. Connect WAN1 to the ISP that you want to use for most traffic. Connect WAN2 to the other ISP.

2. Removing existing configuration references to interfaces

Before you can configure FortiGate interfaces as SD-WAN members, you must remove or redirect existing configuration references to those interfaces in routes and security policies. This includes the default Internet access policy that’s included with many FortiGate models. Note that after you remove the routes and security policies, traffic can’t reach the WAN ports through the FortiGate.

Redirecting the routes and policies to reference other interfaces saves you from having to create them again later. After you configure SD-WAN, you can reconfigure the routes and policies to reference the SD-WAN interface.

Go to Network > Static Routes and delete any routes that use WAN1 or WAN2.

Go to Policy & Objects > IPv4 Policy and delete any policies that use WAN1 or WAN2.
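
A pre-check for this step, as an added example that is not part of the original recipe: the Python script below scans a saved configuration backup for static routes and firewall policies that still reference the intended SD-WAN members. The sample configuration is constructed, and `find_references` and `INTERFACE_KEYS` are hypothetical names chosen for the example.

```python
import shlex

# Constructed excerpt of a FortiGate configuration backup (not from the page).
SAMPLE_CONFIG = '''\
config router static
    edit 1
        set gateway 203.0.113.1
        set device "wan1"
    next
end
config firewall policy
    edit 1
        set srcintf "internal"
        set dstintf "wan1"
    next
    edit 2
        set srcintf "guest"
        set dstintf "wan2" "dmz"
    next
end
'''

# Settings that tie an entry to an interface, per config section.
INTERFACE_KEYS = {"router static": {"device"}, "firewall policy": {"srcintf", "dstintf"}}


def find_references(config_text, members=("wan1", "wan2")):
    """Return (section, entry id, setting, interface) for each member reference."""
    hits, stack, entry = [], [], None
    for raw in config_text.splitlines():
        try:
            tokens = shlex.split(raw)
        except ValueError:  # unbalanced quote: part of a multi-line value
            continue
        if not tokens:
            continue
        word, args = tokens[0], tokens[1:]
        section = stack[-1] if stack else None
        if word == "config":
            stack.append(" ".join(args))
        elif word == "end" and stack:
            stack.pop()
        elif word == "edit" and section in INTERFACE_KEYS:
            entry = args[0]
        elif word == "set" and args and args[0] in INTERFACE_KEYS.get(section, ()):
            hits += [(section, entry, args[0], v) for v in args[1:] if v in members]
    return hits


if __name__ == "__main__":
    print(find_references(SAMPLE_CONFIG))
```

An empty result means no static route or IPv4 policy in the backup still points at WAN1 or WAN2.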

3. Creating the SD-WAN interface

Go to Network > SD-WAN and set Status to Enable.

Under SD-WAN Interface Members, select + and select wan1. Set the Gateway to the default gateway for this interface. This is usually the default gateway IP address of the ISP that this interface is connected to. Repeat these steps to add wan2.

Go to Network > Interfaces and verify that the virtual interface for SD-WAN appears in the interface list. You can expand SD-WAN to view the ports that are included in the SD-WAN interface.

4. Configuring SD-WAN load balancing

Go to Network > SD-WAN Rules and edit the rule named sd-wan.

In the Load Balancing Algorithm field, select Volume, and prioritize WAN1 to serve more traffic.

In the example, the ISP connected to WAN1 is a 40Mb link, and the ISP connected to WAN2 is a 10Mb link, so we balance the weight 75% to 25% in favor of WAN1.

5. Creating a static route for the SD-WAN interface

Go to Network > Static Routes and create a new route.

In the Destination field, select Subnet, and leave the destination IP address and subnet mask as

In the Interface field, select the SD-WAN interface from the drop-down menu. 

Ensure that Status is set to Enable.

If you previously removed or redirected existing references in routes to interfaces that you wanted to add as SD-WAN interface members, you can now reconfigure those routes to reference the SD-WAN interface.

6. Configuring a security policy for SD-WAN

Configure a security policy that allows traffic from your organization’s internal network to the SD-WAN interface.

Go to Policy & Objects > IPv4 Policy and create a new policy.

Set Incoming Interface to the interface that connects to your organization’s internal network and set Outgoing Interface to the SD-WAN interface.

Enable NAT and apply Security Profiles as required.

Enable Log Allowed Traffic for All Sessions to allow you to verify the results later.

If you previously removed or redirected existing references in security policies to interfaces that you wanted to add as SD-WAN interface members, you can now reconfigure those policies to reference the SD-WAN interface.

7. Configuring link health monitoring

You can configure link health monitoring to verify the health and status of the links that make up the SD-WAN link.

Go to Network > Performance SLA and create a new performance SLA. 

Set the Protocol for the health checks. In the Server fields, enter the IP addresses of up to two servers that you want to use to test the health of each SD-WAN member interface. In the Participants field, select the SD-WAN interface members that you want the health check to apply to.

You can view link quality measurements on the Performance SLA page. The table displays information about configured health checks. The values in the Packet Loss, Latency, and Jitter columns apply to the server that the FortiGate is using to test the health of the SD-WAN member interfaces.

The green (up) arrows indicate only that the server is responding to the health checks, regardless of the packet loss, latency, and jitter values. They don’t indicate that the health checks are being met.

8. Results

Browse the Internet using a computer on your internal network and then go to Network > SD-WAN.

In the SD-WAN Usage section, you can see the bandwidth, volume, and sessions for traffic on the SD-WAN interfaces.

Go to Monitor > SD-WAN Monitor to view the number of sessions, bit rate, and more information for each interface.

9. Testing failover

To test failover of the redundant Internet configuration, you must simulate a failed Internet connection to one of the ports. Do so by physically disconnecting the Ethernet cable connected to WAN1.

Verify that users still have Internet access by navigating to Monitor > SD-WAN Monitor. The Upload and Download values for WAN1 show that traffic isn’t going through that interface.

Go to Network > SD-WAN. In the SD-WAN Usage section, you can see that bandwidth, volume, and sessions have diverted entirely through WAN2.

Users on the internal network shouldn’t notice the WAN1 failure. Likewise, if you’re using the WAN1 gateway IP address to connect to the admin dashboard, nothing should change from your perspective. It appears as though you’re still connecting through WAN1.

After you verify successful failover, reconnect the WAN1 Ethernet cable.
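
The failover check can also be made from the traffic logs that step 6 enabled. The following Python script is an added example, not part of the original recipe: it counts sessions and bytes per outgoing interface in a time window and reports whether all logged traffic left through WAN2. The log lines and timestamps are constructed, and the function names are hypothetical.

```python
import shlex
from collections import Counter
from datetime import datetime

# Constructed forward-traffic log lines in FortiGate key=value form (not from the page).
SAMPLE_LOGS = '''\
date=2024-01-15 time=10:00:05 type="traffic" subtype="forward" srcintf="internal" dstintf="wan1" sentbyte=1200 rcvdbyte=5400
date=2024-01-15 time=10:00:09 type="traffic" subtype="forward" srcintf="internal" dstintf="wan2" sentbyte=800 rcvdbyte=2100
date=2024-01-15 time=10:00:14 type="traffic" subtype="forward" srcintf="internal" dstintf="wan1" sentbyte=950 rcvdbyte=7300
date=2024-01-15 time=10:05:02 type="traffic" subtype="forward" srcintf="internal" dstintf="wan2" sentbyte=1100 rcvdbyte=6400
date=2024-01-15 time=10:05:08 type="traffic" subtype="forward" srcintf="internal" dstintf="wan2" sentbyte=700 rcvdbyte=3300
'''

def parse_line(line):
    """Split one key=value log line into a dict and attach a datetime."""
    fields = dict(tok.split("=", 1) for tok in shlex.split(line) if "=" in tok)
    fields["when"] = datetime.fromisoformat(f'{fields["date"]} {fields["time"]}')
    return fields

def usage_by_interface(log_text, start, end):
    """Sessions and bytes per outgoing interface for forward traffic in [start, end)."""
    t0, t1 = datetime.fromisoformat(start), datetime.fromisoformat(end)
    sessions, volume = Counter(), Counter()
    for line in filter(str.strip, log_text.splitlines()):
        f = parse_line(line)
        if f.get("subtype") != "forward" or not (t0 <= f["when"] < t1):
            continue
        sessions[f["dstintf"]] += 1
        volume[f["dstintf"]] += int(f.get("sentbyte", 0)) + int(f.get("rcvdbyte", 0))
    return sessions, volume

def failover_ok(log_text, start, end, failed="wan1", backup="wan2"):
    """True when no session in the window used the failed link and some used the backup."""
    sessions, _ = usage_by_interface(log_text, start, end)
    return sessions[failed] == 0 and sessions[backup] > 0

if __name__ == "__main__":
    for label, window in (("before", ("2024-01-15 10:00:00", "2024-01-15 10:05:00")),
                          ("after", ("2024-01-15 10:05:00", "2024-01-15 10:10:00"))):
        print(label, usage_by_interface(SAMPLE_LOGS, *window), failover_ok(SAMPLE_LOGS, *window))
```

Sessions that were already open on WAN1 when the cable was pulled can still be logged with `dstintf="wan1"` when they close, so start the window a little after the disconnect.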


Karyn Jacobs

Technical Writer at Fortinet
Karyn Jacobs is a technical writer on the FortiOS Technical Documentation team. She has a B.A.H. in English and a B.Ed. from Queen’s University, and has worked as a technical writer for the past 20 years at various high tech companies.
Karyn Jacobs
You can use any stable server that responds to ICMP requests, such as the ISP gateway. A best practice is to use a server location with the fewest hops.